Which of the Following Is True of Controlled Unclassified Information
You're handling a document from a federal agency. It's not marked "Classified," but there's something about it that makes you hesitate before sharing it with your colleague. The header says "CUI" — and you're not entirely sure what that means or what you're allowed to do with it.
Sound familiar? That said, controlled Unclassified Information is one of those topics that trips up a lot of people, even those who work in or with the federal government. You're not alone. There's confusion about what it actually is, what you can do with it, and why it matters No workaround needed..
So let's clear it up Small thing, real impact..
What Is Controlled Unclassified Information
Controlled Unclassified Information — commonly shortened to CUI — is information that isn't classified but still needs protection. That's the simplest way to say it. It's not secret, it's not top secret, but it's also not meant for public consumption.
Here's what makes it official: CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. The key word there is "controls." Someone has decided this information needs to be handled carefully, even though it doesn't meet the threshold for classification And that's really what it comes down to..
The CUI program itself was established by Executive Order 13556 in 2010, and the National Archives and Records Administration (NARA) oversees it. Because of that, before this program existed, different agencies used their own labels — Law Enforcement Sensitive, For Official Use Only, Sensitive but Unclassified. That created chaos. One agency's "sensitive" might mean something completely different from another's. CUI was meant to standardize this.
CUI Basic vs. CUI Specified
Here's something that matters: not all CUI is the same. There are two main categories The details matter here..
CUI Basic is information where the safeguarding or dissemination controls come from government-wide policies. The rules are the same no matter which agency produced it.
CUI Specified is information where a specific federal agency has imposed additional controls beyond the standard ones. The designating agency gets to add extra handling requirements. This matters because if you're dealing with CUI Specified, you need to pay attention to what the originating agency specifically said about it Took long enough..
Examples of CUI
What does CUI actually look like in practice? A few examples:
- Personally identifiable information (PII) like Social Security numbers, medical records, or tax information when held by the government
- Law enforcement sensitive information that could interfere with investigations if released
- Proprietary business information that companies submit to the government during contracts or regulatory reviews
- Certain technical data related to military systems that isn't classified but could still be useful to adversaries
- Financial information about government operations that isn't public
The common thread: it's information that could cause harm if it got into the wrong hands, but the harm wouldn't rise to the level of a national security emergency.
Why It Matters
Here's why you should care about getting this right.
First, CUI is everywhere. If you work in government contracting, healthcare, law enforcement, or any field that involves federal agencies, you're going to encounter CUI. It's not some obscure category that only affects a handful of people.
Second, the rules around CUI are legally binding. Here's the thing — this isn't a suggestion. Failing to properly protect CUI can result in administrative sanctions, loss of access to future contracts, or even criminal penalties in some cases. The laws that govern specific categories of CUI — like privacy laws for PII or export control laws for certain technical data — carry real consequences Easy to understand, harder to ignore..
Third, the line between CUI and classified information is clearer than people think, but the line between CUI and public information is where things get fuzzy. A lot of people assume "if it's not classified, I can share it.On top of that, " That's not true. CUI exists precisely because some unclassified information still needs protection.
The official docs gloss over this. That's a mistake.
And honestly, this is the part most guides get wrong. They treat CUI as this abstract government category and forget that real people — contractors, grantees, state and local partners — need to actually handle this stuff day in and day out Not complicated — just consistent..
How It Works
How Information Gets Designated as CUI
Federal agencies are responsible for identifying and marking CUI within their own records and information. On the flip side, there's no central body that goes through everything and slaps a CUI label on it. Each agency decides what in their possession qualifies.
We're talking about important to understand: agencies have the authority to designate CUI, but they're supposed to do it consistently with the CUI Registry maintained by NARA. The Registry lists the approved categories and markings. Agencies can't just make up new categories on the fly Surprisingly effective..
Marking Requirements
When something is CUI, it needs to be marked. The standard format includes "CUI" in the header and footer, along with the specific category — like "CUI//SP-OP" for certain law enforcement information or "CUI//PRIV" for privacy information.
If you're handling a document that has these markings, those markings tell you what rules apply. Don't ignore them Small thing, real impact..
Who Can Access CUI
Basically where it gets practical. CUI can be shared with authorized recipients — people who have a legitimate need to know it for their official duties.
For federal employees, this is generally straightforward. If the information is relevant to your job, you can access it.
For contractors and non-federal entities, it depends on what the contract or agreement says. The federal agency that's sharing the CUI with you is supposed to ensure you have appropriate safeguards in place and that you're authorized to receive it.
Safeguarding CUI
The specific safeguards depend on the category of CUI, but the general principle is this: you need to protect it commensurate with the risk. Some CUI might just need basic physical security and access controls. Other categories — like PII — have specific requirements under laws like the Privacy Act.
The key point: there's no one-size-fits-all safeguard. You actually have to look at what category of CUI you're dealing with and apply the appropriate controls.
Common Mistakes / What Most People Get Wrong
Let me tell you about the misunderstandings I see most often.
"If it's not classified, it's public." This is probably the biggest misconception. Classified and CUI are different categories for a reason. Just because information isn't classified doesn't mean it can be released to the public. CUI exists in the space between classified and public.
"CUI markings are optional." They're not. Proper marking is how people know they're dealing with CUI in the first place. If something is CUI but isn't marked, that creates confusion and increases the risk of improper handling.
"All CUI has the same handling requirements." As I mentioned earlier, CUI Basic and CUI Specified are different. And even within categories, specific laws might add extra requirements. You can't treat all CUI the same way.
"CUI only applies to federal agencies." Wrong. Contractors, grantees, state and local governments, and anyone else who receives CUI from a federal agency has obligations too. The chain of custody matters.
"Once something is CUI, it always is." Not necessarily. CUI designations can be reviewed and changed. Information that was CUI might become publicly available later if the underlying justification for protecting it no longer applies.
Practical Tips / What Actually Works
If you're dealing with CUI in your work, here's what I'd suggest:
Know what you're looking at. When you receive a document, check the markings. If it says CUI, pay attention to the category. That category tells you what rules apply.
Ask if you're not sure. If you're uncertain whether something is CUI, or what you can do with it, ask the originating agency or your supervisor. It's better to ask than to guess wrong.
Keep track of where it is. CUI needs to be accounted for. Don't just leave it lying around. Know who has it, where it's stored, and when it's no longer needed The details matter here..
Understand your agreement. If you're a contractor or partner, your contract or agreement with the federal government should spell out your CUI obligations. Read it. Know what you agreed to That's the whole idea..
Don't over-classify and don't under-classify. Some people mark everything as CUI to be "safe." That's not helpful. Others assume nothing is CUI unless explicitly told otherwise. That's risky. The right approach is to apply the standards as they're written.
FAQ
Is CUI the same as "Sensitive but Unclassified"?
No, but it's related. Now, "Sensitive but Unclassified" was an informal term that different agencies used inconsistently. CUI was created to replace that混乱 (chaos). The official term now is CUI Turns out it matters..
Can CUI be shared with the public?
Generally no, unless there's a specific exception in the law. CUI is protected information. Sharing it publicly without authorization could violate the laws that govern that specific category of information.
What happens if I mishandle CUI?
Consequences vary depending on what happened and what category of CUI was involved. In real terms, they can range from administrative discipline to termination of contracts to criminal penalties. It's not something to take lightly.
Does CUI apply to state and local governments?
Yes, when they receive CUI from federal agencies. A state agency working on a federal grant might receive CUI as part of that work, and they'd have obligations to protect it.
How is CUI different from classified information?
Classification is based on national security damage if the information is disclosed. CUI is based on other types of harm — privacy, law enforcement interests, business confidentiality, and similar concerns. The processes, markings, and consequences are different.
The Bottom Line
Controlled Unclassified Information is information that isn't classified but still needs protection. Worth adding: it's a defined category with specific rules about marking, safeguarding, and sharing. If you work with federal information in any capacity, you'll likely encounter it Most people skip this — try not to..
The short version: pay attention to the markings, know the category, apply the right safeguards, and ask when you're unsure. It's not as complicated as it sounds once you understand what it's actually for.
And the next time you see "CUI" on a document header, you'll know exactly what that means — and what to do with it.
