CUI is the reason CMMC exists. If your organization handles Controlled Unclassified Information on behalf of the federal government, you're subject to NIST SP 800-171, DFARS 252.204-7012, and potentially CMMC Level 2 certification. Here's what CUI actually is, how to identify it, and what it requires from you.
Under 32 CFR Part 2002 and Executive Order 13556, CUI is defined as information the federal government creates or possesses, or that an entity creates or possesses on behalf of the government, that a law, regulation, or government-wide policy requires or permits safeguarding or dissemination controls.
In plain English: CUI is sensitive government information that isn't classified but still needs to be protected. It's the middle ground between publicly available government information and classified national security information. Not classified, but still don't post it on Reddit.
The National Archives and Records Administration (NARA), the federal agency responsible for managing the CUI program, maintains the authoritative CUI Registry at archives.gov/cui, which lists every approved CUI category, the laws or regulations that require protection, and the handling requirements for each. Think of it as the government's official master list of what counts as sensitive.
CUI is not just technical data. Many contractors assume CUI only means technical drawings or export-controlled engineering data. In reality, CUI includes personnel information, procurement data, legal and law enforcement information, financial data, and many other categories, any of which may appear in your day-to-day contract work.
CUI is frequently confused with classified information, but the two are fundamentally different.
CMMC distinguishes between two types of sensitive federal information:
Every contractor who receives CUI also receives FCI, but not vice versa. If you're only receiving FCI (invoices, contract administrative information, scheduling data), you may only need CMMC Level 1. If you receive CUI, CMMC Level 2 obligations apply.
There are over 20 CUI category groups in the NARA registry. These are the ones most commonly encountered by defense contractors:
Technical data with military or space application: engineering drawings, software source code, technical manuals, research data. This is the most common CUI category for defense prime and sub-tier contractors. Governed by DFARS 252.204-7012.
Information controlled under the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). Sharing with foreign nationals, even inside your own company, without proper authorization is a federal violation with severe criminal penalties.
Personally Identifiable Information about government employees, contractors, or individuals that appears in government records. Common in contracts involving personnel support, HR systems, benefits administration, or any work involving government workforce data.
Source selection information, bid and proposal data, cost and pricing data, and contractor proposals before award. If you work in contract management or business development support for a government agency, this category likely applies.
Information about vulnerabilities, security measures, or operations of critical infrastructure systems (power grids, water systems, financial systems, transportation networks). Relevant for contractors supporting DHS, DoE, or infrastructure protection programs.
Our free CMMC Scope Definition Worksheet walks you through identifying your CUI environment, defining your system boundary, and mapping which of your systems are in scope for CMMC. No email required.
Identifying CUI is the critical first step before you can protect it. Here's a practical approach:
Your contracts are the primary source of CUI identification. Look for DFARS 252.204-7012 (which references CUI), DD Form 1423 (Contract Data Requirements List), or any contract language specifying data handling requirements or referencing specific CUI categories. If your contract includes these clauses, you are handling CUI.
Map where government-provided data goes in your organization. Which systems store it? Who has access? What gets emailed, shared, or transferred to subcontractors? Your System Security Plan (SSP) must document this; it's called the system boundary, and it is one of the first things a CMMC assessor reviews.
For any information you're uncertain about, look up the relevant CUI category at archives.gov/cui. Each category entry lists the authorizing law or regulation, the required handling protections, and whether it's basic CUI or CUI-Specified (which has additional controls beyond the baseline).
When in doubt, ask. Your Contracting Officer or Contracting Officer's Representative (COR) can confirm which information in your contract is designated CUI and what marking requirements apply. Getting written confirmation protects you.
Under 32 CFR Part 2002.20, agencies are required to mark CUI when they create it or when they determine existing information meets CUI criteria. Documents you create that contain CUI must be marked with the CUI designation.
The standard CUI marking is "CUI" as a header/footer, with the applicable category designation if required (e.g., CUI//CTI for Controlled Technical Information). Export-controlled CUI must include the export control designation.
In practice, much government-furnished information arrives unmarked or improperly marked. Somehow, the government's own documents don't always comply with the government's own labeling rules. This does not remove your obligation to protect it: if information meets a CUI category definition, it must be handled as CUI regardless of whether the government marked it correctly.
Once you've identified CUI in your environment, your obligations under NIST SP 800-171 and DFARS 252.204-7012 include:
Your SSP must define your CUI boundary, every system that touches CUI, how it flows, and who has access. Our CMMC Level 2 SSP Template includes the system boundary, data flow, and CUI environment sections that C3PAO assessors expect.