Controlled Unclassified Information is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).
32 CFR Part 2002 "Controlled Unclassified Information" was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.
The CUI Executive Agent can be reached at
Information Security Oversight Office - Controlled Unclassified Information
National Archives and Records Administration
700 Pennsylvania Ave, N.W., Room 100
Washington, DC 20408-0001
E-mail: cui@nara.gov
NIST does not have a role in implementation, assessment, or oversight of the DFARS Clause 252.204-7012. The following resources are available from the Department of Defense (DoD).
Cybersecurity in DoD Acquisition Regulations page at for Related Regulations, Policy, Frequently Asked Questions, and Resources (June 26, 2017)
DPAP Website for DFARS, Procedures, Guidance and Information (PGI), and Frequently Asked Questions
DoDI 5230.24, Distribution Statements on Technical Documents
DoD’s Defense Industrial Base Cybersecurity program (DIB CS Program)
Questions can be submitted to: osd.dibcsia@mail.mil
The DOD Supplier Performance Risk System (SPRS) provides access to the NIST SP 800-171 Assessment scoring information. Questions about conducting your NIST SP 800-171 Assessment should be directed to your DCMA representative.
For more information, please see: https://www.sprs.csd.disa.mil/default.htm
The "NIST Score" is actually in reference to the Department of Defense (DOD) Assessment of NIST SP 800-171. NIST does not have a role in setting or determining a vendor's score or completing the assessment.
DOD uses NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, as part of their acquisition process to set cybersecurity requirements for DOD suppliers that store, transmit, or process CUI.
Refer to the FAQ (above) about assistance on conducting a NIST SP 800-171 assessment.
CMMC requirements are determined by the DOD CMMC Program Office. Specifics on the requirements, assessments, and maintenance for those should be directed to DOD.
For information about the CMMC program, please see: https://www.acq.osd.mil/cmmc/index.html
NARA and NIST objected to DFARS' use of a selected subset of 800-53 controls.
There was broader stakeholder concern regarding implementation challenges for non-Federal systems.
The solution was to develop a separate NIST SP for protection of CUI in nonfederal organizations.
Based on FIPS 200, with control language from 800-53, to meet the moderate impact level
Performance-based to be applicable to existing nonfederal systems
Eliminate Federal-centric requirements
Focus on providing confidentiality protection for CUI