A lot of CUI confusion comes from people trying to decide for themselves whether something is controlled. You do not have to. There is an authoritative list, and its job is to answer exactly that question.
What the CUI Registry is
The CUI Registry is maintained by the Information Security Oversight Office (ISOO) at the National Archives. It is the government-wide catalog of every approved CUI category, the law or policy that authorizes each one, and how each is marked. If a type of information is CUI, it maps to a category in the Registry. If it does not appear there, it is not CUI.
How categories work
Every category traces back to an authority: a law, regulation, or government-wide policy that requires the information be controlled. Categories fall into two handling types:
| Type | What it means | Marking |
|---|---|---|
| CUI Basic | Safeguarded to the uniform baseline | CUI |
| CUI Specified | Extra handling rules from the source authority | CUI//SP-[code] |
The Registry groups categories into families such as Defense, Export Control, Privacy, Procurement and Acquisition, and Critical Infrastructure. Each family holds one or more specific categories.
Categories a defense contractor sees most
- Controlled Technical Information (CTI): technical data with military or space application, subject to access and distribution controls. Often marked CUI//SP-CTI.
- Export Controlled: information subject to export control laws like ITAR or EAR. Often marked CUI//SP-EXPT.
- Critical Infrastructure: information about systems and assets whose disruption would harm security or safety.
- Privacy: personal information the government must protect, such as records with personally identifiable information.
- Procurement and Acquisition: sensitive source selection and contracting information.
Controlled Technical Information is the one small defense contractors encounter most. See the glossary entry for Controlled Technical Information for the details.
What is not CUI
Information the government cleared for public release is not CUI. Neither is ordinary Federal Contract Information that carries no marking and maps to no Registry category. And a contracting officer casually calling something sensitive does not make it CUI; only a written designation tied to a Registry category does.
What it means for CMMC
The category tells you how to mark and handle the information. It does not change your CMMC level. Any CUI category at all, Basic or Specified, puts you at CMMC Level 2 and the 110 requirements of NIST SP 800-171. If you handle no Registry category of CUI, you are at Level 1.
Frequently asked questions
What is the CUI Registry?
The CUI Registry is the official, government-wide catalog of Controlled Unclassified Information categories, maintained by the Information Security Oversight Office (ISOO) at the National Archives (NARA). It lists every approved CUI category, its authority, and its markings. It is the authoritative source for what counts as CUI, so categories are defined by the Registry, not by an individual's judgment.
What are examples of CUI categories?
Common categories for defense contractors include Controlled Technical Information (CTI), Export Controlled, and Critical Infrastructure information, along with broad groupings like Privacy, Procurement and Acquisition, and Law Enforcement. Each category has an authority and, for Specified categories, specific handling rules.
Who decides which CUI category applies?
The government designating agency decides, based on the law or policy that controls the information, and records it against the categories in the CUI Registry. A contractor does not choose the category on its own; it marks and handles CUI according to the government's designation.
Is Controlled Technical Information the same as CUI?
Controlled Technical Information (CTI) is one category of CUI, common on DoD contracts. It covers technical information with military or space application that is subject to controls on access and distribution. It is typically CUI Specified, marked CUI//SP-CTI, and like all CUI it puts a contractor at CMMC Level 2.
Does the CUI category change my CMMC level?
No. Any CUI category, Basic or Specified, puts you at CMMC Level 2 and the 110 requirements of NIST SP 800-171. The category affects marking and specific handling rules, not which CMMC level you owe. Handling any CUI at all means Level 2.