← Custodia

CUI Categories and the CUI Registry, Explained (2026)

What the CUI Registry is, how CUI categories work, and examples of the categories a defense contractor sees most (Controlled Technical Information, Export Controlled, and more), in plain English.

By David Fuentes· Compliance Officer, CustodiaJuly 5, 20266 min read

A lot of CUI confusion comes from people trying to decide for themselves whether something is controlled. You do not have to. There is an authoritative list, and its job is to answer exactly that question.

What the CUI Registry is

The CUI Registry is maintained by the Information Security Oversight Office (ISOO) at the National Archives. It is the government-wide catalog of every approved CUI category, the law or policy that authorizes each one, and how each is marked. If a type of information is CUI, it maps to a category in the Registry. If it does not appear there, it is not CUI.

How categories work

Every category traces back to an authority, a law, regulation, or government-wide policy that requires the information be controlled. Categories fall into two handling types:

TypeWhat it meansMarking
CUI BasicSafeguarded to the uniform baselineCUI
CUI SpecifiedExtra handling rules from the source authorityCUI//SP-[code]

The Registry groups categories into families such as Defense, Export Control, Privacy, Procurement and Acquisition, and Critical Infrastructure. Each family holds one or more specific categories.

Categories a defense contractor sees most

  • Controlled Technical Information (CTI): technical data with military or space application, subject to access and distribution controls. Often marked CUI//SP-CTI.
  • Export Controlled: information subject to export control laws like ITAR or EAR. Often marked CUI//SP-EXPT.
  • Critical Infrastructure: information about systems and assets whose disruption would harm security or safety.
  • Privacy: personal information the government must protect, such as records with personally identifiable information.
  • Procurement and Acquisition: sensitive source selection and contracting information.

Controlled Technical Information is the one small defense contractors encounter most. See the glossary entry for Controlled Technical Information for the details.

What is not CUI

Information the government cleared for public release is not CUI. Neither is ordinary Federal Contract Information that carries no marking and maps to no Registry category. And a contracting officer casually calling something sensitive does not make it CUI, only a written designation tied to a Registry category does.

What it means for CMMC

The category tells you how to mark and handle the information. It does not change your CMMC level. Any CUI category at all, Basic or Specified, puts you at CMMC Level 2 and the 110 requirements of NIST SP 800-171. If you handle no Registry category of CUI, you are at Level 1.

Frequently asked questions

What is the CUI Registry?

The CUI Registry is the official, government-wide catalog of Controlled Unclassified Information categories, maintained by the Information Security Oversight Office (ISOO) at the National Archives (NARA). It lists every approved CUI category, its authority, and its markings. It is the authoritative source for what counts as CUI, so categories are defined by the Registry, not by an individual's judgment.

What are examples of CUI categories?

Common categories for defense contractors include Controlled Technical Information (CTI), Export Controlled, and Critical Infrastructure information, along with broad groupings like Privacy, Procurement and Acquisition, and Law Enforcement. Each category has an authority and, for Specified categories, specific handling rules.

Who decides which CUI category applies?

The government designating agency decides, based on the law or policy that controls the information, and records it against the categories in the CUI Registry. A contractor does not choose the category on its own; it marks and handles CUI according to the government's designation.

Is Controlled Technical Information the same as CUI?

Controlled Technical Information (CTI) is one category of CUI, common on DoD contracts. It covers technical information with military or space application that is subject to controls on access and distribution. It is typically CUI Specified, marked CUI//SP-CTI, and like all CUI it puts a contractor at CMMC Level 2.

Does the CUI category change my CMMC level?

No. Any CUI category, Basic or Specified, puts you at CMMC Level 2 and the 110 requirements of NIST SP 800-171. The category affects marking and specific handling rules, not which CMMC level you owe. Handling any CUI at all means Level 2.

Keep reading
  1. CUI
    CUI Basic vs CUI Specified: The Plain-English Difference (2026)

    CUI Basic is the default control level. CUI Specified adds handling rules set by a specific law or policy. Here is how to tell which one you have, and why it barely changes your CMMC obligation.

    Read →
  2. CMMC Level 1
    CUI vs FCI: What's the Difference? (With 12 Real Examples), 2026

    FCI triggers CMMC Level 1. CUI triggers CMMC Level 2. Mix them up and you'll either over-spend by $20k or under-comply on a federal contract.

    Read →
  3. CUI
    How to Destroy CUI Correctly: The Goal, Methods, and Rules (2026)

    The goal of destroying CUI is to make it unreadable, indecipherable, and irrecoverable. Here are the approved methods for paper and digital media, and the CMMC requirement behind them.

    Read →
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)