How does CUI differ from Federal Contract Information (FCI)?

While both CUI and Federal Contract Information (FCI) are protected under CMMC, FCI primarily pertains to information related to federal contracts, whereas CUI covers a broader range of sensitive information that may include financial records, defense-related data, immigration or export controls, and other regulated data. Some FCI may qualify as CUI, but not all CUI is FCI.

What are examples of Controlled Unclassified Information?

Examples of CUI include data related to critical infrastructure such as defense, nuclear, and natural resources; financial records like procurement, tax documents, and patents; immigration, transportation, and export control information; global and domestic defense or law enforcement intelligence; and miscellaneous statistical data from government agencies.

How does CMMC protect Controlled Unclassified Information?

CMMC protects CUI by implementing a tiered approach through five Maturity Levels. Levels 1-3 progressively introduce practices that safeguard CUI, including access control, identification and authentication, media protection, incident response, risk management, and system integrity. Level 3 achieves full compliance with NIST SP 800-171 standards for complete CUI protection.

What are the differences between CMMC Levels 1, 2, and 3 for CUI protection?

Level 1 establishes basic cybersecurity hygiene primarily for FCI but lays the foundation for CUI protection. Level 2 is transitional, adding intermediate practices to prepare for full CUI protection. Level 3 achieves complete protection for CUI and FCI, fully adopting NIST SP 800-171 practices and incorporating 58 additional practices covering all critical security domains.

Why is CUI protection important for DoD contractors?

Protecting CUI is essential for DoD contractors to maintain preferred contractor status, comply with federal regulations, and safeguard sensitive information that could affect national security. Failure to properly protect CUI can lead to compliance violations, loss of contracts, and reputational damage.

How can RSI Security help with CUI and CMMC compliance?

RSI Security provides comprehensive CMMC advisory services, helping organizations of all sizes—including DoD contractors—achieve compliance and fully protect CUI. Their expert team guides companies through all CMMC levels, implements best practices, and ensures processes are documented, managed, and aligned with regulatory standards.

What is Controlled Unclassified Information?

Q: What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is a category of sensitive but unclassified information that requires safeguarding in accordance with government policies, laws, or regulations. It is commonly encountered by Department of Defense (DoD) contractors and is protected under frameworks like the Cybersecurity Maturity Model Certification (CMMC).

RSI Security

2 weeks ago

Companies working with the Department of Defense (DoD) regularly handle sensitive data. To maintain preferred contractor status, they must comply with cybersecurity frameworks such as the Cybersecurity Maturity Model Certification (CMMC). A key focus of CMMC is protecting Controlled Unclassified Information (CUI), a category of sensitive, unclassified data that requires careful handling.

Understanding Controlled Unclassified Information and implementing proper security measures is critical for compliance and safeguarding national security.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is one of the two primary types of sensitive information the Cybersecurity Maturity Model Certification (CMMC) is designed to protect, the other being Federal Contract Information (FCI). While both categories are essential to the Department of Defense’s (DoD) security, CUI is broader and can carry higher stakes if mishandled.

This guide will help you understand Controlled Unclassified Information, including:

What CUI comprises, with practical examples you might encounter
The specific CMMC controls designed to protect CUI
Strategies and resources to safeguard CUI and other sensitive data in line with CMMC requirements

By the end of this guide, you’ll be better prepared to protect Controlled Unclassified Information and ensure compliance with DoD cybersecurity standards.

Controlled Unclassified Information 101

Controlled Unclassified Information (CUI) is so central to the Cybersecurity Maturity Model Certification (CMMC) that its definition appears in the introduction of the official framework. According to the most recent CMMC document, version 1.02 (March 2020), CUI refers to information that does not carry classified status but must be safeguarded due to specific government policies, laws, or regulations.

The other type of data protected under CMMC is Federal Contract Information (FCI), which pertains to information related to federal contracts. Some overlap exists between these categories: certain FCI may qualify as CUI, and vice versa.

Controlled Unclassified Information (CUI) Examples

The Defense Federal Acquisition Regulation Supplement (DFARS) serves as a primary source for the CMMC, outlining what qualifies as Controlled Unclassified Information (CUI). The updated CUI Categories list, maintained by the National Archives, provides detailed guidance.

Some of the main CUI categories and examples include:

Critical Infrastructure Data: Defense systems, nuclear facilities, natural resource operations
Financial Records: Procurement and acquisition documents, tax records, patents
Regulatory and International Data: Immigration, transportation, export controls, and international agreements
Defense and Law Enforcement Intelligence: Global and domestic security, law enforcement, privacy-related intelligence
Governmental Statistical Data: Miscellaneous provisional, research, and statistical information from agencies

It’s important to note that the CUI categories are dynamic, not all information fits neatly into a single category. Additionally, while the sensitivity of CUI may vary, all CUI requires consistent safeguarding under CMMC guidelines.

Safeguarding Controlled Unclassified Information (CUI): CMMC Levels 1–3

The Cybersecurity Maturity Model Certification (CMMC) was designed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S) to unify best practices from multiple regulatory frameworks. This unified approach ensures Controlled Unclassified Information (CUI) is consistently protected across DoD contractors.

Unlike frameworks such as NIST SP 800-171, CMMC is structured into five Maturity Levels, allowing organizations to gradually adopt security controls. Across these levels, there are 171 Practices organized into 17 Domains, each targeting the safeguarding of sensitive information, including CUI and Federal Contract Information (FCI).

This article focuses on CMMC Levels 1, 2, and 3, which include a total of 130 controls specifically designed to protect Controlled Unclassified Information. For a full breakdown of all five levels, see our comprehensive CMMC assessment guide.

CMMC Level 1: Basic Protections for FCI and Controlled Unclassified Information (CUI)

CMMC Level 1 focuses on foundational cybersecurity practices, primarily safeguarding Federal Contract Information (FCI) while setting the groundwork for Controlled Unclassified Information (CUI) protection at higher levels. This level includes 17 Practices organized across six domains:

Access Control (AC): Four practices to limit and monitor access to FCI and CUI
Identification and Authentication (IA): Two practices specifying user identification requirements
Media Protection (MP): One practice requiring secure data wiping before transport
Physical Protection (PP): Four practices extending physical restrictions to CUI access
Systems and Communications Protection (SC): Two practices protecting network traffic
System and Information Integrity (SI): Four practices requiring ongoing system monitoring

These practices represent basic cyber hygiene. At Level 1, process maturity is minimal, meaning all practices must be performed, but none are formally measured or audited

CMMC Level 2: Preparing for Full Controlled Unclassified Information (CUI) Protection

CMMC Level 2 is a transitional stage, building upon Level 1 protections for Federal Contract Information (FCI) and laying the groundwork for full CUI protection at Level 3. At this level, 55 new Practices are introduced across multiple domains:

Access Control (AC): 10 additional practices extending restrictions on FCI and CUI access
Audit and Accountability (AA): 4 practices defining standards for regular auditing
Awareness and Training (AT): 2 practices mandating training for all personnel
Configuration Management (CM): 6 practices for replacing default system settings
Identification and Authentication (IA): 5 additional practices strengthening identity controls
Incident Response (IR): 5 practices specifying immediate actions for security incidents
Maintenance (MA): 4 practices detailing maintenance schedules and protocols
Media Protection (MP): 3 additional practices for secure media handling and storage
Personnel Security (PS): 2 practices covering secure recruitment and hiring protocols
Physical Protection (PP): 1 practice extending physical access controls to sensitive areas
Recovery (RE): 2 practices covering backups, recovery testing, and confidentiality of CUI data locations
Risk Management (RM): 3 practices outlining preventive measures to protect CUI
Security Assessment (SA): 3 practices for internal system assessments
Systems and Communications Protection (SC): 2 practices securing network traffic
System and Information Integrity (SI): 3 additional practices ensuring system integrity

These practices represent intermediate cyber hygiene, and at Level 2, processes must be documented to demonstrate compliance and institutionalization.

CMMC Level 3: Full Protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI)

CMMC Level 3 marks a major milestone in the framework, representing full adoption of NIST SP 800-171 and complete protection of FCI and CUI. At this level, 58 additional Practices are introduced to ensure robust cybersecurity across all critical areas:

Access Control (AC): 8 additional practices finalizing safeguards for CUI and FCI access
Asset Management (AM): 1 practice defining protocols for the secure handling of physical assets
Audit and Accountability (AA): 7 additional practices establishing accountability standards
Awareness and Training (AT): 1 practice detailing organization-wide cybersecurity awareness
Configuration Management (CM): 3 additional practices controlling system and device settings
Identification and Authentication (IA): 4 additional practices strengthening identity and access controls for CUI/FCI
Incident Response (IR): 2 additional practices specifying response procedures for cyber incidents
Maintenance (MA): 2 additional practices reinforcing routine and special maintenance protocols
Media Protection (MP): 4 additional practices securing media during storage and transport
Physical Protection (PP): 1 practice finalizing physical access controls for CUI/FCI
Recovery (RE): 1 practice defining short- and long-term recovery protocols for sensitive data
Risk Management (RM): 3 additional practices focused on risk monitoring and mitigation for CUI
Security Assessment (SA): 2 additional practices refining internal assessment procedures
Situational Awareness (SA): 1 practice establishing organization-specific cybersecurity awareness
Systems and Communications Protection (SC): 15 additional practices strengthening network and communications security
System and Information Integrity (SI): 3 additional practices ensuring system integrity and reliability

These practices represent good cyber hygiene, and at Level 3, all processes must be formally managed and institutionalized to achieve full compliance

Professional CMMC Compliance and Controlled Unclassified Information (CUI) Protection

Ensuring the complete protection of Controlled Unclassified Information (CUI) in accordance with DoD specifications starts with taking action toward CMMC compliance. RSI Security provides a comprehensive suite of CMMC advisory services designed to guide your organization, no matter your current compliance level.

With over a decade of experience delivering security solutions to organizations of all sizes, including DoD contractors, our expert team simplifies the path to CUI safeguarding and CMMC certification. Contact RSI Security today to get started and ensure your sensitive data is fully protected.