Controlled Unclassified Information (CUI) refers to sensitive federal data that, while not classified, requires safeguarding under federal law and agency policies. As cyber threats continue to escalate, the U.S. Department of Defense (DoD) has prioritized CUI protection across its contractor ecosystem.
For organizations in the Defense Industrial Base (DIB), properly handling CUI is not optional—it’s a core requirement under the Cybersecurity Maturity Model Certification (CMMC). Failure to protect CUI can result in lost contracts and increased risk exposure.
In this guide, we’ll explain:
-
What Controlled Unclassified Information (CUI) is
-
Why it matters to DoD contractors
-
How CUI fits into the CMMC framework
-
What steps contractors must take to stay compliant
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) refers to sensitive government data that requires safeguarding but does not rise to the level of classified information. CUI was formally established by Executive Order 13556 in 2010 to standardize the handling of sensitive but unclassified information across federal agencies.
Examples of CUI include:
- Personal data (e.g., Social Security numbers)
- Proprietary business information
- Law enforcement or legal materials
- Critical infrastructure data
To help organizations identify and protect this information, the National Archives and Records Administration (NARA) maintains the official CUI Registry, which outlines the categories of CUI and associated safeguarding or dissemination rules.
CUI is broken into two subtypes: CUI Basic, which follows standard safeguarding protocols, and CUI Specified, which includes enhanced protections mandated by law or regulation.
FCI vs. CUI vs. Classified Information
Organizations working with the U.S. government—especially the Department of Defense (DoD)—must understand the distinctions between various types of sensitive information:
- Federal Contract Information (FCI): Defined by FAR 52.204-21, this includes information not intended for public release and provided or generated under a government contract. FCI triggers CMMC Level 1 requirements.
- Controlled Unclassified Information (CUI): Broader than FCI, CUI includes sensitive government data requiring protection but not classified by law. Handling CUI invokes CMMC Level 2 or higher, depending on the sensitivity and risk environment.
- Classified Information: National security information protected by law and accessible only with the appropriate security clearance.
Knowing which type of information your organization handles is critical for determining your CMMC obligations and ensuring ongoing DoD contract eligibility.
CUI in the CMMC Framework
The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s standardized framework for safeguarding sensitive information across the Defense Industrial Base (DIB). CUI is a core component, and protecting it requires implementation of CMMC Level 2 or 3 controls.
CMMC Levels at a Glance:
Level 1 – Foundational
For FCI
- 17 basic cybersecurity practices
- Self-assessment required annually
Level 2 – Advanced
For CUI
- 110 controls from NIST SP 800-171
- Third-party assessments required for most organizations
- Some self-assessment allowed if not handling critical national security data
Level 3 – Expert
For highly sensitive CUI in high-threat environments
- Based on NIST SP 800-172
- Government-led assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
CUI protection begins at Level 2. Contractors must demonstrate full implementation of all 110 NIST controls, including areas such as access control, incident response, and data integrity.
How to Achieve and Maintain CMMC Compliance
Preparing for CMMC certification involves more than just checking a box. It requires a structured, ongoing commitment to cybersecurity. Here’s how contractors can prepare effectively:
1. Assess Your Current Posture
Start with a gap assessment against your target CMMC level, identifying any policy or technical shortfalls. This should include:
- Reviewing your existing NIST 800-171 implementations
- Evaluating system documentation and user access
- Identifying missing controls or weak points
2. Remediate Gaps
Next, update your environment to close any gaps:
- Implement or upgrade technical controls
- Update cybersecurity policies and procedures
- Conduct user training and awareness sessions
3. Undergo Formal Assessment
If you’re seeking CMMC Level 2 certification, schedule an audit with a Certified Third Party Assessment Organization (C3PAO). These organizations are accredited by the Cyber AB to perform official evaluations.
⚠️ Only non-prioritized acquisitions at Level 2 may qualify for self-assessment. Most organizations handling CUI will require a third-party assessment by a C3PAO.
4. Maintain Compliance
Cybersecurity isn’t a one-time effort. Contractors must:
- Conduct ongoing monitoring and self-assessments
- Stay current with changes to CMMC 2.0
- Reassess and recertify every three years (for Levels 2 and 3)
Why CUI Compliance Matters
CUI may not be classified, but its protection is essential to national security. Unauthorized disclosure—whether due to weak access controls, lack of training, or poor system design—can have ripple effects across government operations and defense capabilities.
Contractors handling CUI must rise to the challenge with strong, NIST-aligned cybersecurity practices. With CMMC 2.0 Level 2 becoming a contractual requirement, failure to comply means losing DoD business opportunities.
Secure Your Future with RSI Security
CMMC compliance, especially for organizations managing CUI, requires precision, discipline, and experience. RSI Security is a Certified RPO with a proven track record of guiding DoD contractors through the CMMC process—from gap assessments to successful certification.
Get a clear roadmap to CMMC compliance, download our checklist and prepare for certification with confidence.