What is CUI? Definition, Examples & Compliance Requirements


You've been awarded a government contract—congratulations! But now you're facing an unfamiliar term: CUI. Your contract mentions "safeguarding CUI" and implementing "NIST SP 800-171 controls." As you dig deeper, you find yourself overwhelmed with acronyms, regulations, and compliance requirements that seem both critical and confusing.
If this scenario sounds familiar, you're not alone. Many professionals, especially in the Defense Industrial Base (DIB), struggle with identifying what constitutes Controlled Unclassified Information and how to properly protect it.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is information created or possessed by the federal government—or by an entity on the government's behalf—that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies.
In simpler terms, CUI is sensitive information that, while not classified, still requires protection due to its potential impact on national security, government interests, or individual privacy if improperly disclosed.
The CUI program was established in 2010 through Executive Order 13556 to address inconsistent marking and safeguarding of unclassified but sensitive government information. Before the CUI program, agencies used various designations such as "For Official Use Only" (FOUO), "Sensitive But Unclassified" (SBU), and "Law Enforcement Sensitive" (LES), creating confusion and ineffective protection.
According to the Defense Counterintelligence and Security Agency (DCSA), CUI is legally defined under Title 32 Code of Federal Regulations (CFR) Part 2002 as:
"Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls."
Key Characteristics of CUI
- Not classified but still sensitive and requiring protection
- Requires safeguarding from unauthorized access and disclosure
- Subject to specific handling, marking, and dissemination controls
- Exists in both digital and physical forms (electronic files, paper documents, etc.)
- Governed by a unified set of standards across all federal agencies
The Difference Between CUI and Classified Information
Understanding the distinction between CUI and classified information is crucial for proper compliance:
| Characteristic | Classified Information | Controlled Unclassified Information (CUI) |
|---|---|---|
| Sensitivity Level | Top Secret, Secret, Confidential | Sensitive but unclassified |
| Legal Basis | Executive Order 13526 | Executive Order 13556 |
| Access Requirements | Security clearance and need-to-know | Lawful government purpose |
| Potential Harm from Disclosure | "Exceptionally grave damage," "serious damage," or "damage" to national security | Adverse effects on organizational operations, assets, or individuals |
| Marking Requirements | Classification level must be clearly marked | CUI banner marking and limited dissemination control markings as applicable |
| Storage Requirements | Approved containers, facilities with strict access controls | Controlled access, protection commensurate with risk |
Types and Categories of CUI
The CUI program establishes a uniform system for categorizing sensitive information. While there are numerous specific categories, CUI generally falls into two main types:
1. CUI Basic
CUI Basic includes information that requires protection under laws, regulations, or government-wide policies, but isn't subject to the specific handling controls of CUI Specified. This type requires standard safeguarding measures described in the CUI Federal Regulation and Registry.
2. CUI Specified
CUI Specified refers to information that requires additional handling controls pursuant to law, regulation, or government-wide policy. These additional requirements take precedence over the baseline CUI requirements when there's a conflict.
Common Categories of CUI
According to the National Archives and Records Administration (NARA), which oversees the CUI program, there are over 100 categories of CUI organized into 20 groupings. Some of the most common include:
- Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, biometric records, etc.
- Sensitive Personally Identifiable Information (SPII): A subset of PII that, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
- Proprietary Business Information (PBI): Confidential business information that could cause competitive harm if disclosed.
- Unclassified Controlled Technical Information (UCTI): Technical information with military or space application that is subject to export controls.
- Sensitive But Unclassified (SBU): Information that is not classified but is sensitive in nature and must be protected from public disclosure.
- Privacy Information: Information covered by the Privacy Act of 1974 and other privacy-related laws.
- Critical Infrastructure Information: Information related to critical infrastructure such as power grids, water supplies, and telecommunications networks.
- Export Controlled Information: Information subject to export controls under laws like the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR).
- Law Enforcement Sensitive (LES): Information that could compromise law enforcement activities if disclosed.
- Financial Information: Non-public information related to financial institutions or financial regulations.
Examples of CUI in Different Contexts
To better understand what constitutes CUI, let's look at some specific examples across different sectors:
Defense Contracts:
- Engineering drawings and specifications for military equipment
- Technical data covered by ITAR
- Contract-specific requirements and statements of work
- Research findings related to defense applications
- Test and evaluation results for defense systems
Healthcare:
- Patient records containing protected health information
- Medical research data involving human subjects
- Healthcare security vulnerability assessments
- Non-public health emergency preparedness plans
Infrastructure:
- Detailed infrastructure vulnerability assessments
- Critical infrastructure security plans
- Non-public emergency response procedures
- Specific locations of critical infrastructure components
Information Technology:
- System security plans for federal information systems
- Vulnerability assessment information
- Specific configuration details of federal systems
- Cybersecurity incident information
One Reddit user in the Defense Industrial Base described their confusion:
"I work with DIB subcontractors and we often struggle with identifying what is and isn't CUI. It's quite vague. We are assuming our CUI would be contracts, invoices and sales info."
This sentiment reflects a common challenge—even experienced professionals can find it difficult to identify CUI correctly without proper guidance and training.
Compliance Requirements for CUI
Handling CUI comes with significant compliance obligations, particularly for organizations working with the Department of Defense (DoD) and other federal agencies. Understanding these requirements is essential for maintaining contractual compliance and avoiding potential penalties.
Key Regulations Governing CUI Handling
1. NIST Special Publication 800-171
The National Institute of Standards and Technology (NIST) Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," establishes the primary security requirements for protecting CUI. This publication outlines 110 security controls across 14 families that organizations must implement when handling CUI.
The control families include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
2. Defense Federal Acquisition Regulation Supplement (DFARS)
For DoD contractors, several DFARS clauses govern CUI protection:
- DFARS Clause 252.204-7012: Requires contractors and subcontractors to implement NIST SP 800-171 security requirements to protect CUI and report cyber incidents within 72 hours.
- DFARS Clause 252.204-7019: Requires contractors to complete a basic assessment of their implementation of NIST SP 800-171 and submit the results to the Supplier Performance Risk System (SPRS).
- DFARS Clause 252.204-7020: Allows the DoD to access contractor facilities to verify the implementation of NIST SP 800-171 security requirements.
- DFARS Clause 252.204-7021: Requires contractors to achieve certification under the Cybersecurity Maturity Model Certification (CMMC) framework at the appropriate level.
3. Cybersecurity Maturity Model Certification (CMMC)
The CMMC framework builds upon NIST SP 800-171 and establishes different maturity levels for cybersecurity practices. It aims to verify that contractors have implemented appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and CUI.
The framework consists of five maturity levels, with Level 1 focusing on basic safeguarding practices and Level 5 incorporating advanced and progressive cybersecurity capabilities. The specific level required will depend on the sensitivity of information that will be handled under a particular contract.
4. Federal Acquisition Regulation (FAR)
FAR Clause 52.204-21 establishes 15 basic safeguarding requirements for Federal Contract Information (FCI), which is often a precursor to handling CUI.
Compliance Challenges and Best Practices
Common Challenges
- Identification and Marking: Many organizations struggle with correctly identifying and marking CUI, as expressed by a DIB professional on Reddit: "I've adopted an 'if in doubt, treat it as CUI' approach, but it's been met with resistance for being too broad."
- Scope Management: Determining the exact scope of CUI within an organization can be difficult, as another contractor noted: "Clarifying which items (e.g., work orders) are not CUI could significantly reduce our scope and improve control clarity."
- Resource Constraints: Smaller organizations often face significant resource challenges: "We are a tiny company with a small budget and only one person (me). I'm at a loss and overwhelmed."
- Subcontractor Management: Prime contractors must ensure that their subcontractors also comply with CUI requirements, creating additional complexity: "I work with DIB subcontractors and we often struggle with identifying what is and isn't CUI."
Best Practices for CUI Compliance
- Develop Clear Guidelines: Establish clear Security Classification Guides to assist staff and subcontractors in identifying CUI uniformly.
- Implement a Data Classification System: Create a formal system for classifying information based on sensitivity and required protection levels.
- Conduct Regular Training: Ensure all personnel who handle CUI receive appropriate training. NARA provides CUI training resources that organizations can utilize.
- Perform Regular Assessments: Conduct periodic assessments of your NIST SP 800-171 implementation to identify and address gaps.
Steps to Secure CUI and Ensure Compliance
Securing CUI requires a systematic approach. Here's a roadmap to help organizations establish proper CUI protection measures:
Step 1: Identify CUI in Your Environment
The first step is to identify what CUI exists within your organization. This involves:
- Review Contracts and Requirements: Carefully analyze your contracts to identify CUI-related requirements. Look for references to DFARS clauses, NIST SP 800-171, or explicit mentions of CUI.
- Document Data Flows: Map how CUI enters, moves through, and exits your organization. Identify systems, applications, storage locations, and transmission methods that handle CUI.
- Establish a CUI Registry: Create an inventory of all CUI your organization possesses, including the type, format, storage location, and authorized users.
- Implement Proper Marking: Ensure all CUI is properly marked according to the CUI Marking Handbook published by NARA.
Step 2: Implement Security Controls
Once you've identified your CUI, implement the required security controls:
- Conduct Gap Analysis: Compare your current security practices against NIST SP 800-171 requirements to identify gaps.
- Develop and Implement a Plan of Action: Create a detailed plan to address identified gaps, with clear timelines and responsibilities.
- Secure CUI in Both Digital and Physical Forms:
  - Digital CUI: Implement access controls, encryption, secure configuration management, and monitoring.
  - Physical CUI: Establish physical security measures like locked cabinets, controlled access areas, and proper destruction methods.
- Document Security Policies and Procedures: Create comprehensive documentation of your security policies, procedures, and controls for CUI protection.
Step 3: Train Personnel
Everyone who handles CUI must understand their responsibilities:
- Conduct Initial Training: Provide comprehensive training on CUI identification, handling, marking, and protection requirements.
- Implement Role-Based Training: Tailor training to specific roles and responsibilities within your organization.
- Establish Ongoing Awareness Programs: Conduct regular refresher training and maintain awareness through newsletters, posters, and other communication channels.
- Document Training Completion: Maintain records of all CUI-related training completed by personnel.
Step 4: Monitor and Maintain Compliance
Compliance is not a one-time effort but requires ongoing attention:
- Conduct Regular Self-Assessments: Periodically assess your compliance with NIST SP 800-171 requirements and document the results.
- Implement Continuous Monitoring: Establish monitoring processes to detect security events and potential breaches of CUI.
- Develop an Incident Response Plan: Create procedures for responding to security incidents involving CUI, including the 72-hour reporting requirement for cyber incidents.
- Maintain Documentation: Keep all documentation related to CUI protection up-to-date, including system security plans, policies, procedures, and assessment results.
Step 5: Prepare for Assessments and Certification
If you're subject to CMMC requirements, prepare for the certification process:
- Determine Required CMMC Level: Based on your contracts and the type of CUI you handle, identify the appropriate CMMC level.
- Conduct Pre-Assessment: Perform an internal pre-assessment against the applicable CMMC requirements.
- Remediate Issues: Address any identified deficiencies before the formal assessment.
- Engage with a C3PAO: Work with a CMMC Third-Party Assessment Organization (C3PAO) for the formal certification assessment.
Common Mistakes in CUI Management
Even with the best intentions, organizations often make mistakes when managing CUI. Here are some common pitfalls to avoid:
1. Over-classification
Treating all information as CUI when it doesn't meet the definition can lead to unnecessary costs and complexity. As one contractor on Reddit noted:
"I've adopted an 'if in doubt, treat it as CUI' approach, but it's been met with resistance for being too broad."
While caution is important, over-classification can strain resources and create resistance to compliance efforts.
2. Under-classification
Conversely, failing to identify information as CUI when it should be protected can lead to security breaches and compliance violations. This often happens when organizations lack clear guidelines or training on CUI identification.
3. Ignoring Context
Sometimes, information may not be CUI on its own but becomes CUI when combined with other information or in specific contexts. For example, a single piece of unclassified technical data might not be CUI, but when combined with other related information, it could reveal sensitive capabilities.
4. Overlooking Physical CUI
While much attention is given to digital CUI, physical documents containing CUI require equal protection. This includes proper storage, handling, and destruction procedures.
5. Inadequate Subcontractor Management
Prime contractors are responsible for ensuring their subcontractors properly protect CUI. Failing to establish clear requirements and verify compliance can expose the entire supply chain to risks.
6. Neglecting Incident Response Requirements
Many organizations don't have adequate processes for identifying and reporting CUI-related security incidents, particularly the 72-hour reporting requirement for cyber incidents affecting CUI.
7. Insufficient Documentation
Proper documentation is crucial for demonstrating compliance. Many organizations fail to maintain comprehensive records of their CUI protection measures, training, assessments, and other compliance activities.
Special Considerations for Small Businesses
Small businesses face unique challenges when it comes to CUI compliance. Limited resources, budgets, and personnel can make implementing the required controls seem overwhelming. As one small business owner shared on Reddit:
"We have this requirement for 800-171 on any systems that touch CUI. We are a tiny company with a small budget and only one person (me). I'm at a loss and overwhelmed."
Strategies for Small Business Compliance
- Scope Limitation: Clearly define and limit the systems and personnel that handle CUI to reduce the compliance footprint.
- Cloud Solutions: Consider FedRAMP-authorized cloud services that have already implemented many of the required security controls.
- Outsourcing: Partner with Managed Security Service Providers (MSSPs) that specialize in NIST SP 800-171 and CMMC compliance.
- Phased Implementation: Prioritize critical controls and implement them in phases based on risk and available resources.
- Seek Assistance: Look for resources and assistance programs designed for small businesses, such as the DoD's Procurement Technical Assistance Centers (PTACs).
- Shared Resources: Consider sharing compliance resources with other small businesses or joining industry associations that provide compliance guidance.
However, as one experienced contractor warns:
"You can't go cheap. Like another poster mentioned, it's a minimum requirement and although you don't need to go with some enterprise solution, you cannot cut corners."
CUI Handling in Remote Work Environments
The rise of remote work has created new challenges for CUI protection. Organizations must ensure that CUI remains protected even when accessed from home offices or other remote locations.
Remote Printing Considerations
Printing CUI in remote environments introduces significant risks and compliance challenges. As several Reddit users noted:
"I forbid printing from home. Not much need for it anymore in my view."
"Banning printing is a great idea if you can get away with it..."
"Printing complicates everything. Then you have to worry about secure storage and disposal as well."
If remote printing is absolutely necessary, organizations must implement strict controls:
"When we had a remote worker with a justified need to print, we shipped the printer and instructed it be used via USB, not wifi."
Securing Home Networks
Home WiFi networks must meet security requirements if they will be used to access CUI. This includes encryption standards and proper configuration:
"If you allow CUI printing from home though.... so home wifi has to be proven FIPS validated?"
FIPS (Federal Information Processing Standards) validation may be required for cryptographic modules used to protect CUI, including those in home network equipment.
Physical Security in Remote Environments
Remote workers must implement appropriate physical security measures to protect CUI, including:
- Locking screens when not in use
- Securing physical documents in locked containers
- Preventing unauthorized viewing of CUI (visual privacy)
- Proper destruction of physical CUI documents
Future Trends in CUI Management
The landscape of CUI management continues to evolve. Here are some trends to watch:
1. CMMC Evolution
The CMMC program has undergone revisions (resulting in CMMC 2.0) and will likely continue to evolve. Organizations should stay informed about changes to certification requirements and timelines.
2. Increased Automation
Tools for automatically identifying, marking, and protecting CUI are becoming more sophisticated. These technologies can help reduce the burden of manual CUI management.
3. Enhanced Supply Chain Security
Expect increased focus on ensuring CUI protection throughout the supply chain, with prime contractors facing greater responsibility for subcontractor compliance.
4. Integration with Zero Trust Architecture
Zero Trust security models, which assume no implicit trust based on network location, align well with CUI protection requirements and may become more prevalent in CUI environments.
Conclusion
Controlled Unclassified Information represents a critical category of sensitive information that requires proper protection. While navigating CUI compliance can be challenging, especially for smaller organizations, the consequences of non-compliance can be severe, including contract termination, financial penalties, and reputational damage.
By understanding what constitutes CUI, implementing appropriate security controls, training personnel, and maintaining proper documentation, organizations can effectively protect CUI and maintain compliance with applicable regulations.
Remember these key points:
- CUI is sensitive but unclassified information that requires protection according to federal regulations
- Organizations handling CUI must comply with NIST SP 800-171 and potentially CMMC requirements
- Clear identification and proper marking of CUI are essential for effective protection
- Both digital and physical CUI require appropriate safeguards
- Compliance is an ongoing process requiring regular assessment and improvement
For more information and resources on CUI, consult these authoritative sources:
- National Archives CUI Program
- DoD CUI Registry
- NIST Special Publication 800-171
- CMMC Accreditation Body
- Defense Counterintelligence and Security Agency CUI Resources
By staying informed and proactive about CUI protection, organizations can navigate these complex requirements successfully and contribute to safeguarding sensitive information vital to national security and government operations.