CUI Categories & Subcategories Explained
Basic vs. Specified, authority citations, registry interpretation.
About this guide
The CUI Registry organizes every kind of controlled material into families and subcategories — each one tied to a specific law, regulation, or government-wide policy. Pick the wrong category and you under-protect the artifact by definition.
This is the plain-English companion to the registry, written for engineers, PMs, and back-office staff who need to read a contract clause and immediately know how to handle the material.
“Every CUI category traces back to a law. The category IS the handling rule.”
What you'll learn
- ✓ Tell CUI Basic apart from CUI Specified — and why mis-classifying Specified is automatic under-protection.
- ✓ Read the family → subcategory → authority structure of the registry without getting lost.
- ✓ Recognize the most common subcategories your team will actually touch.
- ✓ Cite the legal authority behind a marking when challenged.
- ✓ Convert legacy FOUO material into the correct modern CUI category.
- ✓ Run any artifact through a two-minute decision flowchart.
Inside this guide
- Chapter 1 — Basic vs. Specified
  The one distinction that drives every other decision in CUI.
- Chapter 2 — Family structure
  Defense, Privacy, Procurement, Critical Infrastructure, Export Control, Proprietary.
- Chapter 3 — Subcategory deep-dives
  CTI, PRVCY, PROCURE, SP-EXPT, SP-PROP, OPSEC and friends — definitions, examples, markings.
- Chapter 4 — Authority citations
  The statute, regulation, or policy behind each subcategory.
- Chapter 5 — Real contract examples
  Mapping common DoD and federal clauses to the right category.
- Appendix — Decision flowchart
  Run any artifact through a two-minute flowchart to land on the correct category.
Who it's for
- Engineers and PMs interpreting contract clauses.
- Security officers and compliance leads mapping artifacts to authorities.
- HR, finance, and procurement teams handling category-specific CUI.
- Auditors and reviewers verifying category accuracy.
Key takeaways
- Read a contract clause and identify the implied CUI category.
- Cite the legal authority behind every marking.
- Default to higher protection whenever the category is ambiguous.

Parabl says: every CUI category traces back to a law, regulation, or government-wide policy. The category IS the handling rule.
CUI is organized by category in the National Archives CUI Registry. Each category carries its own handling baseline. Knowing the category tells you who can see it, how it ships, and what marking it deserves.
Basic vs. Specified
CUI Basic uses the baseline handling rules in 32 CFR 2002. CUI Specified comes with extra rules in the underlying law. Misclassifying Specified as Basic means under-protection by default.
Families and subcategories
Common families include Defense, Procurement & Acquisition, Privacy, Export Control, Critical Infrastructure, and Proprietary Business Information.
- CUI//SP-EXPT — Export Controlled (ITAR/EAR adjacent)
- CUI//PRVCY — Personally Identifiable Information
- CUI//PROCURE — Procurement & source selection
- CUI//CTI — Controlled Technical Information
- CUI//SP-PROP — Proprietary Business Information
- CUI//OPSEC — Operations Security
Authority citations
Every subcategory traces to a statute, regulation, or government-wide policy. The authority is what makes the rule enforceable — and what auditors expect you to cite.
Real-world examples
Engineering drawings shipped to a fab → CTI. Personnel files in HR → PRVCY. Source selection memos → PROCURE. ITAR-controlled tech data → SP-EXPT.
Registry interpretation
Read the registry from the bottom up: subcategory → family → authority. Confirm against your contract's DD-254 or the program SOW. When categories overlap, the higher protection wins.
Do
- ✓ Mark the specific category beside the [CUI] banner.
- ✓ Map every CUI artifact you own to a category in writing.
- ✓ Cite the legal authority when challenged in review.
- ✓ Treat unknown sensitivity as the highest category until reviewed.
Don't
- ✗ Lump every CUI item under one generic 'CUI' label.
- ✗ Assume legacy 'FOUO' material is exempt — most became CUI.
- ✗ Forward Export Controlled CUI without confirming recipient eligibility.
Take it further
This guide is managed and controlled. Our team reviews each request and sends the guide via email.