What is CUI? Controlled Unclassified Information, explained

The plain-English answer to every CUI question: what it is, Basic versus Specified, who marks it, who protects it, how it is decontrolled and destroyed, and how it differs from FCI. Then the one thing that matters for a contractor, which CMMC level CUI puts you at.

Last updated July 5, 2026 · Primary sources cited

CUI in one paragraph

Controlled Unclassified Information (CUI) is information the government creates or possesses, or that someone creates for the government, that a law, regulation, or government-wide policy requires to be safeguarded, but that is not classified. It replaced a patchwork of old labels like For Official Use Only. CUI is defined by Executive Order 13556 and 32 CFR Part 2002, and its categories are listed in the National Archives CUI Registry. For a defense contractor, the practical meaning is simple: handling CUI puts you at CMMC Level 2.

The pieces of CUI, at a glance

CUI Basic

The default control level. Safeguarded to a uniform baseline: moderate confidentiality, and NIST SP 800-171 on nonfederal systems. Most CUI is Basic.

CUI Specified

A subset with extra handling rules set by the underlying law or policy, for example access limits or dissemination controls. Its rules override the Basic defaults.

Marking

A banner marking at the top of each page, the designating office, and the category. Marking makes the safeguarding obligation travel with the information.

Decontrol

CUI stops being controlled when the designating agency decontrols it, on a date, an event, or a decision. Only the designating authority can decontrol it.

Destruction

Destroyed so it is unreadable and irrecoverable: NIST SP 800-88 for media, high-security cross-cut shredding for paper. The goal is no reconstruction.

The CUI Registry

The National Archives (ISOO) maintains the official list of CUI categories, from Controlled Technical Information to Export Controlled. It is the authoritative index.

CUI vs FCI: which CMMC level you need

The two terms decide your entire compliance path. The simplest test: FCI is not marked, CUI is.

FCI only

CMMC Level 1

Non-public information a contract hands you, but nothing marked CUI. Fifteen safeguards, self-assessed.

Handling CUI

CMMC Level 2

Marked or controlled information, or a contract citing DFARS 252.204-7012. All 110 NIST SP 800-171 requirements.

CUI questions, answered

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information, or CUI, is information the U.S. government creates or possesses, or that an entity creates for the government, that a law, regulation, or government-wide policy requires to be safeguarded or controlled, but that is not classified. It replaced older labels like For Official Use Only. CUI is defined by Executive Order 13556 and 32 CFR Part 2002, and the categories are listed in the National Archives CUI Registry.

What is the difference between CUI Basic and CUI Specified?

CUI Basic is the default: information the government must control, safeguarded to a uniform standard (moderate confidentiality, NIST SP 800-171 for nonfederal systems). CUI Specified is a subset where the underlying law, regulation, or policy adds specific handling rules beyond the baseline, for example limits on who may access it or how it must be marked. If a category is Specified, its rules override the Basic defaults.

Who is responsible for applying CUI markings?

The government office that designates the information as CUI is responsible for marking it. In practice the authorized holder who creates or possesses the CUI applies the markings: a banner marking at the top of the document, the CUI category, and the name of the office that designated it. Contractors mark CUI they generate under a contract according to the guidance the government provides, often in a DD Form 254 or contract clause.

Who is responsible for protecting CUI?

Everyone who handles it. Any authorized holder, whether a federal employee or a contractor, is responsible for safeguarding CUI in their possession and for controlling how it is shared. For a defense contractor, protecting CUI on your own systems is what CMMC Level 2 verifies, through the 110 requirements of NIST SP 800-171.

How is CUI marked?

A CUI document carries a banner marking centered at the top of each page, reading CUI (or CUI//SP- with the category for Specified). It names the designating office and the applicable category, and portion markings may be used inside the document. Marking makes the control obligation travel with the information so any holder knows it must be safeguarded.

How is CUI destroyed?

CUI must be destroyed in a way that makes it unreadable, indecipherable, and irrecoverable, following the methods in NIST SP 800-88 for media and high-security cross-cut shredding for paper. The goal of destroying CUI is to ensure it cannot be reconstructed or retrieved once it is no longer needed.

What is the difference between CUI and FCI?

FCI, Federal Contract Information, is non-public information provided by or generated for the government under a contract, and it triggers CMMC Level 1 (15 safeguards). CUI is a higher tier: information the government specifically marks or controls under a law or policy, and it triggers CMMC Level 2 (110 requirements). The simplest test: FCI is not marked, CUI is. If you handle marked or controlled information, you are at Level 2.

Does handling CUI mean I need CMMC Level 2?

Yes. If your contracts hand you CUI, or cite DFARS 252.204-7012, you are in CMMC Level 2 territory and must meet the 110 requirements of NIST SP 800-171. If you handle only FCI and never touch marked CUI, you are at Level 1. Not sure which you handle? The free CMMC check reads your situation in about two minutes.

Sources: Executive Order 13556 · 32 CFR Part 2002 · NARA CUI Registry · NIST SP 800-171 r2 · NIST SP 800-88 · DFARS 252.204-7012.