What is CUI?
“Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” In practice, this means that controlled unclassified information is data that must be specifically protected within an information system. CUI can be found in government contracts, provided to a contractor by the Department of Defense, or passed on to any vendors those contractors work with. Many regulations are in place that specify how each of the CUI Specified information types must be controlled.
CUI is a broad category of information and includes many different types of sensitive information.
CUI Examples
- any personally identifiable information such as legal material or health documents
- technical drawings and blueprints
- intellectual property
- many other types of data.
The purpose of the rule is to make sure that all organizations handle the information in a uniform way. Documents that are labeled “Proprietary” or “Official Use Only” should instead be labeled “CUI.” NIST SP 800-171 focuses on standardizing the way CUI is handled.
Classified information, on the other hand, is much more serious and is identified as “Top Secret” or “Secret.” Classified information is considered sensitive information that has to be protected as outlined under NIST SP 800-53, no matter what. This type of information is only to be handled by professionals with specific security clearances, and if it is mishandled, criminal charges will be imposed.
How Do I Know If I Have CUI?
If your organization holds a Department of Defense contract, does work for the Department of Defense, or is a vendor/supplier to a DoD contractor or supplier, then you likely maintain, process, or store CUI. It is important that your organization understands how to classify and protect this information. If you are unsure whether CUI is present in your organization, visit the CUI Registry at https://www.archives.gov/cui/registry/category-list to find out what is considered CUI.
How Do CMMC, NIST, and DFARS Protect CUI?
CUI protection isn’t optional; it’s enforced through multiple frameworks:
DFARS
DFARS 252.204-7012 legally requires DoD contractors to protect CUI and report cyber incidents.
NIST SP 800-171
Defines 110 security controls contractors must implement to safeguard CUI in non-federal systems.
This is the technical “how” behind protection.
CMMC
The Cybersecurity Maturity Model Certification (CMMC) verifies that contractors are actually implementing NIST controls.
- Level 2 = required for handling CUI
- Certification is mandatory to win or renew many DoD contracts
Together, these frameworks ensure CUI is protected consistently, verifiably, and enforceably.
Contractor Obligations for Handling CUI
If you handle Controlled Unclassified Information (CUI), you are required to understand where CUI exists within your environment, including the systems, users, and processes that store, process, or transmit it. This visibility is critical to ensuring the right safeguards are applied consistently across your organization.
Organizations handling CUI must implement the security controls defined in NIST SP 800-171 to protect that information from unauthorized access, disclosure, or loss. These controls cover areas such as access control, incident response, system monitoring, and risk management.
You are also required to maintain a System Security Plan (SSP) that documents how your organization meets each applicable security requirement. Any gaps or deficiencies must be formally tracked through a Plan of Action & Milestones (POA&M), showing how and when those gaps will be addressed.
CUI obligations extend beyond your own organization. Contractors must flow down CUI protection requirements to subcontractors and ensure that any third parties handling CUI meet the same security expectations. Additionally, organizations must report cybersecurity incidents within required timelines, as outlined in DFARS and related regulations.
Finally, companies handling CUI must be prepared to demonstrate compliance during CMMC assessments, particularly at Level 2, where independent verification is required.
Failing to meet these obligations can carry serious consequences, including contract termination, legal and financial liability, exposure under the False Claims Act, and loss of eligibility for future Department of Defense contracts.
Final Thoughts
CUI is one of the most misunderstood, and most strictly enforced, areas of federal contracting. Knowing whether you handle it, how it is marked, and how it must be protected is no longer optional.
At NeQter Labs, we help organizations that handle CUI simplify their cybersecurity tech stack, map compliance gaps, and operationalize CMMC and NIST requirements, without the confusion.
If you’re unsure whether you handle CUI or how prepared you really are, it’s better to find out now than during an assessment.