CUI Compliance: What Defense Contractors Actually Need to Do


If you have a DoD contract that involves technical data, specifications, drawings, or anything else the government considers sensitive, you're already required to protect CUI. The question isn't whether the requirement applies — it's whether you're meeting it.

Here's the framework without the jargon.

The Legal Foundation

Three regulations create your CUI obligations as a defense contractor:

DFARS 252.204-7012 is the contract clause that most prime contractors and subcontractors receive. It requires you to provide adequate security for covered defense information (CDI) — which is largely synonymous with CUI — and to report cyber incidents to the DoD within 72 hours of discovery. It also requires you to flow the same requirements down to subcontractors. If you have this clause in your contract, you have a legal obligation to protect CUI right now, regardless of where CMMC implementation stands.

32 CFR Part 2002 is the executive branch regulation that defines CUI, establishes the CUI Registry, and sets marking and handling requirements. This is where the formal definitions live — what qualifies as CUI, how to categorize it (CUI Basic vs. CUI Specified), and what handling controls apply.

CMMC Level 2 is the certification that DoD is increasingly requiring in contracts to verify that contractors are actually implementing the protections they're supposed to have under DFARS. Level 2 maps directly to NIST SP 800-171 Rev 2 — 110 security requirements across 14 domains. A third-party assessment organization (C3PAO) verifies your implementation. Starting in 2025, CMMC Level 2 requirements appear in new contracts for contractors handling CUI.

These three work together: DFARS creates the obligation, 32 CFR Part 2002 defines what you're protecting, and CMMC verifies you're doing it.

What CUI Actually Is

CUI is information that the government created, or that was created on the government's behalf, and that a law, regulation, or government-wide policy requires to be protected or shared only under specific dissemination controls. It is not classified; classified information has a separate regime. CUI is the middle category: not public, not classified.

For defense contractors, common CUI types include:

  • Controlled Technical Information (CTI) — technical data with military or space application, typically subject to ITAR or EAR controls
  • Export Controlled — information subject to the Arms Export Control Act, the Export Administration Regulations, or similar
  • Privacy — personally identifiable information about DoD personnel
  • Procurement and Acquisition — source selection information, pre-award bid information
  • Naval Nuclear Propulsion — self-explanatory

The full list lives in the CUI Registry at archives.gov/cui. Your contract will specify which categories apply, or the contracting officer will tell you. When in doubt, ask. Misidentifying CUI, whether by missing it or by over-designating non-CUI, creates problems either way.

CUI Basic vs. CUI Specified: Most defense contractor CUI falls under CUI Basic, which requires standard NIST 800-171 protections. CUI Specified adds requirements from specific laws or regulations on top of the baseline — for example, ITAR-controlled CTI has handling requirements from both 800-171 and 22 CFR Parts 120-130.

The 110 Controls: What You're Actually Implementing

NIST SP 800-171 organizes your CUI protection requirements into 14 control families. These are the same 110 requirements that CMMC Level 2 assesses. Here's a practical summary of what each family requires:

Access Control (22 requirements): Every user who accesses CUI systems has a unique account. Multi-factor authentication (MFA) is required for remote access and privileged accounts. Users get minimum access needed (least privilege). Sessions lock after 15 minutes of inactivity. Remote access routes through managed VPN endpoints with FIPS-validated encryption.

Awareness and Training (3 requirements): All users who touch CUI systems complete security awareness training at least annually. Role-based training for privileged users. Everyone is trained to recognize and report insider threat indicators.

Audit and Accountability (9 requirements): Log logins, failed attempts, privilege use, and CUI file access. Centralized log management with at least one year of retention. Protect logs from tampering.

Configuration Management (9 requirements): Document baseline configurations for all CUI systems. Run a change control process. Disable unnecessary services and ports. Restrict user-installed software.

Identification and Authentication (11 requirements): Unique user IDs. Multi-factor authentication for network access and privileged functions. Password complexity and rotation policies. Protect authenticators.

Incident Response (3 requirements): Written incident response capability. Incident testing and exercises. Report incidents to DFARS-required channels within 72 hours.

Maintenance (6 requirements): Controlled, documented maintenance of CUI systems. Sanitize equipment before maintenance if CUI is at risk. Remote maintenance requires MFA and session termination after completion.

Media Protection (9 requirements): Mark all media containing CUI. Restrict media access. Sanitize media before disposal or reuse per NIST SP 800-88. Physically protect portable media. Control media transport.

Personnel Security (2 requirements): Screen individuals before authorizing access to CUI systems. Terminate access promptly when employment ends.

Physical Protection (6 requirements): Restrict physical access to CUI systems. Escort visitors. Log physical access. Control physical access to portable devices.

Risk Assessment (3 requirements): Assess risk periodically. Scan for vulnerabilities and remediate findings in a timely manner.

Security Assessment (4 requirements): Periodically assess security controls. Develop and maintain a Plan of Action and Milestones (POA&M) for gaps. Monitor security controls on an ongoing basis.

System and Communications Protection (16 requirements): Network boundary controls. CUI encrypted in transit with FIPS 140-3 validated cryptography (TLS 1.2+). CUI encrypted at rest with FIPS 140-3 validated cryptography (BitLocker with FIPS mode, LUKS). Split tunneling prohibited. DNS filtering at the boundary.

System and Information Integrity (7 requirements): Anti-malware with automatic updates. Patch management with timely remediation. Monitoring of security alerts and advisories. Malicious code protection at entry/exit points.

Where Defense Contractors Actually Fail

Missing the subcontractor flow-down. DFARS 252.204-7012 requires you to flow CUI requirements down to subcontractors who handle covered defense information. Many prime contractors have great controls for their own systems and then hand CUI to a sub-tier supplier who has no SSP, no MFA, and stores files on a personal OneDrive. That's a breach waiting to happen — and the liability lands on you.

Marking only the cover page. Every page of a CUI document needs a banner marking (CUI or CUI//SP-CTI, etc.), not just the first page. An assessor who finds a 40-page document with markings only on page 1 will flag it as MP.L2-3.8.4 non-compliance.
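As an added example (not code from the original article), a small Python checker for the "marking only the cover page" failure: given a document as per-page text, it reports the pages that carry no banner and flags inconsistent banners across pages. The simplified banner grammar, the sample four-page document, and the rule that all banners in one document must agree are assumptions of this example.

```python
import re
from typing import Dict, List

# Simplified banner grammar from the CUI marking scheme: "CUI", optionally
# followed by "//" and a category list (an "SP-" prefix means CUI Specified),
# then optionally "//" and dissemination controls, e.g. "CUI//SP-CTI//NOFORN".
# A banner must stand on its own line; "CUI" mentioned inside a sentence
# is not a marking.
BANNER_RE = re.compile(
    r"^[ \t]*CUI"
    r"(?://(?P<cats>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?"
    r"(?://(?P<dissem>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?"
    r"[ \t]*$",
    re.MULTILINE,
)

def find_banners(page_text: str) -> List[str]:
    """Return every well-formed banner line found on one page."""
    return [m.group(0).strip() for m in BANNER_RE.finditer(page_text)]

def check_document(pages: List[str]) -> Dict[str, object]:
    """Audit a document given as per-page text (e.g. from a PDF extractor).
    Every page must carry a banner; this example also assumes all banners
    in one document should agree."""
    missing: List[int] = []
    banners = set()
    for num, text in enumerate(pages, start=1):
        found = find_banners(text)
        if not found:
            missing.append(num)
        banners.update(found)
    return {
        "pages": len(pages),
        "missing_pages": missing,
        "distinct_banners": sorted(banners),
        "compliant": not missing and len(banners) == 1,
    }

# Constructed 4-page technical document: only page 1 is marked properly,
# page 3 carries a bare "CUI" banner, pages 2 and 4 are unmarked.
SAMPLE_PAGES = [
    "CUI//SP-CTI\nWidget Assembly Specification, Rev B\n1.0 Scope\nCUI//SP-CTI",
    "2.0 Requirements\nThe assembly shall withstand ...\nThis page contains CUI.",
    "CUI\n3.0 Drawings\nSee sheet 3 of 7.\nCUI",
    "4.0 Appendix A: Test Data\nRun 1: pass\nRun 2: pass",
]

if __name__ == "__main__":
    print(check_document(SAMPLE_PAGES))
```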

Using non-FIPS-validated encryption. AES-256 is an approved algorithm, but a given implementation of it is not automatically FIPS-validated. The specific cryptographic module must appear in the NIST Cryptographic Module Validation Program (CMVP) list. Contractors regularly deploy encryption and then fail the assessment because they can't produce a CMVP validation certificate number.

Not having a current SSP. Your System Security Plan must describe how your organization implements each of the 110 controls. "We use a firewall" is not an SSP entry. The assessor needs specifics: what product, how it's configured, who manages it, and where the evidence lives. An outdated or template SSP fails the assessment even if your technical controls are solid.

Self-Assessment vs. C3PAO Assessment

Most contracts currently require you to complete a NIST SP 800-171 self-assessment and submit your score to SPRS (Supplier Performance Risk System). A self-assessment means you evaluate your own implementation honestly, calculate a score per the DoD's NIST SP 800-171 Assessment Methodology, and report it. The score starts at 110 and loses points for each requirement that is not fully implemented, so a poorly implemented environment can score well below zero.
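An added example, not part of the original article: a Python implementation of the SPRS score calculation described above, using the per-requirement point values (5, 3 or 1) and the two partial-credit cases from the DoD NIST SP 800-171 Assessment Methodology. The requirement subset in WEIGHTS and the sample self-assessment are constructed for this example; a real run needs the full 110-entry table.

```python
from typing import Dict, List, Tuple
# Point values follow the DoD NIST SP 800-171 Assessment Methodology
# (each requirement is worth 5, 3, or 1 point). Only a sample of the
# 110 requirements is listed; a real run needs the full table.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.10": 1,   # session lock after inactivity
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multi-factor authentication
    "3.8.4": 1,    # mark media containing CUI
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.2": 5,   # malicious code protection
}
# Requirements the methodology allows to score as partially implemented
# (3 points lost instead of 5): MFA only for some users, and encryption
# in place but not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}
Gap = Tuple[str, str, int]  # (requirement, state, points lost)

def sprs_score(status: Dict[str, str],
               weights: Dict[str, int] = WEIGHTS) -> Tuple[int, List[Gap]]:
    """status maps requirement id -> 'implemented' | 'partial' | 'not'.
    Returns (score, gaps) with gaps ordered highest cost first, which is
    the natural seed for a POA&M. A requirement absent from `status`
    counts as not implemented."""
    score = 110
    gaps: List[Gap] = []
    for req, weight in weights.items():
        state = status.get(req, "not")
        if state == "implemented":
            continue
        # "partial" earns a reduced deduction only where the methodology says so
        lost = 3 if (state == "partial" and req in PARTIAL_CREDIT) else weight
        score -= lost
        gaps.append((req, state, lost))
    gaps.sort(key=lambda g: (-g[2], g[0]))
    return score, gaps

# Constructed self-assessment for a small shop: MFA only on admin accounts,
# disk encryption enabled but without a CMVP certificate, no media marking.
SAMPLE_STATUS = {
    "3.1.1": "implemented", "3.1.10": "implemented", "3.3.1": "not",
    "3.5.3": "partial", "3.13.11": "partial", "3.14.2": "implemented",
}

if __name__ == "__main__":
    score, gaps = sprs_score(SAMPLE_STATUS)
    print(f"SPRS score: {score}")          # 98 for the sample above
    for req, state, lost in gaps:
        print(f"  {req}: {state} (-{lost})")
```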

C3PAO assessment (required for higher-priority contracts under CMMC) means a qualified third-party organization evaluates your controls using the same methodology, but their findings carry CMMC certification authority. For contracts that specifically require CMMC Level 2 certification, self-assessment is not sufficient.

Decision point: If your contract language says "CMMC Level 2 certification required," you need a C3PAO. If it says "NIST SP 800-171 compliance required" (and references SPRS reporting under DFARS 252.204-7012), a self-assessment is the baseline. Many contractors start with a self-assessment for current contracts and begin C3PAO preparation in parallel, because the gap between "self-assessed" and "C3PAO-certifiable" is often significant.

Realistic Timeline and Cost

Going from a poor security baseline (common score of -100 to 20 on the 110-point scale) to CMMC Level 2 readiness typically takes 12 to 18 months and $100,000 to $500,000 depending on your environment size, current state, and whether you need managed services.

The most common cost buckets:

  • Enclave build or enterprise uplift: $50,000–$150,000 for a small enclave (under 20 CUI users); more for enterprise-wide upgrades
  • Compliance platform (GRC tool): $15,000–$50,000/year (Drata, Secureframe, RegScale)
  • Security awareness training: $15–$30/user/year (KnowBe4, Proofpoint)
  • Centralized logging/SIEM: $20,000–$80,000/year (Splunk, Microsoft Sentinel)
  • C3PAO assessment: $50,000–$150,000 depending on scope
  • Consulting and SSP development: $30,000–$100,000

These are not scare numbers — they're what organizations actually spend. The contractors who spend the least are usually ones who started early, scoped their CUI environment tightly (enclave approach), and did the documentation work themselves with targeted expert help.

What Your Assessor Expects

A CMMC Level 2 assessor from a C3PAO uses three evaluation methods against each of the 110 requirements:

  • Examine: Reviews your SSP, policies, procedures, configuration files, logs, and training records
  • Interview: Asks your system administrators, security personnel, and end users how controls work and how they're maintained
  • Test: Verifies controls actually function — attempting access, checking configurations, reviewing log capture

The domains that consume the most assessment time are Access Control (22 requirements), System and Communications Protection (16 requirements), and Configuration Management (9 requirements). Together, they represent over 40% of the assessment. Come prepared with:

  • Current SSP with implementation descriptions for each control
  • Evidence files organized by domain (screenshots, configuration exports, training records)
  • Network diagrams and data flow diagrams showing where CUI lives
  • Access control lists and role definitions
  • POA&M for any controls not yet fully implemented

Your POA&M is not a failure document — it's evidence of an honest assessment and a remediation plan. Assessors understand that organizations are in various stages. An empty POA&M on a first assessment from a small company is actually more suspicious than one with documented gaps and realistic timelines.

---

Start with your SSP. Everything else in a CMMC assessment points back to it. If you don't have a current one, that's step one.