Controlled Unclassified Information (CUI) is government information requiring safeguarding under law, regulation, or policy — but not classified. Defense contractors handling CUI must protect it according to NIST SP 800-171, which requires encryption at rest and in transit, access controls limiting CUI to authorized users, audit logging of access, and incident reporting to the government within 72 hours of discovery. Identifying which information in your possession is CUI is the essential first step.
What CUI Actually Is
CUI is information the federal government creates or possesses (or that contractors create on behalf of the government) that requires safeguarding but isn't classified. The CUI Registry (cui.gov) lists all approved CUI categories — there are over 125 categories covering areas including:
- Defense: Controlled Technical Information (CTI), Naval Nuclear Propulsion Information, Operations Security
- Export Controls: Export Controlled (EAR, ITAR)
- Intelligence: Various intelligence-related categories
- Privacy: PII collected by government, health information
- Procurement and Acquisition: Source selection information, bid or proposal information
- Law Enforcement: Sensitive investigative information
Defense contractors most commonly encounter two CUI categories: Controlled Technical Information (CTI) — technical data related to defense systems — and Export Controlled information under EAR or ITAR.
How to Identify CUI in Your Organization
One of the most common CMMC preparation failures is poor CUI identification. Contractors either over-identify (treating everything as CUI, creating an unmanageable scope) or under-identify (missing CUI in unexpected places). Steps:
- Review your contracts. CUI handling requirements in contracts typically appear in the DD Form 254 (Department of Defense Contract Security Classification Specification) and in DFARS clauses 252.204-7008 and 252.204-7012. These documents specify what categories of information are involved.
- Interview your program teams. Technical staff often receive CUI in emails, drawings, specifications, and technical documents from the contracting activity or prime contractor without recognizing it as CUI.
- Review the CUI Registry for your specific categories. Each category has specific identification guidance — what it is, what it isn't, and how it should be marked.
- Document where CUI flows. Map how CUI enters your organization (email, file transfers, physical documents), where it's processed (workstations, servers, cloud storage), and where it exits (to subcontractors, back to the government).
The CUI Environment: Defining Your Scope
Your CUI environment consists of all systems that process, store, or transmit CUI. Limiting scope reduces compliance burden:
- Dedicated CUI workstations (separate from general business use) limit the number of endpoints requiring full 800-171 compliance
- Network segmentation separating CUI systems from general IT reduces the scope of required controls
- Limiting CUI email to a dedicated account or system reduces the scope of email archiving and security requirements
Document your CUI environment in your System Security Plan. The boundary of your CUI environment defines what requires CMMC/800-171 compliance.
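The scoping steps above (map how CUI enters, where it is processed, where it exits, then draw the boundary) can be checked mechanically once the flow map exists. The following is an added example, not the article's own tooling; the systems, the flows and the `handles_cui` flags are constructed sample data. It seeds the scope with every system known to handle CUI, follows the documented flows outward so that anything receiving CUI data is pulled into scope (here the backup server, a classic under-identification), lists flows from outside the boundary into it (where segmentation and MFA have to hold), and flags in-scope systems with no documented inbound flow, which are either genuine entry points or gaps in the map.

```python
"""Scope a CUI environment from a documented data-flow map.

Added example (not from the original article). SYSTEMS and FLOWS are
constructed sample data, not a real inventory.
"""
from collections import deque

# Constructed inventory: system name -> attributes. handles_cui marks
# systems the program teams reported as processing or storing CUI.
SYSTEMS = {
    "contract-mailbox": {"type": "email", "handles_cui": True},
    "eng-ws-01": {"type": "workstation", "handles_cui": True},
    "eng-ws-02": {"type": "workstation", "handles_cui": True},
    "cui-fileserver": {"type": "server", "handles_cui": True},
    "backup-server": {"type": "server", "handles_cui": False},
    "it-admin-ws": {"type": "workstation", "handles_cui": False},
    "hr-portal": {"type": "web", "handles_cui": False},
    "marketing-ws": {"type": "workstation", "handles_cui": False},
}

# Constructed flows: (source, destination, kind). Direction matters: data
# leaving a CUI system puts the receiving system in scope.
FLOWS = [
    ("contract-mailbox", "eng-ws-01", "email attachment"),
    ("eng-ws-01", "cui-fileserver", "SMB share"),
    ("eng-ws-02", "cui-fileserver", "SMB share"),
    ("cui-fileserver", "backup-server", "nightly backup"),
    ("it-admin-ws", "cui-fileserver", "RDP admin session"),
    ("marketing-ws", "hr-portal", "HTTPS"),
]


def cui_environment(systems, flows):
    """Return the set of systems inside the CUI boundary.

    Seed with every system flagged as handling CUI, then follow documented
    flows outward: whatever receives data from an in-scope system stores
    or processes CUI and is in scope too (transitive closure).
    """
    scope = {name for name, attrs in systems.items() if attrs["handles_cui"]}
    queue = deque(scope)
    while queue:
        src = queue.popleft()
        for a, b, _kind in flows:
            if a == src and b not in scope:
                scope.add(b)
                queue.append(b)
    return scope


def inbound_boundary_flows(flows, scope):
    """Flows from an out-of-scope system into the CUI environment.

    Each one is a boundary crossing that the System Security Plan must
    account for (segmentation, MFA, access control) or that should be removed.
    """
    return [(a, b, kind) for a, b, kind in flows if a not in scope and b in scope]


def entry_points(flows, scope):
    """In-scope systems that no other in-scope system feeds.

    These are either where CUI enters the organization (mailbox, portal) or
    systems whose inbound CUI flow was never documented: review both.
    """
    fed = {b for a, b, _kind in flows if a in scope and b in scope}
    return sorted(scope - fed)


if __name__ == "__main__":
    scope = cui_environment(SYSTEMS, FLOWS)
    print("In scope:", sorted(scope))
    print("Out of scope:", sorted(set(SYSTEMS) - scope))
    print("Inbound boundary flows:", inbound_boundary_flows(FLOWS, scope))
    print("Entry points / undocumented inflows:", entry_points(FLOWS, scope))
```

Running it shows `backup-server` in scope even though nobody flagged it, the admin workstation's RDP session as a boundary crossing to control, and `eng-ws-02` as an in-scope workstation whose CUI inflow nobody documented.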
Technical Controls Required for CUI
NIST 800-171 requires these technical controls specifically for systems handling CUI:
- Encryption at rest: CUI must be encrypted when stored on workstations, servers, or portable media. BitLocker (Windows) or FileVault (Mac) for endpoints; AES-256 encryption for servers and cloud storage. FIPS 140-2 validated encryption modules are required for some programs — check your contract.
- Encryption in transit: CUI transmitted over networks must be encrypted using TLS 1.2 or higher. This applies to email (use encryption or a secure portal for CUI, not plain email), file transfers, and web applications.
- Access controls: Only personnel with a legitimate need for specific CUI may access it. Implement role-based access and review access quarterly.
- Multi-factor authentication: Required for all remote access to CUI systems and for privileged accounts accessing CUI.
- Audit logging: Log all access to CUI systems — who accessed what and when. Logs must be protected from modification and retained for a defined period.
- Portable media: CUI on USB drives, external hard drives, or other portable media must be encrypted and handled according to your media protection policy.
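The audit-logging control above has two halves: record who accessed what and when, and protect the records from modification. The following added example (not from the article; the events, paths and seal key are constructed) shows one way to make a CUI access log tamper-evident with standard-library primitives: each record's hash covers the previous record's hash, and an HMAC seal over the last hash is stored separately (for instance forwarded to a SIEM), so both an edited record and a truncated log are detected at verification time. The record format is an assumption, not a format NIST 800-171 prescribes.

```python
"""Hash-chained, sealed audit log for CUI access events.

Added example (not from the original article). SAMPLE_EVENTS and the seal
key used in __main__ are constructed; the record layout is an assumption.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-hash value for the first record


def _digest(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous hash and a canonical encoding of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Append an access record whose hash chains to the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"event": event, "prev": prev, "hash": _digest(prev, event)}
    log.append(record)
    return record


def seal(log: list, key: bytes) -> str:
    """HMAC over the last chain hash. Store it away from the log itself so
    an attacker who can rewrite the log cannot also rewrite the seal."""
    last = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, last.encode(), hashlib.sha256).hexdigest()


def verify(log: list, key: bytes, expected_seal: str):
    """Return (True, None) if intact, else (False, index of first bad record).

    An index equal to len(log) means the chain is internally consistent but
    does not match the seal, i.e. records were removed from the end.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    if not hmac.compare_digest(seal(log, key), expected_seal):
        return False, len(log)
    return True, None


# Constructed sample access events (who, what, when).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00Z", "user": "jdoe", "action": "read",
     "object": "//cui-fileserver/cti/drawing-17.pdf"},
    {"ts": "2024-03-04T09:15:30Z", "user": "jdoe", "action": "write",
     "object": "//cui-fileserver/cti/drawing-17-rev2.pdf"},
    {"ts": "2024-03-04T11:02:10Z", "user": "asmith", "action": "read",
     "object": "//cui-fileserver/cti/spec-22.docx"},
]


def build_sample_log() -> list:
    """Build a chained log from the constructed sample events."""
    log = []
    for event in SAMPLE_EVENTS:
        append_event(log, event)
    return log


if __name__ == "__main__":
    key = b"constructed-seal-key-keep-out-of-band"
    log = build_sample_log()
    s = seal(log, key)
    print("intact:", verify(log, key, s))
    log[1]["event"]["user"] = "someone-else"  # simulate an edited record
    print("after edit:", verify(log, key, s))
```

Detection only works if the seal (and ideally a copy of the chain head) lives somewhere the log writer cannot modify; the seal key is a secret held by whoever audits the log, not by the system producing it.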
Cloud Storage of CUI: FedRAMP Requirements
A critical and often misunderstood requirement: CUI stored in cloud environments must use cloud services that meet FedRAMP Moderate authorization or equivalent. This means:
- Standard commercial Microsoft 365 is NOT authorized for CUI storage
- Microsoft 365 Government Community Cloud (GCC) meets the requirement
- Microsoft 365 GCC High provides additional protections for more sensitive CUI categories
- Standard Google Workspace is NOT authorized for CUI
- Google Workspace for Government (specific configurations) may be authorized
- Standard Dropbox, Box, and similar commercial services are NOT authorized for CUI
Many defense contractors are storing CUI in standard commercial Microsoft 365 without realizing it doesn't meet the FedRAMP Moderate requirement. Migration to GCC is a significant IT project — plan for it. A GovCon IT provider can manage this migration.
CUI Marking Requirements
CUI must be marked with the designation "CUI" (or the specific category, e.g., "CUI//CTI") when created or when it's identified as CUI. Marking requirements:
- Documents: "CUI" header and footer on each page
- Emails containing CUI: "CUI" in the subject line
- Files: Consistent naming conventions to identify CUI files (some organizations use folder structure rather than individual file marking)
- Physical materials: CUI marking on covers and internal pages
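The marking rules above are easy to check automatically on outbound documents and mail. The following added example (not from the article) validates that each page of a document carries a CUI banner as its first and last non-blank line, that header and footer agree, and that an email subject begins with the designation. The `CUI//CATEGORY` form follows the article's own example (`CUI//CTI`); the category abbreviations in `KNOWN_CATEGORIES` and the sample pages and subjects are constructed assumptions, not a transcription of the CUI Registry, so replace the set with the categories your contracts actually name.

```python
"""Validate CUI banner markings on documents and e-mail subjects.

Added example (not from the original article). KNOWN_CATEGORIES, GOOD_DOC
and BAD_DOC are constructed; check the CUI Registry for real abbreviations.
"""
import re

# Assumed category abbreviations for this example only.
KNOWN_CATEGORIES = {"CTI", "EXPT", "PRVCY", "PROCURE"}

# A banner line is exactly "CUI" or "CUI//<CATEGORY>", surrounding whitespace allowed.
BANNER_RE = re.compile(r"^\s*CUI(?://(?P<cat>[A-Z\-]+))?\s*$")


def parse_banner(line: str):
    """Return the category ("" for a bare 'CUI') or None if not a banner line."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    return m.group("cat") or ""


def check_document(pages):
    """Check every page for a CUI header and footer; return a list of findings.

    pages: list of page texts. Each page must start and end (ignoring blank
    lines) with a banner, both banners must agree, and any category named
    must be one the organization recognizes.
    """
    findings = []
    for n, page in enumerate(pages, 1):
        lines = [ln for ln in page.splitlines() if ln.strip()]
        if not lines:
            findings.append(f"page {n}: empty page")
            continue
        header = parse_banner(lines[0])
        footer = parse_banner(lines[-1])
        if header is None:
            findings.append(f"page {n}: missing CUI header")
        if footer is None:
            findings.append(f"page {n}: missing CUI footer")
        for cat in sorted({header, footer} - {None, ""}):
            if cat not in KNOWN_CATEGORIES:
                findings.append(f"page {n}: unknown CUI category '{cat}'")
        if header is not None and footer is not None and header != footer:
            findings.append(f"page {n}: header/footer marking mismatch")
    return findings


def check_email_subject(subject: str) -> bool:
    """True if the subject line starts with the CUI designation."""
    return re.match(r"^\s*CUI(//[A-Z\-]+)?\b", subject) is not None


# Constructed sample documents (one string per page).
GOOD_DOC = [
    "CUI//CTI\nDrawing 17, sheet 1\nCUI//CTI",
    "CUI//CTI\nDrawing 17, sheet 2\nCUI//CTI",
]
BAD_DOC = [
    "CUI//CTI\nDrawing 18, sheet 1\nEnd of sheet",      # footer missing
    "CUI//SECRET\nDrawing 18, sheet 2\nCUI//SECRET",    # not a CUI category
    "Drawing 18, sheet 3\nCUI",                         # header missing
    "CUI//CTI\nDrawing 18, sheet 4\nCUI",               # header/footer disagree
]

if __name__ == "__main__":
    print("good:", check_document(GOOD_DOC))
    print("bad:", *check_document(BAD_DOC), sep="\n  ")
    print(check_email_subject("CUI//CTI: Revised drawings for sheet 17"))
    print(check_email_subject("Revised drawings for sheet 17"))
```

A check like this fits naturally as a pre-send rule in the mail system and as a release gate for documents leaving the CUI environment; it enforces presence and consistency of the marking, not whether the content was correctly identified as CUI in the first place, which remains a human determination.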
Frequently Asked Questions
Is all technical data on a defense contract considered CUI?
Not automatically. Technical data must meet the definition of Controlled Technical Information to be CUI. Your contract's DD Form 254 specifies whether CTI is involved. Technical data created entirely by the contractor using private funds and not incorporating government data may not be CUI — but this determination requires careful review of your contract terms.
Can I store CUI on a personal computer?
No. CUI must be stored on systems within your CUI environment that meet 800-171 requirements. Personal computers lack the required access controls, audit logging, and management oversight. This is one of the most common violations: employees working from home handle CUI on personal computers that aren't part of the controlled environment.
What happens if I accidentally send CUI to an unauthorized person?
Report it to your FSO (Facility Security Officer) and the contracting officer immediately. DFARS 252.204-7012 requires reporting cybersecurity incidents to DoD within 72 hours — accidental CUI disclosure may qualify as a reportable incident depending on the circumstances. Document the incident, contain it (request deletion if possible), and follow your incident response procedure.