August 18, 2020

Last Updated on June 26, 2025

Does your organization need to comply with Cybersecurity Maturity Model Certification (CMMC 2.0) so you can participate in future US Department of Defense (DoD) contracts? CMMC was created specifically to protect controlled unclassified information (CUI) wherever it resides on contractors’ systems across the DoD’s massive supply chain.

This post covers the basics on CUI, including why protecting it is so important to US national security as well as the competitive viability of US defense industrial base (DIB) orgs.

Key takeaways

  • Companies that receive CUI will need to comply with CMMC Level 2 to participate in future DoD contracts.
  • CUI is subject to strict cybersecurity compliance requirements as specified in the NIST 800-171 standard.
  • There are two types of CUI: CUI Basic and CUI Specified. The latter must be identified and protected with a range of extended controls depending on its specific designation. 
  • The DoD’s CMMC 2.0 standard mandates third-party compliance audits for nearly all contractors that handle CUI.

What is CUI?

According to the DoD, CUI is “…unclassified information the United States

Government creates or possesses that requires safeguarding or dissemination controls

limiting its distribution to those with a lawful government purpose. CUI may not be

released to the public absent further review.”

CUI is a distinct category of sensitive but non-classified information that requires cybersecurity and dissemination controls. If publicly associated with defense missions or aggregated with other data sources, adversaries can use CUI to reveal or extrapolate exploitable information.

While not as highly restricted as classified (e.g., Top Secret) information, CUI is subject to a range of laws, regulations, and government policies designed to protect it from unauthorized access, disclosure, or misuse. This includes rigorous cybersecurity controls as defined in the NIST 800-171 standard, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

The National Archives and Records Administration (NARA) maintains a wide array of CUI categories and subcategories. These include the “Defense” category grouping:

  • Controlled Technical Information
  • DoD Critical Infrastructure Security Information
  • Naval Nuclear Propulsion Information
  • Privileged Safety Information
  • Unclassified Controlled Nuclear Information 

There are also CUI categories relating to export control, financial services, critical infrastructure, intelligence, law enforcement, and other areas. Common examples of CUI include:

  • Financial data like account numbers and credit card details
  • Engineering drawings, schematics, and other technical data
  • Critical infrastructure security data
  • Export-controlled data

According to Thomas Price, Information Security Auditor/Quality Management Professional at BSI, CUI is “… information that the government decides needs to be controlled and not disseminated. It can reside either in a federal system or in a contractor’s system. CUI protections start at CMMC Level 2. The government wants people to have some basic cybersecurity controls in 14 domains—everything from access controls to network controls to how you do risk assessments to verify the risks affecting the CUI you may have in your custody.”

Why is CUI often hard to identify?

CUI should be marked appropriately to highlight it as sensitive data belonging to the US government. But this has historically been notoriously difficult for government agencies—let alone DIB SMBs—to accomplish. Some of the reasons include:

  • Vague contract details that do not specifically identify that the contractor or subcontractor will receive CUI, or the nature of the CUI involved in the contract.
  • “Pushing risk down the supply chain” by requiring subcontractors that may not actually handle CUI to implement CUI protections.
  • A “better safe than sorry” approach that deals with uncertainty by treating data as CUI by default.

Another challenge is the sheer diversity of CUI data. The NARA CUI Registry lists about 125 CUI categories within 20 index groupings.

The term “CUI” is also used more broadly to mark a wide range of data categories that require protection. Examples include:

  • Personally identifiable information (PII) like employee names, addresses, social security numbers, etc.
  • Proprietary business information (PBI) or confidential business information (CBI), such as business plans, customer lists, and trade secrets.
  • Unclassified controlled technical information (UCTI), including technical drawings, blueprints, specifications, and research data.

Related to CUI are CUI assets that process, store, or identify CUI (e.g., workstations, servers, cloud services, managed service providers, managed security service providers). CUI assets are within the scope of an organization’s CUI environment and thus its CMMC Level 2 assessment, so identifying them is also critical.

CUI Basic and CUI Specified—What’s the difference?

The many types and categories of CUI all fall into one of two classifications: CUI Basic and CUI Specified. But while data marked CUI Specified requires more restrictive controls, the two designations do not refer to different protection levels per se. Specific US government regulations apply to different kinds of CUI Specified data—and these laws mandate a range of safeguards beyond the generic protections for CUI Basic that NIST 800-171 defines. 

For example, data that falls under the International Traffic in Arms Regulations (ITAR) is subject to stringent protections, including:

  • Limiting access to US persons only (export controlled).
  • Maintaining end-to-end encryption, not just in transit and at rest but when the data is in use.
  • Documenting and implementing an ITAR protection plan.

Because ITAR data relates to weapons systems and many other battlefield assets per the US Munitions List (USML), it is extremely common for DIB orgs to receive it. ITAR compliance entails significant additional controls that could affect your entire cybersecurity program or roadmap—and there are formidable penalties for noncompliance. Therefore, it is crucial for defense suppliers to know definitively whether they hold ITAR data, including how they receive it, where it resides on their systems, and who has access to it. 

Other CUI Specified categories include:

  • Not Releasable to Foreign Nationals (NOFORN), which marks export-controlled data subject to restrictions similar to ITAR.
  • Export Administration Regulations (EAR), which is also similar to ITAR but relates to the US Commerce Control List managed by the US Department of Commerce, rather than the USML. 

What is FCI?

Another level of unclassified information that is part of every US government contract by definition is federal contract information (FCI). This is “… any information that is created and used in the administration of a government contract,” said Mr. Price. 

Like CUI, FCI includes information created or aggregated by or for the US government, as well as data contractors receive from the government. All CUI on non-government systems is considered FCI, but not all FCI is CUI. 

Examples of FCI that generally is not also CUI include:

  • Contracts
  • Emails exchanged with the DoD or a prime contractor
  • Organizational charts
  • Performance reports
  • Draft documents
  • Pricing data
  • Basic technical data

To protect FCI on DoD contracts, contractors will need to implement the 15 “foundational” cybersecurity controls at CMMC Level 1. This is a considerably lower compliance bar than CMMC Level 2. 

But as Mr. Price points out, the DoD could later classify as CUI some contract deliverables initially classified as FCI. “So, you need to be working closely with your contracting officer throughout the duration of your contract to make sure about any information you have that does become classified as CUI.” That data could then become subject to the 110 NIST 800-171 controls at CMMC Level 2.

What is CMMC 2.0?

As an audit-based program with three certification levels, CMMC 2.0 is much more rigorous than today’s self-attestation compliance approach to protect CUI—though both are based on NIST 800-171.

If you want to do business with the DoD going forward, you need to know whether you receive CUI, where it resides in your environment, and what your contractual obligations currently are and/or likely will be regarding its protection. Then, unless you handle no CUI whatsoever, you will need to prove to an independent auditor that your cybersecurity posture meets the CMMC 2.0 Level 2 (or possibly Level 3) requirements.

CMMC 2.0 will be implemented when the DFARS 7021 clause that puts CMMC language into DoD contracts is finalized, and following a 60-day waiting period after publication of the final 48 CFR rule in the Federal Register. This will initiate a three-year phased rollout process that gradually puts CMMC requirements in force across all DoD contracts.

While CMMC 2.0 requirements do not yet appear in DoD contracts, DIB orgs that handle CUI have long been subject to NIST 800-171 compliance, which mandates the exact same control set as CMMC 2.0 Level 2. Given that many SMBs will need a year or more to implement those controls, contractors should move now to close any gaps in their CMMC compliance posture to avoid the risk of losing out on future contracts or contract renewals.

For more information

These US government resources provide more information on CUI:

What’s next?

To speak with an expert on how to identify, categorize, and protect CUI and other sensitive data in compliance with CMMC and other regulations, contact CBIZ Pivot Point Security.