What is CUI?

Controlled Unclassified Information is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.


CUI does not include classified information (see 32 CFR Part 2002.4(e)) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.


Law, regulation, or government-wide policy may require or permit safeguarding or dissemination controls of CUI in three ways (32 CFR Part 2002.4(h)):

  1. Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic.
  2. Requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified.
  3. Requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.

Each federal agency is responsible for identifying and marking its CUI in line with the National Archives and Records Administration guidelines, ensuring appropriate handling and compliance across contractors and affiliated organizations.

CUI categories, markings and safeguarding

CUI categories

The National Archives CUI Registry website identifies the groups and categories of information that may be CUI.  Information that may be CUI falls into specified groups such as: critical infrastructure, defense, export controlled, financial, immigration, intelligence, international agreements, law enforcement, legal, national or cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax and transportation. Within each group are the categories of information that would be CUI.

For example, the Defense group has the Controlled Technical Information (CTI) category. The registry provides a description of this category, along with the marking and safeguarding requirements. DoD mandates protections for CTI under regulations such as 48 CFR 252.204-7012, which requires contractors to implement controls from NIST SP 800-171 to secure this information against unauthorized access and cyber threats.

CUI markings

CUI markings alert recipients that special handling may be required to comply with law, regulation, or government-wide policy. CUI markings should be at the top of the page of the information you receive. CUI markings should be in the body of all emails if the email (or email attachments) contain CUI. CUI sent via regular mail or a mail delivery service may not have the outer envelope or box marked; however, the documents inside the envelope must be clearly marked.

If you unexpectedly receive information marked CUI via regular mail or delivery service, physically secure the information (e.g., in a locked desk drawer), do not disseminate it further, and contact Service Now Review Research Cybersecurity Requirements in Contracts/Proposals for instructions. For CUI sent via email for which a pre-arranged secure means of electronic receipt is not in place, do not download the CUI onto the ASU network or disseminate it further, and contact Service Now Review Research Cybersecurity Requirements in Contracts/Proposals for instructions.

CUI safeguarding

CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls.  Agencies handle CUI Basic according to the uniform set of controls (which may be identified in the agreement) and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified in this section), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI. (32 CFR Part 2002.4(j)).

CUI Specified is the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The National Archives CUI Registry indicates which laws, regulations, and government-wide policies include such specific requirements.  CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out specific controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls apply to those aspects of CUI Specified where the authorizing laws, regulations, and government-wide policies do not provide specific guidance (32 CFR Part 2002.4(r)).

One example of CUI Specified is information that may have military or space application, which is categorized as Controlled Technical Information. This type of information is regulated under 48 CFR 252.204-7012 and must be clearly marked as such (e.g., CUI, CUI//SP-CTI, or CONTROLLED//SP-CTI). 

NOTE – While CUI is often associated with electronic data—such as digital documents, emails or databases—it also encompasses a broad range of physical information and objects. CUI may appear in printed documents, notes, records, drawings, blueprints, and even on physical prototypes or models. For example, a research lab might handle printed technical data subject to export control, sensitive project documentation, or personally identifiable information of study participants—all of which might require the same protection as digital CUI. Moreover, physical objects like storage media and physical access tools (e.g., keys and badges) that control entry to secure CUI storage areas are also considered CUI. By recognizing that CUI extends beyond purely digital formats, organizations can take a more comprehensive approach to securing sensitive information, covering both physical and digital vulnerabilities. (See upcoming FAQs for more information.)

CUI training and resources

CITI webinar – “Controlled Unclassified Information – What It Is, Isn’t, and University Obligations”. After logging into CITI under your ASURITE at citiprogram.org, scroll to Learner Tools at the bottom of the page and click “add a course”, select the Research Security category, then select the webinar.

DoD Mandatory Controlled Unclassified Information (CUI) Training. If your award will involve CUI, this training will be required by ASU.

CUI and Distribution Statements:

DoD Distribution statements

DoD Instruction 5230.24 Distribution Statements on DoD Technical Information

National Archives CUI Registry training resources

Resources

For Assistance and Questions on CUI for sponsored research

Contact KE Research Technology Office at Service Now Review Research Cybersecurity Requirements in Contracts/Proposals for assistance if you receive unexpected CUI or a prospective sponsor wants to send you CUI. Also contact this office for specific CUI system requirements for proposal budgets and awards, receipt of CUI via email (when no contractual agreements are in place), and implementation of CUI contract-specific requirements (system security plan, etc.).

Contact KE ORSPA at [email protected] or your specific Proposal and/or Contract GCO for review of FOA/NOFO terms and conditions related to CUI for proposals and the negotiation of CUI requirements in contracts/agreements.

Contact KE Research Compliance at [email protected] for assistance with general questions or consults related to CUI, all Export Controlled CUI questions, and accessing CUI training, etc.