Controlled Unclassified Information (CUI) — Federal Marking and Safeguarding Standards
Controlled Unclassified Information (CUI) is the federal government's unified category for sensitive but unclassified information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy — but that does not meet the threshold for classification as Confidential, Secret, or Top Secret. Before 2010, federal agencies used over 100 different unofficial markings for such information — "For Official Use Only" (FOUO), "Sensitive But Unclassified" (SBU), "Law Enforcement Sensitive" (LES), "Limited Official Use," "Official Use Only," and dozens of agency-specific variants — with inconsistent standards, no government-wide definition, and no systematic oversight. Executive Order 13556 (November 4, 2010) established the CUI Program to consolidate these markings into a single, standardized framework. The implementing regulations at 32 CFR Part 2002, issued by the Information Security Oversight Office (ISOO) within the National Archives and Records Administration (NARA), establish the marking standards, safeguarding requirements, and oversight structure that all executive branch agencies must follow.
Legal Authority
- Executive Order 13556 (November 4, 2010) — Controlled Unclassified Information: established the CUI Program, designated NARA as the CUI Executive Agent, and directed all executive branch agencies to implement a standardized, registry-based framework replacing the prior proliferation of agency-specific sensitivity markings
- 44 U.S.C. § 3301 — Federal Records Act: defines federal records and establishes NARA's authority over federal records management; provides the statutory basis for NARA's role as CUI Executive Agent
- 32 CFR Part 2002 — ISOO regulations implementing E.O. 13556: establishes the CUI marking standards, safeguarding requirements, dissemination controls, and agency compliance obligations for the entire executive branch
Key Mechanics
Before 2010, federal agencies used over 100 different informal markings — "For Official Use Only" (FOUO), "Sensitive But Unclassified" (SBU), "Law Enforcement Sensitive," "Official Use Only," and dozens of variants — with no uniform definition, no cross-agency consistency, and no oversight. E.O. 13556 replaced all of these with a single program: Controlled Unclassified Information (CUI). The CUI Program is built around the CUI Registry (archives.gov/cui), maintained by ISOO, which lists every authorized CUI category and subcategory with the specific law or regulation authorizing the controls. Agencies may only designate information as CUI if it falls within a Registry category. CUI divides into two tiers: CUI Basic (standard safeguarding — protect from unauthorized access) and CUI Specified (category-specific handling requirements mandated by the authorizing law, such as grand jury information or export-controlled technical data). Documents marked CUI carry a standard header banner reading "CUI" and a footer with the category designation, handling instructions, and agency identifier.
Current Rule (2026)
| Parameter | Value |
|---|---|
| Citation | 32 CFR Part 2002 |
| Issuing agency | Information Security Oversight Office (ISOO), NARA |
| Statutory authority | E.O. 13556 (Nov. 4, 2010); 44 U.S.C. § 3301 (Federal Records Act) |
| CUI Executive Agent | NARA (delegated to ISOO Director) |
| CUI Registry | Publicly available at archives.gov/cui |
| Legacy marking cutoff | November 14, 2016 |
| Last major amendment | 2016 (81 FR 63324) |
What This Rule Does
E.O. 13556 designated NARA as the CUI Executive Agent (CUI EA) — the single authority responsible for overseeing the CUI Program across all executive branch agencies. ISOO, as NARA's designated implementing office, issues implementing directives, maintains the CUI Registry, and provides oversight of agency compliance.
The CUI Program operates through the CUI Registry — a publicly accessible, ISOO-maintained catalog (at archives.gov/cui) that lists every authorized CUI category and subcategory, the specific law, regulation, or government-wide policy that authorizes the controls, the safeguarding and dissemination requirements for each category, and the standard marking language agencies must use. If an agency cannot point to a Registry entry authorizing CUI treatment for a given document, the information may not be designated CUI. This "Registry-or-nothing" rule was a fundamental change: before E.O. 13556, individual agencies could create ad hoc markings without any external authorization.
CUI divides into two tiers: CUI Basic (information requiring standard safeguarding — protect from unauthorized access but no additional controls) and CUI Specified (information with specific handling requirements mandated by the authorizing law, such as grand jury materials, tax return information, or certain export-controlled technical data). CUI Specified categories are rare; most CUI is CUI Basic.
Key Provisions
- § 2002.4 — Definitions: "CUI" means information the Government creates or possesses that a law, regulation, or government-wide policy requires or permits an agency to safeguard or disseminate using controls consistent with the CUI Program; "decontrolling" means removing CUI designation from information that no longer requires protection; the definitions resolve decades of ambiguity about what "sensitive but unclassified" actually means
- § 2002.10 — CUI Registry: ISOO maintains the registry as the authoritative source for all authorized CUI categories; agencies may not treat information as CUI unless it fits an established Registry category; new categories may be proposed to ISOO via agency petition with citation to the authorizing authority; the public nature of the Registry is deliberate — citizens and researchers can verify whether a marking is legitimate
- § 2002.12 — Designating CUI: authorized holders who create or receive information that meets a CUI Registry category may (or, for some categories, must) designate it CUI; designation is a determination, not a stamp — the information controls follow from the legal authority, not from the physical marking; agencies must train personnel on when designation is appropriate
- § 2002.14 — Safeguarding: CUI must be protected from unauthorized access; basic physical protection standards include locking unattended CUI, restricting access to personnel with a need to know, and ensuring electronic CUI is on authorized systems with appropriate access controls; CUI Basic follows the minimum protections ISOO establishes; CUI Specified follows the specific safeguarding requirements in the authorizing law or regulation
- § 2002.16 — Accessing and disseminating: agencies may share CUI with persons inside or outside the government when sharing is consistent with the authorizing law and there is a lawful government purpose; sharing CUI with non-federal contractors or partners requires a written agreement (e.g., contract clause, information sharing agreement) that imposes equivalent safeguarding obligations; agencies may not impose controls that exceed those the law or regulation authorizes
- § 2002.18 — Decontrolling: CUI must be decontrolled when the authorizing law no longer applies (e.g., the document is no longer law enforcement sensitive, the tax information is no longer protected by § 6103, the export-controlled design is now public); agencies may also decontrol proactively; decontrolled information may be released or disclosed as agency policy permits; decontrolling does not require ISOO review — it is an agency determination
- § 2002.20 — Marking: CUI must be marked so that persons handling it know what it is and how to protect it; the required marking elements include: (1) the CUI designation indicator ("CUI" or "CONTROLLED" in the banner line); (2) the CUI category marking if required by the Registry entry (e.g., "CUI//PRVCY" for Privacy Act-protected information; "CUI//SP-EXPT" for export-controlled); (3) the required handling caveats for CUI Specified; for intelligence information, "NOFORN" or similar dissemination controls may be added; labels applied to physical media must meet certain minimum size and placement standards
- § 2002.32 — Legacy materials: agencies had until November 14, 2016 to implement the new CUI markings; documents created before that date with old agency-specific markings (FOUO, SBU, etc.) were treated as CUI-equivalent for safeguarding purposes during the transition; agencies were required to re-mark legacy materials as they were accessed or processed
- § 2002.36 — Legacy markings after the transition: documents bearing pre-CUI markings (FOUO, SBU, LES, and similar) continue to be treated as CUI equivalent even after the transition cutoff — they are not stripped of protection just because they carry the old marking; however, if an agency is re-issuing or significantly updating a legacy document, it must apply proper CUI marking at that time
- §§ 2002.54–2002.56 — Self-inspection and sanctions: agencies must establish self-inspection programs to assess compliance with Part 2002; employees who improperly designate, mark, or handle CUI (including over-designation — marking more broadly as CUI than authorized) are subject to appropriate sanctions; the regulations specifically flag both under-protection (failing to protect legitimately sensitive information) and over-designation (applying CUI controls to information not covered by any Registry category) as policy violations
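The marking rules in § 2002.20 describe a banner format that can be checked mechanically, and the legacy-marking rules in §§ 2002.32 and 2002.36 describe documents that still need re-marking. The following is an added example (not code from the page, ISOO, or NARA) of a small banner validator that a records or compliance team might run over document headers to spot legacy markings and possible over-designation. It assumes the banner shape `CUI//CATEGORY[/CATEGORY]//DISSEMINATION` (the page shows only single-category forms such as `CUI//PRVCY`, so the `/` and `//` separators beyond that are an assumption), uses a constructed two-entry stand-in for the CUI Registry, and treats the `SP-` prefix seen in `CUI//SP-EXPT` as the CUI Specified indicator.

```python
"""CUI banner marking validator (added example; not ISOO/NARA code)."""
from dataclasses import dataclass, field

# A real deployment would load categories from the CUI Registry (archives.gov/cui).
# Only PRVCY and SP-EXPT appear on the page; this dict is a constructed sample.
KNOWN_CATEGORIES = {
    "PRVCY": "Privacy Act-protected information (CUI Basic)",
    "SP-EXPT": "Export-controlled technical data (CUI Specified)",
}
# Pre-2010 markings named on the page: still safeguarded as CUI-equivalent,
# but must be replaced with a proper CUI banner when the document is reissued.
LEGACY_MARKINGS = {
    "FOUO", "FOR OFFICIAL USE ONLY",
    "SBU", "SENSITIVE BUT UNCLASSIFIED",
    "LES", "LAW ENFORCEMENT SENSITIVE",
}
# Dissemination controls the page mentions; constructed sample list.
KNOWN_DISSEM = {"NOFORN"}


@dataclass
class Marking:
    indicator: str
    categories: list = field(default_factory=list)
    dissem: list = field(default_factory=list)
    tier: str = "Basic"          # "Basic", "Specified", or "Legacy-equivalent"
    legacy: bool = False
    errors: list = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors


def parse_banner(line: str) -> Marking:
    """Parse one banner line such as 'CUI//SP-EXPT//NOFORN'.

    Assumption: '//' separates indicator, category block and dissemination
    block; '/' separates multiple categories or controls within a block.
    """
    text = line.strip().upper()
    m = Marking(indicator="")
    if text in LEGACY_MARKINGS:
        m.indicator, m.legacy, m.tier = text, True, "Legacy-equivalent"
        m.errors.append(f"legacy marking {text!r}: re-mark with a CUI banner on reissue")
        return m
    parts = text.split("//")
    m.indicator = parts[0]
    if m.indicator not in ("CUI", "CONTROLLED"):
        m.errors.append(f"banner must begin with CUI or CONTROLLED, got {m.indicator!r}")
        return m
    if len(parts) > 3:
        m.errors.append("too many '//'-separated segments")
    if len(parts) >= 2 and parts[1]:
        m.categories = parts[1].split("/")
    if len(parts) >= 3 and parts[2]:
        m.dissem = parts[2].split("/")
    for cat in m.categories:
        if cat not in KNOWN_CATEGORIES:
            # No Registry entry backs this category: flag as possible over-designation.
            m.errors.append(f"category {cat!r} not in Registry sample: possible over-designation")
        if cat.startswith("SP-"):
            m.tier = "Specified"
    for ctl in m.dissem:
        if ctl not in KNOWN_DISSEM:
            m.errors.append(f"unknown dissemination control {ctl!r}")
    return m


# Constructed sample of header lines pulled from a batch of documents.
SAMPLE_BANNERS = [
    "CUI//PRVCY",
    "CUI//SP-EXPT//NOFORN",
    "FOUO",
    "CUI//MADEUP",
    "CONTROLLED",
    "SECRET//NOFORN",
]


def audit(banners) -> dict:
    """Summarise a batch: how many banners are valid, legacy, invalid, or Specified."""
    summary = {"valid": 0, "legacy": 0, "invalid": 0, "specified": 0}
    for banner in banners:
        m = parse_banner(banner)
        if m.legacy:
            summary["legacy"] += 1
        elif m.valid:
            summary["valid"] += 1
        else:
            summary["invalid"] += 1
        if m.tier == "Specified":
            summary["specified"] += 1
    return summary


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        m = parse_banner(banner)
        print(f"{banner:24} tier={m.tier:18} errors={m.errors}")
    print(audit(SAMPLE_BANNERS))
```

The validator only says whether a banner is well-formed and backed by a Registry entry; whether the underlying information actually meets that category is the designation determination § 2002.12 describes, which no string check can make. A banner with no category (`CUI` alone) is accepted because the page states the category marking is required only where the Registry entry calls for it.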
How It Affects You
If you work for a federal agency or federal contractor: CUI is the most operationally significant information security standard for the vast majority of federal workers — far more day-to-day relevant than classified information handling, which applies to a small fraction of the workforce. If you handle personally identifiable information (Privacy Act), tax return data (IRC § 6103), law enforcement sensitive materials, export-controlled technical data, or controlled medical records, you are working with CUI. The practical obligations: mark documents correctly using the CUI Header/Banner format, store CUI on authorized systems (for contractors, typically NIST SP 800-171-compliant systems), control access on a need-to-know basis, and dispose of CUI through approved means (shredding, secure deletion). Federal contractors subject to the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 have the most demanding CUI obligations — including mandatory cyber incident reporting and use of NIST SP 800-171 controls.
If you are a researcher, journalist, or FOIA requester: The CUI marking on a document does not automatically exempt it from FOIA release. CUI designation tracks whether information requires internal handling controls — it does not independently establish a FOIA exemption. The underlying law authorizing the CUI designation (the Privacy Act, § 6103, or a withholding statute invoked under FOIA Exemption 3) determines whether information can be withheld. Many FOUO-marked documents that agencies previously withheld as a matter of practice are not legitimately exempt from FOIA; the CUI standardization has arguably made agencies more accountable for citing specific legal authorities for withholding. Over-designation (marking as CUI without Registry authority) is a policy violation that auditors and FOIA officers may challenge.
If you work in defense acquisition or technology transfer: The intersection of CUI with the NIST Cybersecurity Framework and CMMC (Cybersecurity Maturity Model Certification) is the most commercially significant aspect of the CUI Program. Defense contractors that handle CUI (called "Covered Defense Information" in DFARS) must implement NIST SP 800-171 controls across their networks — 110 security requirements covering access control, incident response, configuration management, and more. CMMC certification, now rolling out through the DoD acquisition system, requires third-party verification of these controls for certain contract categories. Non-compliance can disqualify a contractor from receiving or continuing DoD contracts.
Statutory Authority
This rule implements:
- Executive Order 13556 (November 4, 2010) — establishes the CUI Program; designates NARA as CUI Executive Agent; directs ISOO to issue implementing directives; requires executive branch agencies to comply within a reasonable period; directs agencies to develop training programs; mandates that agency-specific ad hoc markings be eliminated and replaced with CUI categories
- 44 U.S.C. § 3301 (Federal Records Act) — the underlying authority under which NARA exercises records management oversight; CUI Program operates as part of the broader federal records management framework
Recent Rulemakings
2016 final rule (81 FR 63324) — the original implementing regulation for the CUI Program, establishing all core provisions of Part 2002; set November 14, 2016 as the agency implementation deadline; introduced the CUI Registry framework, the marking standards, and the self-inspection requirement.
No major amendments since 2016. ISOO has issued CUI Notices (implementing directives) that supplement the regulation — including directives on safeguarding standards for CUI held in nonfederal systems (cross-referencing NIST SP 800-171), marking of CUI in contractor environments, and CUI training requirements. These directives are published at archives.gov/cui and have the force of policy for agency compliance.