CUI

Controlled Unclassified Information (CUI) is a category of sensitive government information that is not classified but requires safeguarding or dissemination controls under law, regulation, or government-wide policy. The CUI program is defined in Executive Order 13556 and implemented by 32 CFR Part 2002.

CUI categories include things like: export-controlled information (ITAR/EAR), critical infrastructure data, defense research, financial information, law enforcement records, and many others. Each category has a specific marking and handling requirement.

For defense contractors, the most important consequence of handling CUI is that DFARS 252.204-7012 applies to your environment, which means NIST SP 800-171 must be implemented and CMMC Level 2 certification will be required for the contract.