What Is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is sensitive but unclassified information that the U.S. federal government creates or holds (or that others hold on its behalf) and that must be protected and controlled by law, regulation, or government-wide policy.
What CUI Actually Is
- It is government-related information that the government or a contractor creates or possesses for government work.
- It is not classified (like Secret or Top Secret) but still requires protection and limited sharing.
- Protection requirements come from specific laws, regulations, or policies that say this type of information needs safeguarding or dissemination controls.
A simple way to think of it: CUI is "sensitive, not-for-the-public" government information that can't just be freely shared, even though it's not formally classified as secret.
How the CUI Program Works
- The federal CUI Program was created to standardize how agencies label, protect, and share this kind of information across the government.
- It was established under Executive Order 13556, with the National Archives (ISOO) designated to oversee the program.
- The goal is to avoid the old patchwork of labels and create one coherent framework for handling sensitive but unclassified information.
Because of this, agencies and contractors follow consistent rules instead of inventing their own local markings or categories.
Types and Categories of CUI
Many kinds of information can be CUI, as long as a law or regulation says it must be protected. Common examples (high level):
- Privacy and personal data (certain protected personal information).
- Law enforcement sensitive information.
- Critical infrastructure, export control, or certain technical data.
- Some defense or research information created for federal contracts.
Within the program, CUI is often divided into:
- CUI Basic: when the authority says it must be protected but does not specify detailed controls.
- CUI Specified: when the authority includes specific safeguarding or dissemination rules.
These distinctions matter for how strict the technical and procedural protections must be.
Marking and Handling CUI
CUI must be clearly marked and handled using defined controls so people know it cannot be freely shared. Typical features include:
- A banner marking at the top of a document indicating "CUI" or "CONTROLLED," sometimes with a category, such as "CUI // PRIVACY."
- Additional markings for limited dissemination, such as "NOFORN" when information cannot be released to foreign nationals.
- Technical and organizational safeguards (access control, secure systems, restricted sharing, training) tailored to the type of CUI and its governing authority.
For defense and other contractors, properly protecting CUI is also tied to broader cybersecurity and compliance frameworks (for example, CMMC requirements).
What Is Not CUI
Not every sensitive piece of information is CUI. Examples of what typically does not qualify include:
- Classified national security information (that is in its own, separate system).
- Publicly available information.
- Many types of contractor corporate data (like internal HR or financial records) unless they are part of a government requirement or contract and explicitly fall under a CUI category.
In short, if there is no law, regulation, or government-wide policy requiring special controls, the information is not treated as CUI.