What Is Controlled Unclassified Information? A Practical Guide for Defense Contractors

Many defense contractors know they’re required to protect Controlled Unclassified Information (CUI), but aren’t always sure what counts as CUI, where it comes from, or how to handle it correctly. With federal requirements tightening and CMMC now a standard part of contract eligibility, understanding CUI is essential for every organization in the Defense Industrial Base (DIB).

At Total Assure, we work every day with companies that ask the same question: “Is this data CUI… or not?” This guide breaks down the fundamentals so you can answer that confidently and build a compliance strategy that protects your business.

What Exactly Is CUI?

CUI is sensitive information that isn’t classified but still requires protection or safeguarding under federal law, regulation, or government policy. CUI is created or possessed by the U.S. Government and can also be shared with non-federal partners (such as defense contractors) when necessary to perform work. Think of CUI as information that’s not top secret, but still highly regulated because mishandling it could harm national interests, privacy, or government operations.

Why Does CUI Exist?

Before CUI was established, every federal agency had its own way of marking and protecting sensitive information. The result? Inconsistency, confusion, and major security gaps. To fix this, the federal government created the CUI Program, led by the National Archives and Records Administration (NARA).

The goals:

  • Standardize how sensitive information is marked, protected, and shared
  • Ensure contractors follow the same rules as federal agencies
  • Reduce risk across the entire government ecosystem

Today, CUI is the authoritative standard for safeguarding unclassified, sensitive information across federal agencies, including the Department of Defense (DoD).

Two Types of CUI: Basic vs. Specified

Not all CUI is the same. There are two categories, and understanding the difference is critical for compliance.

1. CUI Basic

This is the default category. You’ll see CUI Basic most often in DoD contracts. It requires the standard set of controls defined in NIST SP 800-171, including:

  • Access controls
  • Audit logging
  • Configuration management
  • Encryption in transit and at rest
  • Multi-factor authentication
  • Incident response

2. CUI Specified

This category has additional protections defined by specific laws or regulations. If your data is governed by a specific statute or regulation, it’s likely CUI Specified. CUI Specified almost always comes with stricter handling, storage, or dissemination rules. Examples include:

  • Export-controlled information (ITAR/EAR)
  • Health information governed by HIPAA
  • Criminal justice information (CJIS)

[Graphic: the two types of CUI, Basic and Specified]

How Do You Know If You Have CUI?

This is the #1 point of confusion for most contractors. Here’s the key: You have CUI if the government (or a prime contractor) gives it to you or requires you to create it under a contract. Look for:

  • Contract clauses requiring NIST SP 800-171
  • DFARS 252.204-7012, which almost always indicates CUI is present
  • Markings such as “CUI,” “CUI//SP-EXPT,” or category-specific labels
  • Work products you generate for a government customer that contain sensitive data

If it comes from a federal agency, or if it’s created as a result of work for that agency, it is likely CUI.
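As an added example (not code from the original post or from Total Assure), here is a small Python parser for the banner markings listed above and for the Basic vs. Specified distinction described earlier. It follows the NARA marking convention in which category codes are separated by “/”, dissemination controls follow a second “//”, and Specified categories carry an “SP-” prefix, so “CUI//SP-EXPT” is Specified export-controlled information while “CUI//CTI” is Basic. The category code table and the NOFORN sample value are assumptions beyond what this page lists.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Category codes used on this page; NARA's CUI Registry defines many more.
# (Assumed table for the example, not an authoritative list.)
KNOWN_CATEGORIES = {"CTI": "Controlled Technical Information",
                    "EXPT": "Export Controlled"}

# Banner starts with "CUI" (or the alternative word "CONTROLLED"),
# optionally followed by "//" and the category/dissemination sections.
BANNER_RE = re.compile(r"^(CUI|CONTROLLED)(?://(.*))?$", re.IGNORECASE)


@dataclass
class CuiMarking:
    categories: List[str] = field(default_factory=list)
    specified: bool = False                     # any "SP-" category present
    dissemination: List[str] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)  # codes not in our table

    @property
    def level(self) -> str:
        return "CUI Specified" if self.specified else "CUI Basic"


def parse_banner(banner: str) -> Optional[CuiMarking]:
    """Parse a banner such as 'CUI//SP-EXPT' or 'CUI//CTI//NOFORN'.
    Returns None when the line is not a CUI banner marking at all."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    marking = CuiMarking()
    rest = m.group(2)
    if not rest:
        return marking          # bare "CUI": Basic, no category named
    sections = rest.split("//")  # [categories, dissemination controls]
    for cat in sections[0].split("/"):
        cat = cat.strip().upper()
        if cat.startswith("SP-"):   # SP- prefix marks a Specified category
            marking.specified = True
            cat = cat[3:]
        marking.categories.append(cat)
        if cat not in KNOWN_CATEGORIES:
            marking.unknown.append(cat)
    if len(sections) > 1:
        marking.dissemination = [d.strip().upper()
                                 for d in sections[1].split("/") if d.strip()]
    return marking


def classify_document(text: str) -> str:
    """Scan a document's lines for a banner and report its handling level."""
    for line in text.splitlines():
        marking = parse_banner(line)
        if marking is not None:
            return marking.level
    return "no CUI banner found"
```

A missing banner is not proof that a file is free of CUI: as the section above notes, unmarked work products created under a DFARS 7012 contract can still be CUI, so treat the scanner as one indicator alongside contract review.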

Common Examples of CUI

CUI covers a wide range of information categories. If the information could put people, systems, or missions at risk if exposed, it’s probably CUI. Some of the most common in DoD environments include:

  • Technical drawings, schematics, or engineering data
  • Contract performance details
  • Intellectual property shared for contract execution
  • Maintenance or logistics data
  • Controlled technical information (CTI)
  • Export-controlled information
  • Personnel or security information
  • Military or critical infrastructure data

Why Not Treat All Data Like CUI?

Treating all data as CUI may sound like the safer option, but in reality it creates more problems than it solves. When organizations assume everything is CUI, they inflate the scope of their CMMC and NIST SP 800-171 obligations. This drives up costs, complicates workflows, and overwhelms already-limited resources. Over-classification leads to unnecessarily restrictive controls, slows down daily operations, and makes it harder for teams to focus on the information that actually requires protection.

Worse, it can dilute awareness and desensitize employees to real CUI, increasing the risk of mistakes. Properly identifying and marking CUI ensures your security efforts are targeted, efficient, and aligned with federal requirements, rather than wasting time and money securing data that doesn’t need it.

Who Sets the Rules for Protecting CUI?

CUI rules come from two main sources:

1. NIST SP 800-171

This publication defines how CUI must be protected in non-federal systems, meaning your company network. It lays out 110 mandatory security controls across 14 families, and it's the foundation for DFARS 7012, CMMC Level 2, and most federal contract requirements.

2. DoD Instruction 5200.48

This instruction governs how the DoD handles, marks, and disseminates CUI, and how contractors must follow suit. Together, they create the framework that every DoD contractor must follow to protect CUI.

Why CUI Matters for CMMC and DoD Contract Eligibility

If you handle CUI, you’re required to:

  • Implement all 110 NIST SP 800-171 controls
  • Maintain a System Security Plan (SSP)
  • Maintain documented processes and policies
  • Prepare for CMMC Level 2 certification

Failing to protect CUI isn’t just a compliance issue: it can result in lost contracts, liability under the False Claims Act, reputational damage, and security risks to the nation.

Still Unsure if You Handle CUI? Total Assure Can Help.

You’re not alone. CUI identification is one of the biggest challenges for small- and mid-sized businesses. If you’re unsure about any of your data, we’ll walk you through it—step by step.

Total Assure specializes in helping defense contractors:

  • Identify whether they process, store, or transmit CUI
  • Distinguish between CUI Basic and CUI Specified
  • Review contracts and data flows
  • Build a compliant strategy based on NIST SP 800-171
  • Prepare for CMMC Level 2 with confidence

CUI isn’t meant to confuse contractors. It's meant to protect sensitive government information in a consistent, enforceable way. Total Assure is here to make that process simpler, faster, and stress-free. Reach out for a free consultation.

About Total Assure

Total Assure, an IBSS spin-off, provides uninterrupted business operations with our dedicated 24/7/365 in-house SOC, robust managed security solutions, and expert consulting services. Total Assure provides cost-efficient, comprehensive, and scalable cybersecurity solutions that leverage 30 years of experience and expertise from IBSS. Total Assure partners with its customers to identify security gaps, develop attainable cybersecurity objectives, and deliver comprehensive cybersecurity solutions that protect their businesses from modern cybersecurity threats.

Contact our team today for more information on how Total Assure can assist your organization.
