Controlled Unclassified Information (CUI)

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) refers to information that requires safeguarding or dissemination controls according to laws, regulations, or government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act.

CUI is a designation used primarily in the U.S. federal government to better protect sensitive data that isn’t considered classified but still needs to be shielded from unauthorized access or distribution.

Why CUI Matters

Organizations that contract with the U.S. government—especially the Department of Defense (DoD), General Services Administration (GSA), and NASA—are required to properly handle and protect CUI. Failing to do so can lead to:

  • Contract non-compliance

  • Legal or financial penalties

  • Increased risk of data breaches

Examples of CUI

Examples of Controlled Unclassified Information include:

  • Engineering specifications

  • Export-controlled information (ITAR, EAR)

  • Legal documents

  • Health-related data (non-HIPAA covered)

  • Financial records

  • Personally Identifiable Information (PII)

  • Proprietary business information under NDA

A complete list of CUI categories is available on the National Archives CUI Registry.

CUI and Compliance Frameworks

If your organization handles CUI, you're likely required to follow specific compliance frameworks, such as:

  • NIST SP 800-171: Outlines security requirements for protecting CUI in non-federal systems.

  • CMMC (Cybersecurity Maturity Model Certification): A Department of Defense framework that incorporates NIST 800-171 and other cybersecurity best practices.

These frameworks mandate controls such as:

  • Access control and user authentication

  • Encryption at rest and in transit

  • Audit logging and monitoring

  • Regular risk assessments

How to Use Secureframe for CMMC Prep (Safely)

Task                        | Use Secureframe? | Notes
Policy creation & tracking  | ✅ Yes           | Includes editable templates
Gap assessments             | ✅ Yes           | Helps identify and track compliance gaps. SPRS scoring for CMMC on roadmap
Evidence tracking           | ✅ Yes           | Safe as long as CUI is not uploaded
SSP draft generation        | ✅ Yes           | Final document should be stored in a secure system
POA&M planning              | ✅ Yes           | Use Secureframe to plan and track; store outputs securely

Frequently Asked Questions (FAQ)

Is Secureframe authorized to store or process Controlled Unclassified Information (CUI)?

  • Although Secureframe is designed to meet or exceed the security requirements outlined in NIST SP 800-171, it is important to note that Secureframe functions as a Security Protection Asset (SPA). SPAs are assets that provide security functions or capabilities within an organization’s assessment scope, irrespective of whether they process, store, or transmit Controlled Unclassified Information (CUI).
  • The data handled by Secureframe is primarily Security Protection Data (SPD), which refers to security-relevant information used to protect an organization’s assessed environment. Therefore, Secureframe is not intended to store or process U.S. Government information, including classified information or data subject to export controls (e.g., ITAR, EAR, CUI with NOFORN or RELTO markings).
  • Clients are responsible for ensuring that the information submitted to Secureframe aligns with these stipulations. In summary, there should be no need to use Secureframe to store CUI.

Can Secureframe be used to prepare for CMMC if we have CUI?

  • Yes — Secureframe can absolutely support your preparation for CMMC compliance, including environments that process CUI.
  • The key is that Secureframe helps with compliance management and evidence organization, but is not designed to store or transmit CUI.

Do SSPs and POAMs contain CUI?

  • Not always; it depends on what is in them. When they are first generated as stand-alone documents, they do not contain CUI and are considered SPD.
  • They only contain CUI once a customer puts CUI into them.

What is Secureframe’s CMMC categorization? Is Secureframe a CUI asset?

  • Secureframe is a Security Protection Asset (SPA). This is a specific CMMC categorization and is the level beneath CUI asset. This means Secureframe stores SPD rather than CUI and does not need to be FedRAMP Moderate authorized.

Is there more information I can read about CUI?

  • Yes, we have recently published a blog post on what you need to know about CUI. Topics include the evolution of the CUI program, qualifications, the ISOO and DoD CUI registries, safeguarding, and more.
