
What Is CUI? Controlled Unclassified Information Explained for Small Defense Contractors

CUI (Controlled Unclassified Information) is unclassified federal data that still requires protection by law, regulation, or policy. Here is what Hampton Roads defense contractors need to know.

By Wakeem Williams
Photo: Vanessa Garcia / Pexels

Controlled Unclassified Information (CUI) is unclassified government information that still requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is governed by the National Archives and Records Administration (NARA) under 32 CFR Part 2002 and is central to CMMC Level 2 compliance. For defense contractors, CUI is why cybersecurity requirements exist in the first place.

That definition belongs in the first paragraph because it is the answer to most of what your contracts are actually asking about.

If your company supports shipbuilding, engineering, base operations, defense manufacturing, or federal services work around Hampton Roads — Norfolk, Newport News, Portsmouth, Chesapeake, Virginia Beach, Suffolk, Hampton — there is a reasonable chance your team handles CUI and may not know it by name.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information is unclassified data that the federal government — or entities working under a government contract — must protect because a law, regulation, or government-wide policy says so.

The CUI program was established to replace a patchwork of agency-level designations (FOUO, SBU, Sensitive, Limited Distribution, etc.) with a single, consistent framework. NARA manages the CUI program and maintains a public registry of all authorized categories.

The key thing to understand: CUI is not classified. If it were classified, there would be a very different access and handling system involved. But CUI is also not public. It sits in the middle — unclassified, but with specific safeguarding and dissemination controls baked into the law or policy that created the category.

A contract drawing. A technical specification. Personally identifiable information. Export-controlled research results. These are common examples of CUI in defense contracting. They are not secret in the classified sense. But they are not meant to end up in the wrong hands, on an unmanaged laptop, or in a personal email thread.

The CMMC article on this site covers CMMC requirements in detail, but the short version is this: if your contract involves CUI, you are likely looking at CMMC Level 2, which means the 110 security requirements of NIST SP 800-171 Revision 2, the revision the CMMC rule references.

What is the difference between CUI and FCI?

FCI stands for Federal Contract Information. It is information the government provides to a contractor, or that a contractor generates while doing government work, that is not intended for public release. Think contract deliverables, internal communications tied to a federal contract, and work products that belong to the government.

CUI is more specific and more sensitive. Every piece of CUI is, broadly speaking, also FCI — it is government-related information that is not public. But not all FCI is CUI.

Here is the practical difference in a defense contracting context:

FCI triggers CMMC Level 1, which is 15 basic safeguarding practices and an annual self-assessment. The controls are things like limiting system access to authorized users, using unique identifiers for accounts, and controlling physical access to systems. Reasonable, achievable hygiene.

CUI triggers CMMC Level 2, which is 110 security requirements from NIST SP 800-171 across 14 control families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

That is a meaningful difference in scope, evidence, and cost.

The practical question for any small contractor is: what information do you actually receive, generate, or transmit? If that information falls into a CUI category, you are in Level 2 territory. Company size does not change that.

What are examples of CUI?

The NARA CUI Registry lists over 100 authorized CUI categories organized across 20 groupings. For Hampton Roads defense contractors, the categories most likely to appear in practice include:

Controlled Technical Information (CTI) — technical data and computer software with military or space application that is subject to controls on access, use, reproduction, modification, or export. This is often what defense contractors think of when they imagine sensitive information: engineering drawings, specifications, test results, and technical manuals tied to DoD systems.

Export Controlled — research and data subject to the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). If your company works on defense articles or defense services regulated under ITAR, the technical data associated with that work is almost certainly CUI.

Privacy/PII — Personally identifiable information tied to government employees, contractors, or program participants. This includes names combined with SSNs, DoD ID numbers, medical information, and financial details when they relate to federal programs.

Procurement and Acquisition — pre-award source selection information, contractor proposals, cost or pricing data, and similar acquisition-sensitive materials.

Naval Nuclear Propulsion — specific to nuclear-powered vessels, this is a CUI category commonly relevant to contractors supporting Newport News Shipbuilding and related work.

The point is not to memorize the registry. The point is to recognize that what gets labeled “sensitive” or “proprietary” in the normal course of defense work often has a formal CUI category associated with it, and that label carries legal handling requirements.

If you are unsure whether specific information is CUI, look at the contract. Look at the data rights and disclosure clauses. Look at what the prime tells you about how to handle deliverables. CUI will often be identified in the contract or in the document markings on information the government or prime sends you.

How is CUI marked and handled?

When a document, file, or email contains CUI, it must be marked. The banner marking goes in the header or footer, and at its simplest it is just:

CUI

Category markings, when shown, follow a double slash. Controlled Technical Information, for example, is marked:

CUI//SP-CTI

The SP- prefix means the category is CUI Specified: the law or regulation that created it prescribes its own handling requirements, and CTI is one of those categories. CUI//CTI without the prefix is a common legacy mistake rather than the correct form. Limited dissemination controls, when they apply, follow the category after a second double slash.

The DoD has issued detailed marking guidance (DoDI 5200.48 and the accompanying DoD CUI marking guide). Not every contractor gets this right out of the gate, especially small businesses that have been handling “sensitive” information informally for years without a formal CUI designation from their prime.

For handling, NIST SP 800-171 is the operative standard. It sets requirements for how systems that process, store, or transmit CUI must be configured, protected, and monitored. Access controls, multi-factor authentication, encrypted storage, audit logging, incident response — these are not bureaucratic checkboxes. They are the technical controls that keep CUI from leaving your environment through an open door.

The System Security Plan (SSP) is the primary evidence document. It describes your system boundary, what CUI is in scope, and how each of the 110 NIST 800-171 requirements is addressed. If you do not have one, that gap alone will surface in any C3PAO assessment.

Why does CUI matter for CMMC?

CUI is why CMMC Level 2 exists.

CMMC Level 1 covers FCI with basic safeguarding. Level 2 was built specifically to address CUI and aligns to NIST SP 800-171 in full. The requirement is this: if your contract requires you to process, store, or transmit CUI, your environment must meet NIST SP 800-171 — and beginning with CMMC implementation, you may need to prove it either through self-assessment or through a third-party C3PAO assessment.

The connection between CUI and CMMC is direct and intentional. The DoD’s concern is that sensitive technical information — engineering data, research, specifications — was flowing through contractor environments without consistent protection. CMMC with its CUI focus is the mechanism to fix that.

For small Hampton Roads contractors, this means: before asking whether you need CMMC Level 2, ask whether you handle CUI. Trace where technical data, drawings, specifications, and contract deliverables land. Check email attachments. Check file shares. Check what gets sent to subcontractors. If CUI is in your environment, NIST SP 800-171 applies — and the CMMC compliance path follows from there.
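The script below is an added example for this article, not tooling from DoD, NARA, or Helix Stax. It ties together two things the text describes: the banner marking format from the marking section (CUI, an optional category segment after a double slash, an optional dissemination-control segment after a second double slash, with SP- marking a Specified category), and the scoping exercise just described, walking a mounted file share or mailbox export to report which files carry CUI markings and which markings look wrong. The category table is an assumed subset of the NARA CUI Registry (CTI and NNPI as Specified; PRVCY, EXPT and PROCURE as basic); confirm every abbreviation against the live registry before relying on it. NOFORN appears only as a sample dissemination control, and the sample files are constructed. The scanner reads plain-text files only; Office documents and PDFs need a text extractor in front of it.

```python
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Assumed subset of the NARA CUI Registry: abbreviation -> (name, Specified-only?).
# Verify against the live registry before relying on it.
KNOWN_CATEGORIES = {
    "CTI": ("Controlled Technical Information", True),
    "NNPI": ("Naval Nuclear Propulsion Information", True),
    "EXPT": ("Export Controlled", False),
    "PRVCY": ("Privacy", False),
    "PROCURE": ("General Procurement and Acquisition", False),
}
# Banner grammar: CUI//<categories>[//<dissemination controls>], items within a
# segment separated by "/". Uppercase only, as the marking guidance requires.
SEGMENT = r"[A-Z0-9\-]+(?:/[A-Z0-9\-]+)*"
MARKING_RE = re.compile(rf"\bCUI//{SEGMENT}(?://{SEGMENT})?\b")
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".eml"}


@dataclass
class Marking:
    raw: str
    categories: list = field(default_factory=list)     # as written, e.g. "SP-CTI"
    dissemination: list = field(default_factory=list)  # e.g. "NOFORN"
    issues: list = field(default_factory=list)


def parse_marking(raw):
    """Split a banner marking into segments and sanity-check its categories."""
    mk = Marking(raw=raw)
    parts = raw.split("//")
    if parts[0] != "CUI":
        mk.issues.append("marking does not start with CUI")
        return mk
    if len(parts) > 3:
        mk.issues.append("more than two '//' separators")
    if len(parts) >= 2:
        mk.categories = [c for c in parts[1].split("/") if c]
    if len(parts) >= 3:
        mk.dissemination = [d for d in parts[2].split("/") if d]
    for cat in mk.categories:
        abbrev = cat.removeprefix("SP-")  # SP- marks a CUI Specified category
        info = KNOWN_CATEGORIES.get(abbrev)
        if info is None:
            mk.issues.append(f"unknown category {cat}: check the CUI Registry")
        elif info[1] and not cat.startswith("SP-"):
            mk.issues.append(f"{abbrev} is a Specified category; expected SP-{abbrev}")
    return mk


def find_markings(text):
    """Return every banner marking in a document; the word CUI in prose is ignored."""
    found = []
    for line in text.splitlines():
        if line.strip() == "CUI":  # bare banner line with no category shown
            found.append(parse_marking("CUI"))
            continue
        found.extend(parse_marking(m.group(0)) for m in MARKING_RE.finditer(line))
    return found


def scan_tree(root):
    """Walk a directory (a mounted share, a mailbox export) and collect markings per file."""
    results = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue  # Office documents and PDFs need a text extractor first
        markings = find_markings(path.read_text(encoding="utf-8", errors="ignore"))
        if markings:
            results[path.relative_to(root).as_posix()] = markings
    return results


def summarize(results):
    """Count CUI categories found and list markings that look wrong."""
    by_category, issues = Counter(), []
    for rel, markings in results.items():
        for mk in markings:
            for cat in mk.categories or ["(no category shown)"]:
                by_category[cat.removeprefix("SP-")] += 1
            issues.extend(f"{rel}: {mk.raw}: {i}" for i in mk.issues)
    return {"files_with_cui": len(results), "by_category": dict(by_category), "issues": issues}


# Constructed sample documents standing in for a small contractor's share; not real data.
SAMPLE_FILES = {
    "drawings/bracket-rev3.txt": "CUI//SP-CTI//NOFORN\nHull bracket, rev 3, dimensions follow.\n",
    "hr/onboarding.txt": "CUI//PRVCY\nNew hire checklist with SSN field.\n",
    "old/notes.txt": "CUI//CTI (Controlled Technical Information)\nLegacy marking.\n",
    "misc/readme.txt": "The CUI program is managed by NARA.\n",
    "proposal/pricing.txt": "CUI\nCost volume, not for public release.\n",
}


def demo(root=None):
    """Write the sample files to a scratch directory, scan them, return the summary."""
    root = root or Path(tempfile.mkdtemp(prefix="cui-scan-"))
    for rel, text in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text, encoding="utf-8")
    return summarize(scan_tree(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed samples the summary reports four files carrying CUI, counts two CTI hits, one Privacy hit and one bare CUI banner, and flags the legacy CUI//CTI marking because CTI is a Specified category. Pointed at a real share, scan_tree gives a first answer to where CUI lands, which is the scoping question the SSP system boundary has to settle. Two limits matter: the scan only finds information somebody marked, so unmarked CUI still has to be traced through the contract and the prime's deliverable instructions, and a finding on a shared drive with no access control is a control gap to record, not just a location.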

The CMMC requirements guide on this site walks through the three levels, the DFARS clauses, and what readiness actually looks like for a small contractor.

What happens if you mishandle CUI?

The consequences fall into a few categories, none of them good.

Contract loss. A prime or contracting officer who discovers that CUI was mishandled — stored on personal devices, shared via personal email, sent to unauthorized subcontractors — has grounds to pull work. Before CMMC fully rolls out, this is primarily a contractual and trust problem. After CMMC requirements appear in contract clauses, it becomes a certification problem.

DFARS 252.204-7012 violations. That clause requires contractors to report cyber incidents affecting covered defense information to DoD within 72 hours of discovery, and covered defense information overlaps heavily with CUI. Failing to report such an incident is itself a violation, separate from the underlying security failure. Contractors who cannot demonstrate compliance with 7012 have a bigger problem than a failed audit.

False Claims Act exposure. This is the serious one. After the DoD issued guidance on contractor cybersecurity obligations, the Department of Justice began bringing False Claims Act cases against contractors who self-certified compliance — that is, signed DFARS representations — when they knew their systems were not meeting NIST 800-171. The Civil Cyber-Fraud Initiative made this explicit. Misrepresenting cybersecurity compliance status on federal contracts is not just a regulatory problem; it can be a fraud case.

Reputational and competitive damage. Primes are increasingly asking cybersecurity questions in proposals and renewals. A contractor who cannot answer basic questions about how CUI is protected will lose opportunities to contractors who can.

None of this requires a large company to be at risk. A 10-person engineering firm handling CUI on a shared file server with no MFA, no logging, and no incident response plan has the same exposure as a 500-person defense contractor. What matters is the sensitivity of the information, not the headcount.

Where to start if you are not sure

The most common situation is honest uncertainty. Your company handles contracts, technical data, and deliverables. You are not sure what is CUI, which systems are in scope, or whether your current controls would hold up to scrutiny.

Start by reading the cybersecurity fundamentals guide for the baseline — the basic controls that should already be in place regardless of CUI or CMMC.

Then get specific. Pull your contracts and look at the data rights, disclosure, and cybersecurity clauses. Look at the information you receive from primes and the government. If technical drawings, specifications, controlled research, or acquisition-sensitive materials are involved, those are almost certainly CUI categories. Check what the NARA CUI Registry says about the information type.

If you have a basic understanding of your exposure and want to pressure-test it, a readiness conversation with someone who works in this space is the right next move. Helix Stax helps small Hampton Roads contractors find CUI scope, identify control gaps, and build a practical path toward cybersecurity compliance — SSP development, control implementation, and CMMC readiness — without pretending it is simpler than it is.

No pressure. Just a starting point.

A Free IT Assessment takes about 60 minutes and gives you a clear picture of where the gaps are. That is the useful first step — before a prime asks for proof, before a contract clause becomes a deadline.