Handling Controlled Unclassified Information (CUI) in Government Contracts
Controlled Unclassified Information encompasses a vast range of sensitive government data that contractors handle daily — from technical specifications and engineering data to personally identifiable information and law enforcement records. Mishandling CUI can result in contract termination, False Claims Act liability, and debarment.
This guide covers what CUI is, how to identify it, your obligations as a contractor, and the security requirements that govern its protection.
What Is CUI? (32 CFR Part 2002)
Controlled Unclassified Information is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
The CUI program was established by Executive Order 13556 (November 2010) to standardize the way the executive branch handles unclassified information that requires protection. Before CUI, agencies used a patchwork of markings — For Official Use Only (FOUO), Sensitive But Unclassified (SBU), Law Enforcement Sensitive (LES), and dozens of others — with inconsistent protection requirements. The CUI program replaced all of these with a single, standardized framework.
32 CFR Part 2002 implements the CUI program and defines the requirements for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI. The Information Security Oversight Office (ISOO) at the National Archives administers the program and maintains the CUI Registry, which catalogs all approved CUI categories and subcategories.
CUI Categories and Markings
The CUI Registry organizes CUI into categories and subcategories based on the laws, regulations, and policies that require protection. There are two types of CUI:
CUI Basic
The default CUI category. Requires the baseline safeguarding measures outlined in 32 CFR Part 2002 and NIST 800-171. No additional handling restrictions beyond the standard CUI requirements.
Marking: CUI or CONTROLLED
CUI Specified
CUI where the authorizing law, regulation, or policy specifies handling controls that are more restrictive than CUI Basic. The specific controls required are defined by the authorizing authority.
Marking: CUI//SP-category (e.g., CUI//SP-CTI for Controlled Technical Information)
Major CUI categories that contractors commonly encounter include:
CUI markings must appear in the banner at the top of each page containing CUI, with the category indicator(s) when the document contains CUI Specified. Portion markings (marking individual paragraphs) are optional unless the designating agency requires them. Electronic CUI should carry its marking in a form that survives copying and forwarding, for example in the document header and file metadata, so that an unmarked copy does not circulate as if it were unrestricted.
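A banner marking is a small grammar, and a parser for it is a useful check to run over document headers or email subject lines before they leave a CUI enclave. The following is an added example, not code from this page or from ISOO. It follows the CUI Marking Handbook syntax (control marking, then "//"-separated category and limited dissemination control segments, "/" between items, "SP-" prefix on CUI Specified categories). The set of dissemination controls it recognises is an assumption: the ones a DoD contractor usually encounters, not the full registry.

```python
"""Parse and validate a CUI banner marking string.

Syntax, per the CUI Marking Handbook: a control marking (CUI or CONTROLLED),
optionally followed by "//" and one or more category markings separated by
"/" (CUI Specified categories carry an "SP-" prefix and are listed before
CUI Basic categories), optionally followed by "//" and one or more limited
dissemination control (LDC) markings, also separated by "/".  The LDC set
below is an assumption: the controls a DoD contractor usually sees, not the
full ISOO list.  Added example, not code from the page or from ISOO.
"""
import re
from dataclasses import dataclass, field

CONTROL_MARKINGS = {"CUI", "CONTROLLED"}
LEGACY_MARKINGS = {"FOUO", "SBU", "LES"}         # pre-CUI markings the program replaced
KNOWN_LDCS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}
CATEGORY_RE = re.compile(r"^[A-Z][A-Z0-9-]*$")   # category names are upper-case, e.g. CTI, PRVCY


@dataclass
class CuiBanner:
    control: str
    specified: list = field(default_factory=list)   # "SP-CTI" -> "CTI"
    basic: list = field(default_factory=list)
    ldcs: list = field(default_factory=list)
    findings: list = field(default_factory=list)    # empty when the banner is well-formed

    @property
    def valid(self) -> bool:
        return not self.findings


def _is_ldc(token: str) -> bool:
    # "REL TO USA, GBR" is open-ended, so match it by prefix
    return token in KNOWN_LDCS or token.startswith("REL TO ")


def _split(segment: str) -> list:
    return [t.strip() for t in segment.split("/") if t.strip()]


def parse_cui_banner(banner: str) -> CuiBanner:
    segments = [s.strip() for s in banner.strip().split("//")]
    result = CuiBanner(control=segments[0])
    if result.control in LEGACY_MARKINGS:
        result.findings.append(f"legacy marking {result.control!r}; use CUI or CONTROLLED")
    elif result.control not in CONTROL_MARKINGS:
        result.findings.append(f"unknown control marking {result.control!r}")
    if len(segments) > 3:
        result.findings.append("more than two '//' separators")
        return result

    categories, ldcs = [], []
    if len(segments) == 2:
        tokens = _split(segments[1])
        if not tokens:
            result.findings.append("empty segment after '//'")
        elif all(_is_ldc(t) for t in tokens):
            ldcs = tokens          # e.g. "CUI//NOFORN": LDCs with no category marking
        else:
            categories = tokens
    elif len(segments) == 3:
        categories, ldcs = _split(segments[1]), _split(segments[2])
        if not categories or not ldcs:
            result.findings.append("empty segment after '//'")

    seen_basic = False
    for cat in categories:
        if cat.startswith("SP-"):
            name = cat[3:]
            if seen_basic:
                result.findings.append(f"specified category {cat} must precede basic categories")
            result.specified.append(name)
        else:
            name = cat
            seen_basic = True
            result.basic.append(name)
        if not CATEGORY_RE.match(name):
            result.findings.append(f"malformed category marking {cat!r}")

    for ldc in ldcs:
        if not _is_ldc(ldc):
            result.findings.append(f"unrecognised dissemination control {ldc!r}")
        result.ldcs.append(ldc)
    return result


if __name__ == "__main__":
    for sample in ("CUI", "CUI//SP-CTI", "CUI//SP-CTI/PRVCY//NOFORN",
                   "CUI//NOFORN", "FOUO", "CUI//PRVCY/SP-CTI", "CUI//SP-CTI//SECRET"):
        b = parse_cui_banner(sample)
        print(f"{sample:32} valid={b.valid} findings={b.findings}")
```

The legacy-marking branch is the one that pays for itself in practice: FOUO and SBU stamps still turn up on government-furnished documents and on templates inherited from older programs, and a file that carries only a legacy marking will not be treated as CUI by anyone downstream.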
Contractor Obligations for CUI
Contractors handling CUI must implement a comprehensive set of protections. These obligations flow from DFARS 252.204-7012, the CUI program regulations (32 CFR Part 2002), and NIST SP 800-171. Key obligations include:
- Implement NIST 800-171: All 110 security requirements of NIST SP 800-171 Rev 2 must be implemented on systems that process, store, or transmit CUI. This is the technical foundation of CUI protection for contractors.
- Maintain a System Security Plan: Document your CUI environment boundaries, data flows, security controls, and responsible personnel. The SSP must be kept current and available for review.
- Mark CUI appropriately: Apply required CUI markings to all documents, emails, and media containing CUI. Follow marking guidance from the CUI Registry and the designating agency.
- Limit access: Only individuals with a lawful government purpose and who have completed CUI awareness training should have access to CUI. Implement need-to-know access controls.
- Use approved communication channels: Transmit CUI only through authorized channels. Email containing CUI must be encrypted with FIPS-validated cryptography (NIST 800-171 requirement 3.13.11). Cloud services that store, process, or transmit CUI must meet the FedRAMP Moderate baseline or an equivalent the contractor can demonstrate (DFARS 252.204-7012(b)(2)(ii)(D)).
- Train personnel: All employees who handle CUI must receive CUI awareness training covering identification, marking, safeguarding, dissemination, and incident reporting.
- Destroy CUI when no longer needed: CUI must be destroyed using methods that prevent reconstruction. Paper must be cross-cut shredded. Electronic media must be sanitized per NIST 800-88.
NIST 800-171 Connection
NIST SP 800-171 is the primary technical standard for protecting CUI in nonfederal systems. When a contractor handles CUI, the 110 security requirements in NIST 800-171 define the minimum security baseline. They are grouped into 14 requirement families, including access control, audit and accountability, incident response, and system and communications protection (where the encryption requirements live).
The relationship between CUI and NIST 800-171 is direct: DFARS 252.204-7012 requires contractors to implement NIST 800-171 specifically because the contract involves CUI (or Covered Defense Information, which includes CUI). Without CUI, there is generally no DFARS-driven requirement for NIST 800-171 compliance.
This connection extends to CMMC as well. CMMC Level 2 maps directly to NIST 800-171 and is required for contracts involving CUI. The presence of CUI in a contract is the trigger for cybersecurity compliance requirements throughout the acquisition lifecycle.
CUI Protection Chain
Incident Reporting Requirements (72-Hour Rule)
Under DFARS 252.204-7012, contractors must report cyber incidents to the DoD within 72 hours of discovery. A cyber incident is defined as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
The 72-hour clock starts when the contractor discovers the incident, not when the incident occurred. However, contractors must have adequate monitoring and detection capabilities to discover incidents in a timely manner. The reporting process includes:
- Submit the incident report through the DIBNet portal (https://dibnet.dod.mil); submission requires a DoD-approved medium assurance certificate, so obtain one before an incident occurs
- Include a detailed description of the incident, affected systems, and data types involved
- Identify whether CUI was potentially compromised
- Preserve and protect images of all known affected information systems, and all relevant monitoring and packet capture data, for at least 90 days from submission of the cyber incident report so that DoD can request the media or decline interest
- Submit any malicious software discovered and isolated in connection with the incident to the DoD Cyber Crime Center (DC3) according to the instructions DC3 or the contracting officer provides; do not send malicious software to the contracting officer
- Provide the DoD Cyber Crime Center (DC3) access to additional information or equipment if requested
Failure to report a CUI incident can result in breach of contract, False Claims Act liability (if the contractor certified compliance while lacking adequate protections), suspension or debarment, and loss of future contract eligibility. Enforcement is not theoretical: the Department of Justice's Civil Cyber-Fraud Initiative, launched in October 2021, uses the False Claims Act against contractors that knowingly misrepresent their cybersecurity compliance or fail to report incidents as required.
CUI in Subcontracts
CUI protection requirements flow down through the entire supply chain. When a prime contractor shares CUI with subcontractors, those subcontractors assume the same obligations as the prime for protecting that information.
Prime contractors must:
- Flow down DFARS 252.204-7012 to all subcontractors whose work involves CUI
- Determine whether subcontractors will handle CUI and scope their access appropriately
- Verify that subcontractors have implemented NIST 800-171 before sharing CUI
- Require subcontractors to report cyber incidents to both the DoD and the prime contractor
- Ensure subcontractors have adequate CMMC certification for the required level
This cascading requirement creates challenges for prime contractors who must manage CUI protection across multiple subcontractor tiers. Best practices include maintaining a CUI data flow map that identifies every entity in the supply chain that touches CUI, conducting periodic reviews of subcontractor security posture, and limiting CUI access to the minimum number of subcontractors necessary.
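The data flow map described above is only useful if it is checked mechanically, because a second-tier sub can be added to a chain without the prime ever seeing its subcontract. The following is an added example, not code from this page or from any contractor's tooling. It models the supply chain as a directed graph of CUI transfers, computes who touches CUI by walking from the prime, and flags every CUI-carrying edge into an entity that lacks a protection this section lists. The entity fields, the required CMMC level and the sample chain are all constructed assumptions.

```python
"""Walk a CUI data-flow map across subcontract tiers and flag every CUI
transfer to an entity that lacks the protections the prime must have in
place before sharing.  Added example, not code from the page; the entity
records, field names and the sample chain below are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    name: str
    tier: int                      # 0 = prime, 1 = first-tier sub, 2 = its sub, ...
    dfars_7012_flowed_down: bool   # clause present in the (sub)contract
    nist_800_171_attested: bool    # SSP/POA&M reviewed before any CUI was shared
    reports_to_prime: bool         # incident reporting to the prime as well as DoD
    cmmc_level: int = 0            # 0 = no certification


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    cui_types: tuple = ()          # CUI categories on this edge; () = no CUI shared


def cui_flow_map(flows, prime):
    """Entities reachable from the prime over CUI-carrying edges, in BFS order:
    the 'who touches CUI' list, computed from the edges rather than hand-maintained."""
    adjacent = {}
    for f in flows:
        if f.cui_types:
            adjacent.setdefault(f.src, []).append(f.dst)
    seen, order, queue = {prime}, [], deque([prime])
    while queue:
        cur = queue.popleft()
        order.append(cur)
        for nxt in adjacent.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order


def check_flowdown(entities, flows, prime, required_cmmc_level=2):
    """One finding per missing protection on each CUI-carrying edge."""
    findings = []
    touches_cui = set(cui_flow_map(flows, prime))
    for f in flows:
        if not f.cui_types or f.dst == prime:
            continue
        label = f"{f.src} -> {f.dst} ({'/'.join(f.cui_types)})"
        if f.src not in touches_cui:
            findings.append(f"{label}: source is not in the prime's CUI flow map")
        e = entities[f.dst]
        if not e.dfars_7012_flowed_down:
            findings.append(f"{label}: DFARS 252.204-7012 not flowed down")
        if not e.nist_800_171_attested:
            findings.append(f"{label}: NIST SP 800-171 implementation not verified before sharing")
        if not e.reports_to_prime:
            findings.append(f"{label}: subcontract lacks incident reporting to the prime")
        if e.cmmc_level < required_cmmc_level:
            findings.append(f"{label}: CMMC level {e.cmmc_level} below required level {required_cmmc_level}")
    return findings


# Constructed sample supply chain (fictitious names).
PRIME = "Acme Prime"
SAMPLE_ENTITIES = {e.name: e for e in (
    Entity("Acme Prime", 0, True, True, True, 2),
    Entity("Sub A", 1, True, True, True, 2),          # fully compliant first-tier sub
    Entity("Sub A-2", 2, False, False, True, 2),      # second tier: clause and 800-171 check missing
    Entity("Sub B", 1, True, True, False, 0),         # reports only to DoD, no CMMC certification
    Entity("Vendor C", 1, False, False, False, 0),    # receives no CUI, so no findings expected
)}
SAMPLE_FLOWS = (
    Flow("Acme Prime", "Sub A", ("CTI",)),
    Flow("Sub A", "Sub A-2", ("CTI",)),
    Flow("Acme Prime", "Sub B", ("PRVCY",)),
    Flow("Acme Prime", "Vendor C"),                   # commercial parts only, no CUI
)

if __name__ == "__main__":
    print("touches CUI:", cui_flow_map(SAMPLE_FLOWS, PRIME))
    for line in check_flowdown(SAMPLE_ENTITIES, SAMPLE_FLOWS, PRIME):
        print("FINDING:", line)
```

Two design points matter here. The "touches CUI" set is derived from the edges, so an entity the prime never contracted with directly (Sub A-2) still surfaces with its gaps, which is exactly the multi-tier problem the paragraph describes. And Vendor C produces no findings even though it is non-compliant, because no CUI flows to it; that is the "limit CUI to the minimum number of subcontractors" principle expressed as code, and it is the reason the CUI types on each edge must be recorded accurately rather than assumed.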
Frequently Asked Questions
What is CUI and how is it different from classified information?
CUI is information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy, but is not classified under Executive Order 13526 (national security classification). Unlike classified information (Confidential, Secret, Top Secret), CUI does not require a security clearance to access — but it still requires specific protection measures defined by NIST 800-171.
How do I know if my contract involves CUI?
Check the contract or solicitation for DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), references to Controlled Unclassified Information or Covered Defense Information, CUI markings on government-furnished information, or a DD Form 254 (Contract Security Classification Specification, which is issued for classified contracts but may also specify CUI handling). The contracting officer should identify CUI requirements, but contractors should proactively ask if unclear.
What happens if there is a CUI incident?
Under DFARS 252.204-7012, contractors must report cyber incidents involving CUI to the DoD within 72 hours of discovery. The report is submitted through the DIBNet portal. Contractors must preserve and protect images of affected systems for at least 90 days and provide the DoD access for forensic analysis if requested. Failure to report can result in contract termination and False Claims Act liability.
Do subcontractors need to protect CUI?
Yes. Prime contractors must flow down CUI protection requirements to all subcontractors who will handle CUI. This includes the DFARS 252.204-7012 clause, NIST 800-171 compliance requirements, incident reporting obligations, and CUI marking requirements. Subcontractors at every tier who touch CUI must implement the same protections as the prime contractor.