N2CON TECHNOLOGY

CUI Categories and Examples

Controlled Unclassified Information (CUI) is the foundation of CMMC compliance. Get scoping wrong and you either over-invest in unnecessary controls or face assessment failures from missed requirements.

Note: This is general information and not legal advice.

Last reviewed: March 2026

Executive Summary

What CUI is
Information the government creates or owns that requires safeguarding but is not classified under Executive Order 13526. Defined in 32 CFR Part 2002.
Why scoping matters
  • Scope determines which systems need CMMC controls.
  • Over-scoping increases cost and operational burden.
  • Under-scoping creates assessment risk and potential contract issues.
Key principle
  • When in doubt, assume it applies until you can confirm otherwise.
  • The government designates CUI. You identify and protect it.
How proper scoping helps
  • Reduces compliance burden by limiting scope to actual CUI.
  • Enables enclave strategies when only part of the business touches CUI.
  • Creates defensible evidence for assessors.

What Counts as CUI

CUI is defined in 32 CFR Part 2002 as information that requires safeguarding or dissemination controls under federal law, regulation, or government-wide policy. It is not classified, but it is not public either.

The key distinction: the government decides what is CUI. As a contractor, you identify and protect information the government has designated, rather than making your own designations.

CUI vs FCI

Two categories of controlled information appear in DoD contracts:

  • CUI (Controlled Unclassified Information): Requires protection under NIST SP 800-171. Identified by specific categories in the CUI Registry.
  • FCI (Federal Contract Information): Information not intended for public release but not meeting CUI criteria. Requires basic safeguarding under FAR 52.204-21.

Your contract clauses tell you which applies. DFARS 252.204-7012 indicates CUI. FAR 52.204-21 indicates FCI.

How to Identify CUI in Your Environment

  1. Check contract clauses: DFARS 252.204-7012 is the primary indicator.
  2. Look for markings: Documents marked "CUI" or with category-specific banners.
  3. Review CDRLs: Contract Data Requirements Lists often specify CUI deliverables.
  4. Check DD Form 254: For classified contracts, this form identifies CUI categories.
  5. Ask your contracting officer: When uncertain, get written clarification.

DoD CUI Registry Categories

The CUI Registry maintained by the National Archives defines all authorized categories. Below are the major categories with practical examples of what each covers in defense contracting contexts.

Critical Infrastructure

Information about systems whose disruption would impact national security, economic security, or public health and safety.

  • Power grid operations data shared with defense facilities
  • Telecommunications infrastructure maps for military installations
  • Water system schematics for bases or critical government facilities

Defense

Military plans, capabilities, and operations information not otherwise classified.

  • Technical specifications for weapons systems components
  • Military base access procedures and perimeter security details
  • Logistics data for troop movements or supply chains

Export Control

Technical data subject to ITAR (International Traffic in Arms Regulations) or EAR (Export Administration Regulations).

  • Engineering drawings with ITAR-controlled dimensions and materials
  • Software source code for defense applications with export restrictions
  • Performance data for missile or aircraft systems

Financial

Financial information requiring protection under law or regulation.

  • Cost accounting data submitted under government contracts
  • Bid and proposal financial details on sensitive programs
  • Audit reports with sensitive findings

Immigration

Information related to immigration status, benefits, or enforcement.

  • Employee visa documentation for cleared personnel
  • Citizenship verification records for security clearances
  • Immigration case files handled by government contractors

Intelligence

Intelligence-related information not meeting classification thresholds.

  • Open-source intelligence collection methodologies
  • Intelligence community contracting requirements
  • Threat indicator data shared with defense contractors

International Agreements

Information related to treaties, alliances, and international partnerships.

  • NATO interoperability requirements for defense systems
  • Coalition sharing agreements and restrictions
  • Foreign military sales documentation

Law Enforcement

Information related to law enforcement investigations or operations.

  • Background investigation data for security clearances
  • Incident reports involving government facilities
  • Investigative support materials provided to contractors

Legal

Legal information protected by privilege or statute.

  • Attorney-client privileged communications on government matters
  • Litigation materials involving government contracts
  • Legal opinions on classified program operations

Nuclear

Nuclear-related information not meeting Restricted Data or Formerly Restricted Data classification.

  • Nuclear facility security plans for contractor-operated sites
  • Radiological emergency response procedures
  • Nuclear materials tracking and inventory data

Patent

Patent application information requiring protection.

  • Patent applications for defense-related inventions under secrecy orders
  • Invention disclosures with national security implications
  • Patent search results on sensitive technologies

Privacy

Personally identifiable information (PII) requiring protection under the Privacy Act.

  • Employee personnel records for government contract work
  • Security clearance application data (SF-86 content)
  • Medical records for employees in government programs

Procurement and Acquisition

Acquisition-sensitive information that could affect contract competition.

  • Source selection information and evaluation criteria
  • Pre-award cost estimates and independent government cost estimates
  • Contract negotiation strategies and pricing data

Proprietary Business Information

Commercial or financial information that is privileged or confidential.

  • Company trade secrets shared with government under contract
  • Proprietary manufacturing processes for defense components
  • Competitive pricing and cost structures

Statistical

Statistical data protected from disclosure under law.

  • Census-style data collected under government contracts
  • Statistical analysis with privacy-protected source data
  • Survey results with confidentiality guarantees

Tax

Tax information protected under internal revenue laws.

  • Tax return data for government contractors under audit
  • Tax identification information in payroll systems
  • Tax compliance documentation for government programs

Transportation

Transportation security information requiring protection.

  • Shipping routes for sensitive government cargo
  • Transportation security plans for hazardous materials
  • Logistics schedules for defense supply chains

CUI Marking Requirements

Proper marking is both a compliance requirement and a practical tool for scoping. If documents are not marked, you cannot reliably identify CUI in your environment.

CUI documents must include banners at the top and bottom of each page:

  • Header: "CUI" or "CUI//[Category]" (e.g., "CUI//SP-SSEL" for Procurement Sensitive)
  • Footer: Same designation as header, plus handling instructions when required
  • Format: Banners should be clearly visible, typically in a designated font and size

Portion Markings

Within documents, individual portions (paragraphs, sections, figures) containing CUI should be marked:

  • Format: "(CUI)" or "(CUI//Category)" at the beginning of each controlled portion
  • Purpose: Allows partial document sharing when only some content is controlled
  • Example: "(CUI) This paragraph contains controlled technical specifications..."

Common Marking Mistakes

  • Missing banners: CUI content without top/bottom designations
  • Inconsistent categories: Using wrong or outdated category codes
  • Over-marking: Marking entire documents as CUI when only portions qualify
  • Legacy markings: Failing to update from old FOUO or other deprecated markings
  • Email markings: Not marking email chains where CUI content appears in replies

Scoping Methodology

Scoping is the process of identifying where CUI lives, how it flows, and who touches it. Get this right and your compliance effort scales to actual risk. Get it wrong and you either over-spend or face assessment gaps.

Data Discovery Approach

  1. Contract inventory: List all contracts with DFARS 252.204-7012 or similar clauses.
  2. Document review: Sample files from file shares, SharePoint, and email for CUI markings.
  3. System scan: Search for "CUI" in file names, content, and metadata.
  4. Interviews: Talk to program managers about what data they receive from and send to the government.
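
The "system scan" step above and the marking rules in the previous section can be automated together. The scanner below is an added example, not N2CON's tooling: it takes a constructed in-memory corpus (no real contract data; file names and text are made up), pulls any document carrying a CUI indicator into scope, and flags the marking mistakes listed above (missing banners, categories that disagree between banner and portions, legacy FOUO markings, and CUI that appears only in quoted email replies).

```python
import re

# Marking patterns described on the page: a banner line "CUI" or "CUI//CATEGORY",
# a portion marking "(CUI)" or "(CUI//CATEGORY)", and deprecated legacy markings.
CATEGORY = r"[A-Z0-9-]+(?:/[A-Z0-9-]+)*"
BANNER = re.compile(rf"^\s*CUI(?://({CATEGORY}))?\s*$")
PORTION = re.compile(rf"\(CUI(?://({CATEGORY}))?\)")
LEGACY = re.compile(r"\b(FOUO|FOR OFFICIAL USE ONLY)\b")

def scan_document(text: str) -> dict:
    """Classify one document's markings: in_scope, category codes seen, marking mistakes found."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = BANNER.match(lines[0]) if lines else None      # banner on first line
    footer = BANNER.match(lines[-1]) if len(lines) > 1 else None
    portions = PORTION.findall(text)                         # '' for a bare "(CUI)" portion
    legacy = LEGACY.findall(text)
    # Banner lines inside quoted (">") reply text: CUI carried into an email chain.
    quoted = [m for m in (BANNER.match(ln.lstrip("> ")) for ln in lines if ln.lstrip().startswith(">")) if m]
    in_scope = bool(header or footer or portions or legacy or quoted)
    result = {"in_scope": in_scope, "categories": set(), "issues": []}
    if not in_scope:
        return result                                        # no indicator at all: out of scope
    banner_cats = {m.group(1) for m in (header, footer) if m and m.group(1)}
    portion_cats = {c for c in portions if c}
    result["categories"] = banner_cats | portion_cats | {m.group(1) for m in quoted if m.group(1)}
    if not (header and footer):
        result["issues"].append("missing banner")
    # Header and footer disagree, or a portion names a category the banner does not carry.
    if (header and footer and header.group(1) != footer.group(1)) or not portion_cats <= banner_cats:
        result["issues"].append("inconsistent categories")
    if legacy:
        result["issues"].append("legacy marking")
    if quoted and not header:
        result["issues"].append("unmarked email chain")
    return result

def scan_corpus(docs: dict) -> dict:
    """Map file name -> finding for every document that belongs in CUI scope."""
    findings = {name: scan_document(text) for name, text in docs.items()}
    return {name: f for name, f in findings.items() if f["in_scope"]}

# Constructed sample corpus (no real contract data) covering the page's marking cases.
SAMPLE_DOCS = {
    "source_selection_memo.txt": "CUI//SP-SSEL\nEvaluation criteria ...\nCUI//SP-SSEL",
    "mixed_report.txt": "CUI\n(CUI//SP-SSEL) Pre-award estimate ...\nPublic schedule.\nCUI",
    "old_notice.txt": "FOR OFFICIAL USE ONLY\nLegacy notice text.\nFOUO",
    "reply.eml": "Thanks, see below.\n> CUI//SP-SSEL\n> (CUI) Pricing details ...\n> CUI//SP-SSEL",
    "newsletter.txt": "Company picnic is Friday.",
}
```

Running `scan_corpus(SAMPLE_DOCS)` returns four of the five documents; only the unmarked newsletter stays out of scope, and each in-scope entry lists the mistakes to correct before the document is used as assessment evidence.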

System and Workflow Mapping

For each CUI category you identify, map:

  • Systems: Where CUI is stored (file servers, SharePoint, databases, SaaS tools)
  • Endpoints: Devices that access CUI (workstations, laptops, mobile devices)
  • Networks: Network segments that carry CUI traffic
  • Applications: Software that processes CUI (ERP, PLM, CAD, email)
  • People: Roles and individuals with CUI access

Third-Party and Subcontractor CUI

Extend your scope to include:

  • Subcontractors who receive CUI from you
  • Vendors with access to systems containing CUI
  • Cloud service providers hosting CUI data
  • Joint ventures and teaming partners

Document flow-down requirements in subcontracts and verify compliance through vendor risk management processes.

Documenting Your CUI Inventory

Create a CUI inventory that includes:

  • CUI categories present in your environment
  • Systems, applications, and storage locations
  • Contracts generating each CUI type
  • Access controls and user populations
  • Data flows and sharing relationships
  • Retention requirements and disposition schedules

This inventory becomes part of your System Security Plan and evidence base for assessments.

Common CUI Scoping Mistakes

Assuming "We Do Not Have CUI" Without Checking

Many organizations assume CUI only applies to classified contracts. In reality, CUI appears in a wide range of DoD work including logistics, professional services, IT support, and construction. Check contract clauses, not just clearance levels.

Missing CUI in Email, File Shares, and Cloud Storage

CUI rarely stays in one place. An engineer receives a CUI drawing, emails it to a colleague, saves it to a personal SharePoint, and shares it via a collaboration tool. Your scope must cover the entire data lifecycle, not just designated repositories.

Not Tracking CUI Shared with Vendors

When you share CUI with subcontractors or vendors, your compliance responsibility does not end. You must verify they have appropriate controls and flow-down requirements in place. Untracked vendor CUI is a common audit finding.

Over-Scoping (Treating Everything as CUI)

Some organizations respond to CUI uncertainty by treating all government contract data as CUI. This increases compliance cost and operational burden unnecessarily. Take time to categorize correctly and scope controls to actual requirements.

See our Enclave Guide for strategies to limit scope when only part of your environment touches CUI.

Common Questions

Is email with contract details CUI?

It depends on the content. Routine contract administration emails may not be CUI. But emails containing technical specifications, pricing on classified programs, or information marked as CUI by the government should be treated as CUI. When in doubt, check the contract clauses and any markings on the source material.

What about proposals and pricing information?

Proprietary Business Information (CUI category) can cover bid and proposal data, but not all proposals qualify. Source selection information and proposal details on classified or controlled programs are more likely to be CUI. The determining factor is whether the government has designated the information as requiring protection under a specific category.

Do drawings and schematics count as CUI?

Technical drawings may fall under several categories depending on content: Export Control (ITAR/EAR technical data), Defense (military specifications), or Proprietary Business Information. Check the drawing markings and contract requirements. Drawings marked with distribution statements or export control warnings should be treated as CUI.

How do I handle legacy documents with unclear markings?

Start by checking the contract that generated the documents. If the contract included DFARS 252.204-7012 or similar clauses, the documents are likely CUI. Create a crosswalk mapping legacy markings to current CUI categories. When unable to determine status, treat documents as CUI until you can confirm otherwise.

Can I store CUI in cloud services?

Yes, but the cloud environment must meet security requirements equivalent to NIST SP 800-171. This typically means FedRAMP Moderate authorization at minimum, plus any additional requirements from your contract. Document your cloud architecture, data flows, and shared responsibility model as part of your evidence.

What if a subcontractor refuses to handle CUI properly?

This is a vendor risk and contract compliance issue. You remain responsible for CUI protection throughout the supply chain. Options include: finding a different subcontractor, limiting what CUI you share with them, or requiring they achieve CMMC certification before handling CUI on your contracts. Document your due diligence.

Is internal financial data CUI?

General internal financial data is not CUI. However, financial information related to government contracts, cost accounting data submitted to the government, or financial data on classified programs may fall under the Financial or Proprietary Business Information categories. Context matters.

How often should I review my CUI scope?

At minimum, review CUI scope annually and whenever you win or lose significant contracts. Also review when contract requirements change, when you add new systems or tools, and when you onboard new subcontractors. Treat CUI scoping as an ongoing process, not a one-time exercise.

What is the difference between CUI and FCI?

CUI (Controlled Unclassified Information) requires safeguarding under specific government designations and categories. FCI (Federal Contract Information) is information not intended for public release but not meeting CUI criteria. FCI generally requires basic safeguarding under FAR 52.204-21, while CUI requires the more comprehensive NIST SP 800-171 controls.

Who decides if something is CUI?

The government agency that owns or created the information makes the CUI designation. As a contractor, you do not create new CUI designations. You identify information the government has designated as CUI and apply appropriate protections. If uncertain, ask your contracting officer for clarification.

Need help scoping CUI?

We can help you identify, categorize, and protect CUI across your environment.

Contact N2CON