Controlled Unclassified Information
Also known as: CUI
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections — and at the contractual level, CMMC Level 2.
In more detail
CUI was created by Executive Order 13556 (2010) and implemented government-wide by 32 CFR Part 2002. The categories of information that qualify are maintained in the NARA CUI Registry — examples include export-controlled technical data, controlled technical information (CTI), naval nuclear propulsion information, and personally identifiable information of contract employees.
The single clearest distinguishing feature: CUI is marked. If a document does not bear a CUI banner marking, it is not CUI in the regulatory sense — even if it is sensitive.
Related terms
- Federal Contract Information
Federal Contract Information (FCI) is non-public information provided by or generated for the federal government under a contract to develop or deliver a product or service. It is the information type protected under FAR 52.204-21 and is the trigger for CMMC Level 1.
- Covered Defense Information
Covered Defense Information (CDI) is the subset of CUI that DoD specifically requires contractors to protect under DFARS 252.204-7012. It includes unclassified controlled technical information and other information that requires safeguarding when in support of a DoD contract.
- NIST SP 800-171
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security controls for protecting Controlled Unclassified Information (CUI) on non-federal systems. It is the controls catalog used at CMMC Level 2 — but is not used at Level 1, which is based on the 15 safeguarding requirements in FAR 52.204-21.
- NARA CUI Registry
The NARA CUI Registry is the official, public list of every category and subcategory of information that qualifies as Controlled Unclassified Information across the federal government. It is the authoritative source for determining whether a given type of information is CUI.
- Executive Order 13556
Executive Order 13556, signed in November 2010, established the government-wide Controlled Unclassified Information (CUI) program and designated the National Archives (NARA) as Executive Agent. It is the legal origin of the entire CUI regime and, indirectly, of NIST SP 800-171 and CMMC.