Controlled Unclassified Information (CUI)

Definition

Controlled Unclassified Information (CUI) is unclassified information that the executive branch is required to safeguard or disseminate only under specific controls, per Executive Order 13556 and 32 CFR Part 2002. The CUI Registry (archives.gov) lists approved categories: export-controlled data, PII, law-enforcement sensitive, and others. For contractors, handling CUI triggers DFARS 252.204-7012 (for DoW) or FAR 52.204-21, plus NIST SP 800-171 Rev 2 implementation, plus CMMC Level 2 where applicable.

Why It Matters

Almost every DoW contract that involves non-commercial, technical, or operational information now involves CUI. Mishandling it — storing it in unapproved cloud services, emailing it unencrypted, or failing to mark it — can trigger cure notices, contract termination, or False Claims Act liability under DoW rules that treat compliance statements as material to payment. Understanding what CUI you have, where it lives, and who has access to it is foundational cyber hygiene for defense work.

Example

A contractor receives a technical data package with CUI markings. It ensures the CUI is stored only on an NIST SP 800-171-compliant system, restricts access to cleared U.S. persons per the export-control banner, and trains staff on the CUI handling guide before opening the package.

Related Terms