CUI Classification Guide
Updated: Mar 14
Directives for Controlled Unclassified Information (CUI) have left many organizations unsure how to classify the information they hold. Executive Order 13556, signed by President Obama on November 4, 2010, established the CUI program.
The program was created so that a single, government-wide set of policies could dictate how CUI is designated, marked, safeguarded, disseminated, decontrolled and disposed of, and how agencies perform self-inspection and oversight, in place of the patchwork of agency-specific markings that preceded it.
Organizations nevertheless struggle to identify the CUI categories and to decide whether the information they hold falls under them. This guide is meant to help an organization work out whether its information is CUI, so it can take the steps the applicable laws and regulations require.
CUI is information that law, regulation or government-wide policy requires to be safeguarded or subject to dissemination controls, whether it was created or is possessed by a government agency itself, or by a separate entity that created or possesses the information for or on behalf of a federal agency.
The entity or federal agency holding it is bound by those government-wide laws, regulations and policies when handling, safeguarding, disseminating or disposing of the information. Information that is classified under Executive Order 13526, Classified National Security Information, or that is controlled under the Atomic Energy Act, is not CUI.
Why Is It Necessary For Organizations To Identify CUI?
Whether an organization is federal or nonfederal, if it holds information designated as CUI, that information must be used and protected according to the applicable requirements. Federal agencies follow 32 CFR Part 2002 and their FISMA security controls. Nonfederal organizations that store or process CUI on their own systems are typically required by contract to implement NIST SP 800-171, and Department of Defense contractors are assessed against it through the Cybersecurity Maturity Model Certification (CMMC) program.
The information must be identified and marked according to the published guidelines and policies. Failure to do so can result in sanctions for the responsible organization, depending on the type of CUI and the law found to have been violated. The National Archives and Records Administration (NARA) manages the CUI program across the federal government and is the official CUI Executive Agent. NARA has delegated the Executive Agent responsibilities to the Director of the Information Security Oversight Office (ISOO).
ISOO has released guidance for federal agencies and executive branch departments on handling, marking and safeguarding CUI. CUI matters to national security because, although it is unclassified, misuse of it can reveal exploitable vulnerabilities, expose sensitive details and jeopardize government functions.
For this reason the CUI Registry lists the categories of information that law, regulation or government-wide policy requires to be controlled, together with detailed guidance on classifying and marking information in each category.
How Can Organizations Identify If They Have CUI Information?
Although classifying information is a lengthy and cumbersome process for organizations, it is critical to safeguarding important information.
CUI can exist in any document or media form and must be categorized and marked according to the guidelines. Deciding whether a given piece of information fits a CUI category, and applying the appropriate markings, is the responsibility of an authorized holder. An authorized holder can be an agency, an organization, a group or an individual permitted to handle or designate CUI under 32 CFR Part 2002.
As the Executive Agent for CUI, NARA has released detailed guidance on handling CUI. NARA also maintains the CUI Registry, which organizations and individuals can consult to determine whether the information they hold falls into a CUI category and which legal authority governs it.
This online, government-wide repository carries federal-level guidance on CUI policy and practice. It is still incumbent on contractors and on agency personnel to consult the applicable CUI policy, their contract documents and the sponsoring agency's CUI program management office for detailed direction, including how to classify information into CUI categories and how to mark the relevant media.
Several factors determine whether information is CUI. They relate to the laws, regulations and policies governing how the information is used, obtained or processed, and whether it is associated with a federal agency such as the Department of Defense (DoD).
Many different types of information fall under the umbrella term Controlled Unclassified Information; the registry categories are listed further below. The following are common labels practitioners encounter. Some are current CUI categories, while others (such as FOUO and SBU) are legacy agency markings that the CUI program superseded but that still appear on older documents. Information of these kinds must be protected even though it is not classified.
Sensitive Personally Identifiable Information (SPII)
Controlled Technical Information (CTI), previously marked Unclassified Controlled Technical Information (UCTI)
Personally Identifiable Information (PII)
Sensitive but Unclassified (SBU), a legacy marking
Proprietary Business Information (PBI), known within the EPA as Confidential Business Information (CBI)
Law Enforcement Sensitive (LES), a legacy marking
For Official Use Only (FOUO), a legacy marking, and others.
Categories Of CUI
According to the CUI Registry, all Controlled Unclassified Information falls under 20 broad "Organizational Index Groupings," which are further divided into a total of 124 categories at the time of writing; the count changes as the registry is updated. For each category the registry cites the law, regulation or government-wide policy that authorizes control, the handling requirements that apply, and the sanctions that can follow a violation.
CUI is also divided into CUI Basic and CUI Specified. If the law, regulation or policy authorizing control of a type of information also spells out specific handling or dissemination requirements (and often sanctions for failing to follow them), that information is CUI Specified.
If the authorizing law, regulation or policy requires the information to be controlled but does not prescribe specific handling controls, the information is CUI Basic and is protected under the uniform baseline controls of 32 CFR Part 2002. The difference is therefore not one of sensitivity level: CUI Specified is not a "higher" grade of CUI, but a category whose governing authority imposes its own, sometimes stricter or simply different, handling requirements on top of the baseline.
The categories listed in the CUI Registry, as reflected in the DoD CUI registry, are as follows:
Chemical-terrorism Vulnerability Information
Critical Energy Infrastructure Information
General Critical Infrastructure Information
Information Systems Vulnerability Information
Physical Security (PHYSEC)
Protected Critical Infrastructure Information
SAFETY Act Information
Controlled Technical Information
DoD Critical Infrastructure Security Information
Naval Nuclear Propulsion Information
Unclassified Controlled Nuclear Information - Defense (UCNI)
Export Controlled Research
Electronic Funds Transfer (EFT)
Financial Supervision Information
General Financial Information
International Financial Institutions
Foreign Intelligence Surveillance Act (FISA)
FISA Business Records
Geodetic Product Information
Intelligence Financial Records
International Agreement Information
Criminal History Records Information
General Law Enforcement
Law Enforcement Financial Records
National Security Letter
Pen Register/Trap & Trace
Sex Crime Victim
Federal Grand Jury
Natural and Cultural Resources
North Atlantic Treaty Organization (NATO)
Nuclear Recommendation Material
Nuclear Security-Related SRI Information
Inspector General Protected
Military Personnel Records
Procurement and Acquisition
General Procurement and Acquisition
Small Business Research and Technology
Proprietary Business Information
Entity Registration Information
General Proprietary Business Information
Ocean Common Carrier and Marine Terminal Operator Agreements
Ocean Common Carrier Service Contracts
Operations Security Information (OPSEC)
Personnel Security Information (PERSEC)
Sensitive Personally Identifiable Information (SPII)
Federal Taxpayer Information
Railroad Safety Analysis Records
Sensitive Security Information
Appropriate use, handling and dissemination of information are crucial to national security and to sound information management, and this is especially true for Controlled Unclassified Information. Under 32 CFR Part 2002 and the CUI Marking Handbook, CUI must be identified and marked at the time it is created, by the designating agency or another authorized holder, regardless of the document or media it resides on. NIST SP 800-171 and CMMC then govern how a nonfederal organization protects that information once it is on its systems.
The guidelines for categorizing, marking and handling CUI are set by the National Archives and Records Administration (NARA) in its role as Executive Agent (EA) for Controlled Unclassified Information. Organizations must follow them to ensure the information they handle is categorized correctly.
To confirm that their categorizations and markings are correct, organizations should refer to the CUI Registry, whose detailed index groupings and categories define which type of information belongs where and which laws and sanctions apply to it. The registry also offers supporting resources, and the CUI program management office of the sponsoring agency can provide additional assistance.