What are the 19 categories of CUI?

What is Controlled Unclassified Information (CUI)?

CUI stands for Controlled Unclassified Information. CUI is defined as government-related information that needs to be protected and transmitted using controls compatible with government laws, regulations, and policies. A document marked with CUI markings

indicates that it requires protection of the information contained in it.

The CUI Program was established to standardize the way the government and its contracted companies handle information that requires protection and is not classified. The program was introduced with Obama’s Executive Order 13556 in 2010 to create a streamlined process for information sharing and safeguarding of controlled unclassified information.

Before the DoD’s concerted effort to standardize policies related to information security in 2010, CUI was loosely termed as information that was “for official use only” (FOUO) or “sensitive but unclassified” (SBU). With no standardized guidelines for CUI, the onus of determining the level of protection needed and implementing secure practices to protect this broad category of information fell on each individual firm. As the responsibility for cyber security moved up in the corporate hierarchy due to its direct impact on national security, ambiguous security standards became a thing of the past. 

Addressing a dramatic and continuous upward trend in cyber attacks on government agencies and contracted firms, the DoD (Department of Defense) has regulated the CUI security classification and handling processes in the mandated CMMC certification.

CUI is a broad category that encompasses several different information types. DoD contractors should be able to identify information that is not classified but that still requires protection like CUI. This is a critical part of doing work for the DoD and maintaining good standing within the defense industrial base.

There are 20 organizational CUI categories. These CUI classifications are further broken down into the type of CUI commonly found in each of these categories. You can read the full breakdown in the federal CUI registry.

Organizational Index Groups

• Critical Infrastructure
• Defense
• Export Control
• Financial
• Intelligence
• International Agreements
• Law Enforcement
• Legal
• Natural and Cultural Resources
• North Atlantic Treaty Organization (NATO)
• Nuclear
• Patents
• Privacy
• Procurement and Acquisition
• Proprietary Business Information
• Provisional
• Statistical
• Tax
• Transportation