Trusted Internet Blog

Thoughts, Guidance, Musings

What is Controlled Unclassified Information?

Posted by Jeff Stutzman, Founder | Oct 31, 2019, 12:40:00 PM

Controlled Unclassified Information (CUI) is a category of unclassified information established in a directive issued on May 9, 2008, by President George W. Bush. CUI replaces categories such as For Official Use Only, Sensitive But Unclassified and Law Enforcement Sensitive. The CUI Program was originally developed for all Executive Branch Agencies, but there are dozens (hundreds?) of older markings used to identify what’s now considered CUI, and the category of information is (intentionally?) defined in VERY broad terms.

It is dense with government-speak and probably understandable to those who drafted it, but as the distance from DC grows, the intent, the need for this, the why, the go-forward planning and the standardization of the program become less and less understood by business owners. So, before this program careens out of control and becomes what many (including me) will find as clear as the tax code, I’m going to try to make it clearer, offering simplified, low-cost, high-payoff ways of protecting yourself from the wrath of the government if/when you lose data that might be associated with, or is considered, Controlled Unclassified Information.

There are 24 categories and 83 subcategories of information that currently define CUI.

The following is a quick reference list of common categories of CUI Specified subsets. This table resides at the National Archives. Please be sure to search the original database for the most up-to-date information.

Please be sure to check for updates to these categories. As this process rolls out, you can be certain that other government stakeholders will begin to include their own CUI Categories and subcategories.

CUI Categories

Critical Infrastructure

Export Control

International Agreements

Law Enforcement

Natural and Cultural Resources

North Atlantic Treaty Organization (NATO)

Procurement and Acquisition

Proprietary Business Information

The categories are broad, and I'm certain that is by design. Any of these kinds of information, regardless of who, which agency, or which organization considers it to be sensitive, poses a risk to the United States if stolen. And if it is, and you’ve been found to not have adequate protection, you could find yourself at the stinky end of the government stick.

Search the database at the National Archives to find out if your information might be considered CUI. The catalog can be found here:



Written by Jeff Stutzman, Founder

Mr. Stutzman personally operates as the CISO to the head coach of an NBA team, a $3.5 billion Houston oil and gas engineering and services company, a northern Virginia physical security company, and Wall Street CEO while supervising Virtual CISOs responsible for protecting executive homes and their companies around the world. He has been cited in the Wall Street Journal, Wired Magazine, NH Public Radio, and numerous trade publications. He holds a BS from Excelsior College, an MBA from Worcester Polytechnic Institute, and is a Harvard Kennedy School Senior Executive Fellow.