Almost every CMMC conversation comes back to one three-letter acronym: CUI. It's the thing the whole framework exists to protect, and whether you handle it decides your CMMC level. Yet a lot of contractors are fuzzy on what actually counts. Here's the plain-English version.
What CUI is
Controlled Unclassified Information is unclassified information that the U.S. government still requires you to safeguard or control, under a law, regulation, or government-wide policy. It's not classified (no Secret/Top Secret), but it's not public either — it sits in the protected middle. CUI was created by Executive Order 13556 (2010) to replace a patchwork of agency-specific labels (like "FOUO") with one government-wide system, managed through the National Archives (NARA) CUI Registry.
CUI vs FCI — don't mix them up
These two get confused constantly, and the difference sets your obligations:
| Type | What it is | Maps to |
|---|---|---|
| FCI | Non-public info provided by or generated for the government under a contract | CMMC Level 1 (15 FAR safeguards) |
| CUI | Info in a government-defined protection category (e.g., technical data, export-controlled) | CMMC Level 2 (110 NIST 800-171 controls) |
Contractors routinely under-call CUI as "just FCI" and get caught short. When in doubt, treat the higher bar as the working assumption until your contracting officer confirms.
CUI Basic vs CUI Specified
CUI comes in two flavors:
- CUI Basic — the default. Protected under the standard CUI rules, with no extra handling beyond the baseline.
- CUI Specified — categories where a specific law or regulation imposes additional controls (for example, certain export-controlled or nuclear information). The marking includes the category, like CUI//SP-EXPT.
Common CUI categories for contractors
The NARA registry lists many categories; the ones defense suppliers hit most include:
- Controlled Technical Information (CTI) — technical data and drawings with military application.
- Export-Controlled — ITAR/EAR information.
- Privacy — personally identifiable information that the government requires to be protected.
- Procurement & Acquisition — sensitive contract and proposal data.
How CUI is marked
Marked CUI is hard to miss once you know the pattern:
- Banner marking at the top of each page: CUI (or CUI//SP-[category] for Specified).
- Category and dissemination markings identifying the type and any limits on who can receive it.
- Designation indicator — who designated it as CUI and how to reach them.
If a document is marked CUI, the marking is your instruction: protect it to the standard. (Unmarked information can still be CUI if it meets a category — when unsure, ask the source.)
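A small scanner helps make the Basic/Specified distinction and the banner pattern concrete. This is an added example, not code from the original page or from any CMMC tool: it parses the banner grammar described above (`CUI` alone, `CUI//SP-[category]` for Specified, and, following the NARA marking handbook's separator convention, which is an assumption beyond this page, an optional second `//` segment for dissemination controls such as NOFORN), then classifies a multi-page document by its strictest marking and flags pages that carry no banner while others do. The sample documents are constructed and contain no real CUI.

```python
"""Detect and classify CUI banner markings in plain-text documents.

Added example, not part of the original page. Banner grammar assumed:
  CUI                               -> CUI Basic
  CUI//<CAT>[/<CAT>...]             -> category markings; "SP-" prefix = CUI Specified
  CUI//<CAT>//<DISSEM>[/<DISSEM>]   -> optional limited dissemination controls
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Category and dissemination tokens are upper-case letters, digits and hyphens.
TOKEN = re.compile(r"^[A-Z][A-Z0-9-]*$")


@dataclass
class Banner:
    raw: str
    categories: List[str] = field(default_factory=list)
    dissemination: List[str] = field(default_factory=list)

    @property
    def specified(self) -> bool:
        # Any SP- category makes the whole document CUI Specified.
        return any(c.startswith("SP-") for c in self.categories)

    @property
    def level(self) -> str:
        return "CUI Specified" if self.specified else "CUI Basic"


def parse_banner(line: str) -> Optional[Banner]:
    """Return a Banner if `line` is a well-formed CUI banner, else None."""
    text = line.strip()
    segments = text.split("//")
    # Control marking must be exactly "CUI"; at most three segments:
    # control marking, category markings, dissemination controls.
    if segments[0] != "CUI" or len(segments) > 3:
        return None
    cats = segments[1].split("/") if len(segments) > 1 else []
    dissem = segments[2].split("/") if len(segments) > 2 else []
    # "CUI//" with nothing after the separator, or a malformed token, is not
    # a valid banner (so it is neither Basic nor Specified).
    if len(segments) > 1 and not cats:
        return None
    if any(not TOKEN.match(t) for t in cats + dissem):
        return None
    return Banner(raw=text, categories=cats, dissemination=dissem)


def classify_page(page: str) -> Optional[Banner]:
    """The banner sits at the top of each page: inspect the first non-empty line."""
    for line in page.splitlines():
        if line.strip():
            return parse_banner(line)
    return None


def classify_document(pages: List[str]) -> dict:
    """Summarise a document's markings by its strictest banner.

    Also lists pages lacking a banner while other pages carry one, which is a
    marking inconsistency a human should review.
    """
    banners = [classify_page(p) for p in pages]
    marked = [b for b in banners if b]
    if not marked:
        # No marking found. This is not proof the content is not CUI (unmarked
        # information can still meet a category); the scanner reports only markings.
        return {"classification": "unmarked", "cmmc_level": None, "unmarked_pages": []}
    specified = any(b.specified for b in marked)
    return {
        "classification": "CUI Specified" if specified else "CUI Basic",
        "cmmc_level": 2,  # any CUI maps to CMMC Level 2 on the page's table
        "categories": sorted({c for b in marked for c in b.categories}),
        "dissemination": sorted({d for b in marked for d in b.dissemination}),
        "unmarked_pages": [i + 1 for i, b in enumerate(banners) if b is None],
    }


# Constructed sample documents (hypothetical content, not real CUI).
SAMPLE_DOCS = {
    "drawing-pkg.txt": [
        "CUI//SP-EXPT//NOFORN\n\nPart drawing 47-A, rev 3 ...",
        "CUI//SP-EXPT//NOFORN\n\nTolerances and material spec ...",
    ],
    "vendor-memo.txt": [
        "CUI\n\nInternal memo on delivery schedule ...",
        "\n\nPage 2 continues without a banner ...",
    ],
    "lunch-menu.txt": ["Cafeteria menu, week of ..."],
}

if __name__ == "__main__":
    for name, pages in SAMPLE_DOCS.items():
        print(name, classify_document(pages))
```

Run as a script it prints one summary per sample document; in practice the same functions would sit behind a pre-share or DLP check so that anything classifying as CUI is routed into the Level 2 enclave rather than a general-purpose share. The `unmarked_pages` field matters because a document whose later pages lost their banner (after editing or printing) is still CUI in full.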
How you have to protect it
Protecting CUI isn't vague — for DoD work it's the 110 controls of NIST SP 800-171, documented in a System Security Plan. The essentials:
- Limit access to authorized people and devices, and keep CUI inside a defined boundary or enclave.
- Encrypt it in transit and at rest with FIPS-validated cryptography.
- Control the flow so CUI doesn't leak to unapproved locations.
- Log and monitor access, and handle media, marking, and disposal securely.
Scoping tightly — putting CUI in a small enclave — is the single biggest lever for keeping the effort and cost down.
CUI — frequently asked
What is CUI?
Unclassified information the government requires safeguarded under law or policy, created by EO 13556 and managed via the NARA CUI Registry. For contractors it triggers DFARS 7012 and CMMC Level 2.
CUI vs FCI?
FCI is non-public contract information (Level 1). CUI is information in a government protection category (Level 2, 110 controls). CUI is the higher bar.
How is CUI marked?
A "CUI" banner on each page (with a category for CUI Specified), category/dissemination markings, and a designation indicator. The marking tells you to protect it.
How do you protect CUI?
Limit access, keep it in a defined boundary, encrypt with FIPS-validated crypto, control flow, and log access — formalized as the 110 NIST 800-171 controls in your SSP.
Next step
If you've confirmed you handle CUI, you're Level 2 — start by finding your gaps. Calculate your SPRS score, then build your plan with the free SSP generator. Not sure whether CMMC applies at all? See do I need CMMC.