Controlled Unclassified Information (CUI)
Information requiring safeguarding or dissemination controls pursuant to law or policy, but not classified. Contractors handling CUI must implement NIST SP 800-171.
Overview
Controlled Unclassified Information (CUI) is a category of government information that requires safeguarding but does not meet the threshold for classification as Confidential, Secret, or Top Secret. Established by Executive Order 13556, the CUI program standardizes how agencies mark, handle, and protect sensitive but unclassified information, replacing the patchwork of agency-specific designations like FOUO, SBU, and LES.
Why It Matters in GovCon
Contractors handling CUI must implement the 110 security controls specified in NIST SP 800-171. With the rollout of CMMC, the ability to demonstrate CUI protection through third-party assessment is becoming a prerequisite for many DoD contracts. Non-compliance can result in contract loss, False Claims Act liability, and exclusion from future awards.
Key Details
- NIST SP 800-171: The primary security standard for protecting CUI in non-federal systems, with 110 controls across 14 families.
- CMMC: The Cybersecurity Maturity Model Certification requires verified implementation of CUI protections for DoD contractors.
- CUI Registry: The National Archives maintains the CUI Registry listing all approved CUI categories and subcategories.
- Marking: CUI must be marked with appropriate banners and category designations on documents and emails.
- DFARS 252.204-7012: The DFARS clause requiring contractors to provide adequate security for CUI and report cyber incidents within 72 hours.
Related Terms
- NIST SP 800-171
- Cybersecurity Maturity Model Certification (CMMC)
- Federal Contract Information (FCI)
- DFARS 252.204-7012