Controlled Unclassified Information Β· 32 CFR Part 2002 / Executive Order 13556

Controlled Unclassified Information (CUI) Marking & Handling

Also known as: CUI program, controlled unclassified information, EO 13556

What you do here: Recognize, mark, safeguard, and dispose of CUI according to the governmentwide program

At a Glance

Who it applies to
Any contractor that creates, receives, or handles CUI in performing a federal contract
What it obligates
Recognize, properly mark, safeguard, disseminate, and destroy CUI per the governmentwide standard
Governing authority
Executive Order 13556 and 32 CFR Part 2002 (NARA is the CUI Executive Agent)
The CUI Registry
NARA's public registry lists the CUI categories (e.g., Controlled Technical Information, Privacy, Procurement) and their handling rules
The stakes
Mishandling CUI breaches your safeguarding obligations (DFARS 7012 / CMMC) and can trigger incident reporting

What It Is

Controlled Unclassified Information (CUI) is the governmentwide category for information that is sensitive but not classified β€” information the government requires to be safeguarded or disseminated under a law, regulation, or governmentwide policy, but which isn't marked Confidential, Secret, or Top Secret. It was created by Executive Order 13556 (2010) and is implemented by 32 CFR Part 2002, with the National Archives and Records Administration (NARA) as the CUI Executive Agent. Before CUI, agencies used dozens of inconsistent labels β€” 'For Official Use Only' (FOUO), 'Sensitive But Unclassified' (SBU), 'Law Enforcement Sensitive,' and many others β€” with no common rules. The CUI program replaced that patchwork with a single system: a public CUI Registry (maintained by NARA) lists the approved categories β€” such as Controlled Technical Information, Privacy, Proprietary Business Information, Procurement and Acquisition, and Export Control β€” and the marking, handling, dissemination, and destruction rules for each. For a contractor, CUI matters because it's the thing all the safeguarding machinery is built to protect: the DoD calls the CUI it entrusts to contractors 'Covered Defense Information,' DFARS 252.204-7012 requires you to protect it to NIST SP 800-171, and CMMC Level 2 verifies that protection. Your obligations run to the full lifecycle: recognizing when information is CUI (often it should be marked, but you may also generate CUI yourself), marking it with the correct banner and category, storing and transmitting it only on properly safeguarded systems, sharing it only with those who have a lawful government purpose, and destroying it by approved means. In plain terms: CUI is the sensitive information; the safeguarding clauses and CMMC are how you're required to protect it.

When It Applies

  • Whenever a contract requires you to handle information the government marks β€” or that meets a CUI category β€” such as controlled technical information.
  • When you generate information in performance that itself qualifies as CUI (you may have to mark it).
  • When storing, transmitting, sharing, or destroying CUI β€” each step has governmentwide handling rules.
  • As the trigger that determines whether DFARS 252.204-7012 and CMMC Level 2 (vs. only FCI-level requirements) apply.

Key Features

FeatureWhat It Means
Governmentwide standardOne system (EO 13556 / 32 CFR Part 2002) replaced dozens of agency labels like FOUO and SBU with uniform categories and rules.
The CUI RegistryNARA maintains a public registry of approved CUI categories and the specific safeguarding and dissemination controls for each.
Full-lifecycle handlingObligations cover recognizing, marking, storing, transmitting, sharing, and destroying CUI β€” not just storage.
DoD calls its CUI 'CDI'Covered Defense Information is the DoD subset of CUI that triggers DFARS 252.204-7012 and NIST SP 800-171 protection.
The trigger for the strict regimeWhether a contract involves CUI decides whether you face only FCI-level basics or the full 800-171 / CMMC Level 2 stack.

The SDVOSB Angle

For a small SDVOSB, the most valuable CUI skill is simply recognizing it early, because whether a contract involves CUI is what flips your cybersecurity cost from cheap (FCI basics / CMMC Level 1) to expensive (NIST SP 800-171 / CMMC Level 2). Read the solicitation for a CUI or Covered Defense Information designation and any DFARS 7012 clause before you bid, and ask the contracting officer if it's ambiguous β€” discovering CUI obligations after award is a margin killer. Operationally, the single best move a small firm can make is to build a CUI 'enclave': keep CUI on a small, well-controlled subset of systems rather than letting it spread across every laptop and mailbox, so your safeguarding and CMMC assessment scope stays small and affordable. Mark and handle CUI exactly as the registry and your contract require, train the handful of employees who touch it, and flow the handling requirements to any similarly situated subcontractor who will receive it β€” a mishandling incident is both a compliance failure and, under DFARS 7012, a reportable event.

How to Comply

  1. Check the solicitation and contract for a CUI / Covered Defense Information designation before you bid.
  2. Consult NARA's CUI Registry to identify the category and its specific marking and handling rules.
  3. Keep CUI in a small, controlled enclave rather than spread across all your systems.
  4. Mark, store, transmit, share, and destroy CUI according to the registry and contract requirements.
  5. Train the employees who handle CUI and flow the handling requirements to subcontractors who receive it.

Watch Out For

  • Not recognizing CUI (including CUI you generate) and therefore under-scoping your safeguarding obligations.
  • Letting CUI sprawl across every system, which balloons your NIST SP 800-171 / CMMC assessment cost.
  • Mismarking or over-marking β€” both create compliance and dissemination problems.
  • Improper destruction β€” CUI must be destroyed by approved methods, and mishandling can be a reportable incident.

Run the Numbers

Price-to-Win Calculator β†’

Frequently Asked

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is government information that is sensitive but not classified β€” information that a law, regulation, or governmentwide policy requires to be safeguarded or restricted, but which is not marked Confidential, Secret, or Top Secret. Created by Executive Order 13556 and implemented by 32 CFR Part 2002 (with NARA as the Executive Agent), CUI replaced inconsistent agency labels like FOUO and SBU with a single governmentwide system of categories and handling rules listed in the public CUI Registry.

How is CUI related to CMMC and NIST 800-171?

CUI is the information; NIST SP 800-171 and CMMC are how you protect it. When a DoD contract requires you to handle CUI (which DoD calls Covered Defense Information), DFARS 252.204-7012 requires you to safeguard it using the NIST SP 800-171 controls, and CMMC Level 2 verifies that you have. If a contract involves only Federal Contract Information (FCI) and no CUI, the lighter FAR 52.204-21 basics and CMMC Level 1 apply instead. So identifying whether a contract involves CUI determines which cybersecurity regime β€” and cost β€” applies.

Do I have to mark CUI that my company creates?

Potentially yes. CUI obligations cover information the government provides to you and information you create or collect in performing the contract that falls within a CUI category (such as Controlled Technical Information). When you generate such information, you may be responsible for applying the correct CUI markings β€” the banner marking and category designation β€” and handling it under the registry's rules. Your contract and the government's guidance specify the categories in play; when it's unclear whether something is CUI, ask the contracting officer rather than guessing.

Primary Sources

Plain-English reference, not legal advice. Cybersecurity and information-safeguarding rules are fact-specific and change often β€” the FAR, DFARS, NIST publications, and the CMMC program rule are amended and phased in over time. Always read the current FAR/DFARS text and the safeguarding clauses in your specific contract, check the version of NIST SP 800-171 your contract requires, confirm the SPRS and CMMC requirements with the contracting officer, and consult qualified counsel or a cybersecurity professional before relying on a compliance position or making a certification.

Last updated Update cadence: Quarterly, plus on FAR/DFARS amendment, a new NIST SP 800-171 revision, or CMMC phase-in changes
Change log (1)
  1. LaunchedPublished the federal contract cybersecurity & information safeguarding requirements reference covering the obligations an SDVOSB takes on across a federal (especially DoD) set-aside β€” basic safeguarding of Federal Contract Information (FAR 52.204-21), the Section 889 covered-telecom prohibition (FAR 52.204-25), the DoD safeguarding of Covered Defense Information and 72-hour cyber-incident reporting (DFARS 252.204-7012), the NIST SP 800-171 control set with its System Security Plan and POA&M, the SPRS self-assessment score (DFARS 252.204-7019 / -7020), the CMMC program and its three levels (DFARS 252.204-7021 / 32 CFR Part 170), Controlled Unclassified Information marking and handling (32 CFR Part 2002 / EO 13556), and the emerging governmentwide FAR CUI rule β€” each with an at-a-glance quick-facts card, a when-it-applies list, a key-features table, an SDVOSB-specific angle, a how-to-comply checklist, watch-outs, FAQPage, Article, Dataset, and BreadcrumbList structured data, primary-source FAR/DFARS/CFR/NIST citations, and cross-links into the glossary, contracting systems (SPRS, SAM.gov), clauses, forms, contract types, how-to guides, FAQ, and the price-to-win and win-probability calculators.

Related Safeguarding Requirements

Systems You’ll Use

SPRS — Supplier Performance Risk System→

Clauses That Apply

FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems→

How It Plays by Contract Type

FFP β€” Firm-Fixed-Price (FFP)β†’

Terms Used on This Page

FAR

In the FAQ Knowledge Base

What VA IT contracts are available to SDVOSBs?β†’
← All Cybersecurity & Information Safeguarding Requirements