Controlled Unclassified Information (CUI) is any information that law, regulation, or governmentwide policy requires to have safeguarding or dissemination controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).
32 CFR Part 2002 "Controlled Unclassified Information" was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.
The CUI Executive Agent can be reached at
Information Security Oversight Office - Controlled Unclassified Information
National Archives and Records Administration
700 Pennsylvania Ave, N.W., Room 100
Washington, DC 20408-0001
E-mail: cui@nara.gov
NIST does not have a role in implementation, assessment, or oversight of the DFARS Clause 252.204-7012. The following resources are available from the Department of Defense (DoD).
Cybersecurity in DoD Acquisition Regulations page at for Related Regulations, Policy, Frequently Asked Questions, and Resources (June 26, 2017)
DPAP Website for DFARS, Procedures, Guidance and Information (PGI), and Frequently Asked Questions
DoDI 5230.24, Distribution Statements on Technical Documents
DoD’s Defense Industrial Base Cybersecurity program (DIB CS Program)
Questions can be submitted to: osd.dibcsia@mail.mil
CMMC requirements are determined by the DoD CMMC Program Office. Questions about the specifics of those requirements, assessments, and maintenance should be directed to DoD.
For information about the CMMC program, please see: https://www.acq.osd.mil/cmmc/index.html
NARA and NIST objected to DFARS' use of a selected subset of SP 800-53 controls.
There was broader stakeholder concern regarding implementation challenges for non-Federal systems.
The solution was to develop a separate NIST Special Publication for the protection of CUI in nonfederal organizations, with the following design criteria:
Based on FIPS 200, with control language drawn from SP 800-53, to meet the moderate impact level
Performance-based, so that it is applicable to existing nonfederal systems
Eliminates Federal-centric requirements
Focuses on providing confidentiality protection for CUI