Question 1

What exactly is Controlled Unclassified Information?

Accepted Answer

CUI is sensitive information the government requires you to protect under law, regulation, or government-wide policy, but it's not classified as secret. Think of it as a middle ground between public information and classified defense secrets. Examples include technical drawings protected by export control laws, proprietary business data shared under government contracts, critical infrastructure information, and personal privacy data. The key identifier is that federal law or DoD regulation mandates protection. It's not CUI simply because someone marked it confidential or your company considers it sensitive. The National Archives maintains the official CUI Registry listing 24 authorized categories. If your contract information falls into one of those categories and a federal agency designated it for protection, you're handling CUI and must apply NIST SP 800-171 security controls.

Question 2

What's the difference between CUI and Federal Contract Information?

Accepted Answer

Federal Contract Information is non-public information generated under a government contract that hasn't been released publicly. Examples include delivery schedules, correspondence with contracting officers, invoices, performance reports, and organizational charts. FCI is basic contract administration data. Controlled Unclassified Information is more sensitive and requires stronger protection because its disclosure could impact national security, compromise critical infrastructure, or violate federal privacy laws. Examples of CUI include technical specifications for weapon systems, export-controlled engineering data, and classified program schedules. The relationship: all CUI in your possession is also FCI, but not all FCI is CUI. FCI requires CMMC Level 1 with 17 basic security practices. CUI requires CMMC Level 2 with all 110 NIST SP 800-171 controls. About 90 percent of defense contractors handle CUI and need Level 2 certification.

Question 3

How do I know if my DoD contract involves CUI?

Accepted Answer

Check for DFARS clause 252.204-7012 or 252.204-7021 in your contract. These clauses indicate CUI handling requirements. Look for CUI markings on documents the government provides. Documents containing CUI must have CUI banners at top and bottom of each page, sometimes with category indicators like CUI//EXPT for export control or CUI//PRVCY for privacy information. Review your Statement of Work for language about technical data, export controlled information, or sensitive government information. Check if your contract involves a DD Form 254 for classified programs, which lists applicable CUI categories. When in doubt, ask your contracting officer or program manager. They determine what qualifies as CUI for your specific contract. If you're a subcontractor, your prime contractor should tell you whether you'll handle CUI and which categories apply. Never assume information is or isn't CUI based on your own judgment. Only the government can designate CUI.

Question 4

What are CUI marking requirements for defense contractors?

Accepted Answer

All CUI documents must have CUI banner markings at the top and bottom of every page. The simplest marking is just the word CUI, but you often add category indicators showing the type of CUI. Examples: CUI for basic marking, CUI//EXPT for export-controlled information, CUI//PRVCY for privacy data, or CUI//EXPT//NOFORN for export control with no foreign disclosure. The first page or cover must include a designation indicator showing who marked it as CUI, which category applies, and any distribution limitations. Portion markings are optional but helpful when documents mix CUI and non-CUI content. For emails, put CUI at the beginning of the subject line and at the start and end of the message body. Electronic files need CUI in the filename and file properties metadata. Only authorized personnel can apply CUI markings at document creation. When you receive CUI from the government or another contractor, preserve the existing markings when you copy, forward, or share those documents.

Question 5

Can I use commercial cloud services like Dropbox or Google Drive for CUI?

Accepted Answer

No. Commercial cloud services like Dropbox, Box, consumer Google Workspace, or personal iCloud don't meet CMMC Level 2 requirements for CUI protection. These services lack the security controls, incident response capabilities, and U.S.-based infrastructure that NIST SP 800-171 requires. For Microsoft 365, you need the Government Community Cloud High version, not the commercial version. GCC High provides U.S. citizen administrators, dedicated government cloud infrastructure, enhanced incident response capabilities, and forensic imaging support required under DFARS 252.204-7012. For AWS, you need GovCloud regions configured to NIST 800-171 standards. Consumer cloud services might encrypt data in transit and at rest, but they're missing dozens of other required controls around access management, incident detection, audit logging, and physical security. Using unauthorized cloud for CUI is one of the fastest ways to fail a C3PAO assessment.

Question 6

What happens if I mishandle CUI or fail to protect it properly?

Accepted Answer

Mishandling CUI carries serious consequences. First, you lose contract eligibility. DoD won't award contracts to contractors who can't protect CUI, and existing contracts may be terminated if you fail C3PAO assessment. Second, unauthorized CUI disclosure triggers mandatory incident reporting within 72 hours under DFARS 252.204-7012. The DoD investigates every incident, and repeated violations can get you suspended from the defense industrial base. Third, you face potential civil and criminal penalties depending on the CUI category. Export controlled technical data violations can result in millions in fines and prison time. Privacy information breaches trigger HIPAA penalties if health data is involved. Fourth, you're liable for breach costs and damages. If CUI disclosure leads to compromise of defense programs or contractor intellectual property, you could face lawsuits. Finally, reputational damage makes it hard to win future contracts. Other primes won't subcontract to you if you have a history of CUI spillage or compliance failures.

Question 7

Do I need CMMC Level 2 certification if I only handle Federal Contract Information?

Accepted Answer

No. If your contract involves only Federal Contract Information without any CUI, you need CMMC Level 1, not Level 2. Level 1 requires 17 basic cybersecurity practices from FAR Clause 52.204-21, costs five to fifteen thousand dollars to implement, and uses annual self assessment instead of paid third party audits. FCI examples include delivery schedules, invoice data, contract performance reports, and general correspondence with contracting officers. However, most defense contractors handle at least some CUI, which means Level 2 is required. Technical specifications, export controlled data, critical infrastructure information, or anything marked with a CUI banner means you need Level 2 with its 110 NIST SP 800-171 practices and triennial C3PAO assessment. Check your contract clauses carefully. DFARS 252.204-7012 or 7021 indicate CUI requirements. If your contract is silent about CUI but you're unsure, ask your contracting officer. It's better to implement Level 2 controls and not need them than skip protection and fail assessment.

Question 8

How does NIST SP 800-171 relate to CUI protection?

Accepted Answer

NIST Special Publication 800-171 is the security standard that defines how to protect Controlled Unclassified Information in contractor systems. It contains 110 security requirements organized into 14 control families. These families cover access control (who can see CUI), awareness training (teaching staff about CUI), audit logging (tracking CUI access), configuration management (controlling system changes), authentication (verifying user identity), incident response (handling CUI breaches), maintenance (keeping systems secure), media protection (securing storage devices), personnel security (background checks), physical protection (locked facilities), risk assessment (identifying threats), security assessment (testing controls), system protection (firewalls and encryption), and system integrity (malware protection). CMMC Level 2 requires implementing all 110 practices. You can't pick and choose which controls to implement. Assessors verify every single requirement. The controls work together as a complete security framework. Skipping access controls makes your audit logs useless. Ignoring incident response means you can't detect CUI theft. Missing physical security lets adversaries walk in and steal data despite your technical controls.

Understanding Controlled Unclassified Information (CUI)

DoD CUI Fundamentals for Defense Contractors

What is CUI and Why Does It Matter for Defense Contractors?

CUI vs FCI: Understanding the Critical Difference

Federal Contract Information

Controlled Unclassified Information

How to Identify CUI in Your Organization

Check for CUI Markings

Review Your DoD Contract

Consult the Official CUI Registry

When in Doubt, Ask Your Contracting Officer

CUI Categories Relevant to Defense Contractors

Export Control

Critical Infrastructure

Proprietary Business Information

Operations Security

Nuclear Information

Privacy Information

Procurement and Acquisition

CUI Marking Requirements

Banner Markings (Required)

Category and Dissemination Markings

Email and Electronic Marking

CUI Handling DO'S AND DON'TS

DO'S: Essential CUI Protection Practices

DON'TS: Critical CUI Mistakes to Avoid

Why CUI Protection Matters for CMMC

Contract Eligibility

National Security

Legal Consequences

NIST SP 800-171: The CUI Protection Framework

WHO Can Access CUI

HOW We Monitor Activity

WHAT We Protect

WHEN Incidents Happen

Which CMMC Level Do You Need?

FCI Only

CUI Protection

High-Value CUI

CUI Questions for Defense Contractors

Need Help Identifying and Protecting CUI?

Loading