
CUI Basic vs CUI Specified: What Contractors Get Wrong

FSOGuide

EXECUTIVE BRIEF

Most defense contractors can't clearly explain the difference between the two types of Controlled Unclassified Information (CUI), CUI Basic and CUI Specified. That confusion can have consequences during a spillage or an assessment.

This article breaks down what the distinction actually means, where it matters operationally, and five mistakes we’ve seen most often in the field. 

Some key takeaways:

  • CUI Specified isn't a higher classification of CUI. It's CUI that’s governed by a specific law or regulation that dictates handling rules beyond the 32 Code of Federal Regulations (CFR) Part 2002 baseline. The problem can’t be fixed by treating all CUI as Specified because over-restricting CUI Basic is its own compliance problem.
  • A clean CMMC Level 2 certification doesn't automatically cover every category of CUI you hold. CMMC, as defined in 32 CFR Part 170, assesses NIST SP 800-171 safeguarding; it does not assess the licensing and dissemination obligations that the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) impose. Contractors with strong CMMC programs can still mishandle export-controlled CUI Specified data and face statutory penalties the CMMC framework was never designed to address.

Dig deeper below to find out more.


A common piece of advice that circulates in the Defense Industrial Base (DIB) is to "just treat everything as CUI." It sounds safe. But it isn't.

When you misclassify CUI, you create a problem for the future: one that can show up during a Defense Counterintelligence and Security Agency (DCSA) review, in a flow-down dispute with a prime, or during a Cybersecurity Maturity Model Certification (CMMC) assessment.

In the worst case, it shows up during a suspected CUI spillage, once the clock is ticking to give the Department of Defense (DoD, now also styled the Department of War) Cyber Crime Center (DC3) an accurate, category-level report inside the 72-hour window set by DFARS 252.204-7012. By that point, a wrong call on categorization can have longer-lasting consequences than a compliance finding: it can cost you a contract.

This guide explains how CUI Basic and CUI Specified differ in practice, how they map to CMMC, and the five mistakes we’ve seen most often from defense contractors.

What Is Controlled Unclassified Information?

Controlled Unclassified Information is sensitive but unclassified data that federal law, regulation, or government-wide policy requires you to protect. Established by Executive Order 13556 in 2010 and codified by 32 CFR Part 2002, the CUI designation replaced a patchwork of legacy markings like For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES) with one unified federal standard.

If you're a defense contractor, CUI is the data your contract requires you to safeguard under National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 on your own non-federal systems. It's also the data that determines whether you need CMMC Level 1 or CMMC Level 2 certification.

CUI breaks into two types: CUI Basic and CUI Specified. Let’s cover the difference.

What Is CUI Basic?

CUI Basic is the default category. It applies when the underlying law, regulation, or policy authorizing the protection does not specify handling rules beyond the baseline requirements in 32 CFR Part 2002.

You safeguard CUI Basic on your own systems by implementing NIST SP 800-171. You document those controls in a System Security Plan (SSP), track open gaps in a Plan of Action and Milestones (POA&M), and report your score to the Supplier Performance Risk System (SPRS).

The CUI marking rules treat Basic with some flexibility: the CUI banner marking at the top of each page is required, but the category or subcategory marking is optional.

Examples you'll actually see in defense contracts include:

  • Controlled Technical Information (CTI), such as technical drawings or specifications produced under a federal contract
  • Procurement-sensitive information disclosed during source selection
  • Proprietary business information shared under contract
  • Certain privacy-related records that don't carry statutory handling rules of their own

If your contract involves CUI Basic, your baseline obligations are NIST SP 800-171 implementation, SSP documentation, POA&M maintenance, and derivative marking for any documents you create that contain the protected information.

What Is CUI Specified?

CUI Specified is the subset of CUI where the authorizing law, regulation, or government-wide policy itself dictates handling or dissemination rules that go beyond the 32 CFR Part 2002 baseline.

CUI Specified is not a higher classification of CUI. It's CUI governed by a more specific authority. The National Archives CUI Registry is explicit on this point. Treating Specified as "more sensitive" is one of the most common, and most expensive, mistakes contractors make. (We'll come back to this later.)

Category markings for CUI Specified are mandatory, not optional. The specific category drives the handling rules, so you have to know which one you're holding.

Examples you'll encounter include:

  • Technical data controlled by the ITAR, marked CUI//SP-EXPT
  • Data controlled by the Export Administration Regulations (EAR), also export-controlled but under the Department of Commerce
  • Naval Nuclear Propulsion Information (NNPI)
  • Certain privacy categories where statute prescribes specific handling

When you handle CUI Specified, you're complying with two regulatory frameworks at the same time: the 32 CFR Part 2002 baseline and the underlying law that made the category Specified in the first place.

A Quick Glance at CUI Basic vs. Specified

Here's a quick reference guide for CUI Basic vs. CUI Specified (each row gives the CUI Basic value, then the CUI Specified value):

Executive Agent
  • CUI Basic: NARA (National Archives and Records Administration)
  • CUI Specified: NARA

Governing Framework
  • CUI Basic: 32 CFR Part 2002 baseline
  • CUI Specified: 32 CFR Part 2002 plus the specific law, regulation, or government-wide policy

Authorizing Authority
  • CUI Basic: The law, regulation, or policy that requires protection but sets no handling rules of its own; handling comes from 32 CFR Part 2002
  • CUI Specified: The specific law, regulation, or government-wide policy, which also determines any additional dissemination controls

Baseline Safeguarding Standard
  • CUI Basic: NIST SP 800-171 on non-federal systems
  • CUI Specified: NIST SP 800-171 plus whatever controls the authorizing law dictates

Category Marking
  • CUI Basic: Optional (the CUI banner itself is still required)
  • CUI Specified: Mandatory

Dissemination Controls
  • CUI Basic: Standard rules under 32 CFR Part 2002; limited dissemination controls only where the authority permits them
  • CUI Specified: Restrictions written into the source law (for example NOFORN, REL TO, DISPLAY ONLY, or ITAR's U.S.-persons-only rule)

Common Examples
  • CUI Basic: CTI, procurement-sensitive data, certain privacy records
  • CUI Specified: ITAR technical data (SP-EXPT), EAR-controlled data, NNPI

Penalty Exposure
  • CUI Basic: Contract remedies
  • CUI Specified: Contract remedies plus statutory penalties from the underlying law

There are three additional differences that don't fit cleanly into a table.

  • Handling requirements diverge at the control set. With CUI Basic, you're working from the unified 32 CFR Part 2002 control set. With CUI Specified, you're layering whatever the authorizing law requires either on top of, or in place of, that baseline.
  • Over-restricting CUI Basic is a separate problem. CUI Basic can flow to any authorized recipient with a lawful government purpose. CUI Specified often carries restrictions written into the source law, such as the ITAR requirement that technical data flow only to U.S. persons. Contractors get this wrong in both directions. The obvious mistake is letting restricted data reach someone who shouldn't see it. The less obvious mistake is applying restrictions the law doesn't require, like enforcing NOFORN on a category that has no foreign national restriction. Both are violations under the CUI program rules.
  • Penalty exposure is fundamentally different. Mishandling CUI Basic is generally a contractual problem. Mishandling CUI Specified can trigger statutory penalties from the law underneath the marking. ITAR violations, for instance, carry criminal exposure that pure contract breach does not.

How CUI Basic and CUI Specified Map to CMMC

CMMC Level 2 maps directly to NIST SP 800-171 and applies to contractors handling CUI, whether Basic or Specified, on non-federal systems. If you handle only Federal Contract Information (FCI) and no CUI, CMMC Level 1 applies. If you handle high-risk CUI on critical programs, you may need CMMC Level 3, which the Department of Defense (DoD) determines contract by contract.

Passing a CMMC Level 2 assessment doesn't mean you're handling CUI Specified correctly. CMMC, as defined in 32 CFR Part 170, assesses NIST SP 800-171 safeguarding; it does not assess the licensing and dissemination obligations ITAR and EAR impose. A contractor with a clean CMMC Level 2 certification can still mishandle ITAR-controlled CUI Specified and face penalties the CMMC framework was never designed to address.

Your CUI inventory should map every data type you handle to two things: the CMMC scope that applies to it, and the underlying authority for any Specified category. You document both in your SSP. If your current SSP treats CUI as a monolith, that's a finding waiting to happen.

5 Common Mistakes Defense Contractors Make About CUI Basic vs CUI Specified

Mistake #1: Treating "Specified" as a Higher Classification Level

This is the single most common confusion. Contractors hear the word "Specified" and respond by over-applying controls: enforcing NOFORN restrictions the contract doesn't require, restricting access to data the contract permits to flow freely, or building dissemination workflows that block legitimate use.

Over-protection is its own compliance problem, and it compounds down the supply chain. In practice, the government often overmarks when uncertain, and primes handling ITAR data tend to mark it as CUI even when it may not qualify. Once that designation is in a prime's contract, the prime cannot relax the dissemination controls when flowing the data down to subcontractors. Over-marked data therefore moves through the supply chain with restrictions baked in, and everyone downstream is bound by them whether or not the original designation was accurate.

The fix is simple. Read the marking. Check the authority. Apply exactly the controls the law requires, no more and no less.

Mistake #2: Assuming the Government or Prime Will Mark Everything Correctly

CUI arrives mismarked, ambiguously marked, or entirely unmarked all the time. While the originating agency is responsible for initial designation, you're still accountable for what happens to it inside your environment.

Three responsibilities sit on you as a contractor, whether prime or subcontractor:

  • Derivative marking for any document you create that contains the protected information, with a complete designation indicator identifying who designated it as CUI
  • Catching mismarked or unmarked CUI that arrives from a prime or directly from the government
  • Escalating ambiguity to your contracting officer in writing, not relying on verbal guidance from a Contracting Officer's Representative (COR)

Mistake #3: Assuming CMMC Compliance Means You Understand the Difference

CMMC and CUI Specified handling are overlapping requirements, not interchangeable ones. Your compliance program has to address both. CMMC Level 2 certification demonstrates that your environment can receive and protect CUI. What it does not answer is how you are permitted to handle it. Dissemination controls, particularly those tied to CUI Specified categories like ITAR or NNPI, dictate who can access the data, where it can go, and under what conditions. Those rules come from the authorizing law, not from CMMC.

For instance, picture a defense supplier producing ITAR-controlled technical drawings for a Navy program. It passes CMMC Level 2 on the strength of its NIST SP 800-171 implementation. Six months later, an engineer emails the drawings to a foreign national colleague for a quick design review. The supplier is technically still CMMC compliant, but it has also just committed an ITAR violation.

Mistake #4: Not Documenting the CUI Distinction in Your SSP

Your System Security Plan (SSP) should identify what types of CUI you handle, the authority for each type, and the controls you've applied to each.

Most SSPs we review treat CUI as one undifferentiated category. The implementation documentation describes NIST SP 800-171 controls applied to "CUI," with no breakdown by category, authority, or location in the environment. An assessor reading that SSP wouldn’t be able to tell whether the contractor understands the distinction between Basic and Specified.

The fix is to structure the CUI inventory section of your SSP around authority. For each category you handle, you should document:

  • The category name
  • The authorizing law or regulation
  • The locations in your environment where the data lives
  • The controls applied
  • Any limited dissemination controls in effect

Mistake #5: Not Knowing Which Type You're Holding Until Something Goes Wrong

The moment many contractors learn whether they had CUI Basic or CUI Specified is the moment of a spillage, when DC3 DCISE expects category-level reporting within 72 hours under DFARS 252.204-7012.

If your incident response team can't tell the responder what type of sensitive data was spilled, you've got two problems instead of one. You've got the spillage, and you've got the inability to demonstrate you had a handle on your environment in the first place. The second problem can be worse than the first when the follow-up review starts.


How to Identify Which Type of CUI Your Contract Involves

1. Read the Contract for the Relevant DFARS Clauses

The clauses that signal CUI handling requirements include DFARS 252.204-7012 (safeguarding covered defense information and cyber incident reporting), 252.204-7019 and 252.204-7020 (NIST SP 800-171 DoD assessment requirements, including government access to facilities, systems, and personnel for assessments), and 252.204-7021 and 252.204-7025 (CMMC level requirements). The contract may also cite 32 CFR Part 2002 directly. Note any CUI markings referenced in the statement of work and any specific category names called out.

2. Use the CUI Registry.

The NARA CUI Registry is the government-wide reference for every CUI category: its authority, its marking, and whether it is Basic or Specified. Categories are grouped by subject. The Defense grouping holds DoD-originated categories such as CTI and NNPI, while ITAR- and EAR-controlled data sits under the Export Control grouping. DoD also publishes its own DoD CUI Registry with DoD-specific marking and handling guidance for Defense Industrial Base (DIB) contractors; for DoD contracts, check the entry in both.

3. Escalate Ambiguity in Writing.

When data is unmarked, mismarked, or ambiguously marked, send a written question to your contracting officer. Verbal guidance from a COR is not a substitute for a documented designation.

4. Document Each Category in Your SSP.

Record the governing authority, the controls applied, the locations in your environment where the data lives, and any limited dissemination controls.

5. Add Categories to Your Incident Response Inventory.

Your incident response plan should be able to answer "what category was exposed" in the first hour, not the first 72.
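The following Python is an added example, not code from the article or from ISI. It models the SSP inventory fields listed under Mistake #4 (category, authority, locations, controls, limited dissemination controls) and steps 4 and 5 above, and it parses the banner marking format discussed earlier (CUI//CATEGORY//LDC, with the SP- prefix identifying a Specified category). It then does three things a practitioner actually needs: answer "what category lives at this path" for incident response, flag a Specified document that arrived without its mandatory category marking, and check a proposed release in both directions, catching an ITAR U.S.-persons violation as well as an LDC the authority never permitted. The inventory entries, file paths, recipients, and the per-category sets of permitted LDCs are constructed assumptions; take the real markings, authorities, and permitted LDCs from each category's CUI Registry entry.

```python
"""Added example, not code from the article: a small CUI inventory with banner-marking
parsing, an incident-response lookup by location, and release checks that catch both
under- and over-restriction. Categories, authorities, paths and recipients are
constructed for illustration; confirm markings and authorities in the CUI Registry."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Limited dissemination control (LDC) markings recognised here. The Registry's LDC list
# is longer; this subset is enough to tell an LDC segment from a category segment.
LDC_PREFIXES = ("NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "REL TO", "DISPLAY ONLY")


def _ldc_base(token: str) -> str:
    """'REL TO USA, GBR' -> 'REL TO'; 'NOFORN' -> 'NOFORN'."""
    return next((p for p in LDC_PREFIXES if token.startswith(p)), token)


@dataclass(frozen=True)
class Marking:
    categories: Tuple[str, ...]  # e.g. ("SP-EXPT", "CTI"); empty for a bare "CUI" banner
    ldcs: Tuple[str, ...]        # e.g. ("NOFORN",)

    @property
    def specified(self) -> bool:
        return any(c.startswith("SP-") for c in self.categories)  # SP- prefix = Specified


def parse_banner(banner: str) -> Marking:
    """Parse 'CUI//CATEGORY[/CATEGORY]//LDC[/LDC]'; 'CUI//NOFORN' (no category) is also valid."""
    segments = [s.strip() for s in banner.upper().split("//")]
    if segments[0] != "CUI":
        raise ValueError(f"not a CUI banner: {banner!r}")
    categories: List[str] = []
    ldcs: List[str] = []
    for seg in segments[1:]:
        tokens = [t.strip() for t in seg.split("/") if t.strip()]
        if tokens and all(t.startswith(LDC_PREFIXES) for t in tokens):
            ldcs.extend(tokens)
        else:
            categories.extend(tokens)
    return Marking(tuple(categories), tuple(ldcs))


@dataclass
class CuiCategory:
    marking: str                     # category marking used in the banner
    name: str
    authority: str                   # law/regulation/policy behind the category
    specified: bool
    us_persons_only: bool            # restriction the authority itself imposes
    authorized_ldcs: FrozenSet[str]  # LDCs the authority permits (assumed values below)
    locations: List[str] = field(default_factory=list)  # SSP inventory: where it lives


# Constructed inventory. The authorized_ldcs sets and paths are illustrative assumptions.
INVENTORY: Dict[str, CuiCategory] = {
    "CTI": CuiCategory("CTI", "Controlled Technical Information",
                       "32 CFR 2002 baseline; DFARS 252.204-7012", False, False,
                       frozenset({"NOFORN", "FED ONLY"}), ["/srv/programs/drawings"]),
    "SP-EXPT": CuiCategory("SP-EXPT", "Export Controlled (ITAR technical data)",
                           "ITAR, 22 CFR Parts 120-130", True, True,
                           frozenset({"NOFORN"}), ["/srv/programs/nav-x/itar"]),
    "PRVCY": CuiCategory("PRVCY", "General Privacy", "Privacy Act, 5 U.S.C. 552a",
                         False, False, frozenset(), ["/srv/hr/records"]),
}


@dataclass(frozen=True)
class Recipient:
    us_person: bool         # ITAR "U.S. person" (citizen or lawful permanent resident)
    foreign_national: bool  # what NOFORN keys on; a permanent resident can be both


def categories_at(location: str) -> List[CuiCategory]:
    """Incident-response lookup: which inventoried categories live at this path?"""
    return [c for c in INVENTORY.values() if any(location.startswith(p) for p in c.locations)]


def audit_marking(banner: str, location: str) -> List[str]:
    """Compare a document's banner with what the inventory says lives at its location."""
    marking = parse_banner(banner)
    expected = categories_at(location)
    cats = [INVENTORY[m] for m in marking.categories if m in INVENTORY] or expected
    findings = []
    for cat in expected:  # Specified data must carry its category marking
        if cat.specified and cat.marking not in marking.categories:
            findings.append(f"mismarked: {cat.marking} is CUI Specified; category marking is mandatory")
    for ldc in marking.ldcs:  # over-restriction: an LDC no applicable authority permits
        if not any(_ldc_base(ldc) in c.authorized_ldcs for c in cats):
            findings.append(f"over-restricted: {ldc} not authorized for {[c.marking for c in cats]}")
    return findings


def check_release(banner: str, location: str, to: Recipient) -> List[str]:
    """Reasons (if any) a release to this recipient would violate the governing rules."""
    marking = parse_banner(banner)
    cats = [INVENTORY[m] for m in marking.categories if m in INVENTORY] or categories_at(location)
    findings = [f"blocked: {c.marking} ({c.authority}) limits release to U.S. persons"
                for c in cats if c.us_persons_only and not to.us_person]
    if to.foreign_national and any(_ldc_base(l) == "NOFORN" for l in marking.ldcs):
        findings.append("blocked: NOFORN")
    return findings


if __name__ == "__main__":
    wing = "/srv/programs/nav-x/itar/wing.step"
    print(audit_marking("CUI", wing))                                    # missing SP-EXPT marking
    print(audit_marking("CUI//PRVCY//NOFORN", "/srv/hr/records/a.pdf"))  # NOFORN not authorized
    print(check_release("CUI//SP-EXPT", wing, Recipient(us_person=False, foreign_national=True)))
```

The two recipient flags are deliberate: ITAR's "U.S. person" test (which a lawful permanent resident passes) and NOFORN (which keys on foreign nationality) are different rules from different authorities, so a permanent resident may receive SP-EXPT data that carries no NOFORN but not the same data once NOFORN is applied. The incident-response path is `categories_at`: given the spilled location, it returns the inventoried categories and their authorities, which is the category-level answer DC3 expects within the 72-hour window.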

Understand the Difference Between CUI Basic and CUI Specified Before You Need to Prove It

The difference between CUI Basic and CUI Specified isn't academic. Defense contractors who can answer it without scrambling protect their contracts, their clearances, and their growth trajectory. Those who can't end up explaining themselves to a C3PAO assessor or DC3 DCISE responder while the clock is running.

Our CUI Incident Response Checklist is a step-by-step reference your team can use the moment something goes wrong. It'll tell you within the first hour whether your CUI inventory is documented well enough to survive DFARS’s 72-hour reporting window.


FAQs

Is CUI Specified More Sensitive than CUI Basic?

No. CUI Specified is governed by a specific law, regulation, or government-wide policy that dictates particular handling rules. That doesn't make it more sensitive than CUI Basic. It makes the handling rules more specific.

Does CMMC Level 2 cover CUI Specified?

Partially. CMMC Level 2 covers the NIST SP 800-171 safeguarding baseline that applies to CUI on contractor systems, Basic and Specified alike. What it does not cover are the additional requirements the authorizing law attaches to a Specified category: ITAR and EAR licensing and dissemination rules, for example, are outside what the CMMC framework in 32 CFR Part 170 assesses. A clean CMMC Level 2 certification doesn't automatically cover every Specified category you might hold.

Who Is Responsible for Marking CUI, the Government or the Contractor?

The originating agency is responsible for the initial CUI designation. Contractors are responsible for derivative marking on any documents they create that contain the protected information, for catching mismarked data that arrives from a prime or from the government, and for escalating ambiguity to the contracting officer.

What Happens If I Mishandle CUI Specified vs CUI Basic?

Mishandling CUI Basic is generally a contract issue. Mishandling CUI Specified can trigger statutory penalties from the underlying law. ITAR violations, for example, can carry criminal exposure that pure contract breach does not.

Can ITAR Data Be CUI?

Yes. ITAR-controlled technical data falls under CUI Specified and is marked CUI//SP-EXPT. On contractor systems it is safeguarded under NIST SP 800-171 like any other CUI, but CMMC (32 CFR Part 170) does not assess ITAR's licensing and U.S.-persons dissemination rules, so CMMC controls alone aren't sufficient to satisfy ITAR requirements.

How Do I Know If My Contract Involves CUI Specified?

The contract should identify the category through markings or statement-of-work references. If it doesn't, check the DFARS clauses in the contract, look up the relevant categories in the DoD CUI Registry, and escalate any ambiguity to your contracting officer in writing.

