Back

Understanding Types of CUI

What is CUIThe Controlled Unclassified Information CUI program was established by Executive Order 13556httpsobamawhitehousearchivesgo...

4 min read
Published on Feb 9, 2021
Understanding Types of CUI

What is CUI

The Controlled Unclassified Information (CUI) program was established by Executive Order 13556 on November 4, 2010, and standardized the way the executive branch handles unclassified information that requires safeguarding. Prior to the CUI program, departments and agencies of the Executive Branch used agency-specific and ad hoc policies, which led to confusing and inconstant protection and or restrictive dissemination policies that created impediments to authorized information sharing. The executive order names the National Archives and Records Administration (NARA) to implement and oversee agency actions to comply with the order. Part of the executive order required NARA to establish a public CUI register, that reflects the categories and sub categories of CUI.

The Definition of CUI

CUI is defined as “Information the Government creates or possesses or that an entity creates or possess for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits and agency to handle using safeguarding or dissemination controls.”  To learn more about these controls, read our blog on DFARS in Microsoft 365

CUI does not include classified information defined in Executive Order 13526, Classified National Security Information, or information covered by the Atomic Energy Act 

Marking CUI

CUI doesn’t just magically appear with markings. As CUI can be created by the government OR those doing business with it, it is common for defense contractors to create new CUI in the process of delivering on their contracts. “The authorized holder of a document or material is responsible for determining, at the time of creation, whether the information falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly. Each organization within DoD may generate specific guidance.” The first step to managing CUI is properly marking information that requires safeguarding or dissemination controls. The primary reference for correct marking of CUI is The CUI Marking Handbook.

Limited Dissemination Control Markings

In addition to general CUI categories and specifications, CUI can also be marked with limited dissemination controls. Information can be marked with mutiple limited dissemination controls by separating them with a single forward slash.

  • NOFORN - No Foreign Dissemination
  • FED ONLY - Federal Employees Only
  • FEDCON - Federal Employees and Contractors Only
  • NOCON - No dissemination to contractors
  • DL ONLY - Dissemination list controlled
  • REL TO - Authorized for release to certain nationals only (Ex: REL TO USA)
  • DISPLAY ONLY  - Disclosure allowed to a foreign recipient with providing a copy
  • Attorney Client - Protected by attorney client privilege
  • Attorney Work Product - Dissemination prohibited unless specifically permitted by overseeing attorney

Categories and Organization of CUI

NARA established the CUI Public Registry at archives.gov/cui which includes information on properly marking CUI, references for the safeguarding or Dissemination authority for each type of CUI. The CUI registry navigation is a bit cumbersome, so we have taken the time to put the index below together with direct links to the Archive.Gov documentation

Organizational Index Groups

Types of Critical Infrastructure CUI

Types of Defense CUI

Types of Export Control CUI

Types of Financial CUI

Types of Intelligence CUI

Types of International Agreements CUI

Types of Law Enforcement CUI

Types of Legal CUI

Types of Natural and Cultural Resources CUI

Types of North Atlantic Treaty Organization (NATO) CUI

Types of Nuclear CUI

Types of Patent CUI

Types of Privacy CUI

Types of Procurement and Acquisition CUI

Types of Proprietary Business Information CUI

Types of Provisional CUI

Types of Statistical CUI

Types of Tax Information CUI

Types of Transportation CUI

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

CMMC Documentation Requirements: Avoid Assessment Failure

GIGO: Garbage In, Garbage Out: Why Documentation Can Make or Break Your CMMC Success

Strong documentation is critical to CMMC success. Learn the key evidence assessors expect and how to avoid common documentation failures.

Jul 24, 2025
5 min read
Fast-Track CMMC Certification for Urgent Contracts

How to Fast-Track CMMC Certification for Urgent Contracts with AgileThrive JumpStart

Need urgent CMMC certification? AgileThrive JumpStart accelerates compliance for DoD contractors with fast-track assessments, gap analysis, and rapid audit readiness.

Jul 21, 2025
5 min read
Defending Against Email Compromise

Defending Against Email Compromise: Safeguarding Accounting & Procurement

Discover how to defend accounting and procurement teams from email compromise in the Defense Industrial Base. Learn CMMC-aligned best practices using Microsoft 365.

Jul 15, 2025
4 min read
Technical vs. Process Controls in CMMC Compliance

Understanding Technical vs. Process Controls for CMMC Compliance

Understand the difference between technical and process controls in CMMC compliance. Learn how both work together to protect FCI and CUI data effectively.

Jul 14, 2025
4 min read
20 Essential Questions to Ask a Managed Service Provider

Top Questions to Ask Your Managed Service Provider (MSP)

Looking for a new MSP? Stay ahead with the top questions to ask—from security and scalability to pricing and offboarding. Vet your provider with confidence.

Jul 12, 2025
5 min read
Overview of CMMC 2.0 and Its Levels: DoD Compliance Guide

CMMC 2.0 Explained: Levels, Compliance Requirements, and Key Changes

CMMC 2.0 simplifies cybersecurity requirements for DoD contractors. Explore an overview of its levels, key changes from CMMC 1.0, and what each level means for compliance.

Jul 11, 2025
6 min read

Ready to Secure and Defend Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Secure. Defend. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don't want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

Secure. Defend. Thrive.

Don't want to wait for us to get back to you?

Discover more about Agile IT's range of services by reaching out

Schedule a Free Consultation