CUI: What It Is and What You're Required to Do With It

Discover essential insights on managing CUI controlled unclassified information for compliance.


---

Executive Summary

Key takeaways:

  • CUI (Controlled Unclassified Information) is any government information requiring protection under law, regulation, or government-wide policy. If your contract contains DFARS 252.204-7012, you're handling CUI — whether or not you know it.
  • CUI comes in two types: Basic (standard NIST 800-171 controls) and Specified (additional controls layered on top). Most defense contractors handle CUI Basic; some touch Specified categories like Controlled Technical Information (CTI) or Export Controlled (EXPT).
  • Finding CUI in your environment — every place it lives, moves, and gets stored — is the prerequisite to everything else. You can't protect what you haven't found.
  • Minimum requirements: mark it, protect it in transit and at rest with FIPS-validated encryption, control who accesses it, monitor who touches it, and dispose of it properly.
  • Cross-framework note: CUI handling requirements under 32 CFR Part 2002 predate CMMC. ISO 27001 Annex A.8 (information classification and handling) covers similar ground, but CUI adds federal regulatory specificity that ISO alone doesn't satisfy.

---

What CUI Actually Is

Controlled Unclassified Information is a government-defined category, established by Executive Order 13556 in 2010 and codified in 32 CFR Part 2002. It covers information that federal law, regulation, or government-wide policy requires to be protected or controlled — but that isn't classified.

The practical definition for defense contractors: if your government customer says "protect this," it's probably CUI.

The authoritative source for what qualifies as CUI is the National Archives CUI Registry at archives.gov/cui. The Registry lists every approved CUI category and subcategory, which federal authorities established each category, and what the specific handling requirements are. Bookmark it — when you're unsure whether a document is CUI, start there.

Common CUI categories you'll encounter in defense contracting:

  • Controlled Technical Information (CTI) — technical information with military or space application, including specifications, engineering data, test results. This is the most common type for engineering and manufacturing contractors.
  • Export Controlled (EXPT) — information controlled under ITAR (International Traffic in Arms Regulations) or EAR (Export Administration Regulations). Requires additional care around foreign national access.
  • Procurement and Acquisition — source selection information, contractor proposals, pricing data. Common in program management environments.
  • Privacy (PII) — personally identifiable information about government personnel, beneficiaries, or contractors.
  • Law Enforcement — sensitive law enforcement operations or investigation information.

Your contract documents will typically identify the type of CUI involved. The Statement of Work, DD Form 254 (the Contract Security Classification Specification), or the contracting officer's technical representative can tell you exactly which CUI category applies to your contract.

CUI Basic vs. CUI Specified

This is the decision point that determines your handling requirements.

CUI Basic is CUI where the authorizing law or regulation doesn't impose requirements beyond NIST SP 800-171. This is the majority of what defense contractors handle. If your CUI is Basic, implementing the 110 CMMC Level 2 practices satisfies your handling obligations.

CUI Specified is CUI where the specific law or regulation that established the category does impose requirements beyond 800-171. Examples: Naval Nuclear Propulsion Information (NNPI), certain ITAR-controlled information. If your CUI is Specified, you need to identify what the additional requirements are (they're listed in the CUI Registry) and implement them on top of the CMMC baseline.

Most defense contractors working on standard development or manufacturing contracts handle CUI Basic. If your contract involves nuclear, chemical, biological, or radiological information; sensitive nuclear material; or highly sensitive ITAR-controlled data, check the Registry carefully for Specified category requirements.

---

Step One: Find Your CUI

Before you can protect CUI, you have to know where it is. This sounds obvious. Most organizations seriously underestimate how scattered their CUI actually is.

A CUI discovery exercise typically takes 2–4 weeks and involves:

1. Contract review. Read every active contract for DFARS 252.204-7012 (the clause that triggers CMMC requirements). Make a list of every contract that includes it, and identify from the contract documents what CUI types are involved.

2. Data flow mapping. Trace CUI through your organization: How does it arrive? (Email from the contracting officer? Secure file transfer? Classified mail?) Where is it first stored? Who accesses it and from where? Where is it transmitted? (Email to subcontractors? File shares?) Where is it backed up? When and how is it destroyed?

Build an actual diagram — even a rough whiteboard sketch. Every system on that diagram is potentially in your CMMC assessment scope.

3. System discovery. Look for CUI in places people forget:

  • Email systems (both sent and received messages with CUI attachments or content)
  • Collaboration tools (Teams, SharePoint, Slack channels where CUI gets shared)
  • Personal workstations (drafts, downloads folders, local copies employees made)
  • Cloud storage (OneDrive, Dropbox, Google Drive — especially personal accounts employees may be using)
  • Mobile devices (phones that receive email with CUI attachments)
  • Backup systems (backup copies of everything above)
  • Paper documents in physical files and printers

4. Interview employees. Talk to the people who actually handle the information. Program managers know where the technical files live. Administrative staff know what gets printed and filed. Engineers know about the folder they created on the shared drive three years ago. The IT team's asset inventory misses the places people actually put things.

Tooling for discovery at scale: If you're a mid-to-large organization (200+ employees), manual discovery won't be thorough enough. Microsoft Purview Information Protection can scan your Microsoft 365 environment (email, SharePoint, Teams, OneDrive) for content patterns that match CUI types and auto-apply sensitivity labels. Varonis Data Security Platform provides broader coverage including file servers and on-premises environments. These tools run $5,000–$15,000 for initial setup and discovery, plus ongoing subscription costs, but the alternative — manually reviewing tens of thousands of files — is unrealistic.

---

What You're Required to Do with CUI

Once you've found your CUI, you have six categories of obligations.

1. Mark It

Practice MP.L2-3.8.4 requires that you mark media containing CUI with the appropriate designation. "Media" means everything: documents, emails, digital files, physical drives, printed materials.

The marking format is standardized under 32 CFR Part 2002. Every CUI document needs:

  • Banner marking on the top and bottom of every page: CUI (for Basic) or CUI//[category abbreviation] for Specified categories (e.g., CUI//SP-CTI for Specified Controlled Technical Information)
  • Designation indicator on the first page: identifying agency, CUI category, applicable dissemination controls, and a point of contact

For emails: CUI in the subject line, banner at top and bottom of the body.

For digital files: CUI in the filename or metadata field, plus a cover sheet if the file will be printed.

The common mistake: organizations mark printed documents but leave the same information unmarked in their digital forms — the SharePoint folder, the Teams message, the PDF attachment. Marking obligations follow the information, not the paper.

Another common error: using "FOUO" (For Official Use Only). FOUO was replaced by the CUI program in 2010. It's not a valid marking. If you find FOUO-marked documents in your environment, re-mark them as CUI with the correct format. An assessor who finds FOUO markings will treat them as improperly marked CUI.
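The two marking mistakes above (digital copies left unmarked, legacy FOUO banners) are exactly what a discovery pass over the locations listed in Step One should surface. The following is an added example, not code from the article: it takes documents already believed to be CUI from contract review, reads the first and last non-blank lines as the top/bottom banner, and sorts them into marked, legacy FOUO, unmarked, or malformed. The banner grammar (`CUI` for Basic, `CUI//SP-<CATEGORY>` for Specified, optional dissemination-control segment) and the sample corpus are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Banner grammar assumed from the article's convention: "CUI" for Basic,
# "CUI//SP-<CATEGORY>" for Specified, optionally followed by one
# "//<dissemination control>" segment. This is an assumption for the
# example; confirm the exact form against the CUI Registry for your category.
BANNER_RE = re.compile(r"^CUI(?://SP-[A-Z]+(?:/SP-[A-Z]+)*)?(?://[A-Z-]+)?$")
LEGACY_RE = re.compile(r"\b(?:FOUO|FOR OFFICIAL USE ONLY)\b", re.IGNORECASE)

@dataclass
class Finding:
    path: str
    status: str   # marked | legacy_fouo | unmarked | malformed
    detail: str

def classify_document(path: str, text: str) -> Finding:
    """Check the first and last non-blank lines for a matching top/bottom CUI banner."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return Finding(path, "unmarked", "empty document")
    top, bottom = lines[0], lines[-1]
    if LEGACY_RE.search(top) or LEGACY_RE.search(bottom):
        return Finding(path, "legacy_fouo", "FOUO is not a valid marking; re-mark as CUI")
    if not top.startswith("CUI"):
        return Finding(path, "unmarked", "no CUI banner on the first line")
    if not BANNER_RE.match(top):
        return Finding(path, "malformed", f"banner {top!r} is not CUI or CUI//SP-<CAT>")
    if bottom != top:
        return Finding(path, "malformed", f"bottom banner {bottom!r} does not match top")
    return Finding(path, "marked", top)

def review_corpus(docs: dict) -> dict:
    """Group documents believed to be CUI (from contract review) by marking status."""
    report = {"marked": [], "legacy_fouo": [], "unmarked": [], "malformed": []}
    for path, text in docs.items():
        f = classify_document(path, text)
        report[f.status].append(f)
    return report

# Constructed sample corpus: the same engineering data living in the places the
# discovery step lists (file server, OneDrive sync, mailbox, Teams). Not real data.
SAMPLE_DOCS = {
    r"\\fileserver\projects\alpha\spec-v3.txt": "CUI//SP-CTI\nTurbine blade tolerances ...\nCUI//SP-CTI\n",
    r"C:\Users\pm\OneDrive\drafts\spec-v3 copy.txt": "Turbine blade tolerances ...\n",
    "mailbox/2023-06-12 RE test results.eml": "FOUO\nAttached: test results\nFOUO\n",
    "teams/engineering/notes.txt": "CUI\nMeeting notes on drawings\n",
    r"\\fileserver\projects\beta\pricing.txt": "CUI\nProposal pricing data\nCUI\n",
}

if __name__ == "__main__":
    for status, items in review_corpus(SAMPLE_DOCS).items():
        for f in items:
            print(f"{status:12} {f.path}  ({f.detail})")
```

Everything that lands in `legacy_fouo`, `unmarked`, or `malformed` is a re-marking task; the `unmarked` OneDrive copy is the "marked on paper, unmarked in digital form" case the text describes.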

2. Control Who Accesses It

Practice AC.L2-3.1.3 requires limiting CUI access to authorized users, processes, and devices — and to the types of transactions and functions those users are permitted to execute. In plain terms: need-to-know access control.

In practice, this means:

  • Defined roles that determine who can access CUI (by job function, not just by rank or seniority)
  • Access control lists on every system, share, and folder that holds CUI
  • Regular access reviews to confirm current employees have appropriate access and former employees have been removed
  • For CUI that involves export controlled information: additional screening for foreign national status

The most common access control failure is permission sprawl — people who used to work on a CUI contract still have access to the data after they've moved to a different project. Build access reviews into your process: at minimum quarterly, checking that access is still appropriate, and immediately upon employee departure or role change.

3. Protect It in Transit and at Rest

Practice SC.L2-3.13.10 (managing cryptographic keys) and related SC domain practices require FIPS 140-3 validated encryption for CUI, both when it's stored and when it's transmitted.

At rest: Full disk encryption on every device that stores CUI. On Windows: BitLocker with FIPS mode enabled (via Group Policy). On macOS: FileVault on T2/Apple Silicon (which uses a FIPS-validated Secure Enclave). In the cloud: server-side encryption using FIPS-validated modules (Azure, AWS GovCloud, and Microsoft 365 GCC High all qualify; consumer cloud services do not).

In transit: TLS 1.2 or higher with FIPS-validated cipher suites. VPN for any remote access to CUI systems. Email encryption (S/MIME or equivalent) if CUI is transmitted via email.

The critical detail: "encrypted" is not sufficient. The specific cryptographic implementation must appear on the NIST Cryptographic Module Validation Program (CMVP) list. Standard AES-256 is the algorithm; the FIPS validation confirms the implementation is correct. Your assessor will ask for the validation certificate number. Know it.

MFA for remote access: Practice IA.L2-3.5.3 requires multi-factor authentication for all remote access to systems containing CUI and for all privileged local accounts. MFA is not optional and not phased in — it's a hard requirement at Level 2.

4. Monitor Who Touches It

The Audit and Accountability domain (AU) requires that you log access to CUI systems and review those logs. Specifically:

  • AU.L2-3.3.1 — Create and retain system audit logs sufficient to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized access to CUI
  • AU.L2-3.3.2 — Ensure actions of individual users can be traced to those users so they can be held accountable

In practice: centralized logging of all access to CUI systems (successful logins, failed logins, file access, privilege use), with log retention of at least one year (three months immediately accessible for analysis). Every user account needs to be uniquely identifiable — no shared accounts that make individual accountability impossible.

Your logs are also your evidence. When something goes wrong, audit logs tell you who accessed CUI, from where, and when. When your assessor reviews your AU domain, they'll look at log configuration, log completeness, and evidence that someone actually reviews them.
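The access review described under "Control Who Accesses It" and the log review described here are the two halves of the same check: the ACL says who should be touching CUI, and the audit trail says who did. The following is an added example, not code from the article: it runs a constructed ACL and a few constructed audit lines through both reviews and reports stale ACL entries (permission sprawl), events by accounts that cannot be traced to an individual (AU.L2-3.3.2), access by departed or unlisted users, and repeated failed logins. The log line format, the ACL, the departed list, and the account-prefix convention are all assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample audit events from a CUI file share (not real logs).
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=jdoe action=READ path=/cui/alpha/spec.pdf result=OK
2024-03-04T08:05:40Z user=svc_shared action=READ path=/cui/alpha/spec.pdf result=OK
2024-03-04T08:07:03Z user=kchen action=READ path=/cui/alpha/test-results.xlsx result=OK
2024-03-04T09:15:22Z user=tmiller action=LOGIN path=- result=FAIL
2024-03-04T09:15:31Z user=tmiller action=LOGIN path=- result=FAIL
2024-03-04T09:15:39Z user=tmiller action=LOGIN path=- result=FAIL
2024-03-04T09:15:45Z user=tmiller action=LOGIN path=- result=OK
2024-03-04T09:16:10Z user=tmiller action=READ path=/cui/alpha/drawings.zip result=OK
2024-03-04T10:30:00Z user=rlee action=READ path=/public/handbook.pdf result=OK
"""
# Constructed review inputs: the share's current ACL and HR's departed list.
# tmiller is the permission-sprawl case: departed but still on the ACL.
ACL = {"/cui/alpha": {"jdoe", "rlee", "tmiller"}}
DEPARTED = {"tmiller"}
NON_INDIVIDUAL = ("svc_", "shared", "admin")   # account prefixes not traceable to one person
LINE_RE = re.compile(r"^\S+ user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+) result=(?P<result>\S+)$")

def parse_log(log: str) -> list:
    events = []
    for ln in log.splitlines():
        m = LINE_RE.match(ln)
        if not m:
            raise ValueError(f"unparseable audit line: {ln!r}")
        events.append(m.groupdict())
    return events

def share_of(path: str):
    """CUI share (longest ACL prefix) containing path, or None if the path is not CUI."""
    for share in sorted(ACL, key=len, reverse=True):
        if path.startswith(share + "/"):
            return share
    return None

def access_review(acl: dict, departed: set) -> list:
    """AC.L2-3.1.3 review: ACL entries that should have been removed on departure."""
    return sorted((s, u) for s, users in acl.items() for u in users if u in departed)

def review_log(log: str, fail_threshold: int = 3) -> list:
    """Return (kind, user, path) findings in log order."""
    findings, fails = [], Counter()
    for ev in parse_log(log):
        u, path = ev["user"], ev["path"]
        if u.startswith(NON_INDIVIDUAL):
            findings.append(("not_traceable", u, path))          # AU.L2-3.3.2
        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            fails[u] += 1
            if fails[u] == fail_threshold:
                findings.append(("repeated_failed_login", u, path))
        share = share_of(path)
        if share and ev["result"] == "OK":
            if u in DEPARTED:
                findings.append(("departed_user_access", u, path))
            elif u not in ACL[share] and not u.startswith(NON_INDIVIDUAL):
                findings.append(("not_on_acl", u, path))
    return findings
```

Calling `access_review(ACL, DEPARTED)` and `review_log(SAMPLE_LOG)` together shows the point the text makes: the stale ACL entry is not a theoretical risk, because the log records that account actually reading CUI after departure.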

5. Report Incidents Involving CUI

If CUI is compromised — or if you have reason to suspect it was — DFARS 252.204-7012 requires you to report to DoD within 72 hours of discovery. This isn't a CMMC practice; it's a contractual obligation that runs alongside CMMC.

The report goes to the DoD Cyber Crime Center (DC3) via dibnet.dod.mil. You'll need to provide: contract number, the CUI category involved, the systems affected, how the incident was discovered, and what you've done in response.

Practice IR.L2-3.6.1 requires a documented incident response capability — you need a written incident response plan that covers how you detect, respond to, and recover from security incidents, including the 72-hour reporting requirement. Your plan needs to be tested, not just written.

6. Dispose of It Properly

CUI can't just be deleted or thrown in the recycling bin when you're done with it. Practice MP.L2-3.8.3 requires sanitizing media before disposal or reuse using NIST SP 800-88 methods.

For digital media: cryptographic erase (destroy the encryption key — the data becomes unreadable), secure overwrite (multiple passes per DoD 5220.22-M or NIST 800-88), or physical destruction. "Delete" and "format" are not sanitization.

For paper CUI: shredding to cross-cut or micro-cut standards (P-4 level or higher per DIN 66399), or burning. Strip-cut shredders are not sufficient — the strips can be reassembled.

Keep records of CUI destruction: what was destroyed, when, by whom, and what method was used. This is especially important for equipment disposition (retiring laptops, replacing servers) — a paper trail showing proper sanitization protects you from liability if a device reappears with CUI on it.

---

Where Most Contractors Get This Wrong

Scoping CUI to only the obvious places. The shared drive everyone knows about, the project folder on the file server — those get protected. The project manager's personal OneDrive sync, the email thread from six months ago, the PDF on someone's laptop — those don't. Thorough discovery is the difference between a CUI program that works and one that looks good on paper.

Thinking contracts without explicit "CUI" language are safe. Federal contractors sometimes assume that if their contract doesn't use the word "CUI," they're not handling it. But CUI categories are broad, and information doesn't become CUI only when someone stamps it. If you're receiving technical data from DoD, supporting military systems, or working on covered defense programs, you almost certainly have CUI regardless of how your paperwork is phrased. When in doubt, ask your contracting officer.

Relying on legacy FOUO or "company confidential" designations. These are internal labels with no federal legal force. CUI marking is a federal requirement. Your company's confidentiality markings don't satisfy it.

Treating CUI handling as an IT problem. IT can deploy the technical controls — encryption, access control, logging. But the business decisions — what information qualifies as CUI, who needs access, what the data flow is, what happens when an employee leaves — those belong to program management and operations. CUI compliance is an organizational discipline, not a technology deployment.

---

What Your Assessor Expects

CUI handling cuts across multiple CMMC domains, so your assessor will touch it throughout the assessment. The most concentrated review happens in the Media Protection (MP), Access Control (AC), System and Communications Protection (SC), and Audit and Accountability (AU) domains.

What they'll examine: Samples of CUI documents (checking for proper marking), access control lists for CUI systems (checking for need-to-know enforcement), encryption configuration evidence (FIPS validation certificates), media sanitization records, audit log configuration and retention settings, and your incident response plan.

What they'll ask in interviews: "How do you determine what is CUI in your environment?" "What happens when an employee who had CUI access leaves the company?" "Walk me through how you would respond to a CUI-related incident." "How do you train employees to recognize and handle CUI?"

What they'll test: They may attempt to access CUI systems without proper credentials. They may check whether session locks engage properly. They may verify that audit logs capture what they're supposed to capture. They may ask to see recent log output.

The documentation they want to see assembled:

  • A current data flow diagram showing CUI paths
  • The asset inventory from your SSP (CUI Assets specifically)
  • Sample marked documents (demonstrates marking compliance)
  • Access control policy and evidence of access reviews
  • Encryption implementation evidence with FIPS validation certs
  • Media sanitization records
  • Incident response plan with the DFARS 72-hour reporting requirement explicitly included
  • CUI handling training records (who was trained, when, on what content)

---

Cross-Framework Alignment

ISO 27001:2022 — Annex A controls A.5.12 (classification of information), A.5.13 (labeling of information), A.5.14 (information transfer), and A.8.10 (information deletion) cover the same ground as CUI marking, transfer controls, and disposal. If you're ISO-certified, you have the process frameworks; you need to apply them specifically to federal CUI categories.

NIST CSF 2.0 — The Protect function's data security category (PR.DS) maps directly to CUI protection requirements. CSF doesn't provide the specific CUI categories and legal backing that 32 CFR Part 2002 does, but if you're using CSF as an organizational framework, your PR.DS activities should be configured to CUI-specific requirements.

FedRAMP — If your CUI lives in a cloud environment, that cloud service needs to be FedRAMP Authorized at the Moderate baseline (at minimum) or use Microsoft 365 GCC High / Azure Government / AWS GovCloud. Consumer cloud services (commercial Office 365, Google Workspace, consumer Dropbox) are not approved for CUI. This is a bright-line rule, not a risk-based decision.

---

Putting It Together

CUI compliance isn't complicated in theory. Find it, mark it, lock it down, watch who touches it, report problems, destroy it properly. Where contractors get into trouble is execution: skipping the discovery work, leaving islands of unprotected CUI in corners of the environment nobody checked, or treating marking as a paperwork exercise without the technical controls underneath.

The right starting point is always the discovery exercise. Until you know where all of your CUI lives, everything else is built on an incomplete foundation.

---

Need help scoping your CUI environment before your assessment? Talk to a consultant.

Related reading: System and Network Requirements for CUI | How to Mark CUI Documents | CMMC Scoping: What's In and What's Out