CUI is information that must be protected but doesn’t necessarily impact national security. It requires fewer protections than classified CUI – Classified Unclassified Information, and access is based on having a lawful government purpose instead of the strict need-to-know requirement.
CUI is generally government-created or owned information that requires dissemination controls consistent with laws, regulations, and government-wide policies. It is not corporate intellectual property unless it was created for or included in requirements related to a government contract.
1. Unclassified Information
There are many categories of unclassified information that need protection from unauthorized release or disclosure.
These include technical information and technology used to support research and development, testing, and evaluation activities. It also includes data and documentation produced by federally sponsored projects at universities, research organizations or in the private sector.
It may also be sensitive because of a need to protect attorney-client and work product privileges or other legal privileges.
Unclassified information that requires handling controls is called Controlled Unclassified Information (CUI).
Authorized holders of CUI are responsible for complying with the corresponding security requirements.
2. Specified Information
Specified information is not classified, but it is sensitive and requires handling and dissemination controls. Specifically, laws, regulations, and government-wide policy can require safeguarding or dissemination controls in three ways: by providing no specific requirements.
which makes the information CUI Basic; by specifying some but not all of those requirements, which makes the information CUI Specified; or by requiring both safeguarding and dissemination control requirements, which makes the information both CUI Specified and CUI Basic.
Any documents containing specified information must be marked as such with the appropriate category markings, and the entire document must be designated as CUI.
Adding an event or date that authorizes the decontrolling of the specified information to any such documents is encouraged but not required.
These supplemental administrative markings may not appear in the CUI banner but can be incorporated into supplementary portion or segment markings or included as watermarks.
A best practice is to include a point of contact or group email address for the agency of designation on the first page of any documents containing specified information.
3. Controlled Information
Information that is unclassified but associated with a law, regulation, or government-wide policy requiring safeguarding. This information may require access control, handling, marking, dissemination controls, and other protections.
4. Basic Information
It is important for authorized holders to understand that even if their information does not bear the CUI designation indicator and/or banner markings, it could still qualify for the status of CUI if its underlying authority calls for additional safeguarding requirements or dissemination controls.
Any such requirements or restrictions are reflected in the CUI Registry Category List as either CUI Basic or CUI Specified.
Contractors must identify DoD-owned CUI via their contracting vehicle and mark any such documents, materials, or media that contain it.
