As cyber threats grow more sophisticated, the U.S. Department of Defense (DoD) is raising the bar for cybersecurity across its contractor base. One of the most critical elements in this effort is the protection of Controlled Unclassified Information (CUI)—sensitive data that, while not classified, still demands strict handling. For contractors within the Defense Industrial Base (DIB), understanding and safeguarding CUI isn’t just a best practice—it’s a contractual requirement under the Cybersecurity Maturity Model Certification (CMMC). This blog explores what CUI is, how it fits into the CMMC framework, and what contractors must do to protect it.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) refers to sensitive government data that requires safeguarding but does not rise to the level of classified information. It was formally established under Executive Order 13556 to standardize how executive agencies manage and protect this category of information.

Examples of CUI include:

• Personal data (e.g., Social Security numbers)
• Proprietary business information
• Law enforcement or legal materials
• Critical infrastructure data
  
  

To help organizations identify and protect this information, the National Archives and Records Administration (NARA) maintains the official CUI Registry, which outlines the categories of CUI and associated safeguarding or dissemination rules.

CUI is broken into two subtypes: CUI Basic, which follows standard safeguarding protocols, and CUI Specified, which includes enhanced protections mandated by law or regulation.

FCI vs. CUI vs. Classified Information

Organizations working with the U.S. government—especially the Department of Defense (DoD)—must understand the distinctions between various types of sensitive information:

• Federal Contract Information (FCI): Defined by FAR 52.204-21, this includes information not intended for public release and provided or generated under a government contract. FCI triggers CMMC Level 1 requirements.
• Controlled Unclassified Information (CUI): Broader than FCI, CUI includes sensitive government data requiring protection but not classified by law. Handling CUI invokes CMMC Level 2 or higher.
• Classified Information: National security information protected by law and accessible only with the appropriate security clearance.
  
  

Knowing which type of information your organization handles is critical for determining your CMMC obligations and ensuring ongoing DoD contract eligibility.

CUI in the CMMC Framework

The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s standardized framework for safeguarding sensitive information across the Defense Industrial Base (DIB). CUI is a core component, and protecting it requires implementation of CMMC Level 2 or 3 controls.

CMMC Levels at a Glance:

Level 1 – Foundational
For FCI

• 17 basic cybersecurity practices
• Self-assessment required annually
  
  

Level 2 – Advanced
For CUI

• 110 controls from NIST SP 800-171
• Third-party assessments required for most organizations
• Some self-assessment allowed if not handling critical national security data
  
  

Level 3 – Expert
For highly sensitive CUI in high-threat environments

• Based on NIST SP 800-172
• Government-led assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

CUI protection begins at Level 2. Contractors must demonstrate full implementation of all 110 NIST controls, including areas such as access control, incident response, and data integrity.

How to Achieve and Maintain CMMC Compliance

Preparing for CMMC certification involves more than just checking a box. It requires a structured, ongoing commitment to cybersecurity. Here’s how contractors can prepare effectively:

1. Assess Your Current Posture

Start with a gap assessment against your target CMMC level, identifying any policy or technical shortfalls. This should include:

• Reviewing your existing NIST 800-171 implementations
• Evaluating system documentation and user access
• Identifying missing controls or weak points
  
  

2. Remediate Gaps

Next, update your environment to close any gaps:

• Implement or upgrade technical controls
• Update cybersecurity policies and procedures
• Conduct user training and awareness sessions
  
  

3. Undergo Formal Assessment

If you’re seeking CMMC Level 2 certification, schedule an audit with a Certified Third Party Assessment Organization (C3PAO). These organizations are accredited by the Cyber AB to perform official evaluations.

⚠️ Only some Level 2 contractors may self-assess—check your contract for details.

4. Maintain Compliance

Cybersecurity isn’t a one-time effort. Contractors must:

• Conduct ongoing monitoring and self-assessments
• Stay current with changes to CMMC 2.0
• Reassess and recertify every three years (for Levels 2 and 3)
  
  

Why CUI Compliance Matters

CUI may not be classified, but its protection is essential to national security. Unauthorized disclosure—whether due to weak access controls, lack of training, or poor system design—can have ripple effects across government operations and defense capabilities.

Contractors handling CUI must rise to the challenge with strong, NIST-aligned cybersecurity practices. With CMMC 2.0 Level 2 becoming a contractual requirement, failure to comply means losing DoD business opportunities.

Secure Your Future with RSI Security

CMMC compliance, especially for organizations managing CUI, requires precision, discipline, and experience. RSI Security is a Certified RPO with a proven track record of guiding DoD contractors through the CMMC process—from gap assessments to successful certification.

Contact RSI Security today to prepare your organization for full compliance and long-term success in the Defense Industrial Base.