Controlled Unclassified Information (CUI)
Controlled Unclassified Information, or CUI, is sensitive government information that isn't classified (not Secret or Top Secret) but still requires protection. Examples include technical drawings, engineering data, export-controlled information, personnel records, and contract performance data that the government shares with contractors.
CUI is marked or designated by the government and must be handled according to specific rules. If your company receives information marked as CUI, you're legally obligated to protect it — storing it securely, limiting who can access it, and ensuring it isn't leaked or stolen.
The entire CMMC framework exists primarily to protect CUI. If you handle CUI, you need CMMC Level 2 certification, which requires implementing all 110 security requirements from NIST SP 800-171.
Why It Matters
Understanding what CUI is and whether your company handles it determines your entire CMMC compliance path. Misidentifying or failing to protect CUI can lead to contract loss, financial penalties, and potential legal liability under the False Claims Act.