CUI vs classified information: what is the difference and do they get handled differently?
Controlled Unclassified Information (CUI) and classified information are both sensitive, but they sit at different levels of protection and follow different rules. Confusing them can lead to over-restricting routine records or, worse, under-protecting national security material.
What each term means
Classified information is information the government has formally determined, under national security authorities, could damage national security if disclosed without authorization. It is assigned a level — generally Confidential, Secret, or Top Secret — based on the degree of expected harm. Access requires a security clearance and a demonstrated need to know.
Controlled Unclassified Information (CUI) is information that is sensitive and requires safeguarding or dissemination controls under law, regulation, or government-wide policy, but that does not meet the threshold for classification. Examples often include certain privacy, law enforcement, financial, or critical-infrastructure information. CUI replaced an inconsistent patchwork of older agency labels (such as “For Official Use Only”) with a single standardized program.
Are they handled differently?
Yes — meaningfully.
- Authority: Classification flows from national security authorities; CUI flows from the laws and regulations that already require protecting that specific category of information.
- Access: Classified material requires an appropriate clearance plus need to know. CUI generally does not require a clearance, but access is still limited to those with a lawful purpose.
- Marking: Both use prescribed markings, but the systems are distinct. Classified records carry classification levels and declassification instructions; CUI carries CUI banner markings and category designations.
- Storage and transmission: Classified information demands accredited facilities, approved containers, and secure channels. CUI safeguarding is risk-based and typically less stringent, though still controlled.
- Disposition: Both remain subject to records retention schedules and approved disposition. Classified records may also require formal declassification review before release.
Why it matters for records professionals
Marking, storing, and dispositioning these records correctly is a core information-governance responsibility. Misclassification — in either direction — creates legal exposure and undermines transparency obligations like FOIA. When in doubt, consult your agency’s security or records officials rather than guessing.
For related guidance, see the information governance topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Controlled Unclassified Information (CUI) — National Archives (NARA)
- Information Security Oversight Office (ISOO) — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). CUI vs classified information: what is the difference and do they get handled differently?. Records Management University. https://www.recordsmgmt.org/questions/cui-vs-classified-information-difference-and-how-they-are-handled/
MLA
RM University Editorial. "CUI vs classified information: what is the difference and do they get handled differently?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/cui-vs-classified-information-difference-and-how-they-are-handled/.
Related questions
- Big-bucket vs item-level retention schedules: how do I choose between them?
- Can a company be penalized for keeping data too long under privacy laws even if nothing was breached?
- Can a US company store records in the EU, or do data localization and cross-border transfer rules block it?
- Can executives or board members be held personally liable for information governance failures?
- Can information governance help reduce cloud storage costs, and how?