
Understanding CUI Specified: Navigating CUI Categories and Compliance

  • mike08242
  • 15 hours ago
  • 4 min read

Updated: 14 hours ago




If your organization handles sensitive information on behalf of a federal agency—especially the Department of Defense (DoD)—you’ve likely heard the term "Controlled Unclassified Information," or CUI. The CUI designation is part of a government-wide initiative to standardize how sensitive but unclassified data is handled and protected.


While CUI is often treated as a single category, it actually comes in two forms: CUI Basic and CUI Specified. Knowing the difference between them—and understanding what "CUI Specified" actually requires—is essential for federal contractors, especially those working toward compliance with frameworks like the Cybersecurity Maturity Model Certification (CMMC).


CUI 101: The Foundation

Controlled Unclassified Information refers to unclassified federal information that requires safeguarding or dissemination controls consistent with laws, regulations, and government-wide policies. It’s information that doesn’t qualify as classified (Top Secret, Secret, etc.) but is still sensitive enough to warrant protection.


The CUI Program was established by Executive Order 13556, and the National Archives and Records Administration (NARA) was tasked with overseeing it. NARA maintains the CUI Registry, which provides details on how different types of CUI must be handled.



The Two Types of CUI: Basic vs. Specified

CUI Basic


CUI Basic refers to information that requires protection but does not have specific handling instructions outlined in its governing law or policy. For this type of CUI, agencies must apply the standardized safeguarding requirements listed in 32 CFR Part 2002.


These are general controls such as:

  • Limiting access to authorized users

  • Using secure storage (both physical and digital)

  • Implementing basic cybersecurity protections


CUI Specified


CUI Specified is a sub-category of CUI that does have specific handling or dissemination instructions dictated by law, regulation, or government-wide policy. These additional controls often go beyond the general baseline protections of CUI Basic.


In short: CUI Specified means the government has laid out exactly how you must handle that type of information.


Examples of CUI Specified Categories

Here are a few common examples of CUI Specified and the legal authorities that govern them:


  • Controlled Technical Information (CTI): CTI involves military or space technology-related information that requires restrictions on sharing and use.
    → Governing regulation: DFARS 252.204-7012

  • Export-Controlled Information: Includes technical data restricted by the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR).
    → Governing regulations: 22 CFR Parts 120-130 and 15 CFR Parts 730-774

  • Sensitive Personally Identifiable Information (SPII): Refers to data that could lead to harm or identity theft if improperly disclosed, such as Social Security numbers or financial records.
    → Governing guidance: OMB Memorandum M-17-12


Full list available at: CUI Registry



How Do You Handle CUI Specified?

Because CUI Specified comes with unique handling and dissemination rules, your organization must take care to apply controls tailored to the specific category in question. These rules often include—but are not limited to:

  • Limiting Dissemination: Certain CUI Specified types may only be shared with U.S. citizens or may be restricted from foreign nationals.

  • Encryption Requirements: Some CUI Specified data must be encrypted both in transit and at rest, using FIPS-validated algorithms.

  • Access and Storage Controls: Physical and digital systems may require enhanced protections such as biometric access, isolated networks, or dedicated secure enclaves.

  • Retention and Destruction Procedures: Specific timelines and methods may be required for retaining or destroying information.


What About Markings?

While you don’t need to remember the technical codes, it’s important to know that CUI Specified must be clearly marked in all documents, emails, and systems that contain it. This helps prevent accidental disclosure and ensures all users understand their responsibilities when handling that data.

Basic marking guidelines include:

  • A banner indicating the information is CUI

  • A reference to the applicable category (e.g., Controlled Technical Information)

  • Any limited dissemination controls (e.g., "No Foreign Nationals")


Detailed guidance can be found in the CUI Marking Handbook (PDF).
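As an added illustration (not code from the original post), here is a small parser that checks a banner line for the three elements listed above: the CUI indicator, the category, and any limited dissemination control. The banner layout it assumes, `CUI//<category>//<dissemination control>` with Specified categories prefixed `SP-`, follows the CUI Marking Handbook convention as understood here and is stated as an assumption; the sample banners are constructed.

```python
import re
from dataclasses import dataclass, field

# Assumed banner layout (our reading of the CUI Marking Handbook, not taken
# from the post): "CUI//<categories>//<dissemination controls>".
# Specified categories carry an "SP-" prefix, e.g. "CUI//SP-CTI//NOFORN".
CATEGORY_RE = re.compile(r"^(SP-)?[A-Z][A-Z0-9]*$")


@dataclass
class BannerMarking:
    categories: list[str] = field(default_factory=list)
    specified: list[str] = field(default_factory=list)      # SP- categories only
    dissemination: list[str] = field(default_factory=list)  # e.g. NOFORN
    problems: list[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.problems


def parse_banner(line: str) -> BannerMarking:
    """Split a banner line into indicator, categories and dissemination
    controls, recording anything a reviewer would need to fix."""
    m = BannerMarking()
    parts = line.strip().split("//")
    if parts[0] != "CUI":
        m.problems.append("banner does not start with the CUI indicator")
        return m
    if len(parts) < 2 or not parts[1]:
        m.problems.append("no category listed; the applicable category must be named")
        return m
    for cat in parts[1].split("/"):
        if not CATEGORY_RE.match(cat):
            m.problems.append(f"malformed category marking: {cat!r}")
            continue
        m.categories.append(cat)
        if cat.startswith("SP-"):
            m.specified.append(cat)
    if len(parts) > 2 and parts[2]:
        m.dissemination = parts[2].split("/")
    if len(parts) > 3:
        m.problems.append("unexpected extra '//' segments in banner")
    return m


if __name__ == "__main__":
    for banner in ("CUI//SP-CTI//NOFORN", "CUI//PRVCY", "CONFIDENTIAL//CTI"):
        print(banner, "->", parse_banner(banner))
```

A document whose parsed banner has a non-empty `specified` list is the one the post's category-specific handling rules apply to.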


Compliance Frameworks and CUI Specified

If your organization is working toward compliance with NIST SP 800-171 or the Cybersecurity Maturity Model Certification (CMMC), then handling CUI—especially CUI Specified—comes with high stakes.

  • CMMC Level 2 compliance requires organizations to implement the full set of 110 NIST SP 800-171 controls, many of which are directly applicable to CUI Specified.

  • These include technical requirements such as multifactor authentication, audit logging, access controls, and secure communication channels.

  • You may also need to demonstrate proper marking, training, and incident response capabilities during a CMMC assessment.




Practical Advice for Contractors

Here are a few best practices to help your organization manage CUI Specified effectively:


1. Know What You Have

Do a data inventory. Understand what categories of CUI your organization touches and which are Specified.


2. Review the CUI Registry

Bookmark the CUI Registry and consult it regularly. It's the official source for all CUI categories and rules.


3. Train Your Team

Every employee who handles CUI should understand their responsibilities and the consequences of noncompliance. Training should be specific to the types of CUI they interact with.


4. Implement Role-Based Access Controls

Not everyone in your organization needs access to CUI. Limit exposure by role and enforce it with technology.


5. Don’t Assume One-Size-Fits-All

Different CUI Specified categories come with different rules. Tailor your protections accordingly.


Final Thoughts

CUI Specified isn’t about a higher level of classification—it’s about precision. When a law or regulation outlines exactly how a type of CUI must be handled, your organization has a legal and contractual obligation to follow those instructions to the letter.


Failure to do so can jeopardize your contracts, expose sensitive data, and invite penalties or loss of future business. But with a clear understanding of your obligations, the right tools and training, and a commitment to compliance, managing CUI Specified doesn’t have to be overwhelming.

Stay proactive, stay informed, and build a culture of security around your sensitive data.

