Controlled Unclassified Information, or CUI, is sensitive government-related data that is not formally classified but still must be protected. It can include technical drawings, contract details, personal data, or operational information shared with contractors and vendors under specific handling rules.
CUI matters because attackers often target it for espionage, supply-chain compromise, or later abuse in phishing and fraud. In defense environments, CUI is a core focus of CMMC and similar security programs: organizations must control access, encrypt data where appropriate, log activity, and limit sharing to approved systems and personnel. A leak of CUI can create mission risk even without reaching classified material. Defenders treat CUI carefully because protecting it reduces the chance that an adversary can map systems, learn procurement plans, or exploit trusted relationships inside the supply chain.