What Is CUI? A Defense Contractor's Complete Guide

If you sell to the Department of Defense — or want to — you have run into the term CUI. It appears in contract clauses, in flow-down letters from primes, and at the center of every CMMC conversation. Yet plenty of contractors still cannot say with confidence what CUI actually is, whether they hold any, or what handling it obligates them to do.

This guide answers those questions in plain English: the definition of CUI, how it differs from FCI, what CUI Basic and CUI Specified mean, how the categories and markings work, who is responsible for marking, what proper handling and storage look like, and what all of it means for CMMC Level 2. By the end, you should be able to answer the most consequential scoping question in defense contracting: where does CUI actually live in your business?

What Is CUI? The Plain-English Definition

CUI stands for Controlled Unclassified Information. It is information the federal government creates or possesses — or that a contractor creates or receives on the government's behalf — that a law, regulation, or government-wide policy says must be safeguarded or have its dissemination controlled. It is sensitive enough to protect, but it is not classified.

The category exists because, before 2010, every agency invented its own labels for sensitive-but-unclassified information: For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and dozens more, each with different rules. Executive Order 13556 replaced that patchwork with a single government-wide program. The National Archives and Records Administration (NARA) serves as the program's Executive Agent, the implementing regulation lives at 32 CFR Part 2002, and the Department of Defense applies the program internally through DoD Instruction 5200.48.

For a defense contractor, the practical definition is simpler: CUI is the sensitive, unclassified information that flows to you — or is created by you — in the course of performing a defense contract. Common examples include engineering drawings and models, technical specifications, process documentation, test data, and export-controlled technical data. Individually, a single drawing may look unremarkable. Aggregated across thousands of suppliers, that same information describes weapons systems — which is exactly why the government requires everyone in the supply chain to protect it.

CUI vs. FCI: Two Tiers of Contract Information

The other acronym you will encounter is FCI — Federal Contract Information. FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. If you hold a federal contract at all, you almost certainly hold FCI: statements of work, delivery schedules, contract correspondence, performance reports.

Think of the two as tiers of sensitivity, each mapping to a different set of obligations:

  • FCI is protected by the 15 basic safeguarding requirements in FAR 52.204-21, verified under CMMC Level 1 — 17 practices with an annual self-assessment and affirmation.
  • CUI is protected by the 110 security requirements of NIST SP 800-171, verified under CMMC Level 2 — with a triennial third-party (C3PAO) assessment for most contracts.

A useful rule of thumb: FCI is about the business of the contract; CUI is about the substance of the work — the technical and operational information the government most cares about protecting. CUI held under a federal contract will generally also meet the definition of FCI, but the reverse is not true, and the compliance gap between the two tiers is enormous. Getting this classification right is the first fork in the road, and it determines your entire compliance path. If you want the full picture of how the levels fit together, start with our plain-English overview of CMMC 2.0.

CUI Basic vs. CUI Specified

Within CUI, the program distinguishes two types, and the difference matters more than most primers let on.

CUI Basic

CUI Basic is the default. The underlying law or policy says the information must be protected but does not spell out how — so the standard handling controls in 32 CFR Part 2002 apply. Most CUI a typical contractor touches is Basic.

CUI Specified

CUI Specified is information whose underlying authority prescribes its own handling or dissemination controls — often stricter than the baseline. The classic defense example is export-controlled technical data under ITAR. ITAR does not just require you to protect the data; it restricts who may access it (broadly, U.S. persons) and where it may reside, which has direct consequences for your cloud choices. That is a large part of why environments like Microsoft GCC High exist for the defense industrial base.

You can spot the difference in markings: Specified categories carry an "SP-" prefix in the banner line (for example, CUI//SP-CTI). If you handle CUI Specified, treat the underlying regulation — not just NIST 800-171 — as part of your compliance scope.

CUI Categories and the CUI Registry

NARA maintains the authoritative CUI Registry, which organizes every approved category of CUI into groupings such as Defense, Export Control, Privacy, Procurement and Acquisition, and Critical Infrastructure. Each category entry identifies the authority that makes the information CUI and any special handling it requires.

Defense contractors most commonly encounter:

  • Controlled Technical Information (CTI) — technical data or computer software with military or space application: drawings, specifications, manuals, source code, test results.
  • Export Controlled — information subject to ITAR or EAR, frequently overlapping with CTI.
  • Procurement and acquisition information — source-selection-sensitive and similar contract data.
  • Privacy information — personnel and similar records handled under some contracts.

The registry tells you how a category must be handled; your contract tells you which categories to expect. On DoD work, look to the contract documents and your government customer to identify the CUI involved in performance — and when the paperwork is ambiguous, ask the contracting officer in writing. It is a routine question, and the answer defines your obligations.

Who Is Responsible for Marking CUI?

Marking causes more confusion than any other part of the program, so here is the clean division of labor:

  • The government designates. The agency that creates the information or lets the contract decides what qualifies as CUI and is supposed to identify it — in the contract and on the documents it provides. Within DoD, Instruction 5200.48 directs components to identify CUI in contract documentation.
  • Authorized holders mark what they create. When you generate CUI in performance of the contract — a derivative drawing, a test report, an analysis built on government technical data — you are responsible for marking it correctly.

Basic marking mechanics: a "CUI" banner at the top of the document; category markings where required (always for Specified); limited dissemination control markings where applicable (such as NOFORN or FEDCON); and a designation indicator block identifying who designated the information and a point of contact.

Now the reality check: marking practice across the defense industrial base is inconsistent. You will receive CUI that is unmarked, legacy documents stamped FOUO, and material over-marked out of caution. Two practical rules keep you safe. First, do not treat the absence of a marking as proof that information is not CUI — judge by the contract and the nature of the data. Second, do not invent restrictive markings for information that does not qualify; over-marking creates its own compliance drag. When in doubt, route the question to your contracting officer and document the answer.

How to Handle and Store CUI

Once CUI is in your possession, two DFARS-driven obligations follow you everywhere. Under DFARS 252.204-7012 you must provide adequate security for covered defense information — which the clause defines by pointing at NIST SP 800-171 — and you must report cyber incidents affecting it to DoD within 72 hours.

In day-to-day terms, sound CUI handling looks like this:

  • Access on a need-to-know basis. Only people supporting the lawful government purpose — the contract — should be able to reach CUI, and access should be reviewed and revocable.
  • Controlled digital storage. CUI belongs in systems that implement NIST 800-171: enforced access control, multifactor authentication, encryption using FIPS-validated cryptography in transit and at rest, audit logging, and monitored boundaries.
  • Careful cloud placement. If a cloud service stores, processes, or transmits CUI on your behalf, DFARS 7012 expects it to meet a FedRAMP Moderate baseline or equivalent — and paragraphs (c) through (g) of the clause add incident-response and data-access obligations that not every commercial cloud supports. This is the core reason GCC High comes up in nearly every CMMC conversation.
  • Physical control. Printed CUI stays under the control of authorized holders or locked away; screens and documents are shielded from casual view; visitors do not wander through CUI work areas.
  • Deliberate destruction. When CUI is no longer needed and retention rules allow, destroy it so it cannot be reconstructed — shredding for paper, sanitization for media.
  • No side channels. Personal email, consumer file-sharing tools, unmanaged personal devices, and — worth saying explicitly in 2026 — public AI tools are not places CUI belongs.

CUI Under CMMC Level 2

Everything above describes your obligations. CMMC is how the Department of Defense verifies you are meeting them. If your contract involves CUI, you should expect CMMC Level 2: implementation of all 110 NIST SP 800-171 requirements, assessed every three years by a certified third-party assessor organization (C3PAO) for most contracts, with a small subset of contracts eligible for self-assessment.

The enforcement machinery is now in place. The CMMC Program rule (32 CFR) took effect December 16, 2024, and the acquisition rule (48 CFR) took effect November 10, 2025 — meaning CMMC requirements are appearing in new DoD solicitations, with requirements expanding through the program's phase-in during 2026. For CUI-handling contractors, the question is no longer whether Level 2 applies, but how efficiently you can get there.

That starts with knowing where you stand. A structured CMMC readiness assessment scores your environment against all 110 requirements and tells you exactly what stands between you and a passing assessment — before a C3PAO finds out for you.

The Enclave Strategy: Control Where CUI Lives

Here is the insight that separates efficient CMMC programs from expensive ones: your assessment scope is defined by where CUI lives. Every system that stores, processes, or transmits CUI is in scope — along with the security systems that protect it and, in many configurations, the systems connected to it. Let CUI sprawl across your whole network, and your whole network must satisfy 110 requirements.

You have two strategic options:

  • Enterprise-wide compliance. Bring your entire environment up to NIST 800-171. Sensible when CUI genuinely touches most of the business — but it means every workstation, server, and SaaS tool is on the assessor's list.
  • The enclave strategy. Consolidate all CUI work into a purpose-built, isolated environment — a CMMC secure enclave, commonly built on Microsoft GCC High — and keep the rest of your business out of scope. Fewer systems to harden, fewer controls to evidence, and a cleaner boundary to defend in front of an assessor.

For small and mid-sized contractors whose CUI is concentrated in a handful of workflows — engineering, contracts, program management — the enclave approach usually wins on both cost and speed. The decision hinges on an accurate map of your CUI, which is precisely what a readiness engagement should produce first.

How Essendis Helps

Essendis puts cybersecurity advisory and cloud engineering under one roof: former Big Four auditors who can tell you exactly what the requirements mean, and engineers who build the environments that satisfy them. We help defense contractors locate their CUI, scope it tightly, stand up secure enclaves on Microsoft GCC High, and walk into assessments prepared — the way our client RPS Defense did when it earned a perfect 110/110 on its CMMC Level 2 assessment with A-LIGN, a C3PAO, with no POA&M, on an environment built with Essendis. Explore our CMMC compliance services, or Connect with an expert to talk through where CUI lives in your business.

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.