Unclassified vs Classified Data Types

Executive Orders (EO) 12356 and 13526 established the foundation for what "classified" data is. EO 13556 established the foundation for Controlled Unclassified Information (CUI).


Unclassified Data Types

There are two (2) types of Unclassified data from the US Government's perspective:

  1. Controlled Unclassified Information (CUI)
    • CUI Basic
    • CUI Specified
  2. Uncontrolled Unclassified Information (UUI)
    • General UUI (not publicly released or FCI)
    • Federal Contract Information (FCI)
    • Information that has been cleared for public release

Classified Data Types

There are three (3) types of Classified data from the US Government's perspective:

  1. Confidential;
  2. Secret; and
  3. Top Secret.

What is Controlled Unclassified Information (CUI)?

What counts as Controlled Unclassified Information (CUI) is difficult to answer simply. The authoritative source that defines CUI is the US National Archives, through the CUI Registry. However, for most businesses that have to address NIST 800-171 and/or Cybersecurity Maturity Model Certification (CMMC), the focus is on a subset of CUI, Controlled Technical Information (CTI). "Technical Information" means technical data or computer software. Examples of technical information include:

The concept behind Controlled Unclassified Information (CUI) is that it is meant to foster consistency and accountability across the federal ecosystem:

Understanding Requirements For CUI

The best place to start is with understanding Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, since that establishes the definitions and need to protect CUI.

For Official Use Only (FOUO) & Sensitive But Unclassified (SBU)

There are two (2) legacy data types that are replaced by CUI:

  1. For Official Use Only (FOUO); and
  2. Sensitive But Unclassified (SBU).

Per US Government guidance, "legacy documents" do not need to be remarked until and unless the information is re-used, restated, or paraphrased. When new documents are derived from legacy documents, they must follow the new CUI marking standards.

Is CUI classified?

No. Controlled Unclassified Information (CUI) is not classified data, as its name states (i.e., unclassified). While CUI is unclassified information, it still requires safeguarding under federal regulations. CUI is distinct from classified information and resides outside the national security classification system.

Is All ITAR CUI?

No. Not all International Traffic in Arms Regulations (ITAR) data is Controlled Unclassified Information (CUI). While ITAR governs sensitive defense information, not all ITAR data is categorized as CUI.

ITAR information may be handled under CUI protections if it falls within CUI categories, but ITAR compliance involves additional controls such as strict export licensing and access restrictions.

What Are Examples of Controlled Unclassified Information (CUI)?

The US National Archives maintains the CUI Registry and provides an authoritative list of applicable safeguarding and/or dissemination authorities, which govern that specific type of CUI.

CUI typically arises when information is developed under government contract or pertains to federal interests. Examples include defense-related technical data, procurement plans, health or privacy regulated data (e.g., PHI) and infrastructure design documents. While unclassified, CUI demands enhanced handling under frameworks including NIST 800-171 and, in some cases, NIST SP 800-172.

What is FOUO?

The acronym FOUO refers to For Official Use Only. The FOUO designation is meant to alert personnel on how to store, transmit and share the information securely. Unauthorized disclosure of FOUO could adversely affect government operations or an individual’s privacy.

FOUO materials:

While FOUO still exists within the US Government, FOUO is being phased out in favor of Controlled Unclassified Information (CUI) designations as a more granular way to label information that is sensitive but not classified.

 
