San Antonio, TX · Military City, USA UEI L58JZMKRCLM5  ·  CAGE 203C1  ·  NAICS 541511  ·  SAM.gov Active
OVERVIEW

CUI — Controlled Unclassified Information — is government-created or government-owned information that is sensitive but not classified, and that the law requires you to safeguard or limit how you share. If a federal contract puts CUI on your laptops, servers, or cloud tenant, you inherit real handling duties — and on the cybersecurity side, you trigger NIST SP 800-171. This page explains what CUI is, where it comes from, the difference between CUI Basic and CUI Specified, and what it actually means for a small business chasing IT and software work. It is educational, not legal advice — always verify against the solicitation and the official NARA CUI Registry.

DEFINITION

What CUI actually is

The category that exists between “public” and “classified.”

Controlled Unclassified Information is information the government creates or owns that requires safeguarding or dissemination controls under a law, regulation, or government-wide policy — but that is not classified under Executive Order 13526 or the Atomic Energy Act.

In plain terms: it is sensitive enough that you can’t post it publicly or email it to anyone, but it is not Secret or Top Secret. Think contract deliverables marked controlled, certain technical drawings, export-controlled data, privacy records, or law-enforcement and procurement-sensitive material. The label travels with the information, not the contract — so the obligation lands on whoever holds the data.

Why the program exists. Before CUI, agencies invented their own markings — “For Official Use Only” (FOUO), “Sensitive But Unclassified” (SBU), “Law Enforcement Sensitive,” and dozens more. None had consistent rules. The CUI Program replaced that patchwork with one standardized system so the same information is handled the same way across the executive branch.

One discipline matters from day one: don’t guess. Whether something is CUI — and which category it falls under — is the government’s call, documented in the solicitation, the contract, or a marking on the document itself. When it’s ambiguous, ask the Contracting Officer in writing rather than assuming.

LEGAL BASIS

Where CUI comes from

The order, the rule, and the registry that define the program.

THE ORDER

Executive Order 13556

Signed in 2010, EO 13556 established the government-wide CUI Program and named the National Archives and Records Administration (NARA) as Executive Agent. NARA delegated the day-to-day role to its Information Security Oversight Office (ISOO).

THE RULE

32 CFR Part 2002

The implementing regulation. Published as a final rule on September 14, 2016 and effective November 14, 2016, it sets uniform policy for designating, marking, safeguarding, disseminating, decontrolling, and disposing of CUI across agencies.

THE LIST

The NARA CUI Registry

The government-wide online repository of every approved CUI category and subcategory, with a description and the legal authority behind each. If a category isn’t in the Registry, it isn’t CUI. Check it at archives.gov/cui.

That three-part structure — order, rule, registry — is worth internalizing. When a clause or a marking references “CUI,” it is pointing back to this framework, and the Registry is the authoritative source for what each category requires.

BASIC VS SPECIFIED

CUI Basic and CUI Specified

A common misconception: these are not two levels of sensitivity.

Every CUI category in the Registry is either Basic or Specified. The distinction is about which rules apply, not about how secret the information is.

CUI Basic

The default. The law or policy authorizing the category requires protection but doesn’t spell out controls beyond the baseline. You apply the standard handling rules in 32 CFR 2002. Category markings are encouraged but generally optional unless agency policy requires them.

CUI Specified

The authorizing law, regulation, or government-wide policy imposes specific handling that differs from the Basic baseline. Those rules govern. Because the handling is different, the category marking is mandatory and the Specified category must always appear in the CUI banner so every recipient knows it carries extra requirements.

Get this right. CUI Basic and CUI Specified are not “low” and “high.” A Specified category isn’t more sensitive — it just comes with its own statutory handling rules. Treating Specified as merely “stricter CUI” can cause you to miss controls that the underlying law actually mandates.

MARKING & HANDLING

What you’re expected to do with it

The mechanics of holding CUI day to day.

Marking and handling are how the program stays consistent across thousands of organizations. The practical expectations:

  • Recognize the markings. CUI documents carry a banner (and often a designation indicator naming the office that controlled it). The banner identifies the control level and, for Specified, the category.
  • Don’t over- or under-mark. You don’t get to decide information is CUI — the government designates it. Your job is to honor existing markings and apply them correctly when you create derivative material that contains the same CUI.
  • Limit dissemination. Share CUI only with people who have a lawful government purpose to access it, and only through channels that protect it.
  • Safeguard at rest and in transit. Lock it down physically and electronically — which is where the cybersecurity baseline (next section) kicks in.
  • Decontrol and dispose properly. CUI status can end; destruction must prevent reconstruction.

The authoritative reference for the visual mechanics is NARA’s CUI Marking Handbook. When a contract specifies handling that goes beyond these basics, the contract language controls.

THE CONTRACTOR TRIGGER

CUI on your systems triggers NIST 800-171

This is the part that costs money and wins (or loses) you contracts.

The moment your nonfederal system processes, stores, or transmits CUI, you owe a cybersecurity baseline: NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

NIST SP 800-171 is the standard for protecting the confidentiality of CUI when it lives on contractor systems rather than government ones. Revision 2 (published February 2020) organized its content into 110 security requirements across 14 families, the numbers most people still cite. Revision 3 became final on May 14, 2024 and restructured those families and their parameters. Because the two revisions differ, don’t assume the count: verify which revision your specific solicitation invokes.

For DoD work, add DFARS 252.204-7012

Defense contracts handling covered defense information layer on DFARS clause 252.204-7012, which requires implementing NIST SP 800-171 “in effect at the time the solicitation is issued” (or as authorized by the Contracting Officer), plus rapid cyber-incident reporting. DoD also expects a self-assessment score submitted to SPRS — estimate yours with our SPRS calculator. CMMC builds on this same 800-171 foundation.

Honesty note. An online tool or self-assessment is a floor, not a certification. It helps you find gaps and prioritize — it does not prove compliance, and it doesn’t replace a real assessment or legal review. Confirm the applicable revision, clauses, and any CMMC level against the actual solicitation and your Contracting Officer before you rely on a number.

BrandShyp bids federal and state IT work every week and maintains its own NIST 800-171 posture — we eat our own cooking. If you’re staring at a CUI clause and unsure what it obligates, talk to us before you respond to the solicitation.

COMMON QUESTIONS

Questions, answered

Is CUI classified information?

No. CUI is explicitly information that is NOT classified under Executive Order 13526 or the Atomic Energy Act. It sits below Secret and Top Secret but still requires safeguarding or dissemination controls under a law, regulation, or government-wide policy. The point of the CUI Program is to standardize how this sensitive-but-unclassified information is handled across the executive branch.

What is the difference between CUI Basic and CUI Specified?

They are not different levels of sensitivity. CUI Basic follows the standard handling rules in 32 CFR Part 2002. CUI Specified applies when the authorizing law, regulation, or policy requires controls that differ from the Basic baseline — and for Specified, the category marking is mandatory and must always appear in the CUI banner. Both are protected; the difference is which handling rules govern.

Does handling CUI require NIST 800-171?

Yes, on the cybersecurity side. When a nonfederal (contractor) system processes, stores, or transmits CUI, NIST SP 800-171 is the baseline for protecting its confidentiality. For Department of Defense contracts, DFARS clause 252.204-7012 adds the requirement to implement the applicable NIST SP 800-171 revision plus cyber-incident reporting. Always confirm which revision your specific solicitation invokes.

Where do I find the official list of CUI categories?

The NARA CUI Registry at archives.gov/cui is the government-wide, authoritative repository of every approved CUI category and subcategory, including a description and the legal basis for each. If a category is not in the Registry, it is not CUI. The Registry is the source of truth — not an individual marking or a third-party summary.

Who decides whether information is CUI?

The government does. A contractor cannot unilaterally declare information CUI or strip the designation. CUI is identified by the solicitation, the contract, or markings the government applies, all traceable to a category in the NARA Registry. When it is unclear whether something is CUI or which category applies, ask the Contracting Officer in writing rather than assuming.

What is the legal basis for the CUI Program?

Executive Order 13556, signed in 2010, established the program and named NARA as Executive Agent. The implementing rule, 32 CFR Part 2002, took effect November 14, 2016 and sets uniform policy for marking, safeguarding, disseminating, and disposing of CUI. The NARA CUI Registry then catalogs the approved categories. This is educational, not legal advice — verify specifics against the regulation and your solicitation.
CUI ON YOUR CONTRACT?

Turn a CUI clause into a clear compliance plan

BrandShyp helps small IT and software firms read the clause correctly, scope their NIST 800-171 obligations, and stand up a defensible posture — without overbuilding. Available nationwide and at overseas posts.