GLOSSARY

Controlled Unclassified Information (CUI)

Controlled Unclassified Information, or CUI, is information created or possessed by the U.S. federal government that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. CUI is data not classified as national security information or restricted data under the Atomic Energy Act, but it does require protection from unauthorized disclosure.

CUI encompasses a wide variety of unstructured, sensitive data including:

  • Personal data (e.g. personal identifiers, financial records)
  • Sensitive business information (e.g. trade secrets, commercial data)
  • Critical infrastructure information
  • Documents related to law enforcement investigations
  • Controlled technical information

CUI requirements apply both to information received directly from the government and to relevant data that companies, organizations or individuals possess or create on behalf of the government. Proper handling, marking, decontrolling and disposal of CUI are mandated to prevent unauthorized access or disclosure.

History of CUI

Prior to 2010, over 100 different policies governed the protection of unclassified information across the executive branch, resulting in inconsistent safeguarding practices and confusion. In 2010, President Obama issued Executive Order 13556 to establish the Controlled Unclassified Information (CUI) program. This created uniform categories and safeguarding requirements for sensitive unclassified government information across federal agencies.

The CUI program aims to standardize how agencies designate, mark, safeguard, and disseminate unclassified data requiring protection, while enabling authorized information sharing. Key milestones included the proposed CUI regulation in 2015, finalized in 2016, and the National Archives’ role in implementation and oversight.

The program continues evolving to address challenges in integrating CUI standards into regular agency practices while enabling lawful government information sharing.

About Symmetry Systems

Symmetry Systems is the Data+AI Security Company. We safeguard data at scale, detect threats, ensure compliance & reduce AI risks, so you can Innovate with Confidence. Our Data Security Posture Management platform is engineered specifically to address modern data security and privacy challenges at scale from the data out, providing organizations the ability to innovate with confidence. With total visibility into what data you have, where it lives, who can access it, and how it’s being used, Symmetry safeguards your organization’s data from misuse, insider threats, and cybercriminals, as well as unintended exposure of sensitive IP and personal information through use of generative AI technologies.