CUI (Controlled Unclassified Information)
CUI is information the US Government creates or possesses, or that an entity creates or possesses for the Government, that requires safeguarding consistent with the law and policies cataloged in 32 CFR Part 2002.
CUI is the unifying framework that replaced legacy markings like FOUO, SBU, and LES. It is not classified, but it has handling requirements that apply across federal civilian and defense work.
For AI, the relevant standard is NIST SP 800-171 — the controls a non-federal system must implement to process CUI. The DoD's CMMC program audits compliance with those controls for defense industrial base contractors.
A CUI-capable AI deployment requires controlled access, FIPS-validated cryptography, comprehensive audit logging, and an environment that maps cleanly to the 800-171 control families. Backplain's sovereign deployment is built around that mapping.
Sovereign compute is AI infrastructure where the hardware, network, and operational staff all sit inside a single jurisdiction's legal control — typically dedicated bare-metal servers in a domestically owned and operated data center.
An ITAR-compliant AI deployment processes International Traffic in Arms Regulations data on infrastructure that is owned, operated, and physically located inside the United States and accessed only by US persons.