Learning Center May 27, 2025

What Is CUI (Controlled Unclassified Information)?

What Is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) refers to sensitive government-related data that is not classified but still requires protection under federal laws, regulations, or policies. This includes information that, if improperly disclosed, could harm national interests, critical infrastructure, or privacy.

Information that can qualify as CUI comes from many contexts beyond defense, including legal, health, financial, critical infrastructure, and law enforcement data. Examples include:

  • Unclassified controlled nuclear information
  • Information on patent applications
  • Blueprints, drawings, or plans related to defense systems
  • Health records related to diagnoses
  • Legal documents tied to federal cases

The U.S. National Archives and Records Administration (NARA) oversees the CUI program. Organizations that handle this data, from federal agencies to contractors and critical infrastructure operators, must follow strict security standards.

Why CUI Matters in 2025

Beyond the obvious nation-state interest in classified information, state-linked hackers and ransomware groups frequently seek non-classified but highly valuable data that can inform their targeting or pressure victims into paying ransoms.

Protecting CUI can be considered both a national security obligation and a compliance requirement.

Best Practices For Managing CUI

Adherence to security standards for managing CUI has been patchy at times in recent years, as the Department of Defense Office of Inspector General has noted. Best practices for managing CUI include maintaining the required controls, such as user authentication, user access, media protection, incident response, vulnerability management, and confidentiality of information. These can present challenges even to organizations that are aware of their compliance requirements.

Key Frameworks That Govern CUI

There are a number of federal resources that can help inform your security team’s approach to compliance with proper CUI handling and management:

1. CUI Program (Executive Order 13556)

  • Established in 2010 to standardize how federal agencies and contractors handle CUI
  • Defines categories, marking rules, and handling procedures
  • Managed by NARA

2. NIST Special Publication 800-171

  • Framework for protecting CUI in non-federal systems
  • Contains 110 security controls across 14 control families
  • Required for contractors under the Defense Federal Acquisition Regulation Supplement (DFARS)

3. Cybersecurity Maturity Model Certification (CMMC 2.0)

  • Builds on NIST 800-171 to ensure defense contractors follow controls
  • Level 2 certification (and sometimes Level 3) applies to CUI environments
  • Requires third-party or self-assessments based on contract

4. FISMA and FedRAMP

  • Apply when CUI is stored or processed in cloud services
  • Require specific federal authorizations and continuous monitoring

With SecurityScorecard, organizations can map key risk signals to compliance controls, monitor vendor issues, and prepare documentation for audits and attestations.

Examples of CUI by Category

The breach of the Office of Personnel Management (OPM) is a notorious example of a CUI breach, according to the Information Security Oversight Office. Threat actors broke into OPM and stole data on current, former, and prospective federal employees and their background checks. The OPM hack affected the files of nearly 22 million people, with information ranging from Social Security Numbers to usernames and passwords.

There are countless other examples and categories of information that threat actors can steal or access that would be considered a CUI breach, such as:

Critical Infrastructure: Information security of weapons storage facilities, maps or drawings of internal infrastructure

Defense: Information related to special nuclear material facilities

Export control: Information on export reviews or export license applications

Financial and Tax: U.S. bank record or financial information related to security clearance eligibility

Health: Records tied to diagnoses, drug abuse, or rehabilitation

Intelligence: Maps of military installations or intelligence reports

Law enforcement: Legal case information, such as audio or video from the jury’s chambers

Privacy: Genetic tests or other health information

Technical information: Cybersecurity plans, IP addresses, nodes, or research and engineering data

Your organization can learn more about categories and types of data considered CUI at the CUI Registry site.

How CUI Moves and Where It’s Vulnerable

CUI typically flows between federal agencies, contractors, and subcontractors through:

  • Collaboration tools (such as email or shared drives)
  • Procurement and grant portals
  • Cloud-hosted storage and processing systems
  • File transfer and backup software
  • Application Programming Interfaces (APIs)

Common vulnerabilities include:

  • Misconfigured cloud storage
  • File transfer tools: just two vulnerabilities in file transfer software accounted for over 63% of vulnerability-based breaches in 2024, according to SecurityScorecard breach research
  • Weak or missing encryption
  • Unsecured endpoints or vendor access
  • Legacy tools without access controls

SecurityScorecard’s Supply Chain Detection and Response (SCDR) solution can help organizations identify vulnerabilities and exposures, especially in third-party environments.

How SecurityScorecard Supports CUI Compliance

SecurityScorecard can help provide:

  • Attack surface visibility for your environment and vendors
  • Alerts for TLS misconfigurations, exposed ports, and more
  • Dark web monitoring for leaked credentials or CUI-related chatter

This insight can help inform federal contractors working to meet compliance obligations while reducing operational risk across digital supply chains.

Transform Third-Party Risk into Supply Chain Resilience

With SecurityScorecard’s Supply Chain Detection and Response (SCDR), gain actionable insights into your vendors’ security postures. Our solution empowers you to make informed decisions, ensuring compliance and strengthening your supply chain’s cybersecurity.


Frequently Asked Questions

Is CUI the same as classified information?

No. CUI is not classified under national security standards, but it is still sensitive and regulated.

Do all defense contractors need CMMC certification?

If your contract involves handling CUI, you must meet Level 2 requirements under CMMC 2.0.

How do I know if my organization handles CUI?

Review federal contracts and data-sharing agreements. Perform a data classification and mapping exercise to confirm. Check the CUI Registry site for more information.
