CUI Identification: What Actually Counts as Controlled Unclassified Information
Executive Brief
Most defense contractors handle Controlled Unclassified Information (CUI) more often than they realize.
CUI hides in emails, HR files, project folders, supplier documents, and even meeting notes, and overlooking it is one of the fastest ways to fail a Cybersecurity Maturity Model Certification (CMMC) assessment.
The challenge isn’t just protecting CUI; it’s identifying it correctly. If you can’t spot it, you can’t secure it, and you can’t track all the places it moves through, such as email, shared drives, vendor portals, contract files, engineering tools, and everyday collaboration systems.
This guide breaks down what “actually” counts as CUI, common blind spots auditors look for, and why every contractor should start with a quick self-check: Our 2-minute CUI Identification Quiz.
Why CUI Identification Is Difficult
CUI isn’t always stamped, labeled, or obvious.
And many teams assume that if they don’t work with “classified” data, they don’t work with CUI.
Reality check:
- CUI is everywhere — supply chain files, HR paperwork, technical data, procurement documents, emails.
- It’s often created accidentally — copying, forwarding, or referencing controlled content makes the new document CUI.
- It flows down from primes — your subcontract may not say “CUI,” but the obligation still applies: DFARS 252.204-7012 requires primes to pass CUI protection, incident reporting, and cybersecurity requirements to any subcontractor that handles the information.
- Misidentifying CUI leads to mishandling — and that creates real consequences: assessment findings, contract risk, financial penalties, or reputational damage.
Before you can protect CUI, you must recognize it.
What Actually Counts as CUI
Here are the categories that most contractors encounter.
1. Engineering and Technical Data
- Drawings
- Schematics
- Computer-Aided Design files
- Test results
- Specs tied to Department of Defense (also known as the Department of War) systems
If it describes how something defense-related is built, assembled, or functions, assume it’s CUI.
2. Export-Controlled Information
Any content subject to International Traffic in Arms Regulations or Export Administration Regulations. Even if you aren’t an exporter, if the prime shares controlled data, it’s CUI.
3. Contract-Sensitive Information
- Statements of Work
- Performance reports
- Non-public deliverables
- Proprietary material exchanged under contract
If the government didn’t publish it publicly, handle it as CUI.
4. Personnel or HR Data
- Personally Identifiable Information for cleared or uncleared staff
- Badge lists
- Emergency contact forms
- Travel itineraries tied to defense work
These are common blind spots since HR teams often don’t view themselves as “CUI handlers.”
5. System, Network, or Facility Details
- Network diagrams
- Security configurations
- Physical security layouts
- Access logs
These can be CUI when tied to defense operations or contract requirements.
6. Supplier and Subcontractor Information
Primes frequently share CUI with subs in:
- Bills of Materials
- Quality assurance files
- Technical instructions
- Supplier data packages
If a prime touches it, assume flow-down applies. DFARS 252.204-7012 requires primes to pass CUI protection requirements to any subcontractor that will store, process, or transmit that information.
Where Teams Miss CUI Most Often
Auditors consistently flag the same blind spots:
- Email threads
- Shared drives with mixed access
- File shares copied into SharePoint or Teams
- Slide decks built for internal updates
- Unlabeled drafts or working documents
- Invoices, purchase orders, or shipping docs
If a document references, summarizes, or quotes CUI in any way, it becomes CUI.
That’s why it’s often said that CUI is contagious.
The Risks of Getting It Wrong
Misidentifying CUI isn’t a minor issue; it’s a compliance failure.
- Failed assessments. Certified Third-Party Assessment Organizations (C3PAOs) and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) expect clear boundaries, consistent labeling, and documented control.
- Lost and delayed contracts. Primes increasingly ask subs to show proof of CUI handling controls before onboarding.
- False Claims Act (FCA) exposure. Mishandling CUI while asserting compliance in your System Security Plan (SSP) or SPRS score can trigger FCA scrutiny.
- Uncontained data spread. Once CUI leaks into emails, shared folders, or personal drives, containment is difficult and expensive.
Knowing what counts as CUI is the first line of defense.
How to Get Better at CUI Identification
You don’t need a catalog memorized; you need awareness.
- Train teams on CUI categories and examples
- Use metadata tagging and sensitivity labels
- Maintain a contract-specific CUI registry
- Review system boundaries and access controls
- Label at the earliest possible point of creation
- Encourage teams to ask, not assume
And step one: know whether you’re handling CUI in the first place.
Start with a 2-Minute Check
Most contractors are surprised by how much CUI already exists in their systems.
Use our new quick-check tool to find out whether your organization is already handling CUI today.
You’ll learn:
- Whether your organization likely handles CUI
- Where it may already live
- What to do next to protect it
- Whether you need to update your SSP, boundaries, or controls
Before you invest in remediation or policy updates, start with clarity.
FAQs
Does all government data count as CUI?
No. Not all government data is CUI.
CUI is a specific subset of unclassified information that federal agencies designate as requiring protection under laws, regulations, or government-wide policies. Examples include technical data, export-controlled information, sensitive personnel information, and program-specific details.
Government data that is public, purely administrative, or not tied to a protected category is not CUI.
If a prime doesn’t label data as CUI, is it safe to treat it as unrestricted?
No. Labeling mistakes are common, and primes expect subcontractors to recognize CUI even when it arrives mislabeled or unlabeled.
Under DFARS 252.204-7012, subs must safeguard CUI whenever they receive or generate it — regardless of whether the prime marked it correctly.
If the content fits a CUI category (technical drawings, controlled technical information, sensitive program data, procurement-sensitive info), treat it as CUI and seek clarification if needed.
Do drafts count as CUI?
Yes. Drafts must be protected the same way as final documents if they contain CUI or reference it.
That includes emails, early versions of drawings, redlines, change orders, design iterations, lab notes, and working spreadsheets.
CUI doesn’t become “CUI” only when finalized; it’s CUI the moment it is created, transmitted, or stored.
What’s the difference between Federal Contract Information (FCI) and CUI?
FCI is information provided by or generated for the government under a contract and not meant for public release. It requires basic safeguarding under FAR 52.204-21.
CUI is more sensitive. It includes technical data, drawings, specifications, personnel information, supply chain details, and other categories governed by federal law or DoD marking rules. CUI requires full implementation of all 110 NIST SP 800-171 controls and often triggers CMMC Level 2.
Many contractors think they’re only handling FCI, but everyday files such as engineering snippets, subcontractor packages, HR data tied to programs, or even change orders can contain CUI. Misclassification is one of the top reasons contractors fail assessments.