Controlled Unclassified Information (CUI)
Bits of information can act like puzzle pieces that an adversary may collect, aggregate, analyze, and exploit to do harm to or gain an advantage over the U.S. Sensitive information can be especially vulnerable to compromise due to its potential for aggregation. As such, it is crucial to have robust safeguards in place to protect this type of information.
What is CUI?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
The CUI program, established by Executive Order 13556 and implemented by 32 CFR part 2002, defines the need for protection of this type of information and establishes requirements for protecting it.
Identifying CUI
Unclassified information associated with a law, regulation, or government-wide policy and identified as needing safeguarding is considered CUI. It requires access control, handling, marking, dissemination controls, and other protective measures for safeguarding.
CUI is clustered into organizational indexes (e.g., defense, privacy, proprietary) with associated categories, and is categorized by the DoD according to the specific law, regulation, or government-wide policy requiring control.
The authorized holder of a document or material is responsible for determining, at the time of creation, whether information falls into a CUI category and for applying CUI markings and dissemination instructions accordingly.
The National Archives and Records Administration (NARA) maintains the CUI Registry, which lists the authorities that require or permit safeguarding or dissemination controls for specific types of information.
CUI Responsibilities and Training Requirements
Every individual at every level, including DoD civilians, military personnel, and contractors providing support to the DoD, is required to comply with the requirements in DoDI 5200.48.
The Department of Defense (DoD) has implemented a mandatory CUI training program to educate personnel on the proper handling, protection, and dissemination of CUI. All individuals, both cleared and uncleared, who perform U.S. Government-related work could be exposed to CUI and should complete CUI training.
Reporting Requirements
- If you receive CUI and have not yet completed CUI training, contact your Facility Security Officer (FSO) immediately.
- When you receive CUI information, documents, or materials, notify your company’s FSO for awareness.
- If you find CUI that is not properly controlled or stored, you must report this to your company’s FSO.
Resources and Additional Learning
- DoD Mandatory CUI Training
- CUI Toolkit
- CUI Registry
- CUI Policies
- Executive Order 13556
- 32 CFR Part 117 (NISPOM Rule)
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO!
