Plain-English summary
A plain-English introduction to CUI, markings, the CUI Registry, and why contractors should not guess. This page is for orientation only. Always verify the official source, contract language, solicitation instructions, and qualified professional advice before making commitments.
The official idea in plain English
Controlled Unclassified Information is unclassified information that still requires safeguarding or dissemination controls under applicable law, regulation, or government-wide policy. It is not classified national-security information, but it is also not ordinary public information. That middle space is what makes CUI confusing for many small contractors.
Do not identify CUI by instinct alone
A drawing, spreadsheet, report, email, test result, or technical note may look sensitive, but that does not automatically make it CUI. At the same time, a file may look ordinary and still be controlled because of its category, marking, contract, agency instruction, or context. The NARA CUI Registry is the government-wide online repository for federal CUI guidance, but agencies and contractors should also consult agency policy and contract direction.
Why CUI changes the system conversation
When CUI is stored, processed, or transmitted in a contractor system, the discussion can move beyond basic safeguarding. NIST SP 800-171 focuses on security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations. That can affect access control, logging, media handling, configuration, training, incident response, and service-provider expectations.
A safer practice for contractors
When a customer sends controlled-looking material, do not guess silently. Ask where the information-handling requirement is stated, what markings apply, whether subcontractors may receive it, where it may be stored, whether cloud services are allowed, how long it must be retained, and what to do at contract closeout. The right answer is often buried in the contract, agency instructions, or customer security package.
Key takeaways
- CUI is unclassified but controlled information.
- Markings, categories, contracts, and agency policy matter.
- The NARA CUI Registry is an important reference, not a substitute for customer direction.
- Ask before storing or sharing questionable material.
Official sources to verify
Use these official sources for current requirements. This page is educational and may not reflect every contract-specific detail.