Understanding CUI Markings
EXECUTIVE BRIEF
Understanding how to properly mark and manage Controlled Unclassified Information (CUI) is essential for defense contractors operating within the Department of Defense (DoD) supply chain. This blog outlines key requirements, responsibilities, and best practices to ensure compliance with CUI regulations.
- CUI includes unclassified but sensitive information that, if mishandled, can lead to lost contracts, reputational damage, or legal penalties
- There are two main types of CUI—Basic and Specified—each with distinct safeguarding requirements
- Organizational Index Groupings further classify CUI and influence the level of certification needed. Contractors handling CUI under the Defense grouping must complete a Certified Third-Party Assessor Organization (C3PAO) assessment to meet Cybersecurity Maturity Model Certification (CMMC) Level 2
- Proper markings, including banners, portion labels, and designation indicators, help ensure consistent identification and protection of CUI
Dig deeper and continue reading below.
CUI is a critical component of national security and compliance for DoD subcontractors. Properly marking and handling CUI is not just a technical requirement—it's a legal and contractual obligation. Failing to comply can lead to penalties, loss of contracts, or even civil liability under laws like the False Claims Act.
CUI refers to sensitive but unclassified data that requires safeguarding under federal law, regulation, or government-wide policy. In the defense sector, this includes information such as:
- Export control data
- Controlled technical information (CTI)
- Legal and procurement documents
CUI plays a pivotal role in protecting national interests and intellectual property, especially as threats to federal supply chains grow more sophisticated. DoD subcontractors who handle this data must understand their responsibilities to avoid compliance gaps.
CUI Basic vs. CUI Specified
CUI is categorized into two types: CUI Basic and CUI Specified.
- CUI Basic: Requires baseline safeguarding measures consistent across all agencies
- CUI Specified: Subject to additional handling requirements defined by the specific law or policy that governs it
What Is CUI Basic?
CUI Basic is the default category of Controlled Unclassified Information under the federal CUI Program. CUI Basic is protected using government-wide safeguarding requirements rather than agency-specific rules. In practice, this means organizations must implement baseline administrative, physical, and technical controls to protect the confidentiality of CUI, typically by aligning with NIST SP 800-171 security requirements. Most federal contractors, including those in the Defense Industrial Base (DIB), primarily handle CUI Basic.
Examples of CUI Basic:
- Personally Identifiable Information (PII) in personnel files
- Controlled technical information (CTI) shared under DoD contracts
- Contract performance reports containing sensitive operational details
- Internal policies or procedures referencing sensitive government programs
- Email communications discussing CUI-covered work or systems
What Is CUI Specified?
CUI Specified is a category of Controlled Unclassified Information that’s subject to additional, explicit handling requirements defined by law, regulation, or government-wide policy. Unlike CUI Basic, its safeguarding, dissemination, marking, or access controls are specifically prescribed by an authoritative source rather than left to general CUI guidance. These requirements may restrict who can access the information, how it’s labeled, whether it can be shared externally, or how it must be stored and retained.
Examples of CUI Specified:
- Export-controlled technical drawings governed by the International Traffic in Arms Regulations (ITAR)
- Law enforcement or investigative information with explicitly defined rules for who may access it and how it may be disseminated
- Sensitive infrastructure, security, or national defense information that must follow prescribed marking, retention, or transmission requirements
- Intelligence-related CUI that carries additional controls on storage, handling, or distribution
What Are CUI Organizational Index Groupings?
In addition to understanding the type of CUI you're handling, it’s equally important to know its Organizational Index Grouping. This classification determines which compliance path is required under the CMMC framework. For example, any contractor handling CUI categorized under the Defense grouping will absolutely need a C3PAO assessment to achieve CMMC Level 2 certification.
Organizational index groupings categorize CUI based on the nature of the information and the risks associated with its exposure. For example, the defense grouping includes technical information and operations security, while the export control grouping covers data regulated under frameworks like the Export Administration Regulations and the ITAR.
These groupings aren’t just labels—they directly influence your compliance obligations under the CMMC framework. Contractors handling CUI within the defense grouping will require CMMC Level 2 certification through a third-party assessment conducted by a C3PAO. As a result, approximately 75–80% of the DIB is expected to fall under this requirement.
Contractors dealing with CUI in other groupings may qualify for CMMC Level 2 (Self) certification depending on the nature and sensitivity of the information. However, prime contractors’ flowdown requirements may oblige a subcontractor to be able to handle CUI within the Defense grouping, which brings with it a Level 2 (C3PAO) certification requirement.
Understanding CUI Markings
CUI markings are required to clearly indicate the presence and category of protected information. These include:
- Banner Marking: Appears at the top of each page; e.g., "CUI"
- Portion Marking: Applied to specific paragraphs or sections (if required); e.g., (CUI)
- CUI Designation Indicator: Identifies the origin and authority; includes agency name and contact info
Example:
CUI
Department of Defense
CTI
Contact: fso@company.com
Who Is Responsible for Applying CUI Markings?
Responsibility for CUI marking is shared across:
- Executives and Facility Security Officers (FSOs)
- IT and cybersecurity teams
- Authorized users handling CUI
- Authorized individuals at the authorizing government agency
Everyone in the chain of custody must understand marking and safeguarding obligations. Lack of awareness is not a defense against noncompliance.
Consequences of Failing to Protect CUI
Failure to properly mark, handle, or safeguard CUI can result in serious consequences for defense contractors:
- Contracts with the DoD may be terminated, jeopardizing both current projects and future business opportunities
- Noncompliance may lead to legal penalties, including civil fines under the False Claims Act
- A failure to secure CUI can severely damage an organization’s reputation and erode trust among government partners
- Mishandled CUI may result in the loss of sensitive U.S. intellectual property, posing a direct threat to national security
Every contractor in the DIB shares the responsibility to prevent these outcomes through vigilant compliance and proper data protection.
How to Handle CUI in Emails
To securely email CUI:
- Use FIPS 140-2 validated encryption (Transport Layer Security or end-to-end)
- Include a CUI-marked cover sheet
- Limit recipients to those with a need to know
- Apply dissemination controls such as “Not Releasable to Foreign Nationals (NOFORN)” when required, in accordance with the CUI Marking handbook
How to Apply and Decontrol CUI Markings
Applying Markings
- Add a banner marking to each page of the document
- Include portion markings where necessary
- Insert a designation indicator at the bottom or in a footer
- Use document management tools to apply labels and audit access
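As an added example that is not from the original post or from ISI: a small Python checker for the marking layout described under Understanding CUI Markings and in the Applying Markings steps above (a banner on every page, portion markings on each paragraph, and a designation indicator giving agency, category and contact), run over a constructed plain-text document whose pages are separated by form feeds. The "Contact:" line prefix and the CUI//SP-<category> banner form for CUI Specified are assumptions, not something the post specifies.

```python
import re

# Banner marking: "CUI" alone on the first line of every page. The optional "//SP-<category>"
# suffix for CUI Specified is an assumption taken from the CUI Marking Handbook, not this post.
BANNER_RE = re.compile(r"^CUI(//SP-[A-Z][A-Z-]*)?$")
# Portion marking at the start of a paragraph: "(CUI)" for controlled text, "(U)" otherwise.
PORTION_RE = re.compile(r"^\((CUI|U)\)\s+\S")


def _is_designation_line(line, agency, category):
    """True for lines that belong to the designation indicator rather than body text."""
    return line == agency or line == category or line.startswith("Contact:")


def check_cui_markings(doc, agency, category, require_portion_marks=True):
    """Check a plain-text document (pages separated by form feed) for a banner on every page,
    portion markings on every paragraph, and a designation indicator on page 1.
    Returns a list of findings; an empty list means the markings pass."""
    findings = []
    pages = doc.split("\f")
    for num, page in enumerate(pages, start=1):
        lines = [ln.strip() for ln in page.splitlines() if ln.strip()]
        if not lines:
            findings.append(f"page {num}: empty page")
            continue
        has_banner = bool(BANNER_RE.match(lines[0]))
        if not has_banner:
            findings.append(f"page {num}: missing or malformed banner marking")
        body = [ln for ln in lines[1 if has_banner else 0:]
                if not _is_designation_line(ln, agency, category)]
        if require_portion_marks:
            for ln in body:
                if not PORTION_RE.match(ln):
                    findings.append(f"page {num}: paragraph lacks portion marking: {ln[:40]!r}")
    # Designation indicator: agency name, category and a contact line must appear on page 1.
    first = [ln.strip() for ln in pages[0].splitlines()]
    for needed, label in ((agency, "agency"), (category, "category")):
        if needed not in first:
            findings.append(f"designation indicator: {label} {needed!r} not found on page 1")
    if not any(ln.startswith("Contact:") for ln in first):
        findings.append("designation indicator: no 'Contact:' line on page 1")
    return findings


# Constructed two-page sample: page 1 has one unmarked paragraph and page 2 has no banner.
SAMPLE_DOC = (
    "CUI\nDepartment of Defense\nCTI\nContact: fso@company.com\n"
    "(CUI) Machining tolerances for the delivered bracket drawings.\n"
    "(U) Weekly status call remains on Tuesday.\n"
    "Agenda for the next design review.\n"
    "\f(CUI) Continuation of the drawing package notes.\n"
)
```

Calling check_cui_markings(SAMPLE_DOC, "Department of Defense", "CTI") reports the unmarked paragraph on page 1 and the missing banner on page 2; a document whose every page and paragraph is marked returns an empty list.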
Decontrolling CUI
Before any information is decontrolled, it must be formally reviewed to determine whether it no longer requires safeguarding. This process is critical to ensure sensitive data isn't prematurely released or mishandled. Only authorized individuals or agencies have the authority to perform decontrol actions. Even after decontrol, the information may still be sensitive and should not be considered public without further clearance. Always verify with your FSO or the contract’s controlling agency before treating information as unrestricted. For detailed guidance, refer to the National Archives and Records Administration’s decontrol guidance.
Regulatory Frameworks Governing CUI
Several key frameworks define how CUI must be handled:
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012: Requires protection of CUI and reporting of cyber incidents
- National Institute of Standards and Technology Special Publication 800-171: Defines 110 controls for protecting CUI in nonfederal systems
- 32 Code of Federal Regulations Part 2002: Outlines uniform CUI handling rules across agencies
- CMMC: Verifies contractors’ ability to protect CUI through maturity level certifications
CUI categories and requirements are managed by NARA and the Information Security Oversight Office (ISOO). See the full ISOO CUI Registry.
How ISI Helps with CUI Compliance
ISI offers full-spectrum support for defense contractors needing to comply with CUI requirements:
- Compliance consulting and readiness assessments
- Document marking tools and templates
- CUI scanning to identify and diagram where CUI flows through your systems
- GRC tool or platform to track, manage, and audit CUI assets
- Tailored training for FSOs and staff
Whether you're preparing for CMMC Level 2 or responding to new contractual clauses, ISI simplifies the compliance process while strengthening your security posture.
FAQs
What is the ISOO CUI Registry and its purpose?
The ISOO CUI Registry categorizes types of CUI and outlines applicable safeguarding and dissemination rules. Established under an executive order, the registry serves as the federal government’s authoritative reference for categories of CUI, including their subcategories and subsets. The ISOO CUI Registry applies across federal agencies, including law enforcement and the Department of Defense. It helps organizations understand which types of information require protection and which handling controls apply.
How do you properly label documents containing CUI?
Each document should have a banner marking, portion markings if required, and a CUI Designation Indicator. Properly marking CUI ensures that sensitive but unclassified information isn’t confused with classified information or legacy labels such as “official use only,” and that access restrictions are clearly communicated. Correct markings support downstream access control, authentication, and enforcement of security requirements, reducing the risk of unauthorized disclosure.
What tools can help automate CUI compliance?
Tools like classification labels in Google Workspace and Microsoft Purview can help apply markings and manage access. These tools support automation of security controls, including labeling, data loss prevention, and role-based access, which are commonly required for CMMC compliance. When properly configured, they also help identify vulnerabilities, enforce handling controls, and streamline incident response and reporting workflows.
What’s the difference between FOUO (For Official Use Only) and CUI?
FOUO was a legacy designation. CUI was introduced to standardize handling requirements across agencies, replacing inconsistent markings like FOUO with clear rules defined by DoD instructions. This standardization is especially important for organizations supporting DoD contracts and complying with DFARS requirements.
How long must CUI be retained and protected?
CUI retention depends on DoD contract clauses and agency policies. CUI must be protected for as long as it retains its designation and sensitivity. Organizations must maintain appropriate security controls throughout the lifecycle of the data, including during storage, transmission, and disposal, and ensure personnel receive adequate CUI training.
What are the penalties for mishandling CUI?
Penalties for mishandling CUI include contract loss, False Claims Act liability, financial penalties, and reputational harm. Failing to enforce access control, missing required incident reporting, or not addressing known vulnerabilities can result in findings under DFARS, failed CMMC compliance assessments, or enforcement actions by federal agencies. Prompt incident response and documented compliance with security requirements are critical to reducing risk. In some cases, national security implications may apply.