Information May Be Cui In Accordance With


lawcator

Mar 15, 2026 · 7 min read


    Controlled Unclassified Information (CUI) represents a critical category of data within the U.S. federal ecosystem, governed by a specific set of rules designed to protect sensitive, yet non-classified, government information. Understanding when information may be CUI in accordance with federal regulations is not merely a compliance exercise for contractors, researchers, and grant recipients; it is a fundamental aspect of national security, economic competitiveness, and individual privacy protection. This framework ensures that sensitive data—ranging from technical specifications to personally identifiable information—receives uniform handling and safeguarding across all government agencies and their partners. Navigating this landscape requires clarity on the legal foundations, the specific categories of CUI, and the practical steps for identification and proper stewardship.

    What Exactly is CUI?

    Controlled Unclassified Information is information that requires protection under law, regulation, or government-wide policy but does not meet the criteria for classification under Executive Order 13556. Prior to the establishment of the CUI framework, agencies managed sensitive unclassified information with disparate and often conflicting markings and handling requirements, leading to confusion and inconsistent protection. The CUI program, mandated by Executive Order 13556 and implemented via the CUI Registry managed by the National Archives and Records Administration (NARA), created a single, unified system. This system standardizes how such information is marked, handled, and decontrolled. The core principle is that while the information is not "classified" (i.e., it does not require a security clearance to access), it is still controlled—its dissemination and safeguarding are restricted by law or policy. Examples include export-controlled technical data, certain law enforcement sensitive records, and critical infrastructure information.

    The Legal and Regulatory Framework

    The authority for the CUI program stems directly from Executive Order 13556, “Classified National Security Information”, which tasked NARA with overseeing the CUI program. The implementation is detailed in 32 CFR Part 2002 (the CUI regulation) and the CUI Registry. This registry is the definitive, government-wide listing of all CUI categories and subcategories, their applicable legal authorities, and specific handling requirements. For organizations doing business with the federal government, compliance is often contractually enforced. Key regulations include:

    • DFARS (Defense Federal Acquisition Regulation Supplement): Clause 252.204-7012 and the accompanying NIST SP 800-171 requirement mandate that all non-federal entities handling CUI on behalf of the Department of Defense implement specific security controls.
    • NIST SP 800-171: “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides the baseline security requirements for protecting CUI in non-federal systems.
    • FAR (Federal Acquisition Regulation): Incorporates CUI clauses into contracts across civilian agencies.

    Failure to adhere to these requirements can result in contract termination, financial penalties, and loss of future contracting opportunities.

    Categories and Subcategories of CUI

    The CUI Registry organizes information into 20 broad categories, each with specific subcategories. Understanding these is the first step in identification. Major categories include:

    1. Critical Infrastructure: Information about systems or assets whose incapacity would debilitate national security, the economy, or public health.
    2. Export Control: Technical data or software subject to the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR).
    3. Financial: Information protected by the Bank Secrecy Act or other financial privacy laws.
    4. Proprietary Business Information: Trade secrets, commercial or financial information obtained from a person and privileged or confidential.
    5. Privacy: Personally Identifiable Information (PII) and Protected Health Information (PHI) that is protected by specific statutes like the Privacy Act or HIPAA.
    6. Security: Information related to the security of federal facilities, personnel, or operations.
    7. Technical: Scientific, technical, or engineering information subject to specific controls.

    Each subcategory in the Registry cites its authorizing law or regulation (e.g., “ITAR,” “HIPAA,” “Atomic Energy Act”). This citation is crucial; it is the legal basis that makes the information CUI. If no legal authority applies, the information generally cannot be designated as CUI.

    How to Identify If Information May Be CUI

    Determining if a piece of information is CUI is a fact-based, legal determination, not a subjective one. Follow this systematic approach:

    1. Source and Context: Did the information originate from a federal agency or a federal contract? Is it being created or used under a federal award (grant, cooperative agreement)? If yes, it is highly likely to be CUI.
    2. Consult the CUI Registry: Search the official NARA CUI Registry for keywords related to your data. Identify the specific category and subcategory. The Registry will tell you the applicable legal authority and any specific handling caveats (e.g., “CUI//REL TO USA, AUS, CAN”).
    3. Check the Contract or Award Document: Federal contracts and grants will explicitly state which CUI categories are involved, often through the inclusion of specific clauses (like DFARS 252.204-7012) and by referencing the CUI Registry.
    4. Look for Markings: Legitimate CUI must be marked according to NARA guidelines. The basic marking is “CUI” followed by the category and subcategory (e.g., “CUI//PRIVACY//PII”). If you see such a marking, it is a strong indicator that the information is CUI. However, the absence of a marking does not mean the information is not CUI; it may simply be unmarked.
    5. Apply the Legal Test: Does the information fall under one of the 20 categories, and is there a specific statute, regulation, or government-wide policy that requires its protection? If the answer is yes, it is likely CUI. If no legal authority exists, it cannot be CUI.
    6. Err on the Side of Caution: When in doubt, treat the information as CUI until you can confirm otherwise. Misclassifying non-CUI as CUI is a lesser risk than mishandling actual CUI.

    Common Pitfalls in CUI Identification

    • Assuming All Sensitive Information is CUI: Not all sensitive data is CUI. For example, proprietary business information shared with the government is CUI, but the same information shared in a purely private transaction is not.
    • Ignoring Contractual Requirements: Even if information seems generic, a federal contract may require its protection as CUI.
    • Overlooking Subcategories: Some categories have very specific subcategories. For instance, not all export-controlled data is CUI; only data subject to ITAR or EAR under a federal contract or award qualifies.
    • Failing to Update Knowledge: The CUI Registry is dynamic. New categories and guidance are added as laws and policies evolve.

    Conclusion

    Identifying Controlled Unclassified Information is a critical skill for anyone working with federal data. It requires a clear understanding of the CUI framework, diligent use of the NARA CUI Registry, and careful attention to legal authorities and contractual obligations. By systematically applying these principles, organizations can ensure they handle CUI appropriately, protecting both national interests and individual privacy while complying with federal law. In an era where information is both an asset and a liability, mastering CUI identification is not just a compliance exercise—it is a cornerstone of responsible information stewardship.

    The process of identifying Controlled Unclassified Information demands both precision and adaptability. As federal policies evolve and new categories are added to the CUI Registry, organizations must remain vigilant, continuously updating their understanding and practices. This is not a static task but an ongoing responsibility that requires cross-functional collaboration—legal teams, compliance officers, IT specialists, and program managers must work together to ensure accurate identification and proper handling.

    Equally important is fostering a culture of awareness. Employees at all levels should be trained to recognize potential CUI, understand its significance, and know the correct procedures for its protection. Missteps in this area can lead to serious consequences, including legal penalties, loss of contracts, or breaches of privacy. On the other hand, over-classification can create unnecessary burdens and inefficiencies, so striking the right balance is essential.

    Ultimately, effective CUI identification is about more than compliance—it is about safeguarding the integrity of government operations and the trust of the public. By treating this responsibility with the seriousness it deserves, organizations not only meet their legal obligations but also contribute to a more secure and accountable information environment. In doing so, they uphold the highest standards of information stewardship in an increasingly complex and interconnected world.
