BLOG
October 26, 2025
Travis Good

What is CUI? A Guide for DoD and Federal Contractors

What is Controlled Unclassified Information (CUI)? Learn to identify, categorize, and protect CUI to meet CMMC and DoD requirements.

If you work with federal agencies or are a part of the defense supply chain, your business may come into contact with CUI.

CUI refers to sensitive but unclassified data that must be protected in the interest of national security, and managing it properly is now a prerequisite for doing business with the DoD or federal agencies.

In this guide we’ll cover what CUI is, why it matters for defense contractors, and what you need to know about protecting it.

What is CUI (Controlled Unclassified Information)?

Controlled Unclassified Information (CUI) is a category of sensitive Federal government information that is unclassified but still requires strict safeguarding and protection.

CUI is the day-to-day operational data that the government creates or possesses, or that an organization (like yours) creates or possesses for the government. The government doesn't want this information made public, even if it's not a state secret.

This is what CMMC (Cybersecurity Maturity Model Certification) Level 2 is built to protect, and it's the exact type of data that the vast majority of the 300,000+ companies in the Defense Industrial Base handle.

CUI is broken into two main categories, CUI Basic and CUI Specified, which determine the handling rules.

  • CUI Basic: This is the default category. The safeguarding and handling requirements are uniform across the U.S. government, as defined by NIST SP 800-171.
  • CUI Specified: This is CUI that requires more stringent handling because a specific law, regulation, or government-wide policy demands it (e.g., export-controlled data, specific privacy information). It requires all the protections of CUI Basic plus whatever the specific rule calls for.

Real-world examples of CUI include:

  • Technical drawings, blueprints, and specifications
  • Program manuals and operational guides
  • Drafts of government contracts and proposals
  • Personally Identifiable Information
  • Part numbers for controlled items
  • Research and engineering data
  • Program management plans and schedules

CUI vs. Classified Information

When you hear “official use only,” “law enforcement sensitive,” and “sensitive but unclassified,” it’s easy to think of the movies and classified information. But CUI is something different. Confidential, secret, and top-secret information (the material that falls under CMMC Level 3) covers the most sensitive data, the kind that could threaten national security if it got out.

Access to CUI requires a “lawful government purpose,” and it must be protected in alignment with CMMC Level 2 requirements, but it’s not as sensitive as classified information.

Why CUI is Prominent Right Now

CMMC Level 2 exists to protect CUI because the Department of Defense no longer trusts contractors to self-certify its protection.

For years, companies would simply attest that they were protecting this data according to federal guidelines. After multiple delays and revisions, the DoD is now mandating third-party audits by a Certified Third-Party Assessor Organization (C3PAO) to certify contractors meet the requirements laid out in CMMC.

With CMMC, the stakes are fundamentally different from other compliance frameworks. This isn’t like a SOC 2 compliance audit, where you might have some "wiggle room" with controls.

For most of the DIB, the DoD is their primary client. If you fail the CMMC audit, you will be ineligible to bid on DoD contracts. Period. It's a "pass or go out of business" scenario for thousands of companies.

How to Identify and Categorize Your CUI

1. Follow Your Contract

Your hunt for CUI doesn't start with a system scan; it starts with your contract. Dig up your contracts and look for the DFARS clauses (like 252.204-7012) and any accompanying documents like a DD 254. These legally obligate you to protect CUI and tell you what kind of data to look for. This documentation is your "lawful government purpose," which proves why you have this data in the first place.

2. Use the CUI Registry

The National Archives and Records Administration (NARA) CUI Registry lists every single category of CUI that you might encounter.

It will also distinguish between CUI Basic (the default with standard NIST 800-171 protections) and CUI Specified (which has additional or different handling rules). For example, if your contract involves technical data governed by ITAR, that is CUI Specified ("Export Control") and has stringent rules that go beyond the CMMC baseline. Knowing the category is the only way to know the correct handling procedures.

3. Data Discovery

Once you know what to look for, you have to find where it is. This means looking at data in all three states:

  • Data at Rest: Scour your shared drives, cloud storage (SharePoint, Google Workspace, Box), backup tapes, and local workstations.
  • Data in Transit: How does data move? Look at email, file-sharing portals (like DoD SAFE), and API connections.
  • Data in Process: Where is CUI actively used? This includes laptops running CAD software, ERP/MRP systems with part numbers, and project management tools.

How to Manage CUI for CMMC: A Step-by-Step Roadmap

Step 1: Define Your Boundary

This is the most critical step of the entire process. How you define your CUI data boundary will determine the cost, timeline, and difficulty of your CMMC audit.

Most companies have no idea where their CUI actually lives. After years of operation, it's everywhere. In old email attachments, on legacy shared drives, in a random AWS bucket someone spun up in 2019, and on laptops of remote employees.

If you don't, or can't, define a clear boundary, your entire company falls in scope for the prescriptive 110-control CMMC audit. Every laptop, every server, every employee, every change management process. Your entire corporate network has to meet these standards.

The goal is to create a CUI "enclave." You must be able to carve out a niche and say, "Okay, CUI comes in here, it lives only in this one specific, isolated AWS VPC or this locked-down Microsoft 365 GCC High tenant, and only these five authorized people can touch it."

This scoping process is where we see most companies get tripped up. If you want to get through the CMMC certification process as smoothly (and cost effectively) as possible, work with a CMMC Registered Practitioner Organization (RPO). An RPO, like Workstreet, specializes in CMMC scoping. Our job is to help you define the smallest, most defensible boundary to ensure you don't over-complicate and over-spend on your audit from day one.

Step 2: Mark and Handle CUI Correctly

Once you find CUI, you must label it. The CUI Basic standard requires a banner marking at the top of the document (e.g., CUI) and in the footer. CUI markings visually alert your employees to handle the data with care and can also trigger automated security rules, like Data Loss Prevention (DLP) policies that block it from being emailed externally.

All CUI must be clearly marked according to DoD standards to prevent accidental "spillage" outside the secure boundary.
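As an added illustration (not code from the original post or from Workstreet), here is the kind of check a DLP rule or a data-at-rest discovery script would run over a plain-text document: it parses the banner marking on the first and last non-blank lines, distinguishes CUI Specified categories from CUI Basic, and decides whether a marked document may leave the enclave. The banner grammar follows the NARA CUI Marking Handbook; the enclave domain and the sample documents are constructed assumptions labelled in the code.

```python
import re
from dataclasses import dataclass

# Banner grammar per the NARA CUI Marking Handbook (assumption, not from the post):
# "CUI" or "CONTROLLED", optionally "//" plus "/"-separated category markings;
# an "SP-" prefix (e.g. CUI//SP-EXPT for export control) marks CUI Specified.
BANNER_RE = re.compile(r"^\s*(CUI|CONTROLLED)(?://([A-Z0-9\-]+(?:/[A-Z0-9\-]+)*))?\s*$")

# Constructed enclave domain and sample documents used only for this demonstration.
ENCLAVE_DOMAINS = frozenset({"enclave.example"})
BASIC_DOC = "CUI\nPart numbers for controlled item 12-34 (constructed)\nCUI\n"
SPECIFIED_DOC = "CUI//SP-EXPT\nITAR-controlled drawing notes (constructed)\nCUI//SP-EXPT\n"
HEADER_ONLY_DOC = "CUI\nProgram schedule (constructed) - footer marking missing\n"
UNMARKED_DOC = "Quarterly newsletter draft (constructed)\n"


@dataclass(frozen=True)
class Marking:
    marked: bool          # banner present on the first non-blank line
    footer_ok: bool       # last non-blank line repeats the header banner exactly
    specified: bool       # any SP- category: CUI Specified handling rules apply
    categories: tuple     # category markings; empty tuple for a plain "CUI" banner


def parse_banner(line: str):
    """Return the tuple of category markings for a banner line, or None if not a banner."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    return tuple(m.group(2).split("/")) if m.group(2) else ()


def inspect_document(text: str) -> Marking:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = parse_banner(lines[0]) if lines else None
    if header is None:
        return Marking(False, False, False, ())
    footer = parse_banner(lines[-1]) if len(lines) > 1 else None
    specified = any(cat.startswith("SP-") for cat in header)
    return Marking(True, footer == header, specified, header)


def dlp_verdict(text: str, recipient_domain: str, enclave_domains=ENCLAVE_DOMAINS) -> str:
    """DLP decision for sending this document to a recipient at recipient_domain."""
    m = inspect_document(text)
    if not m.marked:
        return "ALLOW"    # no banner, no rule fires: unmarked CUI is the spillage path
    if recipient_domain.lower() not in enclave_domains:
        return "BLOCK"    # marked CUI addressed outside the enclave boundary
    if not m.footer_ok:
        return "REVIEW"   # stays inside, but the marking is incomplete; fix it first
    return "ALLOW"
```

The "ALLOW" on an unmarked document is the point of Steps 1 through 3: the rule can only protect what discovery has found and marked.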

Step 3: Implement and Document NIST 800-171 Controls

Protecting CUI means implementing the 110 security controls defined in NIST SP 800-171, which is the technical rulebook for CMMC Level 2. These 110 controls are broken into 14 families, covering everything from:

  • Access Control (who can log in, least privilege)
  • Awareness & Training (do your people know the rules)
  • Incident Response (what you do when you get breached)
  • System & Information Integrity (patching, monitoring, etc.)

As I mentioned, CMMC compliance is highly prescriptive. Unlike a SOC 2 audit, the bar for evidence is much higher. If a control requires a specific log file or a screenshot showing specific elements, that is exactly what the auditor will demand.

Step 4: Train Your Team

Everyone who comes into contact with CUI within your organization will need CUI training on how to handle the data and on their personal responsibility to protect it. If you’re pursuing CMMC Level 2, your staff will be a part of your audit and will need to be able to answer questions about your data practices and the steps you take to protect CUI.

Step 5: Monitor, Manage, and Prepare for Your Audit

The final step in the process is the formal CMMC audit with a Certified Third-Party Assessor Organization (C3PAO). But you should only go into the audit if you’re sure you’ll get through it; there’s no room for errors. (Find a list of accredited C3PAOs here.)

When you begin your process towards CMMC certification, start with a gap assessment to see where you stand against the 110 controls needed for CMMC Level 2. This assessment shows you where you stand and what work needs to be completed for you to meet the requirements.

From there, you will create two critical documents: your System Security Plan (SSP), which documents how you meet every single control, and a Plan of Action & Milestones (POA&M), which documents your precise plan to fix any controls you don't yet meet.

For a company starting from scratch, this entire process, from initial scoping to being truly audit-ready, can easily take six to 12 months.

Your Path to Government Business Success

If you work with government agencies, you need a robust CUI program, and it’s not a one-time effort. Maintaining CMMC and keeping your information systems on top of the latest government requirements is an ongoing job.

At Workstreet, we deliver expert-led implementation of CMMC, FedRAMP, NIST 800-171, and NIST 800-53 frameworks. Get certified faster with our automated-first services and dedicated public sector compliance specialists.

Travis Good

Architect of security and privacy programs for 1,000+ hypergrowth companies. Author of "Complete Cloud Compliance," HITRUST 3rd Party Council member, and recognized speaker on startup security.