Understanding CUI: Controlled Unclassified Information

Reviewed by Marcus Chen, CMMC Registered Practitioner

Controlled Unclassified Information (CUI) is unclassified data — technical specifications, acquisition details, vulnerability information, PII of government personnel — that federal law or regulation requires to be protected with specific handling controls. CMMC exists primarily to ensure defense contractors protect CUI properly. Your first and most critical task is identifying what CUI you actually possess and where it lives in your environment, because you cannot protect what you don't know you have.


CMMC exists primarily to protect Controlled Unclassified Information, usually referred to as CUI. You need to understand what CUI is because your organization's compliance burden depends directly on how much CUI you handle, where it lives in your environment, and how you're protecting it. The problem most defense contractors face is that they don't have a clear picture of what CUI they actually possess. And you can't protect what you don't know you have.

This article demystifies CUI and walks you through how to identify it in your environment, how to handle it properly, and the mistakes organizations commonly make. Understanding this puts you in a position to answer the fundamental CMMC question: what are we actually protecting, and where does it live?

What CUI Is and Why It Matters

CUI is information that isn't classified but is controlled by law or regulation — it doesn't require security clearances to access, but it does require specific protections around storage, transmission, and disposal.

The Department of Defense considers CUI valuable enough to require special handling. CUI includes technical data — specifications, algorithms, designs, test results for defense systems. It includes information about DoD acquisition and contracting. It includes information about vulnerabilities in DoD systems or networks. It includes personally identifiable information of government employees and contractors. It includes information about military capabilities or operations that isn't classified but is still sensitive. The Department has published a CUI Registry that lists all of the specific categories of information that qualify as CUI, organized by originating agency. The registry is publicly available and worth exploring if you want to see the scope.

The key insight is that CUI is genuinely sensitive, but it can be handled by normal employees without security clearances. That distinction matters enormously because it affects how you have to treat it. Classified information requires secure facilities, cleared personnel, vault storage, specific handling procedures. CUI can be handled in a normal office, but it requires specific protections around storage, transmission, and disposal. It's a different category of protection, and getting this wrong in either direction creates problems.

Marking and Identifying CUI

Many CUI documents arrive unmarked — the safe assumption for defense contractors is to treat any technical or sensitive information from a DoD customer as CUI unless explicitly told otherwise.

In theory, CUI should be marked — documents should have a CUI banner or marking that identifies them as controlled information. In practice, many documents that are CUI aren't marked, and many organizations don't have systematic approaches to marking. This creates a real problem for contractors: you might be handling CUI without realizing it. A technical specification your DoD customer sends you might not have a CUI marking on it, but it could be CUI because of its content and sensitivity.

The safe assumption for any contractor handling defense work is to treat any technical or sensitive information from your DoD customer as potentially CUI unless you've explicitly been told otherwise. If it came from a government customer, if it contains technical details about a system or capability, if it contains information about vulnerabilities or weaknesses, assume it's CUI until proven otherwise. Some contractors have gone through the exercise of systematically marking all documents they hold as either CUI or non-CUI, creating a register of their CUI and documenting how they handle it. Others have not, which is a significant liability. If you're audited for CMMC compliance and you don't know what CUI you have, that's a major finding. You can't claim to be protecting something you don't know you have.

This is one of the common reasons contractors fail CMMC assessment: they didn't properly identify their CUI, so they didn't implement appropriate protections for it. The auditor finds CUI that wasn't protected as required, and that becomes a failure item. Marking doesn't have to be perfect — you don't need to label every document in a specific format — but you need a systematic way to identify what's CUI and what's not. Documentation of that process matters. A simple policy that says "any technical information from DoD customers is treated as CUI unless marked otherwise" is a starting point.

Where CUI Lives in Your Environment

CUI exists beyond marked documents — it lives in email systems, shared drives, collaboration tools, backup systems, databases, and on remote employees' devices, and a thorough inventory is the foundation of your entire CMMC compliance program.

CUI could be in your email system, in shared drives, in collaboration tools, in the hands of employees working remotely, embedded in documents, stored in databases, backed up on external drives. If you haven't done a thorough search of your environment for CUI, you're almost certainly missing some.

The search process involves talking to your technical teams about what data they know is sensitive — your system administrators probably know which systems handle customer data, your developers might know which systems contain technical specifications, your business development team knows what information they share with customers. Search your file systems and shared drives for documents from DoD customers. Check whether your employees have taken documents home or stored them on personal devices. Review your email systems, because sensitive information flows through email constantly and it often stays there indefinitely. Check your backup systems — if you're backing up systems that contain CUI, those backups themselves are CUI and need protection. Check cloud storage and collaboration tools, because CUI might be stored there as well.

CUI doesn't just mean documents. It can be in system configuration files. It can be embedded in software code. It can be in presentations. It can be in meeting notes. It can be in photographs or diagrams. It can be in database records. The key is understanding what information qualifies as CUI in your environment, not just looking for marked documents.

This isn't a one-time exercise. New CUI comes in constantly from customer contracts, purchase orders, and communications. You need an ongoing process for identifying CUI when it arrives, handling it appropriately while it's in your possession, and destroying it when you no longer need it. Many organizations implement a process: new documents come in, they're screened for sensitivity, they're marked and stored appropriately, and there's a documented process for eventual disposal.
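As an added example (not code from the article), a first-pass inventory scan of a file share that records which files carry a CUI banner marking and which unmarked files contain terms a reviewer should look at; the marking pattern, the review terms, the file extensions and the three sample files are constructed assumptions.

```python
"""First-pass CUI inventory of a file share (added example, not the article's code)."""
import csv
import os
import re
import tempfile

# Banner markings in the CUI Marking Handbook style: "CUI" alone or with
# category/dissemination designators such as "CUI//SP-CTI//NOFORN".
MARKING_RE = re.compile(r"\b(?:CUI(?://[A-Z0-9/\-]+)?|CONTROLLED UNCLASSIFIED INFORMATION)\b")
# Heuristic terms (assumed) that suggest unmarked technical data worth a human look.
REVIEW_RE = re.compile(r"\b(?:specification|test results|vulnerabilit\w*|acquisition|dod)\b", re.I)


def classify(text: str) -> str:
    """Return 'marked', 'review' or 'clear' for one document's text."""
    if MARKING_RE.search(text):
        return "marked"
    if REVIEW_RE.search(text):
        return "review"
    return "clear"


def scan_tree(root: str, exts=(".txt", ".md", ".csv", ".cfg")) -> list:
    """Walk root and classify every readable text file; unreadable files are skipped."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read(200_000)  # the banner is at the top; 200 KB suffices
            except (UnicodeDecodeError, OSError):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            rows.append({"path": rel, "status": classify(text)})
    return sorted(rows, key=lambda r: r["path"])


def write_inventory(rows: list, out_path: str) -> None:
    """Write the register as CSV so it can be kept with the compliance evidence."""
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["path", "status"])
        writer.writeheader()
        writer.writerows(rows)


def demo() -> dict:
    """Constructed sample share: one marked, one unmarked-but-sensitive, one clear file."""
    samples = {
        "contracts/spec-rev3.txt": "CUI//SP-CTI\nThruster test results for the Block 2 unit",
        "eng/notes.md": "Meeting notes: customer DoD acquisition timeline",
        "hr/lunch-menu.txt": "Tuesday: tacos",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        rows = scan_tree(root)
        write_inventory(rows, os.path.join(root, "cui-inventory.csv"))
        return {r["path"]: r["status"] for r in rows}
```

A scan like this only surfaces files that are marked or that contain the review terms; unmarked customer material still needs the human screening step the article describes.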

Handling Requirements: How to Protect CUI

CUI must be stored on access-controlled systems, encrypted on portable devices and in transit, backed up with the same protections as the original, and securely destroyed when no longer needed.

Once you've identified what CUI you have, you need rules for how to handle it. These rules are documented in your information security policies and your incident response plan. CUI should be stored on systems where access is controlled — not in shared folders everyone can access. It should be encrypted if it's on portable devices or transmitted over networks. It should not be printed and left on desks. It should not be sent to personal email accounts. It should not be discussed in unsecured conversations or public spaces. CUI needs to be backed up so you don't lose it, but the backups themselves are also CUI and need the same protections.

If CUI is no longer needed — you've completed the work it was used for and no longer need to retain it — it needs to be securely destroyed. Secure destruction means deleting it in a way that it can't be recovered. File deletion on a computer doesn't truly delete the data; it just marks the space as available for reuse. Forensic tools can recover "deleted" files. True secure deletion requires either overwriting the data or using secure deletion tools. If CUI is printed, it should be shredded, not thrown in the trash. If it's on external drives, those drives should be destroyed when no longer needed.
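An added example (not the article's code) of the overwrite-then-unlink approach described above, run on a constructed sample file in a temporary directory; the pass count, chunk size and sample contents are assumptions.

```python
"""Overwrite-then-unlink deletion of a single CUI file (added example, not the article's code)."""
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB write buffer (assumed)


def _fill(fh, size: int, make_chunk) -> None:
    """Write `size` bytes produced by make_chunk(n) from the start of fh, then fsync."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(make_chunk(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # push the overwrite to the device, not just the OS page cache


def overwrite_in_place(path: str, random_passes: int = 2) -> int:
    """Overwrite the file's bytes: random_passes of random data, then a zero pass.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(random_passes):
            _fill(fh, size, secrets.token_bytes)
        _fill(fh, size, bytes)  # bytes(n) is n zero bytes
    return size


def secure_delete(path: str) -> int:
    """Overwrite, rename so the original file name leaves the directory entry, then unlink."""
    size = overwrite_in_place(path)
    scrubbed = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, scrubbed)
    os.remove(scrubbed)
    return size


def demo() -> dict:
    """Constructed sample: a small marked file, checked after overwrite and after removal."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "spec-rev3.txt")
        with open(path, "wb") as fh:
            fh.write(b"CUI//SP-CTI\nThruster test results: 4.2 kN at 300 s\n" * 64)
        n = overwrite_in_place(path)
        with open(path, "rb") as fh:
            residue = fh.read()  # what an undelete tool would now recover
        secure_delete(path)
        return {"bytes": n, "plaintext_gone": residue == b"\0" * n,
                "removed": not os.path.exists(path)}
```

Overwriting defeats ordinary undelete tools on a conventional magnetic disk; on SSDs, journaling or copy-on-write file systems and cloud storage the old blocks can survive, so encrypted storage with key destruction, or destruction of the media as the article says for external drives, is the dependable route there.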

This sounds like a lot of rules, but it boils down to: treat it like the sensitive information it is. Don't leave it lying around. Don't discuss it in public spaces. Don't store it on devices that could be lost or stolen. Don't send it to untrusted people or on unsecured channels. The stronger your controls, the less likely you are to have a breach that affects your customer's sensitive information and exposes you to liability.

CUI vs. Classified Information

CUI requires access controls, encryption, and documented handling procedures within a normal office environment. Classified information requires security clearances, SCIFs, vault storage, and NISPOM compliance — they are separate protection categories with separate requirements.

The distinction matters because it affects what personnel can access it, what facilities it must be stored in, and what processes you need. Classified information — marked SECRET, TOP SECRET, or other classification level — requires significantly more stringent protections. It requires access by cleared personnel only. It requires secure facilities. It requires specific handling procedures defined by NISPOM (the National Industrial Security Program Operating Manual). Most contractors don't handle classified information, which is why CMMC focuses on CUI. But if your contract includes classified information, you operate under different rules.

It's important to understand which you have because you can't apply CMMC rules to classified information and call yourself compliant. CMMC is specifically about CUI protection. If you're handling classified information, you're also subject to NISPOM requirements, which are more stringent. That said, an organization that handles CUI well is probably handling any classified information it holds well too. The reverse isn't always true: an organization good at protecting classified information might be sloppy with CUI because they underestimate its importance.

Common Mistakes Organizations Make in Identifying and Handling CUI

The most common CUI-related mistakes — assuming unclassified means uncontrolled, treating only marked documents as CUI, ignoring CUI in email and collaboration tools, and failing to flow down handling requirements to subcontractors — are also the most common reasons contractors fail CMMC assessments.

The most common mistake is assuming you don't have CUI because you work on unclassified contracts. You absolutely can have CUI on unclassified work. Your defense contract might be unclassified, but it could include sensitive technical specifications, pricing information, acquisition strategy, or other details that qualify as CUI. Unclassified doesn't mean uncontrolled.

Another common mistake is thinking that if a document isn't marked, it isn't CUI. Many documents are unmarked but could still be CUI. The assumption should be conservative: if it's sensitive technical information from a DoD customer, assume it's CUI unless told otherwise.

A third mistake is thinking CUI only refers to documents. It can be in emails, databases, system configurations, software code, presentations, meeting notes, photographs. An organization that marks some documents as CUI but misses CUI in their email system or collaboration tools is only partially protected.

CUI handling obligations also extend to subcontractors and service providers. If you use a cloud service to store data, you need to vet the service provider and ensure they handle your CUI appropriately. If you outsource work to a consultant or offshore team, they're handling your CUI and need to be subject to the same controls. Your responsibility for CUI doesn't end at your organization's boundary.

Organizations also frequently create a CUI inventory and then never update it. CUI comes in constantly as you win new contracts. You need an ongoing process for identifying new CUI, not a one-time exercise. And physical security alone is insufficient — an organization might keep CUI documents in a locked office but transmit CUI unencrypted over email or store it on unencrypted laptops. Physical security matters, but you also need controls over electronic storage, transmission, and access.

Finally, organizations that don't destroy CUI when it's no longer needed accumulate years of sensitive data unnecessarily. Your contract or customer might specify retention requirements, but anything beyond that should be securely destroyed. Accumulating CUI increases your liability and your risk.

CUI Handling in a Distributed Workforce

Remote work creates CUI vulnerabilities on home networks, personal devices, and unapproved collaboration tools — your policies must explicitly address encryption, VPN requirements, device management, and approved storage locations for distributed teams.

The shift to remote work has complicated CUI handling significantly. Employees working from home are accessing CUI on home networks, on personal devices, from coffee shops. This creates vulnerabilities. Your CUI handling policies need to account for remote work. Do you allow employees to work with CUI on personal devices? If yes, those devices need encryption. Do you allow remote access to systems containing CUI? If yes, you need multifactor authentication and secure VPN access. Do you allow CUI to be stored on personal laptops? If yes, you need encryption and device management. If no, you need a policy that's enforced.

Cloud services and collaboration tools introduce similar challenges. If your team uses cloud storage or messaging tools, CUI might end up stored there. Your security policies need to address whether these tools are approved for CUI, what controls are required if they are, and what the consequences are if someone uses unapproved tools.

You now understand what CUI is and why the DoD cares about it. You know that CMMC's entire purpose is to ensure you're handling CUI properly. You're ready to ask your organization a hard question: do we actually know what CUI we have in our environment? If the answer is no or you're uncertain, that's your first project. Find the CUI, document it, understand how you're currently handling it, and then work toward implementing the controls CMMC requires. That inventory becomes the foundation for everything else. You can't protect what you don't know you have. Once you have that clarity, you can build a protection program that actually works.


Frequently Asked Questions

How do I know if my organization handles CUI?
If you hold a DoD contract or subcontract, review your contract's security requirements section — it will specify whether CUI is involved and what categories apply. If your work involves technical specifications, system designs, test data, vulnerability information, or acquisition details from a DoD customer, you almost certainly handle CUI. When in doubt, ask your contracting officer to clarify which contract deliverables and data constitute CUI.

What is the CUI Registry and how do I use it?
The CUI Registry is a publicly available catalog maintained by the National Archives (archives.gov/cui) that lists all categories and subcategories of CUI, organized by the government agency that controls each category. Use it to identify which CUI categories are relevant to your contracts and to understand the specific handling requirements for each category. The registry is the authoritative source for what qualifies as CUI.

Do CUI handling requirements apply to my subcontractors?
Yes. CUI handling obligations flow down to any subcontractor, consultant, or service provider who accesses, stores, processes, or transmits your CUI. You must ensure your subcontractors implement appropriate protections through contractual requirements and periodic verification. If a subcontractor mishandles your CUI, you share responsibility for that failure.

What happens if CUI is found unprotected during a CMMC assessment?
Unprotected CUI is a significant audit finding that can prevent certification. The assessor will document the finding, and you must remediate it — implementing appropriate protections, updating your CUI inventory, and demonstrating that the gap has been closed — before certification can proceed. Failure to properly identify and protect CUI is one of the most common reasons contractors fail CMMC assessments.

How should I destroy CUI when it's no longer needed?
Digital CUI must be securely deleted using methods that prevent forensic recovery — overwriting data, using certified secure deletion tools, or physically destroying storage media. Printed CUI must be cross-cut shredded, not simply thrown away. Your organization should have a documented CUI destruction policy specifying approved methods, and you should maintain destruction records as evidence for your CMMC audit.

Does CUI stored in cloud services require special protections?
Yes. Cloud services storing CUI must meet FedRAMP Moderate baseline requirements or equivalent. Not all commercial cloud services qualify. You need to verify that your cloud provider meets these requirements and that your configuration (encryption settings, access controls, data residency) maintains CUI protections. Using an unapproved cloud service to store CUI is a compliance violation.


Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general information about CMMC as of its publication date. Standards, requirements, and enforcement actions evolve — consult a qualified compliance professional for guidance specific to your organization.