
by Scott Jack
Content Contributor, E-N Computers
Over 10 years of experience in healthcare IT and tech support.
Updated September 29, 2025
The federal government expects contractors at all levels to protect their information. Besides basic Federal Contract Information (FCI), there is a more sensitive category of data called Controlled Unclassified Information (CUI). To get and keep a contract, defense contractors and their subcontractors need to know what CUI they have and implement a system to adequately protect it.
QUICK ANSWER:
What is CUI, and should I worry about it?
CUI, or Controlled Unclassified Information, is sensitive information related to the deliverables of a government contract. Defense contractors that handle CUI are required to protect it according to NIST SP 800-171. You need the right documentation to prove that you are handling CUI properly to reach CMMC Level 2 and keep your defense contracts.
What is CUI?
CUI stands for Controlled Unclassified Information. Based on regulation 32 CFR 2002.4, it can be described this way:
“information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, not including information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”
We know that sounds like government word salad. In practical terms, CUI is sensitive information related to the deliverables of a contract. It can be information sent to you by your government partner or information you produce for them. Here are a few examples:
- Technical drawings
- Specifications
- Manuals
- Reports
- Computer code
CUI can seem overwhelming, but it’s actually an improvement over the old way of doing things. In the past, government agencies had separate marking systems and it was nearly impossible to keep them all straight. In contrast, the DoD says, “CUI policy provides a uniform marking system” that “alerts recipients that special handling may be required”.
How is CUI different from FCI?
FCI is non-public information related to your contract, such as invoices, payment account details, and emails between you and federal employees.
CUI is a more sensitive subset of FCI because it includes details about the particulars of a project. It must be marked and requires additional safeguards. It’s often said that all CUI is FCI, but not all FCI is CUI. For more information, see our article, What is FCI?
FCI vs. CUI

How CUI relates to CMMC
You are required to protect all information you handle as part of a government contract, even if you are just a subcontractor. If it is related to a defense contract, then you are also subject to CMMC, the Cybersecurity Maturity Model Certification program.
A business that exclusively handles FCI only needs to meet CMMC Level 1 requirements. However, many defense contractors—such as manufacturing and engineering firms—also handle CUI and need to reach CMMC Level 2.
In part, CMMC Level 2 compliance means that you need to have a system security plan (SSP), incident response plan (IRP), and plan of action and milestones (POA&M). You also must pass an assessment carried out by a Certified Third Party Assessor Organization (C3PAO). This isn’t just a one-and-done certification, either—you must recertify every three years to demonstrate that you are actively protecting government data.
Scope first
Scoping refers to the process of figuring out what data you have, what systems it touches, who should have access to it, and what security controls you need to implement. Organizations can be tempted to jump ahead to lock things down. But we strongly encourage you to start with scoping for at least two reasons:
- Scoping allows you to focus on what matters. When you identify what is in scope, you also know what is out of scope, and you don’t have to waste time on those systems. You can put your time and budget toward what’s needed for compliance.
- Scoping makes your assessment go more smoothly. Your CMMC assessor will expect clear documentation of your scope and for you to be familiar with it. It also makes their job easier and allows them to concentrate on scoped items.
If you don’t take time to properly scope your project, you will waste time and money doing unnecessary things, you will make your assessment more stressful, and you may fail to implement needed controls because you weren’t thorough.
What does scoping involve?
Here’s a brief overview of the scoping process:
- Gather your contracts. This includes direct government contracts as well as any subcontracts.
- Review your contracts. They will often mention specific information—such as technical drawings, specifications, manuals, reports, or computer code—that you are expected to protect.
- Take inventory of your information assets. This is any information your company processes, stores, or transmits, whether electronically, on paper, or on removable media (e.g., CDs and USB drives).
- Map information to contracts. Document which contract each type of information is associated with.
- Decide what information is CUI. Does the information meet the definition of CUI as outlined in 32 CFR 2002.4?
- Map information to systems. Clearly document what information is CUI, where it resides, what systems it touches, and who should have access.
You can find the official Level 2 Scoping Guidance on the DoD CMMC website.
How should CUI be handled?
CUI must be handled according to the cybersecurity standards in NIST SP 800-171. This 113-page document details 110 controls broken up into 14 families. For an in-depth explanation, check out our Ultimate Guide to DFARS and NIST SP 800-171.
Note that the specific way you implement these controls is up to you. It is your responsibility to protect all CUI that you handle. As a contractor, you have the right to set your policy on how you will handle CUI. Don’t be timid about talking with your government partner if you need clarification on whether something is CUI or need to remind them how to securely transmit information to you.
Whatever solution you use, you want it to be right-sized. Sometimes we find that people skip scoping and immediately overspend on a solution that’s total overkill. Then when they realize how much money they’re hemorrhaging, they switch to a pathetic, cheap solution. With a clear scope, you’ll be able to implement a Goldilocks solution that saves you time and money.
One example of this can be seen with Microsoft 365. Someone who only handles FCI can be fine using a commercial Microsoft 365 tenant. Someone who handles CUI will need Microsoft 365 Government Community Cloud (GCC), and someone who also has export-controlled information will need GCC High. GCC and GCC High allow you to implement sensitivity labels to mark and track CUI tenant-wide. For a more thorough comparison of these services, see our article, What is Microsoft 365 GCC High and do I need it?
The Cyber AB, the DoD’s exclusive CMMC implementation partner, highly recommends working with a Registered Practitioner (RP) through this process. A Registered Practitioner is an experienced IT professional who has been tested to demonstrate understanding of the CMMC framework. A good Registered Practitioner will guide you through scoping and implementation so that you are compliant and well-prepared for your assessment. E-N Computers is a Registered Practitioner Organization with two RPs, and we’re actively helping businesses prepare for CMMC.
Official CUI resources
The National Archives CUI Registry is “the Government-wide online repository for Federal-level guidance regarding CUI policy and practice.” You can find the CUI Marking Handbook here as well as some CUI training.
The DoD CUI Registry gives information on categories of CUI, required markings, policies, and examples.
This DoD Mandatory CUI Training is designed for DoD personnel as well as industry and provides information on “accessing, marking, safeguarding, decontrolling and destroying CUI along with the procedures for identifying and reporting security incidents.”
The DoD website provides official CMMC documentation, including a Level 2 self-assessment guide.
E-N Computers offers an audio version of the CMMC Level 2 Self-Assessment Guide as a free service to the IT community. Download or listen via Spotify or Amazon.
Next Steps
A great first step is to take advantage of our complimentary 30-minute CMMC consulting session with one of our senior engineers.
For background, E-N Computers focuses on manufacturers, engineers, and companies with physical operations and complex compliance requirements. After 30 years serving SMBs in the Virginia and DC area, we’ve worked with clients ranging from small operations to regional market leaders.
We’re not in CMMC compliance to jump on a bandwagon or take advantage of companies feeling the heat. When our manufacturing and engineering clients needed CMMC support, we invested in developing this specific compliance expertise on top of our long history of compliance-focused IT services. We’ve also published extensive guidance helping business leaders make informed compliance decisions.
Unlike national MSPs with revolving account managers, clients work directly with local owner Ian MacRae and our Virginia-based team. We typically serve companies with 10-200 employees that have complex operational requirements alongside their compliance needs.