An email arrives from a federal contracting officer. Attached is a project document. Across the top, in block letters, it reads: CUI. You have no idea what that means, and the question “what is CUI?” sends you down a rabbit hole of policy memos. You forward it to your office manager. She has no idea either.
That is the moment this article is written for.
CUI stands for Controlled Unclassified Information. It is sensitive but unclassified information that the federal government creates, or that a contractor creates for the government, that a law or regulation says you must protect. Not classified. No security clearance needed. But real rules, and real consequences if you ignore them.
This guide skips the technical language and translates everything to plain English for the owner of a five-person company who just found out they handle CUI.
What You Will Learn
- What CUI actually means in plain English
- How to recognize a CUI document by its markings
- Which contract clauses trigger your CUI obligations
- What it really costs a small business to handle CUI properly
- The five biggest myths about CUI
What Is CUI? What It Actually Means
Before 2010, federal agencies used more than 100 different labels for sensitive but unclassified information. The Department of Defense (DoD) called it FOUO (For Official Use Only). The Department of Justice had LES (Law Enforcement Sensitive). The Department of Energy used OUO. Every agency had its own labels and its own rules. Nobody could keep track.
On November 4, 2010, President Obama signed Executive Order 13556 and replaced all of those labels with one: CUI. The program is codified at 32 CFR Part 2002, which took effect November 14, 2016. The National Archives and Records Administration (NARA), through its Information Security Oversight Office (ISOO), serves as the Executive Agent for the CUI program under EO 13556.
Plain-English definition: CUI is information the government creates or possesses, or that you create for the government, that a law or regulation says you must safeguard or limit who you share it with. Sensitive but not secret. No clearance needed. But real obligations attached.
CUI is not classified information. Classified material (Top Secret, Secret, Confidential) is governed by a different Executive Order, EO 13526, and requires a security clearance to access. CUI requires neither a clearance nor a classified storage system. It requires a baseline of good security practices.
How to Recognize a CUI Document
Banner Markings (Top of Every Page)
Per the NARA CUI Marking Handbook v1.1 (published December 6, 2016, updated May 24, 2019), every page of a CUI document must carry a banner marking at the top. Here is what you will see:
- CUI or CONTROLLED for standard CUI (called Basic CUI)
- CUI//SP-[CATEGORY] for Specified CUI, where the underlying law adds extra handling rules. Export-controlled information, for example, carries the banner CUI//SP-EXPT.
- Multiple categories are separated by //. A document with both export control and limited dissemination restrictions might read CUI//SP-EXPT//FEDCON.
The difference between Basic and Specified matters. Basic CUI means you follow the standard safeguards in 32 CFR Part 2002. Specified CUI means the underlying law adds rules on top of those. The NARA CUI Registry tells you which categories are Specified and what the extra rules are.
Other Markings to Know
- Footer: The banner marking repeats at the bottom of every page.
- Designation block: The first page carries a block identifying the originating agency, the applicable contract or program, and a point of contact.
- Email subject prefix: Emails containing CUI carry the prefix (CUI) in the subject line.
- Portion marks: In multi-classification documents, individual paragraphs may carry (CUI) marks to identify which sections contain controlled information.
If you receive a document with any of these markings, you are holding CUI and your handling obligations apply immediately.
The CUI Categories Small Businesses Actually Hit
NARA maintains the official CUI Registry with more than 100 categories organized into groupings. Most small businesses encounter a handful of them. Here are the ones that show up most often on federal contracts:
| Category | Plain-English Example |
|---|---|
| Procurement and Acquisition | The government’s internal scoring notes on competing bids and your own cost data submitted under a contract |
| Privacy / Personally Identifiable Information (PII) | Names and Social Security Numbers of federal employees on a project roster |
| Tax (Federal Taxpayer Information) | IRS data shared with a contractor building or maintaining a tax system |
| Export Control | Technical drawings subject to the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) |
| Financial | Pre-decisional federal budget data you receive as part of a financial consulting engagement |
| Proprietary Business Information | Confidential pricing from another contractor shared with you during a competitive evaluation |
| Controlled Technical Information (CTI) | Engineering drawings, software source code, or specifications for a defense system |
| Critical Infrastructure | Vulnerability assessments of energy grids or water systems |
The full registry is at archives.gov/cui/registry. If you are not sure whether information you received is CUI, look it up there by category name.
Which Contract Clauses Trigger CUI Obligations
The contract clause is the trip wire. If it appears in your contract, you have CUI obligations. Here are the four you need to know.
FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
Federal Acquisition Regulation (FAR) clause 52.204-21 covers Federal Contract Information (FCI), which is a broader category than CUI but often overlaps with it. FCI is any information provided by or generated for the government under a contract that is not intended for public release.
This clause appears in contracts across all civilian and DoD agencies, not just defense. It requires 15 basic safeguarding practices, such as limiting system access to authorized users, controlling external connections, and running malware protection. FAR 52.204-21 remains in force as a binding clause (confirmed active at acquisition.gov as of March 2026). The FAR 2.0 Companion Guide v2 uses model deviation language referencing this clause as FC 52.240-93, which agencies may adopt via class deviation; this is not a government-wide regulatory renumbering. If you see FAR 52.204-21 in your contract, those 15 requirements apply to you today. For a broader look at FAR compliance, see FAR Compliance for Small Businesses.
DFARS 252.204-7012: DoD Only
If you have a DoD contract, look for Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This is the clause that makes CUI compliance serious work for defense contractors.
DFARS 252.204-7012 uses the term Covered Defense Information (CDI), which means unclassified CUI in the DoD context. The clause requires you to:
- Implement the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security standard across all systems that process, store, or transmit CDI
- Report cyber incidents to the DoD within 72 hours via dibnet.dod.mil
- Preserve images of compromised systems for at least 90 days after you submit the incident report
Flow-down to subcontractors: per DFARS 252.204-7012(m), the clause must be included in subcontracts where performance involves covered defense information or operationally critical support. If your work as a sub touches either of those categories, the clause applies to you directly, regardless of whether your prime mentioned it. Search your subcontract for this clause number before starting work.
Proposed FAR CUI Rule (Status: Still Proposed as of May 2026)
On January 15, 2025, the FAR Council published a proposed rule in the Federal Register (Regulatory Identifier Number 9000-AN56) that would extend NIST SP 800-171 requirements to civilian agency contracts, not just DoD. The 60-day public comment period closed March 17, 2025. As of May 2026, this rule has not been finalized. It remains a proposal. Watch for updates at federalregister.gov.
CMMC: The Verification Framework
The Cybersecurity Maturity Model Certification (CMMC) is not a separate set of security rules. It is the verification framework DoD uses to confirm you are actually implementing NIST SP 800-171, not just claiming you are. Think of it this way: NIST 800-171 tells you what to do. CMMC verifies you did it.
CMMC has three levels:
- Level 1 (L1): 15 controls for companies that handle FCI but not CUI. Self-assessment.
- Level 2 (L2): 110 security requirements (all of NIST SP 800-171 Revision 2) for companies that handle CUI. This is where most small businesses with DoD contracts land.
- Level 3 (L3): 110 requirements plus additional NIST SP 800-172 enhancements, for the highest-sensitivity CUI programs.
The CMMC program rule (32 CFR Part 170) took effect December 16, 2024. The acquisition rule (48 CFR) took effect November 10, 2025. Phase 1 (self-assessments in DoD contracts) started November 10, 2025. Phase 2, when Certified Third Party Assessor Organizations (C3PAOs) begin conducting Level 2 assessments, starts November 10, 2026. Full implementation runs through November 10, 2028. For the full CMMC timeline and what it means for your specific contract, see CMMC Certification for Small Business.
NIST SP 800-171 in Plain English
NIST SP 800-171 is the security standard you must implement if your DoD contract contains DFARS 252.204-7012. Its full title is “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Published by the National Institute of Standards and Technology, it is available at no cost at csrc.nist.gov.
The current binding version for DoD contractors is Revision 2. It has 110 security requirements. NIST finalized Revision 3 on May 14, 2024, but DoD has not adopted it. DoD Class Deviation 2024-O0013 keeps Revision 2 as the binding standard for DoD contracts. In 2026, you are working from Revision 2.
The 14 Practice Areas, Translated for a 5-Person Company
These are not abstract security principles. Each one is a change your company has to make. DoD maps the 110 requirements across 14 practice areas for contract compliance purposes.
| Practice Area | What It Means for Your 5-Person Firm |
|---|---|
| Access Control | Every employee gets their own login. No shared accounts. Computers lock automatically after a short period of inactivity. Former employees lose access the same day they leave. |
| Awareness and Training | Everyone who touches CUI completes security training at least once a year. Keep records of who completed it and when. |
| Audit and Accountability | Your systems keep a log of who accessed what and when. If something goes wrong, you can pull the log and show what happened. |
| Configuration Management | You keep a written list of what software is approved on company devices. Employees do not install personal apps on work computers that touch CUI. |
| Identification and Authentication | Strong passwords and two-factor authentication on every account that can reach CUI. No exceptions, including the owner’s account. |
| Incident Response | You have a written plan for what to do if you get breached. If you have a DoD contract, you report to DoD within 72 hours of discovering an incident. |
| Maintenance | When someone repairs your computers or servers, you track who did the work and what they accessed. |
| Media Protection | Drives with CUI are encrypted. Old hard drives are wiped before disposal. Paper CUI is shredded, not put in the recycling bin. |
| Personnel Security | New hires who will touch CUI go through background checks. Employees who leave get cut off immediately, including remote access and email. |
| Physical Protection | The office is locked. Visitors sign in. Laptops with CUI do not sit in cars overnight or in hotel rooms unsecured. |
| Risk Assessment | You periodically check your systems for security gaps and document what you found and what you did about it. |
| Security Assessment | You test your own controls periodically. The self-assessment score you submit to the Supplier Performance Risk System (SPRS) is based on this work. |
| System and Communications Protection | Your websites use secure connections. Remote workers connect through a protected channel. Laptops use full-drive encryption. |
| System and Information Integrity | Antivirus is installed and kept current. Security patches get applied promptly. You watch for unusual activity on your network. |
Some of these you probably already do. Most small businesses starting from zero need outside help to get through the full list. That is what the cost section below addresses.
What CUI Compliance Really Costs
This is the question everyone asks and almost no one answers directly. Here are real ranges, anchored to DoD’s own regulatory analysis for 32 CFR Part 170 and the DFARS 252.204-7012 Regulatory Impact Analysis.
| Component | Cost Range | Notes |
|---|---|---|
| Self-assessment (Level 1) | $0 + 40-80 staff hours | DIY only. No consultant needed at L1. Time is the cost. |
| Gap assessment (Level 2) | $3,500 – $20,000 | An outside firm evaluates where you stand against all 110 requirements and tells you what needs fixing. |
| Remediation and implementation | $35,000 – $250,000+ | Tools, configurations, written policies, and anything else needed to close gaps the assessment found. |
| Compliance consultant | $15,000 – $40,000 | A consultant who walks you through all 110 requirements and helps you document your implementation. |
| Government-approved cloud (DoD CUI workloads) | $25 – $45 per user per month | Standard commercial Microsoft 365 and Google Workspace do not satisfy all DFARS 7012 controls. The common paths are Microsoft 365 GCC High, Azure Government, and AWS GovCloud. |
| Security tooling | $5,000 – $50,000 per year | Recurring annual cost, not a one-time purchase. |
| Level 2 third-party assessment (C3PAO) | $35,000 – $115,000 | Required for CMMC Level 2 certification starting November 10, 2026. DoD’s own three-year projection: $105,000 – $118,000 per the 32 CFR Part 170 Regulatory Impact Analysis. |
| Total to achieve Level 2 | $100,000 – $200,000+ first year | DoD’s internal estimate for annualized ongoing cost: approximately $160,000 per year per the DFARS 252.204-7012 Regulatory Impact Analysis. |
Those numbers are not worst-case. They are what DoD itself projects in its own regulatory analysis.
What do you do with that number? Three things small businesses are doing in 2026:
- Stay in non-CUI work. Not every federal contract involves CUI. Many IT services, administrative support, and professional services contracts do not. If you can build a sustainable pipeline without CUI contracts, that is a legitimate business decision.
- Join a managed secure environment. Some prime contractors and managed service providers operate CUI-compliant cloud environments that small subs can plug into. You use their CMMC-certified setup instead of building your own. The cost becomes a monthly fee instead of a six-figure capital investment.
- Team with a prime that hosts the CUI environment. As a subcontractor handling only non-CUI deliverables under a prime that manages all the CUI work, you may avoid the direct compliance burden. This requires careful review of your subcontract and an honest conversation with your prime about scope.
None of these options removes your obligation if your contract clause creates it. But they are real paths that small businesses use to handle the cost reality.
The Five Biggest Myths About CUI
The CUI and CMMC space has more misinformation than almost any other area of government contracting. Here are five claims that keep circulating, and why each one is wrong.
Myth 1: CUI is classified information. Wrong. CUI is explicitly unclassified. You do not need a security clearance to handle it. Classified information (Top Secret, Secret, Confidential) follows EO 13526 and requires a clearance. CUI follows EO 13556 and requires good security practices. These are two entirely separate systems.
Myth 2: Only DoD contractors handle CUI. Wrong. The Internal Revenue Service, Department of Health and Human Services, Department of Energy, and General Services Administration all have CUI in their programs. If you have a civilian agency contract that involves sensitive information, ask whether it involves CUI. The proposed FAR CUI Rule (RIN 9000-AN56, still proposed as of May 2026) would eventually extend NIST 800-171 to all civilian contracts, but the direction is already clear even before that rule finalizes.
Myth 3: If I am a sub, my prime handles compliance. Wrong. Per DFARS 252.204-7012(m), the clause must flow down to subcontracts where performance involves covered defense information or operationally critical support. If your work as a sub touches either category, your obligation runs directly between you and the clause in your subcontract. Your prime’s compliance does not cover you. Read your subcontract.
Myth 4: I can store CUI in regular Microsoft 365 or Google Workspace. Generally wrong for DoD work. Standard commercial Microsoft 365 and Google Workspace do not satisfy all DFARS 252.204-7012 controls and FedRAMP Moderate-equivalent requirements for DoD CUI. The standard paths are Microsoft 365 GCC High, Azure Government, and AWS GovCloud. This is one of the largest cost drivers for small businesses that currently run on commercial cloud tools.
Myth 5: CUI and CMMC are the same thing. Wrong. CUI is the data. CMMC is the verification that you are protecting the data correctly. CUI existed before CMMC. NIST SP 800-171 existed before CMMC. CMMC is the certification framework DoD built to verify that contractors are actually implementing what the standard requires, not just claiming they are.
Frequently Asked Questions
What does CUI stand for?
CUI stands for Controlled Unclassified Information. The CUI program was created by Executive Order 13556, signed by President Obama on November 4, 2010. It replaced more than 100 older agency-specific labels like FOUO (For Official Use Only) and SBU (Sensitive But Unclassified) with a single standardized system governed by NARA under 32 CFR Part 2002.
What is the difference between CUI and classified information?
CUI is unclassified. You do not need a security clearance to handle it. Classified information (Top Secret, Secret, Confidential) is governed by Executive Order 13526 and requires a formal clearance. CUI is governed by Executive Order 13556 and requires good security practices. A contractor can handle CUI on a standard federal contract with no clearance at all. The two systems are separate.
What is FOUO and how is it different from CUI?
FOUO (For Official Use Only) was one of the older agency labels that CUI replaced. Before 2010, agencies created their own sensitivity labels with their own rules. When 32 CFR Part 2002 took effect in November 2016, FOUO was retired and those documents were reclassified under the CUI framework. If you receive an older document marked FOUO, treat it as CUI. The handling obligations are equivalent.
Who has to comply with CUI requirements?
Any contractor that creates, receives, stores, or processes CUI on a federal contract must comply. The specific obligations depend on which contract clauses are present. FAR 52.204-21 applies to Federal Contract Information (FCI) across all agencies and requires 15 basic safeguarding practices. DFARS 252.204-7012 applies to Covered Defense Information (CDI) on DoD contracts and adds the NIST SP 800-171 requirement. Subcontractors whose work involves covered defense information or operationally critical support carry the same obligations as primes.
Is CUI only for DoD contractors?
No. Any federal agency can have CUI. The IRS has taxpayer information. HHS has health data. DOE has energy infrastructure data. GSA has procurement data. A civilian agency contract that involves sensitive information may include CUI even if the words DoD, defense, or CMMC never appear. The proposed FAR CUI Rule (RIN 9000-AN56, still proposed as of May 2026) would extend NIST SP 800-171 requirements to civilian contracts when finalized.
What is NIST SP 800-171?
NIST SP 800-171 is the security standard DoD contractors must implement to protect Covered Defense Information. Its full title is “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The current binding version for DoD is Revision 2, with 110 security requirements. NIST finalized Revision 3 on May 14, 2024, but DoD has not adopted it. Class Deviation 2024-O0013 keeps Revision 2 as the binding standard for DoD contracts through at least 2026.
How do I label CUI documents my company creates?
Every page of a CUI document must carry a banner marking at the top and a matching marking at the bottom. For standard CUI, the marking is CUI or CONTROLLED. For Specified CUI with extra handling rules, use CUI//SP-[CATEGORY]; for example, CUI//SP-EXPT for export-controlled information. The first page should include a designation block identifying the originating agency, contract, and contact. Emails containing CUI carry (CUI) in the subject line. The NARA CUI Marking Handbook v1.1 is the authoritative source for marking requirements.
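The marking rules from How to Recognize a CUI Document and this answer, turned into an added Python example that is not part of the original article: it parses a banner such as CUI//SP-EXPT//FEDCON into Basic and Specified categories and dissemination controls, checks that every page repeats the banner at top and bottom, and checks the (CUI) email subject prefix. The limited-dissemination list beyond FEDCON, the assumption that the banner is identical on every page, and the two-page sample document are mine, not the article's.

```python
from dataclasses import dataclass, field

# Limited dissemination controls recognized here. FEDCON appears in the article;
# the rest are taken from the NARA CUI Marking Handbook. Assumption: this subset
# is enough for the documents you receive; extend it if your agency uses others.
LIMITED_DISSEMINATION = {"NOFORN", "FEDCON", "FED ONLY", "NOCON", "DL ONLY"}
CONTROL_INDICATORS = {"CUI", "CONTROLLED"}


@dataclass
class Banner:
    indicator: str                                   # CUI or CONTROLLED
    specified: list = field(default_factory=list)    # categories marked SP-
    basic: list = field(default_factory=list)        # categories without SP-
    dissemination: list = field(default_factory=list)

    @property
    def is_specified(self) -> bool:
        # Any SP- category means the underlying law adds handling rules
        # on top of the standard safeguards in 32 CFR Part 2002.
        return bool(self.specified)


def parse_banner(text: str):
    """Parse a banner such as 'CUI//SP-EXPT//FEDCON'.

    Returns a Banner, or None when the line is not a CUI banner at all.
    """
    parts = [p.strip() for p in text.strip().upper().split("//")]
    if parts[0] not in CONTROL_INDICATORS:
        return None
    banner = Banner(indicator=parts[0])
    for token in parts[1:]:
        if not token:
            continue
        if token.startswith("SP-"):
            banner.specified.append(token[3:])
        elif token in LIMITED_DISSEMINATION:
            banner.dissemination.append(token)
        else:
            banner.basic.append(token)
    return banner


def check_pages(pages):
    """Check that every page carries the same banner as its first and last line.

    Returns a list of problems; an empty list means the markings are consistent.
    """
    problems = []
    expected = None
    for n, page in enumerate(pages, start=1):
        lines = [ln.strip().upper() for ln in page.splitlines() if ln.strip()]
        if not lines or parse_banner(lines[0]) is None:
            problems.append(f"page {n}: missing banner at top")
            continue
        expected = expected or lines[0]
        if lines[0] != expected:
            problems.append(f"page {n}: banner differs from page 1")
        if len(lines) < 2 or lines[-1] != lines[0]:
            problems.append(f"page {n}: footer does not repeat banner")
    return problems


def is_cui_subject(subject: str) -> bool:
    """Emails containing CUI must start their subject line with (CUI)."""
    return subject.lstrip().upper().startswith("(CUI)")


# Constructed two-page document used to exercise the checks (not a real file).
SAMPLE_PAGES = [
    "CUI//SP-EXPT//FEDCON\nDesignation block: [agency], [contract]\nBody...\nCUI//SP-EXPT//FEDCON",
    "CUI//SP-EXPT//FEDCON\nMore body text.\nCUI//SP-EXPT//FEDCON",
]
```

Run check_pages over the text of each page of a document you produce before it goes out; a non-empty result is a marking defect to fix, and a None from parse_banner on an incoming document's first line means you are not looking at a CUI banner.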
What happens if I mishandle CUI?
Consequences depend on the category of CUI and the nature of the mishandling. At minimum, a contractor faces contract default and potential termination for breach. Debarment from federal contracting is possible for serious or repeated violations. The False Claims Act creates civil liability if you certify CMMC compliance and later fail to meet the standard, a risk the Department of Justice actively pursues through its Civil Cyber-Fraud Initiative.
For certain categories of CUI, the underlying law may impose its own penalties. Mishandling of IRS taxpayer data, for example, carries statutory penalties under tax law. If you have a DoD contract, you must also report cyber incidents to DoD within 72 hours via dibnet.dod.mil. Failure to report a known incident is itself a violation under DFARS 252.204-7012.
Do This Monday
- Search your active contracts for the words “CUI” and “Controlled Unclassified Information.” If you find either phrase, you handle CUI. Write it down with the contract number.
- Search your contracts for FAR 52.204-21. Finding this clause means you have Federal Contract Information obligations and the 15 basic safeguarding requirements apply.
- If you have a DoD contract, search for DFARS 252.204-7012. That clause triggers NIST SP 800-171 and the 72-hour cyber incident reporting requirement.
- Calculate the annual revenue you receive from contracts that touch CUI. Compare that number to the $100,000 – $200,000+ first-year compliance cost. That comparison is your business case for deciding how to proceed.
- If the compliance math does not work yet, call your prime contractor and ask whether they offer a managed CUI environment for subs. Many large primes do. It is a faster and cheaper path than building your own setup from scratch.