← Glossary·Data

CUI (Controlled Unclassified Information)

CMMCNIST

Federal information requiring safeguarding or dissemination controls per Executive Order 13556; protected by NIST SP 800-171.

Controlled Unclassified Information (CUI) is federal information that requires safeguarding or dissemination controls consistent with law, regulation, or government-wide policy. CUI is governed by the National Archives CUI Registry and protected per NIST SP 800-171 in non-federal systems.

Why it matters
Any DoD contractor with access to CUI must meet CMMC Level 2 (NIST 800-171). FCI-only contractors meet Level 1.

Related terms

FCI (Federal Contract Information)
Non-public information provided by or generated for the federal government under a contract; protected by FAR 52.204-21.
CMMC
DoD certification model required of defense contractors handling FCI / CUI; three levels (Foundational, Advanced, Expert).
NIST SP 800-53
NIST catalogue of 1000+ security and privacy controls for federal information systems (Rev 5).

Does your program actually cover CUI (Controlled Unclassified Information)?

Run a free ComplianceIQ audit against CMMC and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.

Free CMMC auditBack to glossary