CUI Lifecycle Management
Ensure compliance and effective management of CUI at the time of creation of CUI material.
CUI doesn't appear in your environment, sit in one place, and stay there. It moves — created by an engineer, emailed to a subcontractor, stored on a server, backed up to the cloud, printed for a review meeting, and eventually either retained per your contract or destroyed. Each step in that path has specific requirements. If any step is uncontrolled, you have a gap.
Lifecycle management is the practice of applying the right controls at each phase. It's not a separate program — it's the thread that runs through your entire NIST 800-171 implementation.
Phase 1: Creation
The moment CUI is created, your obligations begin. "Creation" includes generating new CUI (an engineer writes a specification that qualifies as Controlled Technical Information) and receiving CUI (a contracting officer emails you a statement of work with sensitive acquisition information).
What happens at creation:
- Identify it. The person creating or receiving CUI must recognize that it qualifies as CUI. This requires training — people who create or handle CUI need to know what their contracts designate as CUI and how to recognize it.
- Categorize it. Is it CUI Basic (standard 800-171 protections) or CUI Specified (additional category-specific controls from a law or regulation)?
- Mark it. Apply the correct CUI banner (at minimum, "CUI" at the top and bottom of every page). If the category is Specified, include the category abbreviation (e.g., CUI//SP-CTI for Controlled Technical Information). Add the designation indicator block to the first page.
- Route it into your controlled environment. CUI created on or received by systems outside your CUI boundary is a problem from the start. Employees who draft CUI in personal Google Docs, save it to personal OneDrive, or email it from personal accounts have violated the handling requirements before the document is finished.
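The marking rules above (a "CUI" banner at the top and bottom of every page, a category marking such as CUI//SP-CTI for Specified documents, a designation indicator block on the first page) are mechanical enough to check automatically before a document leaves the creation phase. The checker below is an added example written for this article, not code from the original page or from any vendor; it treats a document as a list of page texts and assumes your template's designation indicator block begins with a "Controlled by:" line, and the sample documents are constructed.

```python
import re
from dataclasses import dataclass, field

# Banner line: "CUI" alone (CUI Basic) or "CUI//<CAT>[/<CAT>...]" (CUI Specified,
# e.g. CUI//SP-CTI). Category tokens: upper-case letters, digits and hyphens.
BANNER_RE = re.compile(r"^CUI(?://(?P<cats>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?$")

# Assumption: our document template's designation indicator block starts with this line.
INDICATOR_RE = re.compile(r"^Controlled by:", re.MULTILINE)


@dataclass
class MarkingResult:
    ok: bool
    findings: list = field(default_factory=list)


def parse_banner(line):
    """Return the tuple of category markings if `line` is a CUI banner, else None."""
    m = BANNER_RE.match(line.strip())
    if m is None:
        return None
    cats = m.group("cats")
    return tuple(cats.split("/")) if cats else ()


def fmt_banner(cats):
    return "CUI" if not cats else "CUI//" + "/".join(cats)


def check_marking(pages, expected_categories=()):
    """Check every page for top and bottom banners and page 1 for the indicator block.

    `pages` is the document as a list of page texts. When `expected_categories`
    is given (e.g. ("SP-CTI",)), every banner must carry exactly those markings;
    when empty (CUI Basic), any well-formed banner is accepted.
    """
    expected = tuple(expected_categories)
    findings = []
    if not pages:
        return MarkingResult(False, ["document has no pages"])
    for num, page in enumerate(pages, start=1):
        lines = [l for l in page.splitlines() if l.strip()]
        if not lines:
            findings.append(f"page {num}: page is empty")
            continue
        top, bottom = parse_banner(lines[0]), parse_banner(lines[-1])
        if top is None:
            findings.append(f"page {num}: missing top banner")
        if bottom is None:
            findings.append(f"page {num}: missing bottom banner")
        for where, cats in (("top", top), ("bottom", bottom)):
            if cats is not None and expected and cats != expected:
                findings.append(
                    f"page {num}: {where} banner reads {fmt_banner(cats)}, "
                    f"expected {fmt_banner(expected)}"
                )
    if INDICATOR_RE.search(pages[0]) is None:
        findings.append("page 1: designation indicator block missing")
    return MarkingResult(not findings, findings)


# Constructed sample documents (not real CUI).
GOOD_DOC = [
    "CUI//SP-CTI\nControlled by: Example Corp Engineering\nCUI Category: CTI\n"
    "1. Scope\nThis specification covers ...\nCUI//SP-CTI",
    "CUI//SP-CTI\n2. Requirements\n...\nCUI//SP-CTI",
]
BAD_DOC = [
    "CUI\nDesign notes derived from the specification above.\nCUI",  # no category, no indicator
    "CUI\nMore notes\n",                                             # bottom banner missing
]

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        result = check_marking(doc, expected_categories=("SP-CTI",))
        print(name, "OK" if result.ok else "FAIL")
        for finding in result.findings:
            print("  -", finding)
```

Run it as a pre-commit or pre-upload hook on exported page text; a document that fails should not be routed into the controlled share until the markings are corrected, which is the point at which the engineer is most likely to fix them.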
The most common creation-phase failure: the engineer who drafts a design document with CUI on a laptop that's not in the CUI environment, then transfers it manually. By the time it reaches the CUI system, it may have already been synced to a cloud backup service, shared via an unencrypted channel, or emailed to someone who has no CUI handling obligations.
Controls in play at creation: AT.L2-3.2.1 (awareness training), MP.L2-3.8.4 (media marking), AC.L2-3.1.3 (information flow enforcement).
Phase 2: Use
"Use" covers everything that happens between creation and final disposition — working with CUI, accessing it, processing it, modifying it.
Access controls: Only authorized users with a need-to-know access CUI. Under AC.L2-3.1.3 (control information flows) and AC.L2-3.1.5 (least privilege), you define roles, document who has access, and review that list regularly. A quarterly access review that produces an artifact — a signed list, a system-generated report — is the kind of evidence your assessor wants.
System controls: CUI processing must happen on systems inside your CUI boundary. Those systems require the full set of 800-171 controls: FIPS-validated encryption at rest, endpoint protection, MFA for access, session timeouts, audit logging. Every user accessing CUI gets a unique account — no shared logins, no generic accounts.
Physical use: When CUI is accessed on paper or displayed on screens, physical controls apply. CUI shouldn't be visible on unattended screens. Printed CUI documents must be kept in controlled areas, marked correctly, and not left in conference rooms, printers, or on desks overnight.
Collaboration: If you share CUI with colleagues or subcontractors during the use phase, you're in the transmission phase simultaneously (see below). The two often overlap — a collaboration session that transmits CUI over email or a file-sharing platform triggers the transmission requirements.
Phase 3: Storage
CUI at rest requires FIPS 140-3 validated encryption on every storage system in scope — servers, workstations, laptops, portable drives, and cloud storage (SC.L2-3.13.8).
Storage requirements by location:
- On-premises servers: Full disk encryption or volume-level encryption using FIPS-validated modules. BitLocker on Windows Server with FIPS mode enforced via Group Policy. Verify the module validation certificate number in the NIST CMVP list.
- Workstations and laptops: BitLocker (Windows) or FileVault (macOS with T2/M-series chip). Laptops are high-risk — portable devices leave the physical perimeter. FIPS-validated encryption on every laptop is non-negotiable.
- Portable media: Encrypted USB drives (IronKey, Kingston DataTraveler Vault Privacy) or prohibition on portable media containing CUI. MP.L2-3.8.1 requires you to protect system media both physically and logically.
- Cloud storage: If you store CUI in cloud services, the cloud service must be authorized for CUI under FedRAMP Moderate or DoD IL2/IL4 equivalent. Microsoft 365 GCC High and SharePoint GCC High are commonly used by defense contractors. Commercial Microsoft 365 is not authorized for CUI without additional controls. Azure Information Protection (now Microsoft Purview Information Protection) can enforce labeling and encryption on files stored in SharePoint GCC High.
- Backup systems: Backups are in scope because the backup system stores copies of CUI data. MP.L2-3.8.9 requires that CUI in backup storage be protected with appropriate controls: send encrypted backups to an authorized cloud service or to an encrypted on-premises backup target. Your assessor will ask about your backup systems; many contractors forget them.
Cost context: Moving from commercial Microsoft 365 to GCC High runs $22–$38/user/month (Microsoft 365 Business Premium GCC High tier, approximate 2025 pricing) versus $22/user/month for the commercial equivalent. Over 50 users for a year, that's roughly $6,000–$9,600 in additional annual cost — not massive, but it requires tenant migration, which takes 2–4 months.
Managed security services that include CUI storage management run $200–$600/user/year for smaller contractors, covering the storage encryption, access control, and monitoring components.
Phase 4: Transmission
Every time CUI moves — emailed, shared via file transfer, transmitted over a VPN, sent to a subcontractor — the transmission requirements apply.
SC.L2-3.13.11 requires FIPS 140-3 validated cryptography for CUI in transit. In practice:
- Email: Encrypted email (S/MIME, Microsoft 365 Message Encryption using GCC High, or a secure email gateway). Standard SMTP email is not adequate. Many contractors use Microsoft 365 GCC High with message encryption policies applied automatically to messages identified as containing CUI.
- File transfer: SFTP, HTTPS file portals with TLS 1.2+, or encrypted file sharing platforms authorized for CUI (SharePoint GCC High, DoD SAFE). Not regular FTP, not consumer Dropbox, not unencrypted email attachments.
- VPN: Remote workers connecting to the CUI environment must use a VPN client with FIPS-validated modules. Split tunneling to non-CUI networks is prohibited (SC.L2-3.13.7).
- Physical mail/courier: Printed CUI documents sent by mail require opaque packaging, addressed to a named individual, via traceable carrier. Consider using encrypted digital transmission instead where possible.
Subcontractor transmission: When you send CUI to a subcontractor, you're transmitting it to another organization. Verify that your sub has adequate controls — encryption on their end, authorized systems — before the first transmission. Your contract should include flow-down requirements (DFARS 252.204-7012), and you should verify they're actually implemented, not just contractually required.
Phase 5: Retention and Records Management
Not all CUI can be destroyed the moment you're done with a contract. Federal records regulations and contract terms often require retention for specified periods:
- DFARS clause 252.215-7000 requires contractors to retain records supporting pricing and cost data for three years after final payment.
- Technical data and deliverables under research and development contracts may have retention requirements of five to seven years.
- Personnel records and certain financial records: retention periods vary by record type.
Your CUI lifecycle policy needs to address retention. The decision point is: what's the retention period for each CUI type you handle, and what triggers destruction eligibility?
Varonis and similar data governance tools can help track file ages, access patterns, and classify aging CUI for scheduled review. This is useful for large organizations managing hundreds of CUI documents across multiple contracts, where automated disposition scheduling replaces manual file audits.
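The decision point above has two parts: the retention period per CUI type, and the event that starts the clock. File age is not the trigger; a pricing file created in 2018 is still not destroyable if final payment has not occurred. The scheduler below is an added example written for this article, not code from the page or from Varonis or any other tool. Its rule table is constructed: the three-years-after-final-payment rule is the DFARS 252.215-7000 period the article cites, the R&D period is an assumption set to the top of the five-to-seven-year range, and the records are sample data.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed retention rules: CUI type -> (trigger event, years retained after it).
# "pricing-cost-data" follows the DFARS 252.215-7000 period cited in the article;
# "rd-technical-data" is an assumption (top of the 5-7 year range). Replace both
# with the periods in your own contracts.
RETENTION_RULES = {
    "pricing-cost-data": ("final_payment", 3),
    "rd-technical-data": ("contract_close", 7),
}


@dataclass
class CuiRecord:
    record_id: str
    cui_type: str
    created: date
    trigger_events: dict = field(default_factory=dict)  # event name -> date it occurred


def add_years(d, years):
    """Same calendar date `years` later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(record, today):
    """Return (status, eligible_on, note) for one record.

    status is 'eligible' (destruction may be scheduled), 'retain' (date known
    but not yet reached) or 'hold' (no rule, or the trigger has not happened).
    A 'hold' must never be destroyed, however old the file is.
    """
    rule = RETENTION_RULES.get(record.cui_type)
    if rule is None:
        return ("hold", None, f"no retention rule for type '{record.cui_type}'")
    trigger, years = rule
    trigger_date = record.trigger_events.get(trigger)
    if trigger_date is None:
        return ("hold", None, f"retention clock starts at '{trigger}', which has not occurred")
    eligible_on = add_years(trigger_date, years)
    if today >= eligible_on:
        return ("eligible", eligible_on, f"{years} years after {trigger} on {trigger_date}")
    return ("retain", eligible_on, f"eligible on {eligible_on}")


def schedule(records, today):
    """Map record id -> disposition tuple for the whole inventory."""
    return {r.record_id: disposition(r, today) for r in records}


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    CuiRecord("R1", "pricing-cost-data", date(2019, 2, 1), {"final_payment": date(2021, 6, 30)}),
    CuiRecord("R2", "pricing-cost-data", date(2018, 5, 9)),   # old file, but no final payment yet
    CuiRecord("R3", "rd-technical-data", date(2016, 11, 3), {"contract_close": date(2020, 1, 15)}),
    CuiRecord("R4", "misc-records", date(2015, 1, 1)),        # no rule defined -> hold
]

if __name__ == "__main__":
    for rid, (status, when, note) in schedule(SAMPLE_RECORDS, date(2025, 3, 3)).items():
        print(rid, status, when, "-", note)
```

The output of `schedule` is the artifact your disposition process acts on: "eligible" records go to the destruction queue described in Phase 6, "retain" records get a review date, and "hold" records are the ones to raise with the contracts team, since a missing trigger date or a CUI type with no rule usually means the policy has a gap.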
Phase 6: Destruction
When CUI reaches the end of its retention period (or is otherwise authorized for destruction), MP.L2-3.8.3 requires sanitization or destruction using NIST SP 800-88 methods. The destruction phase is discussed in detail in a companion article on CUI destruction procedures, but the lifecycle integration point is this: you need a formal disposition process that triggers destruction at the right time, documents what was destroyed and how, and removes the disposed-of media from your asset inventory.
Common Mistakes in Lifecycle Management
Treating lifecycle as a one-time event. CUI lifecycle is continuous. New CUI enters your environment with every contract deliverable, every DoD email, every design iteration. Lifecycle controls need to be embedded in daily operations — templates that automatically apply banners, automated data loss prevention (DLP) policies that flag CUI moving to unauthorized locations, regular access reviews.
Not tracking CUI media inventory. MP.L2-3.8.1 requires protecting CUI media, which implies you know where it is. An untracked USB drive with CUI is a gap waiting to become a breach. Every device or media item that stores CUI should appear in your asset inventory with the CUI status noted.
Forgetting derived CUI. If your engineer reads a CUI document and then writes a new analysis document that incorporates information from it, that new document is also CUI. The CUI designation follows the information, not the original file. Organizations frequently generate derivative documents without applying proper markings.
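The three mistakes above share one detection: a flow policy that watches labelled files and flags any CUI-labelled file (including a derived document that inherits the label) landing on a destination outside the CUI boundary or on media that is not in the asset inventory with CUI status noted. The scanner below is an added example written for this article, not code from the page or from any DLP product; the log format, the destination names, and the asset inventory schema are all constructed assumptions standing in for whatever your DLP tool and inventory actually export.

```python
import csv
import io
from dataclasses import dataclass

# Constructed asset inventory: media/device serial -> CUI status (schema is an assumption).
ASSET_INVENTORY = {
    "USB-IRONKEY-0042": {"owner": "j.doe", "cui_approved": True},
    "USB-KINGSTON-0107": {"owner": "a.roe", "cui_approved": False},
    "LT-ENG-017": {"owner": "a.roe", "cui_approved": True},
}

# Storage and sharing locations inside the CUI boundary (constructed names).
AUTHORIZED_DESTINATIONS = {"cui-fs01", "sharepoint-gcch", "backup-gcch"}

# Substrings identifying personal cloud services (the article's own examples).
PERSONAL_CLOUD_MARKERS = ("onedrive-personal", "docs.google.com")

# Constructed file-activity log; `label` is the sensitivity label carried by the file.
SAMPLE_LOG = """ts,user,action,label,src,dst
2025-03-03T09:12:00Z,j.doe,copy,CUI//SP-CTI,cui-fs01,sharepoint-gcch
2025-03-03T09:15:00Z,j.doe,copy,CUI//SP-CTI,cui-fs01,usb:USB-IRONKEY-0042
2025-03-03T09:20:00Z,a.roe,copy,CUI,cui-fs01,usb:USB-UNKNOWN-0009
2025-03-03T09:24:00Z,a.roe,copy,CUI,cui-fs01,usb:USB-KINGSTON-0107
2025-03-03T09:31:00Z,a.roe,upload,CUI,LT-ENG-017,onedrive-personal
2025-03-03T10:02:00Z,a.roe,copy,PUBLIC,cui-fs01,dropbox.com
"""


@dataclass
class Alert:
    ts: str
    user: str
    dst: str
    reason: str


def is_cui(label):
    """True for 'CUI' and 'CUI//...' labels; a derived document keeps the label."""
    return label.split("//", 1)[0].strip().upper() == "CUI"


def evaluate(row):
    """Return a reason string if this event violates the flow policy, else None."""
    if not is_cui(row["label"]):
        return None
    dst = row["dst"]
    if dst.startswith("usb:"):
        asset = ASSET_INVENTORY.get(dst[len("usb:"):])
        if asset is None:
            return "CUI written to removable media that is not in the asset inventory"
        if not asset["cui_approved"]:
            return "CUI written to inventoried media not approved for CUI"
        return None
    if any(marker in dst for marker in PERSONAL_CLOUD_MARKERS):
        return "CUI sent to a personal cloud service"
    if dst not in AUTHORIZED_DESTINATIONS:
        return "CUI moved to a location outside the CUI boundary"
    return None


def scan(log_text):
    """Run the flow policy over a CSV activity log and return the alerts."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reason = evaluate(row)
        if reason:
            alerts.append(Alert(row["ts"], row["user"], row["dst"], reason))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.ts, alert.user, alert.dst, "-", alert.reason)
```

Two design points carry over to a real deployment. The policy keys on the label, not on file content, so labels must be applied at creation (Phase 1) and must survive derivation, which is exactly what automatic labelling templates are for. And the inventory lookup means the asset register is a control input, not just documentation: an IronKey that was never entered will be flagged on first use, which is the behaviour you want.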
What Your Assessor Expects
The assessor evaluates lifecycle controls across multiple CMMC domains — Media Protection (9 controls), System and Communications Protection (16 controls), and Access Control (22 controls). They'll look at whether your SSP describes lifecycle controls for each phase, not just whether technical controls are in place.
During the assessment, expect questions like:
- "Walk me through what happens when an employee receives a CUI email from the government."
- "How does CUI get from a remote worker's laptop to your file server?"
- "What happens to a laptop when an employee leaves?"
- "How do you know when CUI on a project is authorized for destruction?"
These questions span the entire lifecycle. If you can answer each one with a documented procedure and a supporting piece of evidence, you're in good shape. If you're improvising answers, the assessor notices.
Organize your SSP with lifecycle in mind — a section that describes each phase, the controls in place, and the evidence locations. This makes the assessor's job easier and demonstrates that you've thought through the full picture rather than just individual technical controls.