CUI 101: What Controlled Unclassified Information Really Is (and Why It Matters)
If you work with the Department of Defense (DoD) or support the Defense Industrial Base (DIB), you’ve almost certainly heard the term CUI—but it’s also one of the most misunderstood concepts in compliance. Understanding Controlled Unclassified Information (CUI) is foundational to DFARS, NIST SP 800-171, and CMMC compliance.
This guide breaks it down clearly and practically.
What Is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is information that:
- The U.S. Government creates or possesses, or
- A non-federal organization creates or possesses for or on behalf of the Government,
AND
- A law, regulation, or Government-wide policy requires or permits safeguarding or dissemination controls.
This definition comes directly from 32 CFR § 2002.4(h) and is reinforced through DFARS, DoD Instructions, and the CUI Registry.
Key takeaway:
CUI is not classified—but it is controlled.
Practical tip: Once information is identified as CUI, it must be clearly marked. Many organizations start with standardized CUI coversheets, document labels, and folder markings to ensure consistent handling across teams.
A Critical Clarification: The DoD Decides What Is CUI
One of the biggest myths is that contractors decide what qualifies as CUI.
That’s not how it works.
According to DoD Procurement Toolbox Cybersecurity FAQ 22:
Any information provided by or developed for the DoD that requires safeguarding or dissemination controls—consistent with law and regulation—must be protected in accordance with DFARS 252.204-7012.
The CUI Registry exists to define authorized categories and subcategories of information that require protection.
Contractors do not invent CUI categories. They are responsible for recognizing and protecting CUI once it exists.
CUI Is NOT “Only Documents”
Because CUI exists beyond documents, organizations often need CUI labels, asset tags, and signage to properly mark non-paper formats such as media, storage locations, and controlled spaces.
Another common misconception is that CUI only applies to formal documents or files.
In reality, CUI is information—regardless of format.
Per OMB Circular A-130, information includes:
- Textual data
- Numerical data
- Graphics
- Engineering drawings
- Cartographic data
- Electronic files
- Audio or visual media
- Presentations and discussions
If the information qualifies, the format does not matter.
Common Types of CUI You’ll Encounter
Each of the CUI types below typically requires visible, durable marking—from engineering drawings and data packages to storage areas and secure workspaces.
Within the DoD environment, CUI commonly includes:
- Engineering Information
- Technical Information
- Controlled Technical Information (CTI)
Let’s break these down.
Engineering Information
Engineering information includes data used for:
- Design
- Development
- Testing
- Manufacturing
- Acceptance
- Training
- Operation
- Maintenance
- Overhaul
Examples include:
- Engineering drawings
- Bills of Materials (BOMs)
- Parts lists and data lists
- Manufacturer specifications
- Data sheets
- Test reports
- Technical manuals
- Engineering change documents
- Technical data packages
Source: DoDI 5230.24
Technical Information
Technical information is broader and includes any technical data or software that can be used or adapted for:
- Design
- Production
- Manufacturing
- Assembly
- Repair
- Engineering
- Development
- Testing
- Reconstruction
It also includes technologies that:
- Advance the state of the art, or
- Establish a new capability with significant military applicability
Source: DoDI 5230.24
Controlled Technical Information (CTI)
CTI is technical information with military or space applications that is subject to controls on:
- Access
- Use
- Reproduction
- Modification
- Performance
- Display
- Release
- Disclosure
- Distribution
CTI often overlaps with export control (ITAR/EAR) considerations.
CUI Media: More Than Files
Marking physical CUI media is one of the most frequently missed areas during assessments. CUI media labels, removable media markings, and workstation signage help demonstrate consistent control to assessors.
Under CMMC and NIST SP 800-171, CUI media can include anything that:
- Enables access to or reproduction of a part, item, or product
- Represents fit, form, or function
- Accurately conveys controlled technical details
This includes:
- Documents
- Images and photographs
- Graphics
- Presentations
- Discussions
- Engineering data
- Digital or physical media
Any medium, system, conversation, or activity that involves CUI—whether by access, transmission, or discussion—falls under CUI handling requirements.
What About Commercial (COTS) Items?
When commercial items become DoD-modified or tied to controlled drawings, organizations often need part labeling, storage bin labels, and controlled area signage to prevent accidental disclosure.
Commercial-Off-The-Shelf (COTS) items are generally exempt.
However, COTS items can become CUI when:
- They are modified
- They are customized for DoD use
- They are included in a DoD-unique Bill of Materials
- They are tied to controlled engineering or technical data
Context matters. A commercial bolt may not be CUI—but a bolt modified to DoD specifications, tied to controlled drawings, very well could be.
Why This Matters (Especially for CMMC)
Assessors routinely look for physical evidence of CUI handling—such as marked documents, restricted-area signs, visitor control signage, and properly labeled storage locations.
CUI identification and protection sit at the core of:
- DFARS 252.204-7012
- NIST SP 800-171
- CMMC Level 2
If you don’t correctly identify CUI:
- You can’t mark it properly
- You can’t protect it properly
- You can’t demonstrate compliance
And that’s one of the most common audit findings.
Final Takeaway: CUI Is About Information Control
Strong CUI programs combine policy, training, and physical marking. Using standardized CUI signage, labels, coversheets, and compliance kits makes CUI handling obvious, repeatable, and audit-ready.
CUI is not about paperwork—it’s about protecting sensitive government information across its entire lifecycle.
If you:
- Create it
- Receive it
- Store it
- Process it
- Share it
You are responsible for safeguarding it.
Understanding what qualifies as CUI is the first—and most critical—step toward compliance.
Need help identifying, marking, or safeguarding CUI?
That’s exactly what we help organizations do every day.
Explore our CUI marking, signage, and physical compliance solutions at CUISupply.com and make CUI compliance clear, consistent, and audit-ready.

