Controlled Unclassified Information

Controlled Unclassified Information (CUI) defined:

CUI is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. CUI is not classified information. It is not corporate intellectual property unless created for or included in the requirements related to a government contract.

CUI is divided into two categories: CUI Basic and CUI Specified.

CUI Basic must be safeguarded, handled, disseminated, marked, and destroyed in accordance with the basic requirements within the Code of Federal Regulations at 32 CFR Part 2002.

CUI Specified is CUI for which there are laws, regulations or government-wide policies that address specific safeguarding and handling. CUI Specified is not necessarily a higher level of CUI. Being categorized as “CUI Specified” means that certain requirements for handling and protecting such CUI are set forth in specific regulations or policies.

CUI Regulations and Resources

Security protocols for CUI must comply with the federal regulations specified in 32 CFR Part 2002 and by the National Archives and Records Administration (NARA). Frequently used CUI requirements and information can be found at the following locations:

National Institute of Standards and Technology (NIST) Special Publication (SP)

NIST SP 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations

NIST SP 800-171 – Protecting CUI in Nonfederal Systems and Organizations

NIST SP 800-172 – Enhanced Security Requirements for Protecting CUI: Supplement to 800-171 Rev 2

 

Department of Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting

DFARS 252.204-7020 – NIST SP 800-171 DoD Assessment Requirements

DFARS 252.204-7021 – Cybersecurity Maturity Model Certification Requirements

“Information” as defined by the Federal CUI Program may include research data and other project information, including non-public Federal Contract Information (FCI). FCI is normally protected in accordance with FAR 52.204-21 when a research team receives, possesses, or creates FCI in the performance of a sponsored contract.

“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems may include electronic media, non-electronic media, and physical environments.

 

Federal Acquisition Regulation (FAR) Security Requirements

FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems

CUI Training

CUI training can be found at the Defense Counterintelligence and Security Agency (DCSA), Center for Development of Security Excellence (CDSE). CUI training consists of initial and annual refresher CUI education and training for industry personnel as required by Government Contracting Activities (GCA) for contracts with CUI requirements.

Computer-based training may be found at https://securityawareness.usalearning.gov/cui/index.html. To schedule an in-person training session, please contact the university CUI Manager.

** Principal Investigators (PIs) may have additional training requirements as directed in agency-specific regulations and contractual obligations.

Additional Training and Information

NIST Protecting Controlled Unclassified Information

CUI Program Blog

CUI Cover Sheet

CUI Quick Marking Tips

CUI Distribution Statements

Destruction of CUI materials

Researcher Roles and Responsibilities

If CUI compliance is required for a research project, the PI will work with the Office of Research Security Compliance (ORSC) to:

  • Verify whether the research project will receive, possess, and/or create CUI, or is otherwise required to implement security controls based on the CUI regulations.
  • Identify the information systems, devices, and technologies used to store, process, and share CUI, and coordinate with the Office of Research Security Compliance to ensure conformance with government requirements and standards.
  • Create the required Technology Control Plan (TCP) for the research project. The TCP establishes the controls, policies, and procedures the PI and associated research team will follow to comply with CUI and other federal statutory requirements.
  • Identify to ORSC all project members who will or may have access to CUI and/or the information systems used to receive, transmit, generate, or maintain CUI for any given research project.
  • Be available to assist with internal (Auburn University) and external (federal and/or third-party) audits of CUI and CUI-designated information systems under their purview for any given contract.
  • Complete required training and renew that training as dictated by contract specifications.

 

CUI Registries

The CUI Registry is the government-wide online repository for federal-level guidance regarding CUI policy and practice.

Department of Defense CUI Registry

NARA CUI Registry  

 

For questions related to CUI, please contact Kevin Briggins, CUI Manager, at kjb0076@auburn.edu or (334) 844-0266.