The short answer
CUI stands for Controlled Unclassified Information: information the federal government considers sensitive but has not classified. If your contract includes DFARS 252.204-7012 or a CMMC Level 2 requirement, you almost certainly handle CUI, and where that CUI is stored, processed, and transmitted determines your CMMC assessment scope. Mishandling CUI can fail an assessment, cost you the contract, and expose your company to civil liability.
What CUI is in one sentence
CUI is unclassified information that the federal government has identified as requiring protection (because a law, regulation, or government-wide policy says so) and has marked or otherwise designated as controlled.
Common types of CUI defense contractors actually see
- Controlled technical information (CTI). Technical drawings, specifications, manufacturing processes, source code, and test results for defense-related items.
- Critical infrastructure information. Details about energy, water, communications, or other critical infrastructure.
- Export controlled information. Items subject to ITAR or EAR controls. (Note: ITAR data carries its own additional handling rules, including restrictions on access by non-US persons, on top of the CUI rules.)
- Performance specifications. Detailed performance and operational requirements not publicly released.
- Procurement and acquisition data. Source selection, proposal information, contractor performance assessments.
- Information systems vulnerability information. Pen test results, internal security assessments, and vulnerability scans of government or government-adjacent systems.
The full taxonomy is maintained on the National Archives CUI Registry. There are several dozen categories. Most defense contractors only encounter four or five.
What is NOT CUI
- Public information. Marketing materials, your website, general capabilities statements, anything already publicly released.
- Classified information. Classified (Confidential, Secret, Top Secret) has its own much stricter handling regime. CUI is for unclassified data only.
- Your own proprietary information. Trade secrets and proprietary IP that the government has not designated as CUI belong to you, not to the CUI program.
- Routine business communications. Internal HR, finance, and operations data not derived from a contract.
How CUI is identified
CUI does not announce itself unless someone marks it. There are three signals to watch for:
- Contract clauses. DFARS 252.204-7012 and the CMMC clause (DFARS 252.204-7021) are the most common. If they appear in your contract, you are expected to encounter CUI.
- Markings on the document or file itself. CUI items should be marked at the top and bottom of every page with "CUI", followed where applicable by the category (such as "CUI//SP-CTI" for the Specified category Controlled Technical Information). A bare "CUI" banner with no category is also a valid marking for CUI Basic.
- The Statement of Work. If the SOW describes the work product as sensitive, controlled, or related to a defense system, treat it as CUI until proven otherwise.
When in doubt, ask your contracting officer. Treating something as CUI when it is not is far cheaper than treating CUI as ordinary information.
How CUI must be marked
Per the CUI program (32 CFR 2002), CUI markings include:
- A banner at the top of each page or screen that begins with "CUI" (or "CONTROLLED") and lists the category or categories.
- A footer repeating the marking at the bottom of each page.
- A portion marking next to individual paragraphs or sections if only some content is CUI.
- A designation indicator identifying the agency that designated the information as CUI (commonly a "Controlled by:" line) and, optionally, a point of contact.
If you generate CUI as part of contract performance (drawings, reports, test results), you are responsible for marking it properly before transmitting or storing it.
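One practical use of the marking rules above is a pre-transmission check: before a file leaves the CUI enclave (for instance as a mail gateway or DLP rule), confirm that it carries a well-formed banner at top and bottom, that the two agree, and that a designation indicator is present. The Python below is an added example written for this page, not a tool from the CUI program, NARA, or any vendor. It parses the banner syntax the page describes ("CUI", optionally followed by "//" and one or more category markings separated by "/", with an "SP-" prefix for Specified categories) and reports marking defects on a few constructed sample documents. The category set, the "Controlled by:" form of the designation indicator, and the sample text are assumptions made for illustration; real banners can also carry limited-dissemination segments that this subset does not model, and the authoritative category list is the CUI Registry.

```python
import re
from dataclasses import dataclass

# Constructed subset of CUI Registry category markings, taken from the categories this page
# lists. Assumption for illustration only: check the National Archives CUI Registry.
KNOWN_CATEGORIES = {"CTI", "EXPT", "PROCURE", "ISVI", "CEII"}

# Banner syntax modelled here: "CUI" or "CONTROLLED", optionally "//" followed by one or
# more category markings separated by "/". Specified categories carry an "SP-" prefix,
# e.g. "CUI//SP-CTI". Dissemination-control segments are deliberately not modelled.
_SEGMENT = r"[A-Z][A-Z0-9-]*(?:/[A-Z][A-Z0-9-]*)*"
_BANNER_RE = re.compile(rf"^(?:CUI|CONTROLLED)(?://({_SEGMENT}))?$")


@dataclass(frozen=True)
class Banner:
    # Tuple of (category name, is_specified), e.g. (("CTI", True),) for CUI//SP-CTI.
    categories: tuple


def parse_banner(line: str):
    """Return a Banner for a valid banner line, or None if the line is not a CUI banner."""
    m = _BANNER_RE.match(line.strip())
    if not m:
        return None
    cats = []
    for item in (m.group(1) or "").split("/"):
        if not item:
            continue
        specified = item.startswith("SP-")
        cats.append((item[3:] if specified else item, specified))
    return Banner(tuple(cats))


def check_document(text: str) -> list:
    """Return the marking problems found in one page of text; an empty list means it is OK.

    Checks: banner on the first and last non-empty line, header and footer agree,
    every category is one we recognise, and a designation indicator is present
    (assumed to be a line beginning "Controlled by:").
    """
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return ["empty document"]
    problems = []
    header = parse_banner(lines[0])
    footer = parse_banner(lines[-1]) if len(lines) > 1 else None
    if header is None:
        problems.append("no CUI banner on the first line")
    if footer is None:
        problems.append("no CUI banner on the last line")
    elif header is not None and footer != header:
        problems.append("footer marking differs from header marking")
    if header is not None:
        for name, _specified in header.categories:
            if name not in KNOWN_CATEGORIES:
                problems.append(f"unrecognised category marking: {name}")
    if not any(l.strip().startswith("Controlled by:") for l in lines):
        problems.append("no designation indicator (Controlled by: ...)")
    return problems


# Constructed sample documents (not real CUI).
GOOD = """CUI//SP-CTI
Drawing 1234: bracket assembly, rev C (constructed sample)
Controlled by: Example Program Office (constructed)
CUI//SP-CTI
"""

HEADER_ONLY = """CUI//CTI
Test report (constructed sample): footer and designation indicator missing
"""

MISMATCH = """CUI//SP-CTI/EXPT
Controlled by: Example Program Office (constructed)
CUI//SP-CTI
"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("header_only", HEADER_ONLY), ("mismatch", MISMATCH)):
        print(label, check_document(doc) or "OK")
```

Run it and the first sample passes cleanly while the other two are rejected with the specific defect named, which is the output a gateway rule would log before blocking the send. The check deliberately fails closed on anything that does not parse as a banner, because an unmarked or mis-marked derived work is exactly the mistake this page warns about.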
How CUI must be stored and transmitted
The full requirements are in NIST SP 800-171 Rev 2, but the practical short list is:
- Access controlled storage. Only people with a need to know can reach it. NIST SP 800-171 requires multi-factor authentication for local access to privileged accounts and for all network access, privileged or not.
- FIPS validated encryption in transit and at rest. Where encryption is used to protect the confidentiality of CUI, the cryptographic module itself must be FIPS 140 validated and listed by the NIST Cryptographic Module Validation Program; TLS or disk encryption built on an unvalidated module does not satisfy the requirement.
- Encrypted email when transmitting. Microsoft 365 GCC High (or DoD) or another mail service whose provider meets the DFARS 7012 cloud requirements (FedRAMP Moderate or equivalent, plus the incident reporting and forensic obligations in paragraphs (c) through (g) of the clause).
- No personal devices or unmanaged cloud storage. Personal Gmail, Dropbox personal accounts, and consumer file sharing are not CUI compliant.
- Audit logging. You must be able to show who accessed CUI, when, and what they did with it.
- Destruction protocols. Old hard drives, paper, and removable media that touched CUI are destroyed per NIST SP 800-88 guidelines.
The relationship between CUI, NIST 800-171, and CMMC
The three are intentionally linked:
- CUI is the data the government cares about protecting.
- NIST SP 800-171 Rev 2 is the set of 110 security requirements for protecting CUI in non-federal systems (like your contractor environment). This is the revision DFARS 7012 and CMMC currently point to.
- CMMC is the DoD's program for assessing whether you actually meet NIST SP 800-171 (and, for Level 3, a subset of NIST SP 800-172). For most contractors handling CUI this means CMMC Level 2 with a C3PAO assessment; a Level 2 self-assessment is permitted only where the contract says so.
So: CUI is what you protect, NIST 800-171 is how, and CMMC is the proof.
Common CUI handling mistakes
- Treating contract data as routine. If the contract has a DFARS 7012 clause, any deliverable derived from it should be treated as CUI until you confirm otherwise.
- Sending CUI from a personal account "just this once." The audit trail makes that one email a finding.
- No marking on derived work. If you generate a drawing for a CUI program, you must mark it.
- Subcontractors who do not know. DFARS 7012 flows down to every subcontractor that will handle CUI, and the flow-down makes them accountable, but you should verify their handling, not assume it.
- Confusing CUI with classified. CUI is unclassified. Treating it like classified data is overkill; treating it like ordinary data is a violation.
Frequently asked questions
What does CUI stand for?
CUI stands for Controlled Unclassified Information. It is unclassified information the federal government has identified as needing protection because of laws, regulations, or government wide policies, and has marked or designated as controlled.
How do I know if I have CUI?
Three signals: your contract includes DFARS 252.204-7012 or a CMMC clause, the data is marked with "CUI" or a specific CUI category, or the Statement of Work describes the deliverable as sensitive or controlled. When in doubt, ask the contracting officer.
Is CUI the same as classified?
No. CUI is unclassified information that still requires protection. Classified information (Confidential, Secret, Top Secret) has its own much stricter handling regime managed under different authorities. CUI is the layer between classified and ordinary unclassified.
Can I store CUI in regular Microsoft 365 or Google Workspace?
No. Commercial Microsoft 365 and standard Google Workspace tenants are not set up to meet the DFARS 7012 requirements for CUI, which call for cloud services that meet the FedRAMP Moderate baseline or equivalent and whose provider accepts the incident reporting, malware submission, media preservation, and forensic access obligations in paragraphs (c) through (g) of the clause. Use Microsoft 365 GCC High (or DoD), AWS GovCloud, or another FedRAMP authorized environment that meets those terms and the NIST SP 800-171 requirements. If the CUI is also ITAR controlled, the environment must additionally restrict access to US persons.
What is the penalty for mishandling CUI?
Penalties range from contract termination and being barred from future DoD awards to civil liability under the False Claims Act, especially if you certified compliance to win the contract. Under its Civil Cyber-Fraud Initiative, the Department of Justice has pursued multi-million-dollar settlements against contractors who misrepresented their cybersecurity posture.