What is the difference between Controlled Unclassified Information (CUI) and classified information?
Controlled Unclassified Information (CUI) and classified information are both kinds of sensitive government information, but they sit at very different levels of protection and follow separate legal frameworks. Understanding the distinction helps records and information governance professionals apply the right markings, handling rules, and disposition.
Classified information
Classified information is national security information that has been formally determined to require protection against unauthorized disclosure because its release could damage national security. It is assigned a classification level — commonly Confidential, Secret, or Top Secret — based on the degree of expected harm.
Key characteristics:
- Access requires both an appropriate security clearance and a demonstrated need to know.
- It must be created, stored, transmitted, and destroyed under strict, prescribed safeguards.
- An original classification authority decides what is classified, and the information is eventually subject to declassification review.
Controlled Unclassified Information (CUI)
CUI is information that is not classified but still requires safeguarding or dissemination controls under law, regulation, or government-wide policy. Examples of categories include certain privacy, law enforcement, financial, and infrastructure information.
Key characteristics:
- It does not carry a national security classification level and does not, by itself, require a clearance to access.
- Handling is governed by a standardized, government-wide CUI program intended to replace the older patchwork of agency-specific labels (such as “For Official Use Only”).
- Controls focus on limiting access and dissemination to authorized purposes rather than on clearance-based compartmentation.
The practical difference
Think of it as a spectrum of sensitivity. Classified information carries the highest protections, clearance requirements, and the most rigorous storage and destruction rules. CUI is sensitive but unclassified — it must still be marked and safeguarded, yet under lighter, standardized controls.
For recordkeeping, the distinction drives how a record is marked, who may access it, how it is stored and transmitted, and how it is dispositioned. Misidentifying one as the other can lead to over-protection (locking away releasable information) or under-protection (mishandling sensitive material).
For more foundational concepts, see the fundamentals topic hub. When in doubt about a specific category or marking, consult your agency’s security and records officials, since requirements vary by category and authority.
Sources & further reading
Authoritative government and non-profit references.
- Controlled Unclassified Information (CUI) — National Archives (NARA)
- Information Security Oversight Office (ISOO) — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). What is the difference between Controlled Unclassified Information (CUI) and classified information?. Records Management University. https://www.recordsmgmt.org/questions/difference-between-cui-and-classified-information/
MLA
RM University Editorial. "What is the difference between Controlled Unclassified Information (CUI) and classified information?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/difference-between-cui-and-classified-information/.
Related questions
- An employee left and had work records saved only on their personal phone or laptop — how do we recover them?
- Are the outputs of generative AI tools like ChatGPT and Copilot considered records that have to be retained?
- Can a company use a single global retention schedule across multiple countries or do different national laws force separate ones?
- Can an employee be personally fined or fired for deleting records they were supposed to keep?
- Can blockchain make records tamper-proof, and does an immutable ledger satisfy recordkeeping and retention requirements?