Understanding Types of CUI

What is CUI

The Controlled Unclassified Information (CUI) program was established by Executive Order 13556 on November 4, 2010, and standardized the way the executive branch handles unclassified information that requires safeguarding. Prior to the CUI program, departments and agencies of the Executive Branch used agency-specific and ad hoc policies, which led to confusing and inconstant protection and or restrictive dissemination policies that created impediments to authorized information sharing. The executive order names the National Archives and Records Administration (NARA) to implement and oversee agency actions to comply with the order. Part of the executive order required NARA to establish a public CUI register, that reflects the categories and sub categories of CUI.

The Definition of CUI

CUI is defined as “Information the Government creates or possesses or that an entity creates or possess for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits and agency to handle using safeguarding or dissemination controls.”  To learn more about these controls, read our blog on DFARS in Microsoft 365

CUI does not include classified information defined in Executive Order 13526, Classified National Security Information, or information covered by the Atomic Energy Act 

Marking CUI

CUI doesn’t just magically appear with markings. As CUI can be created by the government OR those doing business with it, it is common for defense contractors to create new CUI in the process of delivering on their contracts. “The authorized holder of a document or material is responsible for determining, at the time of creation, whether the information falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly. Each organization within DoD may generate specific guidance.” The first step to managing CUI is properly marking information that requires safeguarding or dissemination controls. The primary reference for correct marking of CUI is The CUI Marking Handbook.

Limited Dissemination Control Markings

In addition to general CUI categories and specifications, CUI can also be marked with limited dissemination controls. Information can be marked with mutiple limited dissemination controls by separating them with a single forward slash.

• NOFORN - No Foreign Dissemination
• FED ONLY - Federal Employees Only
• FEDCON - Federal Employees and Contractors Only
• NOCON - No dissemination to contractors
• DL ONLY - Dissemination list controlled
• REL TO - Authorized for release to certain nationals only (Ex: REL TO USA)
• DISPLAY ONLY  - Disclosure allowed to a foreign recipient with providing a copy
• Attorney Client - Protected by attorney client privilege
• Attorney Work Product - Dissemination prohibited unless specifically permitted by overseeing attorney

Categories and Organization of CUI

NARA established the CUI Public Registry at archives.gov/cui which includes information on properly marking CUI, references for the safeguarding or Dissemination authority for each type of CUI. The CUI registry navigation is a bit cumbersome, so we have taken the time to put the index below together with direct links to the Archive.Gov documentation

Organizational Index Groups

• Critical Infrastructure
• Defense
• Export Control
• Financial
• Intelligence
• International Agreements
• Law Enforcement
• Legal
• Natural and Cultural Resources
• North Atlantic Treaty Organization (NATO)
• Nuclear
• Patents
• Privacy
• Procurement and Acquisition
• Proprietary Business Information
• Provisional
• Statistical
• Tax
• Transportation

Types of Critical Infrastructure CUI

• Ammonium Nitrate
• Chemical-terrorism Vulnerability Information
• Critical Energy Infrastructure Information
• Emergency Management
• General Critical Infrastructure Information
• Information Systems Vulnerability Information
• Physical Security (PHYSEC)
• Protected Critical Infrastructure Information
• SAFETY Act Information
• Toxic Substances
• Water Assessments

Types of Defense CUI

• Controlled Technical Information (CTI)
• DoD Critical Infrastructure Security Information
• Naval Nuclear Propulsion Information
• Unclassified Controlled Nuclear Information - Defense (UCNI)

Types of Export Control CUI

• Export Controlled
• Export Controlled Research

Types of Financial CUI

• Bank Secrecy
• Budget
• Comptroller General
• Electronic Funds Transfer (EFT)
• Financial Supervision Information
• General Financial Information
• Net Worth
• Retirement

Types of Intelligence CUI

• Foreign Intelligence Surveillance Act (FISA)
• Foreign Intelligence Surveillance Act Business Records
• General Intelligence
• Geodetic Product Information
• Intelligence Financial Records
• Internal Data
• Operations Security (OPSEC)

Types of International Agreements CUI

• International Agreement Information

Types of Law Enforcement CUI

• Accident Investigation
• Campaign Funds
• Committed Person
• Communications
• Controlled Substances
• Criminal History Records Information
• DNA
• General Law Enforcement
• Informant
• Investigation
• Juvenile
• Law Enforcement Financial Records
• National Security Letter
• Pen Register/Trap & Trace
• Reward
• Sex Crime Victim
• Terrorist Screening
• Whistleblower Identity

Types of Legal CUI

• Administrative Proceedings
• Child Pornography
• Child Victim/Witness
• Collective Bargaining
• Federal Grand Jury
• Legal Privilege
• Legislative Materials
• Presentence Report
• Prior Arrest
• Protective Order
• Victim
• Witness Protection

Types of Natural and Cultural Resources CUI

• Archaeological Resources
• Historic Properties

Types of North Atlantic Treaty Organization (NATO) CUI

• NATO Restricted
• NATO Unclassified

Types of Nuclear CUI

• General Nuclear
• Nuclear Recommendation Material
• Nuclear Security-Related Information
• Safeguards Information
• Unclassified Controlled Nuclear Information - Energy (UCNI)

Types of Patent CUI

• Patent Applications
• Inventions
• Secrecy Orders

Types of Privacy CUI

• Contract Use
• Death Records
• General Privacy
• Genetic Information
• Health Information
• Inspector General Protected
• Military Personnel Records
• Personnel Records
• Student Records

Types of Procurement and Acquisition CUI

• General Procurement and Acquisition
• Small Business Research and Technology
• Source Selection

Types of Proprietary Business Information CUI

• Entity Registration Information
• General Proprietary Business Information
• Ocean Common Carrier/Marine Terminal Operator Agreements
• Ocean Common Carrier Service Contracts
• Proprietary Manufacturer
• Proprietary Postal

Types of Provisional CUI

• Operations Security Information (OPSEC)
• Personnel Security Info (PERSEC)
• Privacy Information
• Sensitive Personally Identifiable Information (PII)

Types of Statistical CUI

• Statistical Information

Types of Tax Information CUI

• Federal Taxpayer Information
• Tax Convention
• Written Determinations

Types of Transportation CUI

• Railroad Safety Analysis Records
• Sensitive Security Information