Master this essential documentation concept
Controlled Unclassified Information - government-created or handled information that requires safeguarding but is not classified at the level of top secret or secret.
Many organizations rely on recorded walkthroughs and screen-capture videos to train staff on how to identify, label, store, and transmit Controlled Unclassified Information. This approach works well for onboarding, but it creates a real compliance gap over time. When an auditor asks how your team handles CUI, or when a new contractor needs to verify a specific step in your handling process, a 45-minute training video is not a practical reference.
The core challenge is discoverability. Staff under time pressure cannot efficiently search a video for the exact moment someone explains how to mark a document containing CUI before sharing it externally. Critical procedural details get buried, and teams either re-watch lengthy recordings or — worse — rely on memory.
Converting those process walkthrough videos into formal SOPs gives your team a structured, searchable record of exactly how CUI should be handled at each stage. For example, a video demonstrating your secure file transfer workflow can become a step-by-step SOP that staff can reference in seconds, and that compliance teams can audit against your CUI policy directly.
Defense contractors working with the DoD receive technical specifications, contract performance work statements, and export-controlled engineering drawings that mix CUI with publicly releasable content. Staff routinely email unmarked attachments or store files on personal cloud drives, creating DFARS 252.204-7012 violations and potential loss of contract eligibility.
CUI designation requirements force contractors to explicitly categorize each document under the appropriate CUI Registry category (e.g., CTI for controlled technical information, ITAR for export-controlled data), apply standardized markings, and route documents only through CMMC-compliant systems, creating an auditable chain of custody from receipt to destruction.
1. Audit all incoming DoD contract documents and tag each with the correct CUI category from the National Archives CUI Registry, such as 'CUI//SP-CTI' for controlled technical information or 'CUI//SP-ITAR' for ITAR-restricted drawings.
2. Configure your document management system (e.g., SharePoint GCC High or DISA-approved cloud) to enforce access controls so only personnel with documented need-to-know and signed NDA can open CUI-tagged files.
3. Train all staff using the DoD CUI training module (available at cdse.edu) and maintain training completion records tied to each employee's system access permissions.
4. Establish a quarterly CUI inventory review where the FSO or CUI Program Manager audits document logs, verifies markings are correct, and confirms no CUI has been stored in non-approved locations like personal Dropbox or Gmail.
Contractors achieve CMMC Level 2 documentation compliance, pass DCSA audits without findings related to CUI handling, and reduce the risk of contract termination or suspension under DFARS 252.204-7012 incident reporting obligations.
FBI field offices, DHS investigators, and local fusion centers collaborating on joint investigations share witness statements, surveillance reports, and criminal intelligence that qualifies as Law Enforcement Sensitive (LES) CUI. Without consistent marking, recipients at partner agencies cannot determine whether documents can be shared further, printed, or discussed in open settings, leading to either over-restriction that stalls investigations or inadvertent public disclosure.
Applying CUI//LES markings with the originating agency identifier and any applicable limited dissemination controls (e.g., FEDONLY or NOFORN) gives every recipient immediate, unambiguous guidance on handling requirements, sharing boundaries, and destruction timelines without requiring a call back to the originating office.
1. Standardize document templates in your case management system (e.g., Guardian, Axon Records) to auto-populate CUI//LES banners on headers and footers, pulling the originating office code and date from document metadata.
2. Define a dissemination control matrix specific to your joint task force: specify which CUI subcategories can be shared with state/local partners versus federal-only recipients, and embed these rules into the document routing workflow.
3. When transmitting CUI//LES files via email, require use of encrypted government email (e.g., .gov PKI-signed messages or DEOS) and prohibit forwarding to non-government addresses using DLP policy rules in Microsoft Purview or equivalent.
4. At case closure, generate a CUI disposition report listing all documents created and their retention schedule under the relevant NARA records schedule, and confirm either transfer to a federal records center or destruction with witnessed certification.
Joint investigations experience fewer information-sharing breakdowns, partner agencies report higher confidence in handling shared materials correctly, and the originating agency meets its 32 CFR Part 2002 CUI Program obligations with documented evidence of proper controls.
University research hospitals conducting NIH-funded clinical trials collect patient-identifiable data that is simultaneously subject to HIPAA, the Privacy Act, and CUI requirements when federally funded. Researchers store de-identification logs, IRB-approved consent forms with PII, and adverse event reports across personal laptops, institutional servers, and commercial cloud storage with no consistent marking or access logging, creating both regulatory and contractual violations.
Classifying federally funded patient research data as CUI//PRVCY (Privacy Act) or CUI//MED (Medical) requires institutions to implement the same safeguarding standards as federal agencies, including access logging, encrypted storage, and documented destruction, aligning HIPAA technical safeguards with federal CUI handling requirements in a single unified framework.
1. Work with your IRB and research compliance office to map each data element in your clinical trial dataset to its CUI category: patient identifiers map to CUI//PRVCY, diagnosis and treatment records to CUI//MED, and financial assistance data to CUI//FICA if applicable.
2. Migrate all CUI research data to an institution-managed secure enclave (e.g., a FISMA Moderate-authorized cloud environment or on-premises system with FDE, MFA, and audit logging) and revoke access to personal devices and commercial consumer cloud services.
3. Embed CUI markings into your REDCap or similar research data platform so that every data export, report, or printed record automatically carries the appropriate CUI banner, limiting manual marking errors by researchers unfamiliar with federal requirements.
4. Submit annual CUI self-assessments to your NIH program officer as part of your progress report, documenting your safeguarding measures, any incidents, and training completion rates for all personnel with data access.
The institution avoids NIH grant suspension or termination for data management failures, passes HHS Office for Civil Rights audits by demonstrating alignment between HIPAA and CUI controls, and builds a reusable compliance framework applicable to future federally funded research contracts.
State DOTs collaborating with private engineering firms on bridge and tunnel projects share vulnerability assessments, structural inspection reports, and SCADA system configurations that qualify as Critical Infrastructure Information (CII) CUI. These documents frequently appear in public bid packages or are emailed to subcontractors without restriction markings, inadvertently exposing infrastructure vulnerabilities to adversaries who monitor public procurement portals.
Marking structural vulnerability data and SCADA configurations as CUI//PCII (Protected Critical Infrastructure Information) or CUI//CRIT triggers specific federal protections under the Critical Infrastructure Information Act of 2002, restricts FOIA disclosure, and requires the state agency and all contractors to implement access controls and handling procedures that prevent public exposure of exploitable infrastructure details.
1. Conduct a document review of all active infrastructure project files and identify which records contain vulnerability data, attack surface assessments, or operational system details that meet PCII or CUI//CRIT criteria, then apply retroactive markings and restrict access in your project management platform (e.g., Procore, Bentley ProjectWise).
2. Modify your procurement process so that bid packages are split into a public portion with general project scope and a CUI-marked restricted portion containing sensitive infrastructure details, released only to pre-qualified contractors who have signed a CUI Non-Disclosure Agreement.
3. Require all engineering subcontractors to submit a CUI handling plan as part of contract award, demonstrating they have encrypted storage, access logging, and trained personnel before receiving any CUI//CRIT documents.
4. Establish an incident response protocol specifically for CUI exposure events: if a CUI document is inadvertently posted publicly or sent to an unauthorized party, the agency must notify CISA within 24 hours and document remediation steps per DHS PCII Program requirements.
The agency eliminates inadvertent public disclosure of infrastructure vulnerabilities through procurement portals, meets CISA's voluntary PCII program standards, and demonstrates due diligence in protecting critical infrastructure, which reduces liability exposure in the event of a security incident.
Marking only the document header with a CUI designation leaves recipients unable to determine which specific sections contain sensitive information, leading to over-restriction of the entire document or unsafe extraction of sensitive paragraphs. The 32 CFR Part 2002 framework allows and encourages portion marking so that each paragraph, figure, or table is individually labeled, enabling precise sharing decisions. This is especially critical for documents that mix CUI with publicly releasable content, such as technical reports with both sensitive specifications and general background.
Agencies and contractors frequently invent informal labels like 'Sensitive But Unclassified' or 'For Official Use Only' that have no legal standing under Executive Order 13556 and create confusion about required safeguarding measures. The National Archives CUI Registry at archives.gov/cui is the only authoritative list of approved CUI categories, each with a specific authority document, handling requirements, and approved markings. Using registry-approved categories ensures your markings are legally defensible and universally understood by other federal agencies and contractors.
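The two points above (portion marks must roll up into the banner, and only Registry-approved labels count) can be checked mechanically. The following is an added example written for this page, not code from the page or from any product it mentions; it assumes a marking grammar generalised from the markings quoted here (categories after "CUI//", dissemination controls in a further "//" group, portion marks in parentheses with "(U)" for uncontrolled text) and treats NOFORN and FEDONLY as the only known dissemination controls.

```python
import re

# Assumed marking grammar, generalised from the markings this page quotes
# (CUI//SP-CTI, CUI//LES, NOFORN, FEDONLY): "//"-separated groups after "CUI"
# hold "/"-separated tokens; tokens in KNOWN_LDCS are dissemination controls,
# the rest are categories. Portions repeat the grammar in parentheses; "(U)" is uncontrolled.
KNOWN_LDCS = {"NOFORN", "FEDONLY"}  # assumed subset, taken from the page
LEGACY_LABELS = ("FOUO", "SBU", "FOR OFFICIAL USE ONLY", "SENSITIVE BUT UNCLASSIFIED")
MARK_RE = re.compile(r"^CUI((?://[A-Z0-9-]+(?:/[A-Z0-9-]+)*)*)$")
PORTION_RE = re.compile(r"^\((U|CUI(?://[A-Z0-9/-]+)*)\)\s*(.*)$")

def parse_marking(mark):
    """Return (categories, ldcs) for a marking such as 'CUI//SP-CTI//NOFORN'."""
    m = MARK_RE.match(mark.strip())
    if not m:
        raise ValueError(f"not a valid CUI marking: {mark!r}")
    tokens = [t for grp in m.group(1).split("//") for t in grp.split("/") if t]
    ldcs = {t for t in tokens if t in KNOWN_LDCS}
    return set(tokens) - ldcs, ldcs

def build_banner(cats, ldcs):
    """Roll the union of portion markings up into the banner they require."""
    groups = [g for g in ("/".join(sorted(cats)), "/".join(sorted(ldcs))) if g]
    return "//".join(["CUI", *groups])

def check_document(text):
    """Banner on line 1, one portion per line; return findings (empty list = ok)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    findings, cats, ldcs = [], set(), set()
    for label in LEGACY_LABELS:  # informal labels have no standing under E.O. 13556
        if re.search(rf"\b{re.escape(label)}\b", text.upper()):
            findings.append(f"legacy label {label!r} is not a CUI Registry marking")
    banner_cats, banner_ldcs = parse_marking(lines[0])
    for n, line in enumerate(lines[1:], start=2):
        m = PORTION_RE.match(line)
        if not m:
            findings.append(f"line {n}: portion carries no portion marking")
        elif m.group(1) != "U":
            c, l = parse_marking(m.group(1))
            cats, ldcs = cats | c, ldcs | l
    if (banner_cats, banner_ldcs) != (cats, ldcs):
        findings.append(f"banner {lines[0].strip()!r} does not match portions; "
                        f"expected {build_banner(cats, ldcs)!r}")
    return findings

# Constructed sample: a releasable summary paragraph followed by a CTI portion.
SAMPLE = """CUI//SP-CTI//NOFORN
(U) This report summarises inspection activity for the quarter.
(CUI//SP-CTI//NOFORN) Blade tolerances are listed in Table 2.
"""
```

`check_document(SAMPLE)` returns an empty list; a document whose banner is a bare "CUI" while a portion is marked "(CUI//LES)" is reported with the banner the portions actually require.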
Relying solely on written policies and employee training to protect CUI creates a compliance posture that fails the moment an employee makes a mistake or leaves the organization. Technical controls such as data loss prevention rules, encrypted storage enforcement, and access logging provide a defense-in-depth layer that catches violations before they become incidents. NIST SP 800-171, which governs CUI protection for non-federal systems, explicitly requires both administrative and technical safeguards, and auditors increasingly expect to see automated enforcement rather than honor-system compliance.
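As an added illustration of the automated enforcement this paragraph (and the DLP rule in the law-enforcement steps above) calls for, here is a minimal outbound-mail policy check; it is written for this page, not taken from Microsoft Purview or any other product, and the message fields, the allow-list of .gov and .mil domains and the sample messages are all constructed assumptions.

```python
import re

# Constructed outbound-mail records standing in for what a DLP engine inspects;
# the field names are my assumption, not any product's schema.
OUTBOUND = [
    {"id": "m1", "to": ["fso@agency.gov"], "subject": "CUI//LES case summary",
     "body": "(CUI//LES) Witness statement attached.", "attachments": ["stmt.pdf"]},
    {"id": "m2", "to": ["analyst@agency.gov", "jsmith@gmail.com"], "subject": "quick question",
     "body": "Forwarding the CUI//SP-CTI drawing set for comment.", "attachments": ["drw_rev3.pdf"]},
    {"id": "m3", "to": ["vendor@example.com"], "subject": "lunch", "body": "Noon works.", "attachments": []},
]
ALLOWED_TLDS = {"gov", "mil"}  # assumed allow-list; the page names .gov PKI-signed mail
# Match banner/portion markings only (CUI//...), not the bare acronym, so that
# a message discussing CUI policy is not blocked by mistake.
CUI_RE = re.compile(r"\bCUI//[A-Z0-9/-]+")

def find_markings(msg):
    """CUI markings found anywhere in subject, body or attachment names."""
    haystack = " ".join([msg["subject"], msg["body"], *msg["attachments"]])
    return sorted(set(CUI_RE.findall(haystack)))

def unauthorized_recipients(msg):
    """Recipients whose top-level domain is outside the allow-list."""
    return [r for r in msg["to"] if r.rsplit(".", 1)[-1].lower() not in ALLOWED_TLDS]

def evaluate(msg):
    """Rule: CUI-marked content may leave only to allow-listed domains."""
    marks, bad = find_markings(msg), unauthorized_recipients(msg)
    action = "block" if marks and bad else "allow"
    return {"id": msg["id"], "action": action, "markings": marks,
            "recipients": bad if marks else []}

def run_policy(messages=OUTBOUND):
    """Evaluate every message and return the decision log."""
    return [evaluate(m) for m in messages]
```

The decision log is what an auditor would expect to see instead of an honor-system attestation: m2 is blocked because a marked drawing set was addressed to a consumer mailbox, while m3 passes because it carries no CUI marking.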
When CUI is inadvertently disclosed, emailed to an unauthorized recipient, or posted publicly, most organizations discover they have no documented procedure for who to notify, what to preserve, and how to remediate within the required timeframe. For federal contractors, DFARS 252.204-7012 requires reporting cyber incidents involving CUI to DoD within 72 hours, and failure to report is itself a contract violation. Having a tested, role-specific incident response runbook eliminates the confusion and delay that turns a manageable disclosure into a reportable compliance failure.
CUI must be destroyed in a manner that makes it unrecoverable, but the timing of destruction must comply with the applicable NARA records retention schedule for that document type, which varies by CUI category and originating program. Destroying CUI too early violates federal records law; retaining it beyond the approved retention period creates unnecessary risk and storage costs. A documented destruction log that captures what was destroyed, when, by whom, and using what method (cross-cut shredding for paper, DoD 5220.22-M or NIST 800-88 for digital media) provides the audit trail required by 32 CFR Part 2002.