Home
Training & Education
Do I Have CUI? 8-Step Checklist to Identify Controlled Unclassified Information for DoD Contractors (2026)
Do I Have CUI? 8-Step Checklist to Identify Controlled Unclassified Information for DoD Contractors (2026)
The short answer is, “Yes, you likely have CUI if you work on DoD contracts.”
Use this 8-step checklist: Confirm the information meets a law/regulation/policy requirement → Check the official DoD CUI Registry → Apply markings if it qualifies. Print it, use it daily, and you’ll stay compliant.
Why “Do I Have CUI?” Is the #1 Question DoD Contractors Ask in 2026
Before you can mark, store, or destroy Controlled Unclassified Information (CUI), you must first know whether you actually have it. Misidentifying CUI (or missing it) is still one of the most common findings in CMMC assessments and DoD audits.
This practical 8-step checklist is built directly from DoDI 5200.48, 32 CFR Part 2002, and the official DoD CUI Registry.
The 8-Step CUI Identification Checklist Every Contractor Should Use
- Does the information belong to the Government? CUI must be created by, for, or on behalf of the U.S. Government (or received from it).
- Is it unclassified? If it’s already classified, it’s not CUI — it’s classified information.
- Does a law, regulation, or Government-wide policy require safeguarding or dissemination controls? This is the core test. CUI is defined by the government. If the answer is ever yes, it’s CUI.
- Check the Official DoD CUI Registry Search for the exact category (CTI, EXPT, PRVCY, DCRIT, etc.). If it matches, you have CUI.
- Look at your contract or statement of work Many contracts explicitly list CUI categories or include DFARS 252.204-7012 clauses.
- Review the data type Common triggers: technical drawings, PII, export-controlled data, source selection info, vulnerability data, etc.
- Decide on portion marking If only parts of the document are CUI, plan to mark those portions.
- Document your decision Keep a quick(download below). note
Quick-Reference Table: Most Common “Yes, This Is CUI” Triggers for Contractors
| Situation | Likely CUI Category | What to Do Next |
|---|---|---|
| Technical drawings or specs | CTI | Mark CUI//CTI |
| ITAR/EAR technical data | EXPT | Mark CUI//EXPT |
| Employee or customer PII | PRVCY | Mark CUI//PRVCY |
| Security plans or vulnerability info | DCRIT | Mark CUI//DCRIT |
| Solicitations or bid data | PROCACQ | Mark CUI//PROCACQ |
| Cost or budget data | FINANCIAL | Mark CUI//FINANCIAL |
5 Most Common Mistakes When Identifying CUI
- Assuming everything from the Government is CUI (not true).
- Using old FOUO/SBU logic instead of the CUI Registry.
- Marking something as CUI “just to be safe” (over-marking creates unnecessary burden).
- Forgetting that CUI can exist in emails, slides, drawings, and databases.
- Not asking the Government when unsure.
Official Sources (2026)
- DoDI 5200.48 (Controlled Unclassified Information)
- 32 CFR Part 2002 (National CUI Program)
- Official DoD CUI Registry at dodcui.mil
- December 2025 DoD CUI Identification & Marking Training Aid
Free Resources & Next Steps
Once you’ve confirmed you have CUI, the next step is proper marking. → Read our complete “How to Mark CUI in 2026” guide
Need the physical products that make compliance easy? → Shop SF-901 CUI Cover Sheets & Pads → Pre-printed CUI Banner Labels & Portion-Marking Stamps → Category-Specific Asset Tags

