What Is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) refers to sensitive government-related data that is not classified but still requires protection under federal laws, regulations, or policies. This includes information that, if improperly disclosed, could harm national interests, critical infrastructure, or privacy.

Examples of CUI span defense and many other contexts, including legal, health, financial, critical infrastructure, and law enforcement information, such as:
- Unclassified controlled nuclear information
- Information on patent applications
- Blueprints, drawings, or plans related to defense systems
- Health records related to diagnoses
- Legal documents tied to federal cases
Why CUI Matters in 2025
In addition to the obvious nation-state interest in classified information, state-linked hackers and ransomware groups frequently seek non-classified but highly valuable data that can inform their targeting or be used to pressure victims into paying ransoms.

Protecting CUI is therefore both a national security obligation and a compliance requirement.
Best Practices For Managing CUI
Adherence to security standards for managing CUI has been patchy in recent years, as the Department of Defense Office of Inspector General has noted. Best practices for managing CUI include maintaining the required controls, such as user authentication, access control, media protection, incident response, vulnerability management, and confidentiality of information. These can present challenges even to organizations that are aware of their compliance requirements.

Key Frameworks That Govern CUI
There are a number of federal resources that can help inform your security team’s approach to compliance with proper CUI handling and management:

1. CUI Program (Executive Order 13556)
- Established in 2010 to standardize how federal agencies and contractors handle CUI
- Defines categories, marking rules, and handling procedures
- Managed by NARA
2. NIST Special Publication 800-171
- Framework for protecting CUI in non-federal systems
- Contains 110 security controls across 14 control families
- Required for contractors under the Defense Federal Acquisition Regulation Supplement (DFARS)
3. Cybersecurity Maturity Model Certification (CMMC 2.0)
- Builds on NIST 800-171 to ensure defense contractors follow controls
- Level 2 certification (and sometimes Level 3) applies to CUI environments
- Requires third-party or self-assessments based on contract
4. FISMA and FedRAMP
- Apply when CUI is stored or processed in cloud services
- Require specific federal authorizations and continuous monitoring
Examples of CUI by Category
The breach of the Office of Personnel Management (OPM) is a notorious CUI-related breach, according to the Information Security Oversight Office. Threat actors broke into OPM and stole data on current, former, and prospective federal employees and their background checks. The OPM hack affected the files of nearly 22 million people, with information ranging from Social Security Numbers to usernames and passwords.

There are countless other examples and categories of information that threat actors can steal or access that would constitute a CUI breach, such as:
- Critical Infrastructure: Information on the security of weapons storage facilities, maps or drawings of internal infrastructure
- Defense: Information related to special nuclear material facilities
- Export control: Information on export reviews or export license applications
- Financial and Tax: U.S. bank records or financial information related to security clearance eligibility
- Health: Records tied to diagnoses, drug abuse, or rehabilitation
- Intelligence: Maps of military installations or intelligence reports
- Law enforcement: Legal case information, such as audio or video from the jury’s chambers
- Privacy: Genetic tests or other health information
- Technical information: Cybersecurity plans, IP addresses, nodes, or research and engineering data
Your organization can learn more about categories and types of data considered CUI at the CUI Registry site.
How CUI Moves and Where It’s Vulnerable
CUI typically flows between federal agencies, contractors, and subcontractors through:
- Collaboration tools (such as email or shared drives)
- Procurement and grant portals
- Cloud-hosted storage and processing systems
- File transfer and backup software
- Application Programming Interfaces (APIs)
Along the way, CUI is most often exposed through:
- Misconfigured cloud storage
- File transfer tools: just two vulnerabilities in file transfer software accounted for over 63% of vulnerability-based breaches in 2024, according to SecurityScorecard breach research
- Weak or missing encryption
- Unsecured endpoints or vendor access
- Legacy tools without access controls
How SecurityScorecard Supports CUI Compliance
SecurityScorecard can help provide:
- Attack surface visibility for your environment and vendors
- Alerts for TLS misconfigurations, exposed ports, and more
- Dark web monitoring for leaked credentials or CUI-related chatter
Is CUI the same as classified information?
No. CUI is not classified under national security standards, but it is still sensitive and regulated.
Do all defense contractors need CMMC certification?
If your contract involves handling CUI, you must meet Level 2 requirements under CMMC 2.0.
How do I know if my organization handles CUI?
Review federal contracts and data-sharing agreements. Perform a data classification and mapping exercise to confirm. Check the CUI Registry site (https://www.archives.gov/cui) for more information.