Controlled Unclassified Information — CUI Categories

Controlled Technical Information (CTI) includes technical data, computer software, and technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. CTI is one of the most commonly encountered CUI categories in defense contracting, covering engineering drawings, specifications, test results, and operational procedures for defense systems.

Unclassified Controlled Technical Information (UCTI) is the predecessor marking to CTI, used prior to the 2013 revision of DoD Instruction 5230.24. UCTI encompasses technical information that is not classified but requires safeguarding because of its potential military application. While the formal designation has been superseded by CTI, legacy UCTI markings remain on many existing technical data packages and contract deliverables.

For Official Use Only (FOUO) was a legacy marking used primarily by the Department of Defense and other federal agencies to protect unclassified information requiring controlled access. Under Executive Order 13556 establishing the CUI Program, FOUO is being phased out and replaced by specific CUI category markings. However, legacy FOUO markings still appear on many existing documents, technical orders, and contract deliverables throughout the federal government.

Sensitive But Unclassified (SBU) is a legacy catch-all marking used primarily by the Department of State, USAID, and other foreign affairs agencies for information that requires protection but is not classified. Like FOUO, SBU is being transitioned to specific CUI categories under Executive Order 13556, but legacy SBU markings remain prevalent on existing documents, cables, and reports related to diplomatic operations and international programs.

While SCI (Sensitive Compartmented Information) is a classified designation, SCI-related CUI markings apply to unclassified administrative, contractual, and logistical information pertaining to SCI programs, facilities, or accesses. This includes contract information about SCIFs (Sensitive Compartmented Information Facilities), personnel access rosters, SCI billet information, and program administrative data that does not contain classified content itself.

Naval Nuclear Propulsion Information (NNPI) is unclassified information concerning the design, arrangement, development, manufacture, testing, operation, administration, training, maintenance, and repair of the propulsion plants of naval nuclear-powered ships and prototypes. NNPI is managed by the Naval Nuclear Propulsion Program (Naval Reactors, NAVSEA 08) and has handling requirements that exceed standard CUI controls.

ITAR controls the export and import of defense-related articles and services listed on the United States Munitions List (USML). Technical data related to defense articles is strictly controlled under ITAR, and unauthorized export — including sharing with foreign nationals on U.S. soil (a "deemed export") — constitutes a violation. ITAR is administered by the State Department Directorate of Defense Trade Controls (DDTC).

The Export Administration Regulations control the export of dual-use items — commercial goods and technologies that have both civilian and military applications. Items are classified on the Commerce Control List (CCL) by Export Control Classification Number (ECCN). EAR is administered by the Bureau of Industry and Security (BIS) within the Department of Commerce and applies to a much broader range of items than ITAR.

Law Enforcement Sensitive (LES) information pertains to ongoing investigations, intelligence methods, confidential sources, and law enforcement techniques. This category protects information that could compromise law enforcement operations, endanger personnel, or reveal investigative methods if disclosed. LES is used by agencies including the FBI, DEA, ICE, CBP, Secret Service, and ATF.

Sensitive Security Information (SSI) is information obtained or developed in the conduct of security activities related to transportation. SSI is primarily regulated by TSA and covers security programs, vulnerability assessments, threat information, and screening procedures for aviation, maritime, rail, and pipeline transportation systems. SSI protection is mandated by statute and regulation.

Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information. In federal contracting, PII includes Social Security numbers, financial records, medical information, biometric data, and personnel records of government employees, military members, and program beneficiaries.

Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or business associate. In federal contracting, PHI commonly appears in contracts supporting VA healthcare, the Military Health System (TRICARE), Indian Health Service, CMS programs, and federal employee health programs. PHI includes medical records, lab results, prescription data, and health insurance information.

Census and statistical data protected under Title 13 and the Confidential Information Protection and Statistical Efficiency Act (CIPSEA) includes individual and business responses to Census Bureau surveys, American Community Survey (ACS) microdata, and other statistical data collected under a pledge of confidentiality. This data is used for statistical purposes only and cannot be used for law enforcement, taxation, or regulatory actions.

Federal Tax Information (FTI) is tax return and return information received from the IRS or derived from IRS data. FTI has some of the most stringent protection requirements of any CUI category because unauthorized disclosure is a federal felony under 26 U.S.C. 7213. FTI is commonly encountered in contracts supporting CMS, SSA, state Medicaid programs, and federal financial systems that verify income or tax compliance.

Budget CUI protects pre-decisional budget data, funding profiles, and resource allocation information that has not been publicly released. This includes draft budget submissions, internal agency funding priorities, program funding details, and future-year defense program (FYDP) data that could affect markets, influence competitor strategies, or create political complications if disclosed before official release through the President's Budget.

Proprietary Business Information (PROPIN) protects contractor trade secrets, commercial data, and business-confidential information submitted to the government. This includes proprietary technical data, manufacturing processes, cost and pricing data, and business strategies that companies provide as part of proposals, contract performance, and data deliverables. Protection is mandated by the Trade Secrets Act and FAR procurement integrity provisions.

Source Selection Information encompasses all data generated during the evaluation and selection of contractors, including evaluation criteria and ratings, competitive range determinations, source selection plans, technical and cost evaluation reports, and rankings of offerors. Unauthorized disclosure of source selection information is a criminal offense under the Procurement Integrity Act, carrying penalties of up to 5 years imprisonment.

Patent application data encompasses unpublished patent applications, invention disclosures, and related technical data submitted to the government under contract. Federal contractors are required to disclose inventions made during contract performance under the Bayh-Dole Act. This data is protected from public disclosure until the patent application is published, and premature disclosure could destroy patent rights for both the contractor and the government.

Protected Critical Infrastructure Information (PCII) is voluntarily submitted critical infrastructure information that is protected from public disclosure under the Critical Infrastructure Information Act of 2002. It covers vulnerabilities, threat assessments, security measures, and operational details for critical infrastructure sectors including energy, water, transportation, communications, financial services, and government facilities.

Safeguards Information (SGI) relates to the physical protection of nuclear materials, facilities, and shipments. Regulated by the Nuclear Regulatory Commission (NRC) and the Department of Energy (DOE), SGI includes security plans, vulnerability assessments, guard force deployment information, and details about protective systems at nuclear power plants, research reactors, and fuel cycle facilities.