What Are the Two Types of CUI?
The two types of Controlled Unclassified Information (CUI) are:
- CUI Basic; and
- CUI Specified.
CUI Basic is the general category of CUI that requires safeguarding or dissemination controls but does not involve any additional restrictive markings or handling requirements.
- The controls for CUI Basic are standardized and defined by the National Archives and Records Administration (NARA); and
- Organizations handling CUI Basic must apply baseline security controls to protect it adequately.
CUI Specified is a subset of CUI that has additional handling or dissemination controls specified by law, regulation, or government-wide policy. CUI Specified requirements may include extra requirements such as specific marking, additional encryption, or restricted sharing limitations.
The distinction between CUI Basic and CUI Specified helps organizations apply the appropriate level of controls based on the sensitivity and regulatory requirements attached to the information.