Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

A  |  B  |  C  |  D  |  E  |  F  |  G  |  H  |  I  |  J  |  K  |  L  |  M  |  N  |  O  |  P  |  Q  |  R  |  S  |  T  |  U  |  V  |  W  |  X  |  Y  |  Z

controlled unclassified information (CUI)

Abbreviation(s) and Synonym(s):

CUI

Definition(s):

  A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination.
Source(s):
NIST SP 800-53 Rev. 4 under Controlled Unclassified Information (E.O. 13556)

  Information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Source(s):
NIST SP 800-171 Rev. 2 under controlled unclassified information (E.O. 13556)
NIST SP 800-171 Rev. 1 under controlled unclassified information [Superseded] (E.O. 13556)

  Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Source(s):
NIST SP 800-150 under Controlled Unclassified Information (NIST SP 800-171)

  Information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
Source(s):
NIST SP 800-37 Rev. 2 under controlled unclassified information

  Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. Note: The CUI categories and subcategories are listed in the CUI Registry, available at www.archives.gov/cui.
Source(s):
CNSSI 4009-2015 (NIST SP 800-37 Rev. 1)

  A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. Henceforth, the designation CUI replaces Sensitive But Unclassified (SBU).
Source(s):
NIST SP 800-53A Rev. 4 under Controlled Unclassified Information