Understanding CUI: Controlled Unclassified Information

This article is for educational purposes only and does not constitute professional compliance advice or legal counsel. Regulatory requirements and standards evolve, and you should consult with a qualified compliance professional about your specific situation.


CMMC exists primarily to protect Controlled Unclassified Information, usually referred to as CUI. You need to understand what CUI is because your organization's compliance burden depends directly on how much CUI you handle, where it lives in your environment, and how you're protecting it. The problem most defense contractors face is that they don't have a clear picture of what CUI they actually possess. And you can't protect what you don't know you have.

This article demystifies CUI and walks you through how to identify it in your environment, how to handle it properly, and the mistakes organizations commonly make. Understanding this puts you in a position to answer the fundamental CMMC question: what are we actually protecting, and where does it live?

What CUI Is and Why It Matters

CUI is information that the government creates or possesses, or that a contractor creates or possesses on the government's behalf, that a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled, but that is not classified. The program is established by Executive Order 13556 and implemented in 32 CFR Part 2002. The key distinction is with classified information. If information is classified, marked CONFIDENTIAL, SECRET, or TOP SECRET, it requires significantly more stringent protections and security clearances. CUI is different. It's unclassified, which means no clearance is needed to access it, but it's controlled, which means access is limited to people with a lawful government purpose and specific rules govern how it is stored, transmitted, and destroyed.

The Department of Defense considers CUI valuable enough to require special handling. For contractors, the most common category is Controlled Technical Information (CTI): specifications, drawings, algorithms, designs, and test results for defense systems. CUI also includes information about DoD acquisition and contracting, information about vulnerabilities in DoD systems or networks, personally identifiable information of government employees and contractors, and information about military capabilities or operations that isn't classified but is still sensitive. The government-wide CUI Registry, maintained by the National Archives and Records Administration (NARA) as the CUI Executive Agent, lists every category that qualifies as CUI together with the law, regulation, or policy that authorizes it; DoD also publishes its own DoD CUI Registry identifying the categories it uses. Both are publicly available and worth exploring if you want to see the scope.

The key insight is that CUI is genuinely sensitive, but it can be handled by normal employees without security clearances. That distinction matters enormously because it affects how you have to treat it. Classified information requires secure facilities, cleared personnel, vault storage, specific handling procedures. CUI can be handled in a normal office, but it requires specific protections around storage, transmission, and disposal. It's a different category of protection, and getting this wrong in either direction creates problems.

Marking and Identifying CUI

CUI is supposed to be marked. Under 32 CFR Part 2002 and DoD Instruction 5200.48, a CUI document carries a "CUI" (or "CONTROLLED") banner at the top and bottom of each page, any applicable category and limited dissemination control markings, and a designation indicator naming the agency that controls it. In practice, many documents that are CUI aren't marked, and many organizations don't have systematic approaches to marking. This creates a real problem for contractors: you might be handling CUI without realizing it. A technical specification your DoD customer sends you might not have a CUI marking on it, but it could be CUI because of its content and the category it falls under.

The safe assumption for any contractor doing defense work is to treat technical or sensitive information from your DoD customer as potentially CUI unless you've explicitly been told otherwise. If it came from a government customer, if it contains technical details about a system or capability, if it contains information about vulnerabilities or weaknesses, handle it as CUI until the question is settled. One caveat: the government, not the contractor, decides what is CUI, so when an unmarked document looks like CUI, ask your contracting officer or the program office to confirm and to supply the marking rather than designating it yourself. Some contractors have gone through the exercise of systematically sorting every document they hold as CUI or non-CUI, creating a register of their CUI and documenting how they handle it. Others have not, which is a significant liability. If you're assessed for CMMC and you don't know what CUI you have, that's a major finding. You can't claim to be protecting something you don't know you have.

This is one of the common reasons contractors fail CMMC assessment: they didn't properly identify their CUI, so they didn't implement appropriate protections for it. The assessor finds CUI that wasn't protected as required, and the affected practice is scored as not met. Your identification process doesn't have to be elaborate, but you need a systematic way to decide what's CUI and what's not, and documents you generate that contain CUI do need proper markings before they're shared. Documentation of that process matters. A simple policy that says "any technical information from DoD customers is treated as CUI unless marked otherwise" is a starting point.

Where CUI Lives in Your Environment

This is the inventory problem, and it's a real challenge for most organizations. CUI could be in your email system, in shared drives, in collaboration tools, in the hands of employees working remotely, embedded in documents, stored in databases, backed up on external drives. If you haven't done a thorough search of your environment for CUI, you're almost certainly missing some.

The search process involves several steps. First, talk to your technical teams about what data they know is sensitive. Your system administrators probably know which systems handle customer data. Your developers might know which systems contain technical specifications. Your business development team knows what information they share with customers. Second, search your file systems and shared drives for documents from DoD customers. Third, check whether your employees have taken documents home or stored them on personal devices. Fourth, review your email systems. Sensitive information flows through email constantly, and it often stays there indefinitely. Fifth, check your backup systems. If you're backing up systems that contain CUI, those backups themselves are CUI and need protection. Sixth, check cloud storage and collaboration tools. If you're using Google Drive, OneDrive, Slack, or similar tools, CUI might be stored there.

CUI doesn't just mean documents. It can be in system configuration files. It can be embedded in software code. It can be in presentations. It can be in meeting notes. It can be in photographs or diagrams. It can be in database records. The key is understanding what information qualifies as CUI in your environment, not just looking for marked documents.

This isn't a one-time exercise. New CUI comes in constantly from customer contracts, purchase orders, and communications. You need an ongoing process for identifying CUI when it arrives, handling it appropriately while it's in your possession, and destroying it when you no longer need it. Many organizations implement a process: new documents come in, they're screened for sensitivity, they're marked and stored appropriately, and there's a documented process for eventual disposal.
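The search process above is largely interviews and manual review, but the file-share, backup-restore, and cloud-export parts of it can be partly automated. The following is an added example, not code from the article or from any CMMC tool: a small Python scan that walks a directory tree, parses any CUI banner line it finds (the "CUI//category//dissemination control" syntax described under marking above), flags unmarked files that carry heuristic indicators such as a distribution statement, and emits one inventory record per file with a SHA-256 hash so the register can be re-run and compared over time. The sample files, the indicator phrase list, and the abbreviated LDC list are constructed for the example; the category and LDC tokens it uses (SP-CTI, SP-EXPT, NOFORN, FED ONLY) are real markings, but the lists are not exhaustive.

```python
"""Added example (not from the article): a small CUI discovery scan that walks a
directory tree, looks for CUI banner lines and heuristic indicator phrases, and
emits one inventory record per file. Sample files and lists are constructed."""
import csv, hashlib, io, os, re, tempfile
from dataclasses import dataclass, field, asdict

# Banner line: "CUI" or "CONTROLLED", optionally followed by "//"-separated
# segments holding category markings (e.g. SP-CTI/SP-EXPT) and LDC markings.
BANNER_LINE_RE = re.compile(
    r"^[ \t]*(CUI|CONTROLLED)(//[A-Z0-9][A-Z0-9 ,\-/]*)?[ \t]*$", re.MULTILINE)
# Abbreviated list of limited dissemination control (LDC) markings, used to tell
# "CUI//NOFORN" (an LDC) apart from "CUI//SP-CTI" (a category).
KNOWN_LDCS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY",
              "ATTORNEY-CLIENT", "ATTORNEY-WP", "DECISIONAL"}
# Heuristic phrases suggesting CUI in an unmarked file; word boundaries keep
# "MILITARY" from matching "ITAR" (constructed list, extend for your programs).
INDICATOR_PATTERNS = {
    "distribution_statement": re.compile(r"\bDISTRIBUTION STATEMENT [A-F]\b"),
    "export_controlled": re.compile(r"\bEXPORT[- ]CONTROLLED\b"),
    "itar": re.compile(r"\bITAR\b"),
    "controlled_by": re.compile(r"\bCONTROLLED BY:"),
}

@dataclass
class InventoryRecord:
    path: str
    size: int
    sha256: str
    status: str                   # "marked", "suspected" or "unmarked"
    designator: str = ""          # "CUI" or "CONTROLLED" when marked
    categories: list = field(default_factory=list)
    ldcs: list = field(default_factory=list)
    indicators: list = field(default_factory=list)

def parse_banner(line):
    """Split 'CUI//SP-CTI/SP-EXPT//NOFORN' into (designator, categories, ldcs)."""
    segments = [s.strip() for s in line.strip().split("//")]
    designator, categories, ldcs = segments[0], [], []
    for seg in segments[1:]:
        tokens = [t.strip() for t in seg.split("/") if t.strip()]
        # A segment made only of LDC tokens (or "REL TO ...") is the LDC segment.
        if tokens and all(t in KNOWN_LDCS or t.startswith("REL TO") for t in tokens):
            ldcs.extend(tokens)
        else:
            categories.extend(tokens)
    return designator, categories, ldcs

def classify_text(text):
    """Return (status, designator, categories, ldcs, indicators) for one file."""
    text = text.replace("\r", "")          # tolerate Windows line endings
    upper = text.upper()
    indicators = [n for n, pat in INDICATOR_PATTERNS.items() if pat.search(upper)]
    match = BANNER_LINE_RE.search(text)
    if match:
        return ("marked",) + parse_banner(match.group(0)) + (indicators,)
    return ("suspected" if indicators else "unmarked", "", [], [], indicators)

def scan_tree(root):
    """Inventory every file under root. Files are read as UTF-8 text, so real
    Office/PDF documents need a text extractor in front of this step."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                    # deterministic traversal order
        for name in sorted(filenames):
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            records.append(InventoryRecord(rel, len(data), hashlib.sha256(data).hexdigest(),
                                           *classify_text(data.decode("utf-8", "ignore"))))
    return records

def to_csv(records):
    """Render the inventory as CSV text; list fields are joined with ';'."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(InventoryRecord.__dataclass_fields__))
    writer.writeheader()
    for rec in records:
        writer.writerow({k: ";".join(v) if isinstance(v, list) else v
                         for k, v in asdict(rec).items()})
    return buf.getvalue()

def build_sample_tree(root):
    """Write four constructed files that exercise each outcome of the scan."""
    samples = {
        "contracts/spec-rev3.txt": "CUI//SP-CTI/SP-EXPT//NOFORN\nControlled by: PEO Example\nSlew-rate results ...\n",
        "engineering/notes.txt": "Meeting notes\nDISTRIBUTION STATEMENT D: DoD and contractors only.\nMargins are export controlled.\n",
        "hr/lunch-menu.txt": "Tuesday: tacos. Military discount applies.\n",
        "shared/old-proposal.txt": "CONTROLLED\nProposal narrative, section 2\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

def demo():
    """Build the sample tree in a temp dir, scan it and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(to_csv(demo()))
```

Run it as-is to print a CSV inventory of the constructed sample tree, or point scan_tree at a mounted share, a restored backup, or an export from a collaboration tool. Two caveats: files are read as plain text, so Office and PDF documents need a text-extraction step in front of classify_text; and a "suspected" result is a prompt to go back to the program office for a determination, not a designation you make yourself.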

Handling Requirements: How to Protect CUI

Once you've identified what CUI you have, you need rules for how to handle it. These rules are documented in your information security policies and procedures and reflected in your system security plan (SSP), which describes the systems that store, process, or transmit CUI. The specific controls come from NIST SP 800-171, the standard CMMC Level 2 assesses against. CUI should be stored on systems where access is controlled, not in shared folders everyone can access. It should be encrypted on portable devices and when transmitted over networks, and SP 800-171 requires that cryptography used to protect the confidentiality of CUI be FIPS-validated, so a home-grown or non-validated encryption setting doesn't count. It should not be printed and left on desks. It should not be sent to personal email accounts. It should not be discussed in unsecured conversations or public spaces. CUI needs to be backed up so you don't lose it, but the backups themselves contain CUI and need the same protections.

If CUI is no longer needed, because you've completed the work it was used for and no retention requirement applies, it needs to be securely destroyed. Ordinary file deletion doesn't remove the data; it marks the space as available for reuse, and forensic tools can often recover "deleted" files. NIST SP 800-88 is the reference for media sanitization, and SP 800-171 requires that media containing CUI be sanitized or destroyed before disposal or reuse. On magnetic disks, overwriting the data with a sanitization tool works. On SSDs and flash media, wear leveling means an overwrite can miss copies of the data, so use the drive's built-in sanitize or cryptographic-erase command, or keep the drive fully encrypted from the start and destroy the key. In cloud storage you depend on the provider's sanitization commitments, which is one reason to review them before CUI goes there. Printed CUI should be cross-cut shredded, not thrown in the trash. External drives that held CUI should be sanitized or physically destroyed when no longer needed.

This sounds like a lot of rules, but it boils down to: treat it like the sensitive information it is. Don't leave it lying around. Don't discuss it in public spaces. Don't store it on devices that could be lost or stolen. Don't send it to untrusted people or over unsecured channels. The stronger your controls, the less likely you are to have a breach that affects your customer's sensitive information, and under DFARS 252.204-7012 a cyber incident affecting CUI must be reported to DoD within 72 hours of discovery, which is not an obligation you want to trigger.

CUI vs. Classified Information

The distinction between CUI and classified information matters because it affects who can access it, what facilities it must be stored in, and what processes you need. Classified information, marked CONFIDENTIAL, SECRET, or TOP SECRET, requires significantly more stringent protections. It requires access by cleared personnel only. It requires accredited secure facilities. It requires the handling procedures defined by the NISPOM (the National Industrial Security Program Operating Manual, now codified at 32 CFR Part 117). Most contractors don't handle classified information, which is why CMMC focuses on CUI. But if your contract includes classified information, you operate under different rules.

It's important to understand which you have because you can't apply CMMC rules to classified information and call yourself compliant. CMMC is specifically about protecting CUI and Federal Contract Information (FCI). If you're handling classified information, you're also subject to NISPOM requirements, which are more stringent and are overseen by DCSA rather than by a CMMC assessor. The two regimes are separate, and doing one well doesn't satisfy the other. An organization good at protecting classified information can still be sloppy with CUI because it underestimates its importance, and an organization with a clean CMMC program has no standing to handle classified material until it holds a facility clearance.

Common Mistakes Organizations Make Identifying and Handling CUI

The most common mistake is assuming you don't have CUI because you work on unclassified contracts. You absolutely can have CUI on unclassified work. Your defense contract might be unclassified, but it could include sensitive technical specifications, pricing information, acquisition strategy, or other details that qualify as CUI. Unclassified doesn't mean uncontrolled.

Another common mistake is thinking that if a document isn't marked, it isn't CUI. Many documents are unmarked but could still be CUI. The assumption should be conservative: if it's sensitive technical information from a DoD customer, assume it's CUI unless told otherwise.

A third mistake is thinking CUI only refers to documents. It can be in emails, databases, system configurations, software code, presentations, meeting notes, photographs. An organization that marks some documents as CUI but misses CUI in their email system or collaboration tools is only partially protected.

Fourth mistake: not realizing CUI handling obligations extend to subcontractors and service providers. DFARS 252.204-7012 flows down to subcontractors that handle CUI, and it requires that a cloud service storing, processing, or transmitting CUI meet security requirements equivalent to the FedRAMP Moderate baseline. So if you use a cloud service for CUI, you need to verify that the specific offering meets that bar, not just that the vendor has a security page. If you outsource work to a consultant, they're handling your CUI and need to be subject to the same controls. Offshore teams raise a further problem: much CUI is also export controlled, and releasing it to foreign persons without an export authorization is a separate violation. Your responsibility for CUI doesn't end at your organization's boundary.

Fifth mistake: creating a CUI inventory and then never updating it. CUI comes in constantly as you win new contracts. You need an ongoing process for identifying new CUI, not a one-time exercise. Many organizations do an initial CUI identification and then forget about it, missing new CUI that arrives with new contracts.

Sixth mistake: assuming that physical security is enough. An organization might keep CUI documents in a locked office but transmit CUI unencrypted over email or store it on unencrypted laptops. Physical security matters, but it's not enough. You also need controls over electronic storage, transmission, and access.

Seventh mistake: not destroying CUI when it's no longer needed. Organizations accumulate years of CUI because they don't have a process for determining when to get rid of it. Your contract or customer might specify retention requirements, but anything beyond that should be securely destroyed. Accumulating CUI increases your liability and your risk.

CUI Handling in a Distributed Workforce

The shift to remote work has complicated CUI handling significantly. Employees working from home are accessing CUI on home networks, on personal devices, from coffee shops. This creates vulnerabilities, and every device that touches CUI is in scope for your assessment. Your CUI handling policies need to account for remote work. Do you allow employees to work with CUI on personal devices? If yes, those devices need FIPS-validated encryption and must be managed and assessed like any other in-scope asset, which is why most organizations choose not to allow it. Do you allow remote access to systems containing CUI? If yes, you need multifactor authentication and an encrypted VPN or equivalent. Do you allow CUI to be stored locally on laptops? If yes, you need full-disk encryption and device management. If no, you need a policy that's enforced and technical controls that back it up.

Cloud services and collaboration tools introduce similar challenges. If your team uses Google Drive, Slack, or similar tools, CUI might end up stored there. Your security policies need to address whether these tools are approved for CUI, what controls are required if they are, and what the consequences are if someone uses unapproved tools. Remember that a cloud service holding CUI must meet FedRAMP Moderate equivalency under DFARS 252.204-7012; check the specific tier or government offering you subscribe to, because a vendor's commercial tier and its government tier are often different products.

The Bottom Line on CUI

You now understand what CUI is and why the DoD cares about it. You know that CMMC's purpose is to verify that you're handling FCI and CUI properly, with CUI driving the Level 2 requirements. You're ready to ask your organization a hard question: do we actually know what CUI we have in our environment? If the answer is no or you're uncertain, that's your first project. Find the CUI, document it, understand how you're currently handling it, and then work toward implementing the controls CMMC requires. That inventory becomes the foundation for everything else. You can't protect what you don't know you have. Once you have that clarity, you can build a protection program that actually works.


Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general information about CMMC as of its publication date. Standards, requirements, and enforcement actions evolve — consult a qualified compliance professional for guidance specific to your organization.