The One-Sentence Answer
Controlled Unclassified Information (CUI) is government-created or government-provided information that isn't classified but still requires specific safeguarding and dissemination controls under 32 CFR Part 2002.
That's the textbook answer. Here's the practical one: CUI is the reason you need CMMC.
If your company touches DoD contracts and handles any information beyond what's publicly available, you almost certainly handle CUI. And under CMMC 2.0, that means you need to meet NIST SP 800-171 Rev 2 controls — all 110 of them — to keep winning work.
Why CUI Exists
Before 2010, every federal agency had its own system for handling sensitive-but-unclassified information. DoD had "FOUO." DHS had "SBU." The intelligence community had its own labels. It was chaos.
Executive Order 13556 (2010) created the CUI Program to standardize all of it under one framework managed by the National Archives (NARA). One set of rules. One registry. One marking system.
The goal was simple: stop treating the same type of information differently depending on which agency created it.
CUI Categories That Matter to Defense Contractors
The CUI Registry lists over 100 categories across 20 groupings. Most defense contractors will encounter these:
Most Common in DoD Contracts
| Category | What It Looks Like |
|---|---|
| Controlled Technical Information (CTI) | Engineering specs, drawings, technical data with military application |
| Export Controlled (ITAR/EAR) | Anything on the USML or CCL — hardware specs, software, technical data |
| Procurement & Acquisition | Source selection info, proposals, cost/pricing data |
| Critical Infrastructure | Physical security plans, vulnerability assessments |
| Privacy (PII) | Employee records, personnel data in contract deliverables |
| OPSEC | Operations security assessments, vulnerability data |
The One Most People Miss
Controlled Technical Information (CTI) catches contractors off guard because it's broad. If you receive technical drawings, specifications, or data with a distribution statement (Statements B through F on the cover page), that's CTI. That's CUI. That triggers NIST 800-171.
Many small contractors think "we don't handle classified, so we're fine." They're wrong. That engineering drawing your prime emailed you? CUI. The test results in the shared portal? CUI. The cost proposal sitting in someone's personal Gmail? CUI — and a compliance violation.
How to Know If You Handle CUI
Three questions:
- Do you have a DoD contract or subcontract? If yes, keep going.
- Does your contract include DFARS 252.204-7012? This is the clause that requires NIST 800-171 compliance for CUI. Check your contract — it's probably there.
- Does the government (or your prime) send you information that isn't publicly available? Technical data, drawings, specs, personnel info, source selection documents, vulnerability data? All CUI.
If you answered yes to all three: you handle CUI. Full stop.
CUI vs. Classified vs. Public Information
| | Public | CUI | Classified |
|---|---|---|---|
| Access restrictions | None | Need-to-know + lawful purpose | Security clearance required |
| Marking required | No | Yes — "CUI" or "CONTROLLED" banner | Yes — classification level |
| Storage requirements | None | NIST 800-171 controls | SCIFs, approved containers |
| Spillage = incident? | No | Yes | Yes (more severe) |
| CMMC level | Level 1 (FCI only) | Level 2 | Level 3+ |
The critical distinction: CUI doesn't require a clearance to access, but it does require proper safeguarding. That's the gap most small contractors fall into — they treat CUI like regular business data because "it's not classified."
CUI Marking Requirements
When you create documents containing CUI, they must be marked:
- Banner marking: "CUI" or "CONTROLLED" at the top and bottom of each page
- Designation indicator: Which CUI category applies (e.g., "CUI//CTI" or "CUI//SP-EXPT")
- Dissemination controls: Who can access it (e.g., "NOFORN," "FEDCON")
- Portion marking: Optional but recommended — mark individual paragraphs
Most contractors receive CUI that's already marked by the government or their prime. The challenge is when you create derivative documents — reports, analyses, deliverables — that contain CUI data. Those need marking too.
What Happens If You Mishandle CUI
This isn't theoretical. The consequences are real and escalating:
- DFARS 252.204-7012 requires you to report cyber incidents involving CUI to the DoD within 72 hours
- False Claims Act liability if you self-assessed NIST 800-171 compliance but weren't actually compliant
- Loss of contracts — primes are increasingly flowing CMMC requirements down and verifying compliance before awarding subcontracts
- CMMC 2.0 makes third-party assessment mandatory for Level 2 — self-attestation isn't enough for CUI anymore
The DoJ's Civil Cyber-Fraud Initiative is actively pursuing contractors who misrepresent their cybersecurity posture. If your SPRS score says 110 but your actual implementation says 47, that's a problem.
CUI and CMMC 2.0: The Direct Connection
Here's how CUI maps to CMMC:
- No CUI, only FCI (Federal Contract Information): CMMC Level 1 — 17 security requirements, self-assessment
- CUI present: CMMC Level 2 — 110 practices (NIST 800-171 Rev 2), third-party assessment by a C3PAO
- CUI with critical national security programs: CMMC Level 3 — 110+ practices, government-led assessment
Most defense contractors handling CUI will need Level 2. The CMMC Final Rule (32 CFR Part 170) went into effect December 16, 2024, and DoD has begun including CMMC requirements in new contracts.
Practical Steps: What to Do Right Now
If you're a defense contractor who just realized "wait, we handle CUI":
- Identify your CUI. Review contracts for DFARS 252.204-7012. Map where CUI enters, flows through, and leaves your organization.
- Scope your environment. Which systems, people, and processes touch CUI? That's your assessment boundary.
- Run a gap assessment against NIST 800-171. All 110 controls. Be honest — an inflated SPRS score helps no one and creates legal risk.
- Calculate your actual SPRS score. Submit it to the Supplier Performance Risk System.
- Build a remediation plan. Prioritize: access control, multi-factor authentication, encryption, and incident response are where most small contractors have the biggest gaps.
- Get help if needed. A CMMC Registered Practitioner can guide your assessment and remediation. Look for someone who's actually done ATOs and built compliant environments — not someone who read the standard last week.
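As an added example (not code from the original post), here is a small Python checker for the "Identify your CUI" step that parses the banner format described in the marking section (control marking, then an optional "//" category block, then an optional "//" dissemination block, with "/" separating multiple entries) and flags legacy FOUO text, which the FAQ says to treat as CUI. The filenames and banner lines are constructed, and the known-dissemination set holds only the two controls the page names.

```python
import re

# Constructed sample (filename, banner line) pairs; not real documents.
SAMPLE_HEADERS = [
    ("drawing_A123.pdf", "CUI//CTI//NOFORN"),
    ("cost_proposal.docx", "CUI//PROCURE"),
    ("site_plan.docx", "CONTROLLED//SP-EXPT/PRVCY//FEDCON"),
    ("old_memo.doc", "FOR OFFICIAL USE ONLY"),
    ("press_release.txt", "Approved for public release"),
]

# Banner grammar as the page describes it: "CUI" or "CONTROLLED", then an
# optional "//CATEGORY[/CATEGORY]" block, then an optional "//DISSEM[/DISSEM]" block.
BANNER_RE = re.compile(
    r"^\s*(?P<control>CUI|CONTROLLED)"
    r"(?://(?P<cats>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?"
    r"(?://(?P<dissem>[A-Z0-9 -]+(?:/[A-Z0-9 -]+)*))?\s*$"
)
# Only the two dissemination controls the page names (assumption: the real list is longer).
KNOWN_DISSEM = {"NOFORN", "FEDCON"}
# Legacy DoD marking that predates the CUI program.
LEGACY_RE = re.compile(r"\bFOUO\b|\bFOR OFFICIAL USE ONLY\b", re.IGNORECASE)


def parse_banner(line):
    """Parse a CUI banner line; return a dict, or None if it is not a CUI banner."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    cats = m.group("cats").split("/") if m.group("cats") else []
    dissem = m.group("dissem").split("/") if m.group("dissem") else []
    # "CUI//NOFORN" has no category block: its first block is really dissemination.
    if cats and not dissem and all(c in KNOWN_DISSEM for c in cats):
        cats, dissem = [], cats
    return {"control": m.group("control"), "categories": cats, "dissemination": dissem}


def classify(line):
    """'cui' for a valid banner, 'legacy' for FOUO text, otherwise 'unmarked'."""
    if parse_banner(line) is not None:
        return "cui"
    if LEGACY_RE.search(line):
        return "legacy"
    return "unmarked"


def inventory(headers):
    """Map each filename to its status; 'cui' and 'legacy' files are both in scope."""
    return {name: classify(banner) for name, banner in headers}


if __name__ == "__main__":
    for name, status in inventory(SAMPLE_HEADERS).items():
        print(f"{name:20} {status}")
```

Run it over the first page of each file in a share to get a first-cut CUI inventory; anything reported as "legacy" needs re-marking by the originating agency but is protected as CUI in the meantime.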
Free CUI Readiness Assessment
Not sure whether you handle CUI or where to start? Take our complimentary readiness assessment to get clarity on your requirements and next steps.
Take the Assessment →
Or contact us directly: mission@corneliusdigitalsolutions.com
Frequently Asked Questions
Is all government information CUI?
No. Only information that falls within a CUI Registry category and is marked or identified as CUI. Publicly released government information is not CUI. Federal Contract Information (FCI) — basic contract data like delivery schedules and contract terms — is also not CUI, though it still requires Level 1 protections.
Who decides what's CUI?
The government agency that creates or provides the information designates it as CUI. As a contractor, you don't get to decide whether information is CUI — the government tells you through contract clauses, markings, and the CUI Registry.
Can CUI be stored in the cloud?
Yes, but only in a cloud environment that meets FedRAMP Moderate baseline (or equivalent). This is explicitly required by DFARS 252.204-7012. Commercial cloud services like standard Microsoft 365, Google Workspace, and Dropbox do not meet this requirement. You need GCC High or a similarly authorized environment.
What's the difference between CUI and FOUO?
FOUO (For Official Use Only) was the predecessor marking used by DoD. It's been phased out and replaced by CUI. If you see FOUO on older documents, treat them as CUI until the originating agency re-marks or declassifies them.
Does every employee need CUI training?
Anyone who handles, accesses, or could reasonably encounter CUI needs training. NIST 800-171 control 3.2.1 requires security awareness training, and 3.2.2 requires role-based training for personnel with security responsibilities. Annual training is the standard.