What are the 19 categories of CUI?

What are the 19 categories of CUI?What are the 19 categories of CUI?
Rebecca KappelRebecca Kappel Staff asked 1 year ago

1 Answers
Rebecca KappelRebecca Kappel Staff answered 1 year ago

What is Controlled Unclassified Information (CUI)?

CUI stands for Controlled Unclassified Information. CUI is defined as government-related information that needs to be protected and transmitted using controls compatible with government laws, regulations, and policies. A document marked with CUI markings

indicates that it requires protection of the information contained in it.

The CUI Program was established to standardize the way the government and its contracted companies handle information that requires protection and is not classified. The program was introduced with Obama’s Executive Order 13556 in 2010 to create a streamlined process for information sharing and safeguarding of controlled unclassified information.

Before the DoD’s concerted effort to standardize policies related to information security in 2010, CUI was loosely termed as information that was “for official use only” (FOUO) or “sensitive but unclassified” (SBU). With no standardized guidelines for CUI, the onus of determining the level of protection needed and implementing secure practices to protect this broad category of information fell on each individual firm. As the responsibility for cyber security moved up in the corporate hierarchy due to its direct impact on national security, ambiguous security standards became a thing of the past. 

Addressing a dramatic and continuous upward trend in cyber attacks on government agencies and contracted firms, the DoD (Department of Defense) has regulated the CUI security classification and handling processes in the mandated CMMC certification.

CUI is a broad category that encompasses several different information types. DoD contractors should be able to identify information that is not classified but that still requires protection like CUI. This is a critical part of doing work for the DoD and maintaining good standing within the defense industrial base.

There are 20 organizational CUI categories. These CUI classifications are further broken down into the type of CUI commonly found in each of these categories. You can read the full breakdown in the federal CUI registry.

Organizational Index Groups

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • North Atlantic Treaty Organization (NATO)
  • Nuclear
  • Patents
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax
  • Transportation

Looking to learn more about What are the 19 categories of CUI?

Related Content

Authorization to Operate (ATO)

Authorization to Operate (ATO)

What is an ATO? An ATO is a hallmark of approval that endorses an information system…


What is StateRAMP? In 2011, the Federal Risk and Authorization Management Program (FedRAMP) laid the groundwork…
Segregation of Duties

Segregation of Duties

What is the Segregation of Duties? Segregation of duties (SoD) is like a game of checks…
Skip to content