If you sell to the Department of Defense — or want to — you have run into the term CUI. It appears in contract clauses, in flow-down letters from primes, and at the center of every CMMC conversation. Yet plenty of contractors still cannot say with confidence what CUI actually is, whether they hold any, or what handling it obligates them to do.
This guide answers those questions in plain English: the definition of CUI, how it differs from FCI, what CUI Basic and CUI Specified mean, how the categories and markings work, who is responsible for marking, what proper handling and storage look like, and what all of it means for CMMC Level 2. By the end, you should be able to answer the most consequential scoping question in defense contracting: where does CUI actually live in your business?
CUI stands for Controlled Unclassified Information. It is information the federal government creates or possesses — or that a contractor creates or receives on the government's behalf — that a law, regulation, or government-wide policy says must be safeguarded or have its dissemination controlled. It is sensitive enough to protect, but it is not classified.
The category exists because, before 2010, every agency invented its own labels for sensitive-but-unclassified information: For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and dozens more, each with different rules. Executive Order 13556 replaced that patchwork with a single government-wide program. The National Archives and Records Administration (NARA) serves as the program's Executive Agent, the implementing regulation lives at 32 CFR Part 2002, and the Department of Defense applies the program internally through DoD Instruction 5200.48.
For a defense contractor, the practical definition is simpler: CUI is the sensitive, unclassified information that flows to you — or is created by you — in the course of performing a defense contract. Common examples include engineering drawings and models, technical specifications, process documentation, test data, and export-controlled technical data. Individually, a single drawing may look unremarkable. Aggregated across thousands of suppliers, that same information describes weapons systems — which is exactly why the government requires everyone in the supply chain to protect it.
The other acronym you will encounter is FCI — Federal Contract Information. FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. If you hold a federal contract at all, you almost certainly hold FCI: statements of work, delivery schedules, contract correspondence, performance reports.
Think of the two as tiers of sensitivity, each mapping to a different set of obligations:
A useful rule of thumb: FCI is about the business of the contract; CUI is about the substance of the work — the technical and operational information the government most cares about protecting. CUI held under a federal contract will generally also meet the definition of FCI, but the reverse is not true, and the compliance gap between the two tiers is enormous. Getting this classification right is the first fork in the road, and it determines your entire compliance path. If you want the full picture of how the levels fit together, start with our plain-English overview of CMMC 2.0.
Within CUI, the program distinguishes two types, and the difference matters more than most primers let on.
CUI Basic is the default. The underlying law or policy says the information must be protected but does not spell out how — so the standard handling controls in 32 CFR Part 2002 apply. Most CUI a typical contractor touches is Basic.
CUI Specified is information whose underlying authority prescribes its own handling or dissemination controls — often stricter than the baseline. The classic defense example is export-controlled technical data under ITAR. ITAR does not just require you to protect the data; it restricts who may access it (broadly, U.S. persons) and where it may reside, which has direct consequences for your cloud choices. That is a large part of why environments like Microsoft GCC High exist for the defense industrial base.
You can spot the difference in markings: Specified categories carry an "SP-" prefix in the banner line (for example, CUI//SP-CTI). If you handle CUI Specified, treat the underlying regulation — not just NIST 800-171 — as part of your compliance scope.
NARA maintains the authoritative CUI Registry, which organizes every approved category of CUI into groupings such as Defense, Export Control, Privacy, Procurement and Acquisition, and Critical Infrastructure. Each category entry identifies the authority that makes the information CUI and any special handling it requires.
Defense contractors most commonly encounter:
The registry tells you how a category must be handled; your contract tells you which categories to expect. On DoD work, look to the contract documents and your government customer to identify the CUI involved in performance — and when the paperwork is ambiguous, ask the contracting officer in writing. It is a routine question, and the answer defines your obligations.
Marking causes more confusion than any other part of the program, so here is the clean division of labor:
Basic marking mechanics: a "CUI" banner at the top of the document; category markings where required (always for Specified); limited dissemination control markings where applicable (such as NOFORN or FEDCON); and a designation indicator block identifying who designated the information and a point of contact.
Now the reality check: marking practice across the defense industrial base is inconsistent. You will receive CUI that is unmarked, legacy documents stamped FOUO, and material over-marked out of caution. Two practical rules keep you safe. First, do not treat the absence of a marking as proof that information is not CUI — judge by the contract and the nature of the data. Second, do not invent restrictive markings for information that does not qualify; over-marking creates its own compliance drag. When in doubt, route the question to your contracting officer and document the answer.
Once CUI is in your possession, two DFARS-driven obligations follow you everywhere. Under DFARS 252.204-7012 you must provide adequate security for covered defense information — which the clause defines by pointing at NIST SP 800-171 — and you must report cyber incidents affecting it to DoD within 72 hours.
In day-to-day terms, sound CUI handling looks like this:
Everything above describes your obligations. CMMC is how the Department of Defense verifies you are meeting them. If your contract involves CUI, you should expect CMMC Level 2: implementation of all 110 NIST SP 800-171 requirements, assessed every three years by a certified third-party assessor organization (C3PAO) for most contracts, with a small subset of contracts eligible for self-assessment.
The enforcement machinery is now in place. The CMMC Program rule (32 CFR) took effect December 16, 2024, and the acquisition rule (48 CFR) took effect November 10, 2025 — meaning CMMC requirements are appearing in new DoD solicitations, with requirements expanding through the program's phase-in during 2026. For CUI-handling contractors, the question is no longer whether Level 2 applies, but how efficiently you can get there.
That starts with knowing where you stand. A structured CMMC readiness assessment scores your environment against all 110 requirements and tells you exactly what stands between you and a passing assessment — before a C3PAO finds out for you.
Here is the insight that separates efficient CMMC programs from expensive ones: your assessment scope is defined by where CUI lives. Every system that stores, processes, or transmits CUI is in scope — along with the security systems that protect it and, in many configurations, the systems connected to it. Let CUI sprawl across your whole network, and your whole network must satisfy 110 requirements.
You have two strategic options:
For small and mid-sized contractors whose CUI is concentrated in a handful of workflows — engineering, contracts, program management — the enclave approach usually wins on both cost and speed. The decision hinges on an accurate map of your CUI, which is precisely what a readiness engagement should produce first.
Essendis puts cybersecurity advisory and cloud engineering under one roof: former Big Four auditors who can tell you exactly what the requirements mean, and engineers who build the environments that satisfy them. We help defense contractors locate their CUI, scope it tightly, stand up secure enclaves on Microsoft GCC High, and walk into assessments prepared — the way our client RPS Defense did when it earned a perfect 110/110 on its CMMC Level 2 assessment with A-LIGN, a C3PAO, with no POA&M, on an environment built with Essendis. Explore our CMMC compliance services, or Connect with an expert to talk through where CUI lives in your business.

