What is CUI?
Controlled Unclassified Information (CUI) is a US Government construct created under Executive Order 13556 (2010) that effectively replaces For Official Use Only (FOUO) and Sensitive But Unclassified (SBU) going forward. The US National Archives runs the US Government’s CUI Program and NIST SP 800-171 is the set of minimum security requirements to protect the integrity and confidentiality of CUI. The concept behind CUI is that it is meant to foster consistency and accountability across the federal ecosystem:
- Origins: Established under and overseen by NARA/ISOO, replacing agency-specific terms like FOUO or SBU.
- Scope: Encompasses “unclassified but sensitive” content, such as export-controlled data, proprietary technical info, contracts and FOUO material.
- Protection: Requires standardized handling, marking, storage, dissemination limits, governed by baseline policies (e.g., NIST SP 800-171).
- Categories: Divided into CUI Basic and CUI Specified, based on handling requirements established by laws, regulations and/or US Government-wide policies.
- Applicability: Mandatory for federal agencies and contractors.