How the CUI Program Reaches Contractors

Discover the key DoD instruction that implements the CUI program for contractors and its importance.

---

If you're a defense contractor and someone hands you a document marked "CUI," your first question probably isn't "how did this program get created?" It's "what do I have to do with this?" Fair. But understanding how the CUI (Controlled Unclassified Information) program reaches you — the actual legal chain — tells you something important: your obligations are contract-driven, not just general law. That shapes what you're required to protect and when.

Where the CUI Program Started

The CUI program was created by Executive Order 13556, signed in 2010. Before that, every federal agency had its own informal system for marking and handling sensitive unclassified information — For Official Use Only (FOUO), Sensitive But Unclassified (SBU), Law Enforcement Sensitive, and dozens of similar labels. None of them were consistent. Information marked FOUO by one agency might be handled completely differently by another.

EO 13556 directed the National Archives and Records Administration (NARA) to establish a single, government-wide program: the CUI program. NARA published the implementing regulation at 32 CFR Part 2002, which defines CUI categories, marking requirements, and handling standards. NARA also maintains the CUI Registry — the authoritative list of what qualifies as CUI and under which category.

That's the federal foundation. But federal regulations apply to federal agencies. So how do they reach you, a private contractor?

The Contract Bridge

Federal agencies flow CUI obligations to contractors through contracts. This is the mechanism. If you have a federal contract, the contract clauses specify what CUI you may encounter, how you're required to handle it, and what security standards apply.

For Department of Defense (DoD) contractors, the key clause is DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting. This clause appears in DoD contracts where CUI (specifically what DoD calls "Covered Defense Information" or CDI) is involved. When you sign a contract containing DFARS 252.204-7012, you are legally obligated to:

  • Implement security requirements from NIST SP 800-171 (the National Institute of Standards and Technology special publication covering protection of CUI in nonfederal systems)
  • Report cyber incidents to DoD within 72 hours
  • Preserve and submit malware and cyber incident artifacts as required
  • Flow these same requirements down to your subcontractors

The clause is the bridge. Without it in your contract, NIST 800-171 doesn't apply to you — not because CUI isn't present, but because the obligation hasn't been formally imposed.

How It Flows to Subcontractors

The flowdown requirement in DFARS 252.204-7012 is important. If you're a prime contractor and you subcontract work that involves CUI, you must include equivalent CUI protection obligations in your subcontract. Your subcontractor has to meet the same security standards you do.

This means a small company doing subcontracted work for a prime may have full CMMC (Cybersecurity Maturity Model Certification) obligations even if they never directly interacted with the DoD. Their obligation came from the prime's flowdown clause, which came from the prime's DoD contract.

The flowdown requirement applies to the specific work involving CUI. If a subcontractor only provides a commodity service (raw materials, generic logistics) with no access to CUI, the clause doesn't need to flow down. But if the subcontractor handles technical drawings, specifications, engineering data, or anything that qualifies as CUI, they're in scope.

The CUI Registry: Where Categories Are Defined

Not everything sensitive is CUI. The CUI Registry defines exactly what qualifies — currently around 100 categories organized under broader groupings like Defense, Privacy, Legal, Finance, Intelligence, and Critical Infrastructure.

Defense contractors most commonly encounter:

  • CTI (Controlled Technical Information) — technical information with military application. Engineering drawings, specifications, technical data packages.
  • ITAR-related categories — information subject to International Traffic in Arms Regulations
  • Export Controlled — information regulated under Export Administration Regulations (EAR)
  • Privacy — personally identifiable information subject to federal privacy requirements

Whether a piece of information is CUI depends on its category designation, which comes from the originating agency. The contractor doesn't decide what's CUI — the government does. You receive CUI because an authorized agency official designated it as such.

The Common Mistake

The common mistake is assuming that all sensitive-looking information in your environment is CUI, or conversely, that nothing is CUI unless you've been explicitly told so.

CUI designation comes from the originating agency. If information arrives without a CUI marking, the safest approach is to ask. Contact your contracting officer and ask whether the information requires CUI handling. Don't assume the lack of a marking means the information is uncontrolled — some agencies are inconsistent about marking. And don't assume that applying CUI handling to everything is always safe — overmarking creates compliance burden and can obscure what's actually sensitive.

Your contract is the starting point. What does your contract say about CUI? Which clauses are included? What categories of information are referenced? That's your roadmap for what you're obligated to protect.

Why This Structure Matters

The contract-driven structure of the CUI program has a practical implication: your obligations are specific to your contract and your work scope, not to some general definition of "defense work."

Two contractors in the same industry, doing similar work, may have very different CUI obligations depending on their contracts. One prime's contract may contain DFARS 252.204-7012 and impose full NIST 800-171 requirements. Another's may not — especially if the work doesn't involve technical data or sensitive program information.

This is also why CMMC requirements are tied to contract clauses, not company size or industry. CMMC certification is required when the DoD includes it as a contract requirement. If your contract doesn't include a CMMC requirement, you're not currently obligated to pursue certification — though that may change with contract renewals as CMMC requirements become more widespread.

The Practical Takeaway

Read your contracts. Find your DFARS clauses. Understand what CUI categories you handle and where that designation came from. If you're a subcontractor, get the relevant contract clauses from your prime. Don't rely on informal conversations about "what we need to do" — the written contract is what your assessor and the DoD will reference if there's ever a question.

The CUI program is systematic. Your place in it is defined by the documents you signed.

---

Want to understand what specific NIST 800-171 controls apply once CUI lands in your environment? Our Tier 2 article on system and network requirements for CUI walks through the technical baseline — what every in-scope system needs to have in place.