- US Government data falls on a spectrum: Uncontrolled Unclassified (UUI), Controlled Unclassified (CUI), Confidential, Secret, Top Secret.
- CUI is NOT classified, but it still requires safeguarding under NIST SP 800-171 and federal regulations.
- For most businesses dealing with NIST 800-171 / CMMC, the focus is on a subset of CUI called Controlled Technical Information (CTI): technical data, engineering drawings, source code, and related materials.
- Legacy terms FOUO (For Official Use Only) and SBU (Sensitive But Unclassified) are being phased out and replaced by CUI designations.
- Not all ITAR data is CUI. ITAR compliance involves additional export control requirements beyond CUI protections.
Data Classification Spectrum
Executive Orders (EO) 12356 and EO 13526 established the foundation for what "classified" data is. EO 13556 established the foundation for Controlled Unclassified Information (CUI).

Two Types
There are two (2) types of Unclassified data from the US Government's perspective:
Controlled Unclassified Information (CUI)
- CUI Basic
- CUI Specified
Uncontrolled Unclassified Information (UUI)
- General UUI (not publicly released or FCI)
- Federal Contract Information (FCI)
- Information that has been cleared for public release
*Note: Per NARA, Uncontrolled Unclassified Information (UUI), as described in 32 CFR Part 2002, refers to information that is neither CUI nor classified, but is still subject to agency public release policies.
Three Types
There are three (3) types of Classified data from the US Government's perspective, each with progressively more stringent handling, storage and access requirements:
- Confidential: Damage to national security.
- Secret: Serious damage to national security.
- Top Secret: Exceptionally grave damage to national security.
What is Controlled Unclassified Information (CUI)?
There is no simple answer to what Controlled Unclassified Information (CUI) is. The authoritative source that defines CUI is the US National Archives, through the CUI Registry. However, for most businesses that have to address NIST 800-171 and/or Cybersecurity Maturity Model Certification (CMMC), the focus is on a subset of CUI, Controlled Technical Information (CTI). "Technical Information" means technical data or computer software. Examples of technical information include:
- Research and engineering data;
- Engineering drawings;
- Associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information; and
- Computer software executable code and source code.
The concept behind Controlled Unclassified Information (CUI) is that it is meant to foster consistency and accountability across the federal ecosystem:
- Established under and overseen by NARA/ISOO, replacing agency-specific terms like FOUO or SBU.
- Encompasses “unclassified but sensitive” content, such as export-controlled data, proprietary technical info, contracts and FOUO material.
- Requires standardized handling, marking, storage and dissemination limits, governed by baseline policies (e.g., NIST SP 800-171).
- Divided into CUI Basic and CUI Specified, based on handling requirements established by laws, regulations and/or US Government-wide policies.
- Mandatory for federal agencies and contractors.
Understanding Requirements For CUI
The best place to start is with understanding Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, since that establishes the definitions and need to protect CUI.
DFARS 252.204-7012 Defines A Requirement To Provide "Adequate Security"
This refers to protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
- Defined by the security requirements in the contract for services or systems operated on behalf of the US Government.
- Further defined by NIST 800-171 for all other “Covered Contractor Information Systems.”
Covered Contractor Information System (CCIS)
This refers to an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits “Covered Defense Information.”
Covered Defense Information (CDI)
This refers to unclassified "Controlled Technical Information" or other information, as described in the Controlled Unclassified Information (CUI) Registry.
Controlled Technical Information (CTI)
When you read through the CUI Registry and find Controlled Technical Information (CTI), it refers to technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
- CTI is to be marked in accordance with Department of Defense Instruction 5230.24, "Distribution Statements of Technical Documents."
- The term does not include information that is lawfully publicly available without restrictions.
Frequently Asked Questions (FAQ)
Is CUI classified?
No. Controlled Unclassified Information (CUI) is not classified data, as its name states (i.e., unclassified). While CUI is unclassified information, it still requires safeguarding under federal regulations. CUI is distinct from classified information and resides outside the national security classification system.
Is All ITAR CUI?
No. Not all International Traffic in Arms Regulations (ITAR) data is Controlled Unclassified Information (CUI). While ITAR governs sensitive defense information, not all ITAR data is categorized as CUI.
- ITAR controls export and import of defense-related articles and services; and
- CUI includes many categories such as export control information, but ITAR data often exceeds CUI baseline controls and is regulated separately under export laws.
ITAR information may be handled under CUI protections if it falls within CUI categories, but ITAR compliance involves additional controls such as strict export licensing and access restrictions.
What Are Examples of Controlled Unclassified Information (CUI)?
The US National Archives maintains the CUI Registry and provides an authoritative list of applicable safeguarding and/or dissemination authorities, which govern that specific type of CUI.
CUI typically arises when information is developed under government contract or pertains to federal interests. Examples include defense-related technical data, procurement plans, health or privacy regulated data (e.g., PHI) and infrastructure design documents. While unclassified, CUI demands enhanced handling under frameworks including NIST 800-171 and in some cases NIST SP 800-172.
What Is FOUO?
The acronym FOUO refers to For Official Use Only. The FOUO designation is meant to alert personnel on how to store, transmit and share the information securely. Unauthorized disclosure of FOUO could adversely affect government operations or an individual’s privacy.
FOUO materials:
- Are not classified under national security categories; and
- Require protection and cannot be publicly released.
While FOUO still exists within the US Government, FOUO is being phased out and replaced by Controlled Unclassified Information (CUI) designations as a more granular way to label information that is sensitive but not classified.
