Companies working with the Department of Defense (DoD) regularly handle sensitive data. To remain eligible for DoD contracts, they must comply with cybersecurity frameworks such as the Cybersecurity Maturity Model Certification (CMMC). A key focus of CMMC is protecting Controlled Unclassified Information (CUI), a category of sensitive but unclassified data that law, regulation, or government-wide policy requires to be safeguarded.
Understanding Controlled Unclassified Information and implementing proper security measures is critical for compliance and safeguarding national security.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is one of the two primary types of sensitive information the Cybersecurity Maturity Model Certification (CMMC) is designed to protect, the other being Federal Contract Information (FCI). While both categories matter to the Department of Defense (DoD), CUI is the more sensitive of the two, carries stricter safeguarding requirements, and poses higher stakes if mishandled.
This guide will help you understand Controlled Unclassified Information, including:
- What CUI comprises, with practical examples you might encounter
- The specific CMMC controls designed to protect CUI
- Strategies and resources to safeguard CUI and other sensitive data in line with CMMC requirements
By the end of this guide, you’ll be better prepared to protect Controlled Unclassified Information and ensure compliance with DoD cybersecurity standards.
Controlled Unclassified Information 101
Controlled Unclassified Information (CUI) is so central to the Cybersecurity Maturity Model Certification (CMMC) that its definition appears in the introduction of the official framework. CMMC version 1.02 (March 2020), the version this guide follows, defines CUI as information that does not carry classified status but must be safeguarded or disseminated under controls required by law, regulation, or government-wide policy. (The model has since been revised as CMMC 2.0, which collapses the five levels to three and aligns Level 2 directly with NIST SP 800-171; the practice counts below are from version 1.02.)
The other type of data protected under CMMC is Federal Contract Information (FCI): information not intended for public release that is provided by or generated for the government under a contract. The categories overlap: CUI that a contractor receives under a DoD contract is generally also FCI, but most FCI is not CUI.
Controlled Unclassified Information (CUI) Examples
The Defense Federal Acquisition Regulation Supplement (DFARS), in particular clause 252.204-7012, is the contractual source of the requirement to safeguard covered defense information, which includes CUI. The authoritative list of what qualifies as CUI is the CUI Registry, maintained by the Information Security Oversight Office (ISOO) at the National Archives, which groups CUI into categories and subcategories and cites the law or regulation behind each.
Some of the main CUI categories and examples include:
- Critical Infrastructure Data: Defense systems, nuclear facilities, natural resource operations
- Financial Records: Procurement and acquisition documents, tax records, patents
- Regulatory and International Data: Immigration, transportation, export controls, and international agreements
- Defense and Law Enforcement Intelligence: Global and domestic security, law enforcement, privacy-related intelligence
- Governmental Statistical Data: Miscellaneous provisional, research, and statistical information from agencies
It's important to note that the CUI categories are revised over time, and not all information fits neatly into a single category. The Registry also distinguishes CUI Basic, which is protected by the baseline controls, from CUI Specified, where the governing law or regulation prescribes additional handling or dissemination controls. Regardless of category, all CUI must be safeguarded under CMMC, and a contractor should treat the markings and the Registry entry, not an internal guess about sensitivity, as the source of truth for how to handle it.
Safeguarding Controlled Unclassified Information (CUI): CMMC Levels 1–3
The Cybersecurity Maturity Model Certification (CMMC) was designed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to unify practices from multiple regulatory frameworks, chiefly NIST SP 800-171, into a single certifiable model. This unified approach is intended to ensure Controlled Unclassified Information (CUI) is consistently protected across the DoD supply chain.
Unlike NIST SP 800-171, which is a single flat set of requirements, CMMC 1.02 is structured into five Maturity Levels, allowing organizations to adopt security practices incrementally. Across the five levels there are 171 Practices organized into 17 Domains, each targeting the safeguarding of sensitive information, including CUI and Federal Contract Information (FCI). Each level also carries a process-maturity expectation, from Performed at Level 1 through Documented, Managed, Reviewed, and Optimizing at Level 5.
This article focuses on CMMC Levels 1, 2, and 3, which together comprise 130 practices (17, 55, and 58 respectively, with each level building on the one below). Level 3 is the minimum level for a contractor that handles CUI. For a full breakdown of all five levels, see our comprehensive CMMC assessment guide.
CMMC Level 1: Basic Protections for FCI and Controlled Unclassified Information (CUI)
CMMC Level 1 focuses on foundational cybersecurity practices, primarily safeguarding Federal Contract Information (FCI), while setting the groundwork for Controlled Unclassified Information (CUI) protection at higher levels. Its 17 Practices correspond to the 15 basic safeguarding requirements of FAR 52.204-21 and are organized across six domains:
- Access Control (AC): Four practices limiting system access to authorized users, devices, and transactions, and controlling connections to external systems
- Identification and Authentication (IA): Two practices requiring that users, processes, and devices be identified and authenticated before access
- Media Protection (MP): One practice requiring that media containing FCI be sanitized or destroyed before disposal or release for reuse
- Physical Protection (PE): Four practices limiting physical access to systems, escorting and monitoring visitors, keeping physical-access logs, and controlling physical access devices such as keys and badges
- Systems and Communications Protection (SC): Two practices monitoring and controlling communications at system boundaries and separating publicly accessible components from internal networks
- System and Information Integrity (SI): Four practices requiring timely remediation of flaws, deployment and updating of malicious-code protection, and periodic and real-time scanning
These practices represent basic cyber hygiene. At Level 1, the process-maturity expectation is simply Performed: the practices must be in place and are assessed, but process maturity itself (documentation, policy, resourcing) is not assessed.
CMMC Level 2: Preparing for Full Controlled Unclassified Information (CUI) Protection
CMMC Level 2 is a transitional stage, building upon Level 1 protections for Federal Contract Information (FCI) and laying the groundwork for full CUI protection at Level 3. At this level, 55 new Practices are introduced across 15 domains:
- Access Control (AC): 10 additional practices, including least privilege, session controls, and control of remote and privileged access
- Audit and Accountability (AU): 4 practices requiring that audit logs be created, retained, and reviewed so that actions can be traced to individual users
- Awareness and Training (AT): 2 practices mandating security awareness and role-based training for personnel
- Configuration Management (CM): 6 practices establishing baseline configurations, enforcing least functionality, restricting user-installed software, and controlling and reviewing changes
- Identification and Authentication (IA): 5 additional practices strengthening identity controls, including multi-factor authentication and password requirements
- Incident Response (IR): 5 practices establishing an incident-handling capability and requiring that incidents be detected, reported, tracked, and the response tested
- Maintenance (MA): 4 practices controlling system maintenance, maintenance tools, and the personnel who perform it
- Media Protection (MP): 3 additional practices for protecting, marking, and controlling access to media containing CUI
- Personnel Security (PS): 2 practices requiring that individuals be screened before being granted access to CUI and that systems be protected during terminations and transfers
- Physical Protection (PE): 1 practice requiring that the physical facility and supporting infrastructure be protected and monitored
- Recovery (RE): 2 practices covering regular and tested backups and the confidentiality of backup CUI at storage locations
- Risk Management (RM): 3 practices requiring periodic risk assessments, vulnerability scanning, and remediation of identified vulnerabilities
- Security Assessment (CA): 3 practices requiring periodic assessment of security controls, plans of action for deficiencies, and ongoing monitoring of control effectiveness
- Systems and Communications Protection (SC): 2 practices on secure engineering principles and the use of encrypted sessions for network management
- System and Information Integrity (SI): 3 additional practices covering monitoring of security alerts and advisories, of system communications, and of the system itself for attacks
These practices represent intermediate cyber hygiene. At Level 2, the process-maturity expectation is Documented: each domain must have a written policy and documented practices demonstrating that the activities are institutionalized rather than ad hoc.
CMMC Level 3: Full Protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI)
CMMC Level 3 marks a major milestone in the framework. It encompasses all 110 security requirements of NIST SP 800-171, plus 20 additional practices, and is the level at which FCI and CUI are fully protected. At this level, 58 additional Practices are introduced across 16 domains:
- Access Control (AC): 8 additional practices finalizing safeguards for CUI and FCI access, including control of mobile devices, wireless access, and CUI on portable storage
- Asset Management (AM): 1 practice defining procedures for the handling of CUI data
- Audit and Accountability (AU): 7 additional practices establishing accountability standards, including protecting audit information, correlating and reviewing logs, and alerting on audit-process failures
- Awareness and Training (AT): 1 practice requiring awareness training on recognizing and reporting insider threats
- Configuration Management (CM): 3 additional practices controlling system and device settings, including physical and logical access restrictions for changes and software blacklisting or whitelisting
- Identification and Authentication (IA): 4 additional practices strengthening identity and access controls for CUI/FCI, including replay-resistant authentication and protection of stored authenticators
- Incident Response (IR): 2 additional practices specifying response procedures for cyber incidents, including tracking and reporting to designated officials and authorities
- Maintenance (MA): 2 additional practices reinforcing routine and special maintenance protocols, including sanitizing equipment removed for off-site maintenance
- Media Protection (MP): 4 additional practices securing media during storage and transport, including marking, accountability, and cryptographic protection of CUI on portable media
- Physical Protection (PE): 1 practice finalizing physical access controls for CUI/FCI, including safeguards at alternate work sites
- Recovery (RE): 1 practice requiring complete, comprehensive, and resilient data backups
- Risk Management (RM): 3 additional practices focused on risk monitoring and mitigation for CUI, including managing unsupported products and implementing risk mitigation plans
- Security Assessment (CA): 2 additional practices refining internal assessment procedures, including monitoring security controls and maintaining a system security plan
- Situational Awareness (SA): 1 practice requiring that the organization receive and respond to cyber threat intelligence from relevant sources
- Systems and Communications Protection (SC): 15 additional practices strengthening network and communications security, including FIPS-validated cryptography for CUI, session protection, and denial of network traffic by default
- System and Information Integrity (SI): 3 additional practices ensuring system integrity and reliability, including spam protection and sandboxing or detonation of email attachments
These practices represent good cyber hygiene. At Level 3, the process-maturity expectation is Managed: each domain must have an established, maintained, and resourced plan that covers its activities, in addition to the policies and documented practices required at Level 2.
Professional CMMC Compliance and Controlled Unclassified Information (CUI) Protection
Ensuring the complete protection of Controlled Unclassified Information (CUI) in accordance with DoD specifications starts with taking action toward CMMC compliance. RSI Security provides a comprehensive suite of CMMC advisory services designed to guide your organization, whatever your current compliance level.
With over a decade of experience delivering security solutions to organizations of all sizes, including DoD contractors, our expert team simplifies the path to CUI safeguarding and CMMC certification. Contact RSI Security today to get started and ensure your sensitive data is fully protected.