What is CUI ?

CUI – Controlled Unclassified Information is a subset of FCI, which is subject to stricter controls and protection requirements. 32 CFR 2002.4 defines CUI as “information the government creates, or possesses, or that an entity creates or possesses for or on behalf of the Government that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls”. CUI is not classified information. Like FCI, CUI is not for public release, but CUI requires specific safekeeping. All CUI is FCI, but not all FCI is CUI.

How do you know if you have CUI?

The National Archives and Records Administration (NARA) provides information on examples of CUI and their marking requirements. All CUI is required to be marked as such. Examples of data which NARA has designated CUI include: Controlled Technical Information, Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, and Unclassified Controlled Nuclear Information – Defense. Other examples include technical drawings and blueprints, intellectual property and ITAR controlled documents or products. NARA has also implemented a CUI registry for additional CUI categories.

CUI you received from the Government will be marked in accordance with NARA’s marking requirements. Your contract may also specify data you are generating is to be considered CUI. You will find this information under the DFARS 7012 language in your contract or in a Security Classification Guide for your contract’s program.

The key to identifying if you are working with, or will be working with CUI, is to read your contract carefully, looking for CUI language or the relevant CUI regulations. CUI is protected under CMMC 2.0 Level 2, so if your contract has CMMC Level 2 requirements, you are dealing with CUI.

What Laws and Regulations apply to you?

As CUI is a part of FCI, it is covered under Federal Acquisition Regulation (FAR) 52.204-21 “Basic Safeguarding of Covered Contractor Information Systems” with 15 security controls organizations must implement to protect CUI. These controls are a part of the 110 NIST 800-171 controls which are required under the Defense Federal Acquisition Regulation (DFARS 252.204-7020 “NIST SP 800-171 DoD Assessment Requirements”. These 110 controls make up the bulk of CMMC 2.0 Level 2 controls required under DFARS 252.204-7021 “Cybersecurity Maturity Model Certification Requirements”.

Marking Requirements 

NARA – At a minimum all CUI must be marked with a CUI header at the top of any documents or other human readable data. CUI which you receive from the Government will be marked, however you are responsible for marking any CUI you create in accordance with NARA’s CUI marking guidance.


CUI must be protected according to the requirements laid out in CMMC 2.0 Level 2. See our article on CMMC for more information.

What about FCI?

All CUI is FCI, but not all FCI is CUI. Both are not for public release, but CUI has stricter protection requirements.

How can we Help?

Here at SherTech we can help you every step of the way, from reviewing contracts, to CMMC Gap Assessments, Vulnerability Scanning, Risk Assessment, and comprehensive CMMC Level 2 implementation.