ISOO CUI Registry vs. DOD CUI Registry: What’s the Difference?

By Payam Pourkhomami, President & CEO of OSIbeyond

Controlled unclassified information, or CUI, is of paramount importance to government contractors because their ability to achieve compliance with regulations often hinges on how it is handled, stored and protected.

However, many contractors struggle to navigate the complexities surrounding CUI, especially when it comes to the difference between the Information Security Oversight Office, or ISOO, CUI Registry and the Department of Defense CUI Registry.

What Is Controlled Unclassified Information?

CUI refers to sensitive information that, while not secret enough to be classified, still needs special handling and protection. In other words, it represents the middle ground between publicly available records and top-secret data.

This category of information was established to standardize the way the executive branch handles sensitive information that doesn’t meet the criteria for classification under Executive Order 13526 or the Atomic Energy Act, but still requires protection from unauthorized disclosure.

The importance of properly handling CUI cannot be overstated, as any failure to do so can lead to serious consequences, including compromised national security, violations of individual privacy and loss of competitive advantage. That’s why the federal government created two registries to define, categorize and guide the protection of CUI.

What Is the Purpose of the ISOO CUI Registry?

The main purpose of the ISOO CUI Registry is to standardize the way executive branch agencies handle unclassified information that requires protection. It is also at the heart of the ISOO’s CUI-related responsibilities.

The registry is essentially a comprehensive reference guide that lists and defines all the approved categories and subcategories of CUI across the federal government. These categories range from personally identifiable information, or PII, and health records to financial data, proprietary business information, law enforcement data and defense-related information.

The registry also provides detailed guidance on how to properly mark CUI documents using banner markings, portion markings, designation indicators and so on, as described in the ISOO CUI Marking Handbook (Version 1.1).

However, contractors must also be aware that while the ISOO Registry sets the general framework for CUI management, specific agencies, such as the DOD, will impose additional requirements. This is where the distinction between the ISOO Registry and the DOD CUI Registry becomes significant.

Before the establishment of the CUI Program under EO 13556 in 2010, agencies used various markings like “for official use only,” a.k.a. FOUO, or “sensitive but unclassified,” or SBU, without any uniform standards. This patchwork of labels led to inconsistent protection and sharing practices, which created security risks and communication barriers.

ISOO, an entity within the National Archives and Records Administration, was tasked with implementing and overseeing the CUI Program established by Executive Order 13556. As part of this responsibility, ISOO created and maintains the CUI Registry.

The DOD CUI Registry

The DOD CUI Registry is the Pentagon’s tailored implementation of the ISOO CUI program. It is largely built upon and mirrors the ISOO CUI Registry — covering essentially the same CUI categories — but with additional information that aligns each category to DOD-specific authorities and needs.

In practice, the DOD CUI Registry contains all the relevant CUI categories (with one notable omission being the immigration category, which does not apply to DOD) and incorporates DOD policy references and examples for each one. This means the fundamental definition of each CUI category is the same as in the ISOO registry, but the DOD registry adds notes on how that category is handled within DOD (such as citing DOD directives or giving defense-related examples).

For anyone working under DOD contracts, the DOD CUI Registry is the authoritative source for CUI requirements. DOD personnel and contractors must follow DOD’s registry and marking rules when dealing with CUI on a DOD program. By contrast, those who are not contracting with DOD should follow the ISOO registry.

The DOD CUI Registry also supports the Department’s cybersecurity initiatives, particularly the Cybersecurity Maturity Model Certification program, a comprehensive framework designed to protect sensitive unclassified information that resides on the Department of Defense’s industry partners’ networks.

The CMMC program requires defense contractors to implement and maintain specific cybersecurity practices and processes based on the type of information they handle. The level of certification required depends on the sensitivity of the information involved, with CUI being a key factor in determining the necessary CMMC level.

Purpose

  ISOO CUI Registry: Lists and defines all the approved categories and subcategories of CUI across the federal government

  DOD CUI Registry: Contains all the relevant CUI categories and incorporates DOD policy references and examples for each one

How do I Determine If I am Handling CUI?

Determining whether information you possess is CUI is an important step for compliance. However, not all unclassified information is CUI—it must fall into a defined category and be designated as such by the government. Below are steps and best practices to help you figure out if you are handling CUI:

  1. Determine which type of protected information you are handling. Examples of protected information that are being replaced by CUI include Sensitive But Unclassified, or SBU; Private; For Official Use Only, aka FOUO; and other less common markings that may be in use. Personally Identifiable Information, or PII, now a subset of CUI, may still be referred to as PII in accordance with the Privacy Act.
  2. Check for CUI markings on the information: The most straightforward indicator is the presence of CUI markings on documents or files. If the government (or a prime contractor) provides you with a document that contains CUI, it is required to be marked clearly as “CUI.” For example, a cover page or header might say “CUI” and may include a category label and dissemination controls. In DOD documents, you will often see a banner like “CUI” at the top and bottom. According to DOD rules, if you receive information from a DOD source without any CUI markings or labels, then that information is not considered CUI.
  3. Review your contract and related documentation: Your contract is a key source of information about CUI handling requirements because agencies are obligated to notify contractors in the contract when CUI is involved. In DOD contracts, look for specific clauses like DFARS 252.204-7012 (Safeguarding Covered Defense Information) and related clauses 252.204-7019, -7020, -7021. If your contract includes one or more of these clauses, it is a strong sign that you will handle CUI.
  4. Consult with your prime contractor (if applicable): If you are a subcontractor, or part of a supply chain under a prime contractor, then your prime contractor is responsible for flowing down CUI requirements and should know exactly what information is considered CUI in the project. Don’t hesitate to ask your prime whether the data you’re working with is CUI. In many cases, a prime or a higher-tier contractor will proactively inform subcontractors about CUI content or provide marking guidance to them.
  5. Ask the contracting officer or agency representative: When in doubt, go straight to the source. It is absolutely acceptable—and often encouraged—to ask your government contracting officer, or CO, for clarification about CUI in your contract. Getting a definitive answer will protect you from making wrong assumptions as it’s far better to get official clarification than to risk mishandling sensitive data due to uncertainty.

How do I Safeguard CUI?

Here are some steps to safeguard CUI and ensure you protect this sensitive information:

  1. Be extremely careful to not expose CUI to unauthorized users. Use a cover sheet on top of documents to protect their contents from casual viewing.
  2. Secure CUI documents in a locked location, such as a desk drawer or file cabinet, when not in use.
  3. Treat all sensitive information as CUI. Some sensitive information may not be marked properly, or marked at all, due to varied time spans of agencies transitioning from legacy markings to CUI. Anyone finding an incorrectly marked document should notify the disseminating individual or agency and request a properly marked document, or have them confirm that it is not CUI.
  4. Ensure only authorized holders have access to CUI.
  5. Electronic CUI shall only be stored in properly encrypted systems, such as a database, email system, website, or similar.
  6. Use a disclaimer as a “splash screen” for any IT system containing CUI. Please view GSA’s CUI Program Guide for the most up-to-date wording for this splash screen.

How do I Safely Share CUI?

Safely sharing CUI is essential to protecting this sensitive information. Here are some tips for safely sharing CUI while facilitating your business practices:

  1. Be aware of your surroundings when discussing CUI over the phone so that unauthorized persons are not within hearing distance.
  2. Ensure CUI on Google sites or GSA webpages is only on a restricted site and is password protected.
  3. Use an encrypted attachment when sending CUI via email outside the GSA network.
  4. Do not put CUI markings on the outside of a package or envelope.
  5. Do not leave CUI documents unattended in an open environment, such as on a printer that unauthorized people can access.

Remember to always verify CUI status early on so that you can implement the necessary security controls (such as those in NIST SP 800-171) and comply with all CUI handling rules.

How do I Avoid Mistakes When Handling CUI?

Handling CUI properly is an essential mission. Here are some tips for avoiding mistakes when handling CUI:

  1. Do not view CUI on public transportation or other open areas where others may be exposed to it.
  2. When traveling in a motor vehicle, it’s best to lock CUI in a trunk, if available, to ensure there is a barrier between the CUI and others.
  3. Do not transmit CUI via nonsecured commercial cloud computing services.
  4. Get to know your proper CUI markings. CUI markings listed in the CUI Registry are the only markings authorized to designate unclassified information requiring safeguarding or dissemination controls.
  5. Unsure? Ask! Anyone finding an incorrectly marked document should notify the disseminating individual or agency and request a properly marked document or have them confirm that it is not CUI.

How the CUI Registry Connects to NIST 800-171 and CMMC

The CUI Registry is connected to NIST 800-171 and CMMC in a few ways. NIST 800-171 provides federal agencies with recommended security requirements for protecting the confidentiality of CUI when the information is on nonfederal systems and organizations. CMMC is the Pentagon’s program to help industry meet adequate cybersecurity requirements. The ISOO CUI Registry, for its part, lists and defines approved categories and subcategories across the federal government.

We at OSIbeyond have extensive experience in this area and are happy to provide assistance. Our team of experts can help you conduct thorough assessments of your information systems and processes to identify CUI, develop and implement robust CUI handling procedures that align with the latest requirements, and even prepare your organization for CMMC certification.

Conclusion

Proper identification and handling of CUI is essential for national security and the protection of sensitive information. While the ISOO CUI Registry provides a comprehensive framework for handling CUI across all executive branch agencies, the DOD CUI Registry offers specific guidance tailored to the defense sector’s unique requirements. With the help of these resources, contractors can better meet their compliance requirements and ultimately contribute to a more secure and efficient GovCon ecosystem.

For more information on CMMC compliance and how OSIbeyond can support your organization, contact us today or download the DOD Contractor’s Guide to CMMC Compliance to get started.

Originally written by Payam Pourkhomami, president & CEO of OSIbeyond. Updated on April 8, 2026, by the GovConWire editorial team to reflect recent regulatory changes.
