Who Is Responsible for Protecting CUI?

EXECUTIVE BRIEF

Protecting CUI is a holistic effort within your company and the DIB as a whole. Here are a few key things to know:

• Safeguarding CUI is the basis for regulations like DFARS 252.204-70120, NIST SP 800-171, and CMMC Levels 2 and 3
• Everyone in your organization has a role in protecting CUI and should be properly educated on how to do so
• Failure to protect CUI can put your business, and its reputation, at risk

Dig deeper and continue learning below!

Controlled Unclassified Information (CUI) is sensitive but unclassified data that must be safeguarded. It requires controlled dissemination under federal law, regulations, and government-wide policies.

In the defense industry, CUI indicates a wide range of types of information, including export-controlled data, controlled technical information, military personnel records, DoD critical infrastructure security information, and sensitive personally identifiable information.  The term encompasses several other information designations, such as Sensitive But Unclassified (SBU), For Official Use Only (FOUO), and Law Enforcement Sensitive (LES). The CUI framework was created by Executive Order 13556 in 2010 in order to improve secure and consistent information-sharing across federal government agencies and contractors by consolidating these designations into a single umbrella term.

Safeguarding CUI isn’t just a best practice, but a legal requirement under the Code of Federal Regulations (32 CFR Part 2002). However, managing this compliance raises an important question for companies working in the defense industrial base (DIB): Who is responsible for protecting CUI?

Typically, defense contractors play a pivotal role in protecting CUI. They’re responsible for implementing security protocols that align with federal mandates, ensuring proper personnel training occurs, and incorporating cybersecurity frameworks for protecting sensitive information into their day-to-day operations.

These contractors—ranging from government contracting firms to subcontractors—must follow strict guidelines to comply with federal cybersecurity regulations. This strict control of controlled unclassified information ensures that organizations can mitigate risks associated with cyber threats, unauthorized disclosures, or potential contract violations.

Understanding the Regulations Around CUI

The CUI framework has become essential to maintaining national security and preventing unauthorized forces from gaining access to critical related intelligence. But to effectively safeguard CUI, organizations must understand the federal regulations that govern its protection. These guidelines set strict rules for handling controlled unclassified information. They set the baseline for compliance and help defense contractors and organizations navigate cybersecurity expectations.

Federal Regulations Governing CUI Protection

The Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Acquisition Regulation (FAR) establish foundational CUI requirements within the defense sector. These regulations provide a structured approach to handling CUI, ensuring organizations meet federal security mandates.

Key Standards for CUI Protection

• DFARS 252.204-7012: This clause mandates that contractors safeguard CUI, apply proper CUI notice and CUI markings, and report cybersecurity incidents to the Department of Defense (DoD). It also enforces NIST SP 800-171 controls for data protection.
• NIST Special Publication 800-171: This standard outlines cybersecurity controls required for handling the two major CUI categories (CUI basic and CUI specified) in non-federal systems and organizations. Defense contractors must comply with NIST SP 800-171 to meet DFARS requirements.

The National Archives and Records Administration (NARA) is the executive agent overseeing the CUI Program, including the CUI Registry, which categorizes different types of CUI and specifies their proper dissemination controls. These guidelines help organizations understand how to manage and protect sensitive information under federal regulations.

CMMC and CUI

The revised Cybersecurity Maturity Model Certification (CMMC 2.0) introduces a simplified, tiered approach to verifying compliance. In the near future, contractors will have to meet one of three levels of certification based on the sensitivity of the information they handle in order to accept award of new contracts.

Level 1 | Foundational: Focuses on basic cybersecurity practices to safeguard Federal Contract Information (FCI), meeting minimum cybersecurity requirements.

Level 2 | Advanced: For contractors who handle CUI and require more stringent cybersecurity practices, requiring compliance with all 110 controls listed in NIST SP 800-171.

Level 3 | Expert: Required for contractors who work with particularly sensitive CUI, mandating adherence to 24 additional, selected controls from NIST 800-172 as well as all 110 controls outlined in NIST 800-171.

CMMC certification is essential for maintaining eligibility for DoD contracts involving CUI. By adhering to the CMMC framework, defense contractors can ensure compliance with federal CUI requirements while strengthening their cybersecurity posture. 

Who Is Responsible for Protecting CUI? 

Safeguarding Controlled Unclassified Information is a collective responsibility involving multiple levels of U.S. government organizations, defense contractors, and executive branch agencies. Without a structured approach, organizations risk data breaches, regulatory violations, and loss of trust.

Effective protection of CUI depends on clearly defined roles working together to implement and follow CUI policy and best practices. Below are some of the key organizational roles involved in protecting CUI and their responsibilities in ensuring compliance and security:

• Executives and Top-Level Management: Ensure overall accountability, allocate proper resources, and enforce compliance with DoD Instruction (DoDI) and federal regulations.
• Security and Facility Security Officers (FSOs): Implement physical and personnel security measures, ensuring compliance with marking requirements for CUI and For Official Use Only (FOUO) materials.
• IT Teams and Cybersecurity Personnel: Maintain secure information systems, enforce limited dissemination controls, and prevent cyber threats.
• Additional Authorized Holders: Properly handle, mark, and store CUI according to established CUI policy and government contracting requirements.
  
  

Authorized holders must strictly follow guidelines when creating, sharing, or storing CUI. This includes properly marking documents, securely transmitting data, and ensuring only those with a lawful government purpose have access. When handling CUI that overlaps with classified national security information, organizations must adhere to additional security controls to prevent unauthorized exposure.

CUI Training and Awareness

Organizational training on how to properly handle CUI helps ensure all personnel understand their role in protecting sensitive information and comply with evolving security requirements. Regular training sessions help employees stay updated on CUI policy, federal mandates, and security protocols outlined by the Information Security Oversight Office (ISOO).

Key CUI training topics include:

• Recognizing and properly labeling CUI under marking requirements.
• Secure handling and transmission procedures, including limited dissemination controls.
• Cybersecurity best practices to prevent unauthorized access to CUI and classified national security information.
• Incident response protocols for reporting potential breaches, in line with DoDI and U.S. government security policies.

Additionally, CMMC-related training can help organizations meet government contracting requirements and ensure employees are prepared for certification audits. Businesses should align training programs with the required CMMC level, ensuring personnel are equipped to manage CUI and protect sensitive information in compliance with executive branch agencies and U.S. government regulations.

Best Practices for Safeguarding CUI

Defense contractors must proactively secure CUI to maintain compliance and protect national security interests. To enhance CUI security, organizations should make sure they complete the following:

• Use Secure Information Systems – All systems handling CUI must meet cybersecurity standards and incorporate encryption, multi-factor authentication (MFA), and continuous monitoring to detect vulnerabilities.
• Control Access Based on Necessity – Limiting access to CUI based on job roles and operational necessity reduces exposure and minimizes risks. Implement the principle of least privilege and role-based access controls to enforce these restrictions.
• Properly Mark and Manage Documents – Follow DoD marking guidelines to label all CUI documents correctly. When decontrolling documents, follow proper declassification protocols to prevent unauthorized access.
• Prevent Unauthorized Exposure – Implement secure enclaves for storing and processing CUI, ensuring that only designated personnel can access sensitive information. Secure physical and digital storage solutions, such as encrypted hard drives and cloud environments, to help prevent breaches.
• Regularly Audit and Update Security Policies – Conduct periodic compliance audits to identify vulnerabilities, assess policy effectiveness, and adjust security measures as needed. Frequent training and policy updates ensure employees remain informed about updated security protocols.

Recommended Technologies for CUI Protection

Investing in advanced security technologies strengthens an organization’s ability to protect Controlled Unclassified Information. Some essential solutions include:

• Endpoint Security Solutions – Protect any workstations, mobile devices, and network endpoints from cyber threats through antivirus software, firewalls, and intrusion detection systems.
• Security Information and Event Management Systems – Continuously monitor and analyze security logs to detect and respond to real-time threats. These solutions enhance visibility and improve incident response times.
• Secure Storage Solutions – Use encrypted storage, strict access controls, and zero-trust architecture to protect CUI data at rest and in transit. Cloud-based security measures should include compliant encryption and multi-layered authentication protocols.

ISI Insight: If you plan on using a cloud service for all or part of your storage needs, ensure your provider is either FedRAMP Moderate authorized or can prove their solution provides equivalent protection.

The Shared Responsibility of Protecting CUI

CUI protection requires a collective effort between employees, contractors, and federal agencies. Compliance with federal regulations is not only necessary for maintaining contracts but also for preserving national security.

Failing to secure CUI can lead to serious consequences, including loss of future defense contracting opportunities as well as financial and reputational damage. Organizations prioritizing CMMC compliance and up-to-date cybersecurity hygiene will gain a competitive edge, demonstrating their commitment to protecting sensitive government information.

Protect CUI with Help from ISI

Contact ISI today for expert guidance on developing robust CUI compliance strategies and securing your organization's position in the defense industry. Our team of specialists can help you navigate compliance requirements, implement security best practices, and safeguard your organization's future.