Do I Have CUI? 8-Step Checklist to Identify Controlled Unclassified Information for DoD Contractors (2026)

The short answer is, “Yes, you likely have CUI if you work on DoD contracts.” 

Use this 8-step checklist: Confirm the information meets a law/regulation/policy requirement → Check the official DoD CUI Registry → Apply markings if it qualifies. Print it, use it daily, and you’ll stay compliant.

Why “Do I Have CUI?” Is the #1 Question DoD Contractors Ask in 2026

Before you can mark, store, or destroy Controlled Unclassified Information (CUI), you must first know whether you actually have it. Misidentifying CUI (or missing it) is still one of the most common findings in CMMC assessments and DoD audits.

This practical 8-step checklist is built directly from DoDI 5200.48, 32 CFR Part 2002, and the official DoD CUI Registry.

The 8-Step CUI Identification Checklist Every Contractor Should Use

  1. Does the information belong to the Government? CUI must be created by, for, or on behalf of the U.S. Government (or received from it).
  2. Is it unclassified? If it’s already classified, it’s not CUI — it’s classified information.
  3. Does a law, regulation, or Government-wide policy require safeguarding or dissemination controls? This is the core test. CUI is defined by the government. If the answer is ever yes, it’s CUI.
  4. Check the Official DoD CUI Registry Search for the exact category (CTI, EXPT, PRVCY, DCRIT, etc.). If it matches, you have CUI.
  5. Look at your contract or statement of work Many contracts explicitly list CUI categories or include DFARS 252.204-7012 clauses.
  6. Review the data type Common triggers: technical drawings, PII, export-controlled data, source selection info, vulnerability data, etc.
  7. Decide on portion marking If only parts of the document are CUI, plan to mark those portions.
  8. Document your decision Keep a quick(download below). note

Quick-Reference Table: Most Common “Yes, This Is CUI” Triggers for Contractors

Situation Likely CUI Category What to Do Next
Technical drawings or specs CTI Mark CUI//CTI
ITAR/EAR technical data EXPT Mark CUI//EXPT
Employee or customer PII PRVCY Mark CUI//PRVCY
Security plans or vulnerability info DCRIT Mark CUI//DCRIT
Solicitations or bid data PROCACQ Mark CUI//PROCACQ
Cost or budget data FINANCIAL Mark CUI//FINANCIAL


5 Most Common Mistakes When Identifying CUI

  1. Assuming everything from the Government is CUI (not true).
  2. Using old FOUO/SBU logic instead of the CUI Registry.
  3. Marking something as CUI “just to be safe” (over-marking creates unnecessary burden).
  4. Forgetting that CUI can exist in emails, slides, drawings, and databases.
  5. Not asking the Government when unsure.

Official Sources (2026)

  • DoDI 5200.48 (Controlled Unclassified Information)
  • 32 CFR Part 2002 (National CUI Program)
  • Official DoD CUI Registry at dodcui.mil
  • December 2025 DoD CUI Identification & Marking Training Aid

Free Resources & Next Steps

Once you’ve confirmed you have CUI, the next step is proper marking. → Read our complete How to Mark CUI in 2026” guide 

Need the physical products that make compliance easy? → Shop SF-901 CUI Cover Sheets & Pads → Pre-printed CUI Banner Labels & Portion-Marking Stamps → Category-Specific Asset Tags

Share information about your brand with your customers. Describe a product, make announcements, or welcome customers to your store.