What is controlled unclassified information

Definition and Purpose

Controlled Unclassified Information (CUI) represents U.S. government information requiring protection and safeguarding but not meeting the threshold for classification as a national security secret. Created under Executive Order 13556 and standardized through NARA's CUI Program, it provides a consistent framework for protecting sensitive information across federal agencies. CUI includes information that, if disclosed, could compromise operational security, personal privacy, proprietary interests, or other protected interests, yet doesn't rise to the level requiring classification review.

Categories and Types

CUI encompasses multiple categories established by federal statute and regulation. These include Controlled Technical Data (technical specifications and design information), Law Enforcement Sensitive information, Privacy information (personally identifiable information protected under privacy laws), Health information (protected health information under HIPAA), Financial information, and Proprietary information belonging to private companies or individuals. Each category has specific handling requirements and authorized recipients, limiting access to personnel with documented need-to-know.

Marking and Identification

All CUI documents must be clearly marked with the designation 'CUI' at the top and bottom of pages, along with specific category labels indicating the type of controlled information contained. The marking system ensures employees understand handling requirements and protects the information appropriately. Agencies must maintain CUI registries documenting what information they hold and how it's protected. This standardized marking system enables consistent handling across government.

Handling Requirements

CUI requires specific safeguarding protocols including authorized access only to personnel with documented need-to-know, secure transmission through approved channels (never through unsecured email), secure storage in locked facilities or encrypted digital systems, and limitation of copying to authorized personnel. Information technology systems handling CUI must meet specific cybersecurity standards. When CUI is no longer needed, agencies must securely destroy it through approved methods. Training on CUI handling is mandatory for federal employees with access.

Legal and Compliance Implications

Unauthorized disclosure of CUI violates federal law and can result in criminal prosecution, civil penalties, and employment termination. Federal employees sign confidentiality agreements acknowledging their understanding of CUI protection requirements. Contractors and consultants working with CUI must also comply with protection standards. The CUI Program audit and compliance mechanism ensures agencies maintain appropriate controls. Individuals and organizations discovered mishandling CUI face serious legal consequences reflecting the sensitive nature of this unclassified information.