
CUI Basic vs CUI Specified: The Plain-English Difference (2026)

CUI Basic vs CUI Specified explained in plain English: what each one is, how to tell them apart from the banner marking, the handling rules that differ, and what both mean for CMMC Level 2.

By David Fuentes · Compliance Officer, Custodia · July 5, 2026 · 8 min read

These two terms trip up almost every contractor new to Controlled Unclassified Information. They sound like security levels, as if Specified were the scarier one. That is not what they mean. The difference is about where the control rules come from, not how dangerous the information is.

What CUI Basic is

CUI Basic is the default category of Controlled Unclassified Information. When a law, regulation, or government-wide policy says information must be protected but does not spell out exactly how, it falls under CUI Basic and is safeguarded to a single uniform standard.

On a nonfederal system, that standard is NIST SP 800-171: the 110 security requirements at the heart of CMMC Level 2. Most CUI a small defense contractor sees is Basic. It is marked with a plain CUI banner at the top of the document, with no category code attached.

What CUI Specified is

CUI Specified is the subset of CUI where the authorizing law or policy goes further and imposes specific handling rules. Those rules might limit who can receive the information, require particular markings, or set dissemination controls the Basic baseline does not.

The classic examples for defense contractors are Controlled Technical Information (marked CUI//SP-CTI) and Export Controlled information (marked CUI//SP-EXPT). The SP tag stands for Specified, and the code names the category whose rules apply.

How to tell them apart

You never have to guess. The banner marking tells you which one you are holding.

| | CUI Basic | CUI Specified |
|---|---|---|
| Banner | CUI | CUI//SP-[code] |
| Control rules come from | The uniform CUI baseline | A specific law, regulation, or policy |
| Safeguarding standard | NIST SP 800-171 | NIST SP 800-171 (same baseline) |
| Extra handling | None beyond the baseline | Dissemination or access limits from the source authority |
| CMMC level | Level 2 | Level 2 (same) |

If the banner reads CUI alone, it is Basic. If it reads CUI//SP- anything, it is Specified, and you should read the category rules for the extra handling requirements. The National Archives CUI Registry lists every category and its authority.

What both mean for CMMC

Here is the part that matters most for your budget and your bid eligibility: Basic and Specified both put you at CMMC Level 2. The cybersecurity baseline is the same 110 requirements either way.

The Basic versus Specified distinction changes how you mark and share the information, not how you secure your network. So the practical takeaway is simple: if any document under your contract carries a CUI banner, Basic or Specified, you owe Level 2. If you handle no marked CUI at all, only Federal Contract Information, you are at Level 1.

What to do this week

  1. Find the banner. Open the documents the government sent you and look for CUI at the top. Note whether any carry a //SP- code.
  2. List your Specified categories. For each CUI//SP- code, look it up in the CUI Registry and note the extra handling rules.
  3. Confirm your level. Any CUI at all means Level 2. No marked CUI means Level 1.
  4. Scope it. Decide whether to build a CUI enclave before you start securing anything.
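
Steps 1 to 3 can be scripted for a folder of text exports. The sketch below is an added example, not a Custodia tool: it reads the first non-empty line of each document as the banner, sorts documents into Basic, Specified, or unmarked, collects the //SP- codes to look up in the CUI Registry, and applies the level rule stated above. The file names and contents are constructed, and the handling of several categories separated by "/" and of a trailing "//" dissemination segment is an assumption that goes beyond the two banner forms shown in this article.

```python
def classify_banner(line):
    """Return (kind, codes): kind is 'basic', 'specified', or None for no CUI banner."""
    parts = line.strip().split("//")
    # Per the article, Basic is marked "CUI" (or "CONTROLLED") with nothing attached.
    if parts[0] not in ("CUI", "CONTROLLED"):
        return None, []
    # Assumption: the second segment lists categories separated by "/";
    # any later segment (dissemination controls) is ignored here.
    cats = parts[1].split("/") if len(parts) > 1 else []
    codes = [c[3:] for c in cats if c.startswith("SP-") and len(c) > 3]
    return ("specified" if codes else "basic"), codes


def survey(docs):
    """docs maps a file name to its text; only the first non-empty line is read."""
    report = {"basic": [], "specified": [], "unmarked": [], "lookup": set()}
    for name, text in docs.items():
        first = next((ln for ln in text.splitlines() if ln.strip()), "")
        kind, codes = classify_banner(first)
        report[kind or "unmarked"].append(name)
        report["lookup"].update(codes)  # categories to read up on in the CUI Registry
    # Article's rule: any marked CUI, Basic or Specified, means Level 2; none means Level 1.
    report["cmmc_level"] = 2 if report["basic"] or report["specified"] else 1
    return report


# Constructed sample documents, not real contract material.
SAMPLE_DOCS = {
    "drawing_rev_c.txt": "CUI//SP-CTI\nBracket assembly drawing",
    "sow.txt": "\nCUI\nStatement of work",
    "export_note.txt": "CUI//SP-CTI/SP-EXPT//NOFORN\nShipping restrictions",
    "invoice.txt": "Invoice 0001\nNet 30",
}

if __name__ == "__main__":
    result = survey(SAMPLE_DOCS)
    for key in ("basic", "specified", "unmarked"):
        print(f"{key:10s} {result[key]}")
    print("look up   ", sorted(result["lookup"]))
    print("CMMC level", result["cmmc_level"])
```

A banner check like this only finds documents that were marked. Unmarked files still need a manual review against the contract.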

Frequently asked questions

What is the difference between CUI Basic and CUI Specified?

CUI Basic is the default control level: information the government must safeguard to a uniform baseline, which is moderate confidentiality, and NIST SP 800-171 on nonfederal systems. CUI Specified is a subset where the underlying law, regulation, or government-wide policy adds specific handling rules beyond that baseline, such as who may access it or how it must be marked and disseminated. If a category is Specified, its rules override the Basic defaults.

How do I tell if my CUI is Basic or Specified?

Read the banner marking. CUI Basic is marked simply CUI (or CONTROLLED). CUI Specified is marked CUI//SP- followed by the category code, for example CUI//SP-CTI for Controlled Technical Information or CUI//SP-EXPT for Export Controlled. The SP tag and category code are the signal that Specified handling rules apply.

Does CUI Specified require more security than CUI Basic?

Not necessarily more cybersecurity. The safeguarding baseline, NIST SP 800-171, is the same for both on a nonfederal system. What Specified adds is dissemination and handling rules from the source law, such as limits on who can receive it. For CMMC Level 2, both Basic and Specified are protected with the same 110 requirements.

Is CUI Specified more sensitive than CUI Basic?

Specified is not automatically more sensitive; it is more specifically regulated. The distinction is about whether a law or policy imposes particular controls, not about a higher classification. Some very sensitive information is CUI Basic, and some routine Specified categories carry extra dissemination rules mainly for legal reasons.

Do CUI Basic and CUI Specified change my CMMC level?

No. Handling either one puts you at CMMC Level 2 and the 110 requirements of NIST SP 800-171. The Basic versus Specified distinction affects how you mark and share the information, not which CMMC level you owe. If you handle any CUI, marked Basic or Specified, you are at Level 2.
