CUI Handling for Federal Contractors: What the FAR Rule Requires and Where Organizations Go Wrong
Controlled Unclassified Information is sensitive government data that federal law requires contractors to protect using the NIST SP 800-171 controls. The FAR CUI rule proposed in January 2025 would extend those requirements across all federal contracting, not just Department of Defense work. Contractors who handle CUI without a defined scoping process, proper access controls, and marked documents face CMMC certification risk, contract performance problems, and potential False Claims Act liability.
What Is CUI and Why Does It Matter for Federal Contractors?
Controlled Unclassified Information (CUI) is information the federal government has determined requires safeguarding under law, regulation, or government-wide policy. It is not classified information. However, it is also not public information. CUI occupies the space in between: sensitive enough to require protection, but not sensitive enough to warrant a security classification.
The legal framework for CUI comes from Executive Order 13556, signed in November 2010 and implemented through 32 CFR Part 2002 and the National Archives (NARA) CUI Registry. The Registry defines more than 100 authorized CUI categories across roughly 20 groupings, from technical data and export controls to privacy information and legal materials.
The Federal Definition of CUI
CUI is information the government creates or possesses, or that a contractor creates or possesses on the government's behalf, that a law, regulation, or government-wide policy requires to be safeguarded or disseminated with controls. The keyword is "requires": if a legal authority mandates protection of that type of information, it is CUI. That status does not depend on an official applying a label. If the information falls within a defined CUI category, the obligation exists whether or not the document is formally marked.
As a result, many contractors handle CUI without recognizing it. A statement of work with pricing details, an engineering drawing produced under a DoD contract, or a spreadsheet of subcontractor performance data can each qualify as CUI depending on its origin and content.
CUI vs. Classified Information: The Distinction That Trips Up Contractors
Classified information requires a formal classification authority and clearance to access. CUI does not. Instead, CUI is protected through access controls, marking, handling procedures, and cybersecurity safeguards defined by the relevant CUI category. However, the absence of a classification marking does not mean a document containing CUI can be handled freely.
This distinction trips up contractors regularly. Organizations that have successfully managed classified information often assume their procedures also cover CUI. In reality, CUI compliance involves a different set of controls, marking requirements, and regulatory framework. That said, both require a disciplined approach to identifying what information exists and where it flows.
Where CUI Exists in a Typical Federal Contractor Organization
One of the most common CUI compliance failures is incomplete scoping. Most contractors can identify CUI in their formal engineering files and technical vaults. What they miss is the CUI that flows through everyday business systems.
CUI in Technical and Program Operations
Technical CUI is the category most defense contractors recognize. It includes engineering drawings and design specifications, software source code developed under government contracts, test plans and test data, export-controlled technical data (often overlapping with ITAR and EAR requirements), and system security plans and network diagrams for controlled systems.
Program management data frequently contains CUI as well: contract statements of work, cost and volume proposals, subcontractor selection data, and performance assessment reports can all carry CUI designations depending on the contract and the authority cited.
CUI in Administrative and Business Operations
This is where scoping failures are most common. Administrative CUI includes personnel records, background investigation data, and security clearance information. It includes legal correspondence related to government contracts, particularly attorney-client communications regarding contract disputes or compliance matters. It also includes financial data tied to government program performance and procurement-sensitive pricing information.
CUI also flows through business systems that most contractors do not treat as part of their compliance boundary. Email is the most significant example. Contracting officers routinely send CUI by email; employees forward those messages to colleagues, save attachments to personal cloud storage, or discuss contract details in collaboration tools such as Microsoft Teams or Slack. A contractor whose formal document management system is tightly controlled may therefore still have CUI scattered across personal inboxes and unsecured shared drives.
What the January 2025 FAR CUI Rule Actually Requires
The FAR CUI rule (FAR Case 2017-016) was published as a proposed rule in the Federal Register on January 15, 2025. It extends CUI handling requirements across all federal contracting, not just DoD, by adding FAR subpart 4.19 and a new contract clause that requires agencies to identify CUI in contracts and contractors to protect it accordingly.
Agency Obligations: CUI Identification in Contracts
Under the rule, federal agencies must identify whether a contract involves CUI before award. If CUI is present, the agency must include the appropriate contract clause and specify the CUI categories involved. This addresses a longstanding problem: contractors were expected to comply with CUI requirements but often received no clear guidance on what information in the contract was actually designated CUI.
In practice, contractors should expect solicitations and contracts issued under the clause to carry explicit CUI designations. Legacy contracts and modifications will lag behind, so contractors cannot rely solely on agency designations and should run their own CUI scoping assessment.
Contractor and Subcontractor Obligations
Contractors whose systems process, store, or transmit CUI must protect that information using the security requirements in NIST SP 800-171. Revision 2, the version CMMC Level 2 assesses against, contains 110 requirements in 14 families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Revision 3 reorganizes the same ground into 97 requirements across 17 families, so check which revision your contract or assessment cites before building a control inventory.
Contractors must also flow CUI handling requirements down to subcontractors that receive or generate CUI under the prime contract; the prime is responsible for ensuring those subcontractors understand their obligations and have protections in place. Contractors must mark CUI using the standard banner marking format and keep records of the CUI handled under the contract.
Common CUI Handling Mistakes and How to Avoid Them
Most CUI compliance failures are not the result of deliberate noncompliance. Rather, they stem from incomplete scoping, technology assumptions, and process gaps that organizations do not discover until a compliance assessment or incident surfaces them.
Scoping and Classification Errors
The most consequential mistake is drawing the CUI boundary too narrowly. Organizations focus on the engineering vault and the formal document management system and overlook email, collaboration tools, mobile devices, and personal cloud storage. A complete scoping assessment follows the data, not just the systems: it maps every location where CUI is created, received, stored, processed, or transmitted.
A related mistake is treating all CUI as identical. CUI Specified categories, including export-controlled technical data under ITAR or the EAR and information with intelligence community designations, carry handling requirements from their underlying authorities that go beyond the CUI Basic baseline. An organization that applies a single handling policy across every information type may under-protect those categories. Build handling procedures around the most restrictive category present in your environment.
Technology and Access Control Gaps
Using commercial cloud services for CUI is one of the most common and risky gaps. DFARS 252.204-7012(b)(2)(ii)(D) requires that any external cloud service used to store, process, or transmit covered defense information meet the FedRAMP Moderate baseline (or equivalent), and the provider must also support the clause's incident-reporting and forensic obligations in paragraphs (c) through (g). Standard Microsoft 365 Commercial and Google Workspace tenants are not contracted to those terms by default, and for ITAR technical data the US-persons and US-location constraints rule them out. The usual baseline is Microsoft 365 GCC or GCC High, or an equivalent FedRAMP Moderate-authorized environment whose contract includes the DFARS 7012 commitments; verify both the authorization and the contract terms for the specific service before CUI lands in it.
Many contractors also share CUI over video conferencing without asking whether screen-shared documents and recordings land in compliant storage. Access control is often overly broad as well: employees who do not need CUI for their roles still have access to it. Least privilege is an explicit requirement in NIST SP 800-171 (3.1.5, practice AC.L2-3.1.5 in CMMC numbering) but is rarely enforced consistently. Tego's guide to cloud enclaves for CMMC compliance covers how to architect compliant environments for CUI-handling systems.
How CUI Connects to CMMC, DFARS, and the Broader Compliance Picture
CUI is not a standalone compliance topic. It sits at the center of the entire federal contractor compliance framework.
CMMC Level 2 exists specifically to protect CUI. Every one of the 110 NIST SP 800-171 controls is designed to protect CUI in non-federal systems. Therefore, a contractor’s CMMC Level 2 assessment is fundamentally an assessment of how well they protect CUI. Organizations that have not completed a thorough CUI scoping exercise cannot accurately assess their CMMC readiness. Learn more about how CMMC compliance implementation works and the role of a VAR-RPO in closing the gap between advisory and execution.
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) applies whenever a DoD contract involves CUI. The DFARS CMMC final rule published September 10, 2025 (effective November 10, 2025) finalized clause 252.204-7021 and makes the required CMMC status a condition of contract award. The shared responsibility model in cloud environments also means contractors cannot assume the provider protects CUI on their behalf; CMMC, NIST SP 800-171, and DFARS define contractor obligations that a cloud provider's standard terms do not satisfy.
Common CUI Categories for Defense and Federal Contractors
| CUI Category | Examples | Common Location in Org |
| --- | --- | --- |
| Technical | Engineering drawings, design specs, software source code, test data | PLM/PDM systems, engineering drives, email |
| Export Controlled | ITAR-controlled technical data, EAR-controlled software | Engineering systems, export compliance files |
| Procurement | Contract SOWs, cost/volume proposals, source selection data | Contracts team, legal, email |
| Privacy | Personnel records, SSNs, background investigation data | HR systems, email, shared drives |
| Legal | Attorney-client communications on government contracts, litigation holds | Legal files, email |
| Critical Infrastructure | Network diagrams for controlled systems, facility security plans | IT systems, security files |
| Financial | Government program cost data, contractor proprietary pricing | Finance systems, email, contract files |
Practical Steps to Improve Your CUI Posture
Improving CUI compliance starts with knowing where your CUI actually lives. The steps below apply to any federal contractor, regardless of current CMMC level or contract type.
Conduct a CUI Scoping Assessment
A CUI scoping assessment maps every system, process, and location where CUI is created, received, stored, processed, or transmitted: formal document systems, email, collaboration platforms, cloud storage, mobile devices, and physical media. The output is a CUI data flow diagram and a list of every system inside your CMMC assessment boundary.
Review contracts and incoming solicitations for CUI designations, and interview program managers, contracts staff, and IT personnel to find CUI flows that formal system documentation does not capture. The exercise routinely turns up CUI in places the organization did not anticipate.
Address the Three Most Common Gaps
First, migrate CUI out of non-compliant cloud services into a FedRAMP Moderate-authorized environment whose terms include the DFARS 252.204-7012 commitments. If any contract work involving CUI runs through standard Microsoft 365 Commercial, that is the highest-priority remediation item. Second, implement and enforce least-privilege access: review who can reach CUI-containing systems and remove access for roles that do not require it. Third, establish and train on a CUI marking and handling procedure. Employees who cannot identify, mark, and handle CUI are a significant compliance risk no matter how strong the technical controls are.
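One way to make the scoping and marking steps above concrete is to scan text exported from each storage location for CUI banner markings and flag any that sit outside the declared boundary. The script below is an added example, not code from the original page or from Tego. The location names, boundary list, and sample documents are constructed; the banner syntax it parses ("CUI" or "CONTROLLED", then "//"-separated category and dissemination portions, with multiple categories separated by "/") follows the NARA CUI Marking Handbook.

```python
"""
Added example (not from the original page): scan text exported from several
storage locations for CUI banner markings and report any marked CUI that sits
outside the declared CUI boundary. Location names, the boundary list, and the
sample documents below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Limited dissemination control markings from the CUI Registry; "REL TO ..." is
# matched by prefix because it carries a country list.
LDC_MARKINGS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}

# A banner marking occupies a line by itself: "CUI", "CUI//SP-CTI",
# "CUI//SP-CTI/SP-EXPT//NOFORN" or "CONTROLLED//PRVCY". Requiring the whole
# line keeps ordinary prose mentions of "CUI" from being counted as markings.
BANNER_LINE = re.compile(
    r"^\s*(?:CUI|CONTROLLED)(?P<rest>(?://[A-Z0-9 /,-]+)*)\s*$", re.MULTILINE
)


@dataclass(frozen=True)
class Marking:
    categories: tuple  # e.g. ("SP-CTI",); empty for a plain "CUI" banner
    ldc: tuple         # limited dissemination controls, e.g. ("NOFORN",)
    specified: bool    # True when any category carries the SP- prefix


def parse_banner(rest):
    """Split the text after the control marking into categories and LDCs."""
    categories, ldc = (), ()
    for segment in rest.split("//"):
        items = tuple(i.strip() for i in segment.split("/") if i.strip())
        if not items:
            continue
        if all(i in LDC_MARKINGS or i.startswith("REL TO") for i in items):
            ldc += items
        else:
            categories += items
    return Marking(categories, ldc, any(c.startswith("SP-") for c in categories))


def find_markings(text):
    """Return every banner marking that appears on its own line in the text."""
    return [parse_banner(m.group("rest")) for m in BANNER_LINE.finditer(text)]


def scoping_findings(samples, in_boundary):
    """Return (location, marking) pairs for marked CUI found outside the boundary."""
    findings = []
    for location, text in samples.items():
        if location in in_boundary:
            continue
        findings.extend((location, marking) for marking in find_markings(text))
    return findings


# Constructed inventory: systems declared inside the CUI enclave ...
IN_BOUNDARY = {"gcc-high-sharepoint", "plm-vault"}

# ... and constructed text exported from locations the scoping interviews surfaced.
SAMPLES = {
    "gcc-high-sharepoint": "CUI//SP-CTI//NOFORN\nDrawing 12-3456, bracket assembly\n",
    "plm-vault": "CUI//SP-CTI\nTest plan, qualification unit\n",
    "personal-onedrive": "CUI\nStatement of work, pricing volume attached\n",
    "hr-share": "CONTROLLED//PRVCY\nBackground investigation summary\n",
    # Unmarked CUI: a marking scan cannot catch this; interviews and data-flow
    # mapping have to.
    "slack-export": "can you send me the latest drawing for the bracket? thx\n",
}


if __name__ == "__main__":
    for location, marking in scoping_findings(SAMPLES, IN_BOUNDARY):
        kind = "CUI Specified" if marking.specified else "CUI Basic"
        print(f"{location}: {kind} {marking.categories} {marking.ldc} outside boundary")
```

Run as written, it reports the personal OneDrive and HR share as out-of-boundary CUI locations and stays silent on the Slack export, which is the point of the constructed sample: a marking scan only finds CUI that someone marked, so the interviews and data flow mapping described above remain the primary scoping tool, and the scan is a cheap cross-check on them. The `specified` flag is what lets you apply the most-restrictive-category rule from the scoping section when deciding which enclave a location's data must move into.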
Frequently Asked Questions: CUI Handling for Federal Contractors
Understanding CUI and the FAR Rule
What is CUI, and how does information become CUI?
CUI stands for Controlled Unclassified Information. Information is CUI when a specific law, federal regulation, or government-wide policy requires it to be safeguarded or disseminated with controls. The designation follows from the type of information, not from a classification decision by an individual official. The National Archives CUI Registry lists every authorized category and the legal authority behind it.
Does the FAR CUI rule apply only to DoD contractors?
No. The FAR CUI rule proposed in January 2025 applies to all federal contracts. Previously, the most specific CUI handling requirements appeared in DFARS, which covers only DoD procurement. The FAR rule extends baseline CUI protections to civilian agency contracts, so contractors that work with multiple agencies must meet CUI handling requirements across all of their government work, not only their DoD contracts.
What is NIST SP 800-171?
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines the security requirements for protecting CUI in nonfederal systems. It is the technical baseline for DFARS 252.204-7012 compliance and CMMC Level 2 certification; if your systems handle CUI, it defines the controls you must implement. Revision 2, which CMMC Level 2 assesses against, has 110 requirements covering access control, audit logging, incident response, configuration management, media protection, and nine other families.
Do CUI documents have to be marked?
Yes. 32 CFR 2002.20 requires a banner marking of "CUI" or "CONTROLLED" at the top of each page (DoD marking guidance repeats it at the bottom), followed where applicable by category markings (mandatory for CUI Specified, for example CUI//SP-CTI) and any limited dissemination control markings (for example CUI//SP-CTI//NOFORN). A common misconception is that unmarked CUI is not CUI. The obligation to protect CUI follows from the content of the information, not from the presence of a marking. That said, unmarked CUI creates audit gaps and makes compliance harder to demonstrate during a C3PAO assessment.
Scoping, Cloud, and Subcontractor Questions
Can we use standard Microsoft 365 or Google Workspace for CUI?
Standard commercial tenants of Microsoft 365 and Google Workspace do not meet CUI handling requirements for defense work. DFARS 252.204-7012 requires that cloud services used for CUI meet at least the FedRAMP Moderate baseline (or equivalent) and support the clause's incident-reporting and forensic obligations. For most defense contractors that means Microsoft 365 GCC or GCC High, and GCC High for categories with additional handling requirements, including most ITAR-controlled technical data. Commercial licensing does not provide the data residency, personnel screening, or contractual commitments those requirements demand; check the provider's FedRAMP authorization and DFARS 7012 terms for the specific service before moving CUI into it.
Do CUI requirements apply to subcontractors?
Yes. Subcontractors that receive or generate CUI under a prime contract are subject to the same CUI handling requirements as the prime, and the prime is responsible for flowing those requirements down and verifying that subcontractors have appropriate protections in place. In practice, prime contractors should include CUI handling clauses in subcontract agreements, request evidence of subcontractor compliance, and document their verification process. Failure to manage subcontractor CUI handling is itself a compliance gap that can surface during a CMMC assessment.
How does CUI scoping affect CMMC assessment scope?
Your CUI scoping assessment directly determines the scope of your CMMC assessment. Every system that processes, stores, or transmits CUI falls within the CMMC boundary, so a broader CUI footprint means a larger, more complex, and more expensive assessment. One of the most effective ways to reduce CMMC scope and cost is to consolidate CUI into a well-defined, isolated environment; a cloud enclave purpose-built for CUI handling can dramatically reduce the number of systems in scope.
Understand Your CUI Obligations Before Your Next Assessment
CUI compliance is not a one-time project. Rather, it requires knowing where your CUI lives, implementing the right controls in the right systems, and maintaining that posture as your contracts and technology environment evolve. Ultimately, organizations that treat CUI scoping as a living process are far better positioned at the time of assessment than those that complete it once and move on.
Tego helps federal contractors and defense suppliers scope their CUI environment, identify handling gaps, and build the technical and procedural controls required for CMMC compliance. Contact us to schedule a CUI scoping consultation.
Resources and Primary Sources
National Archives CUI Registry: https://www.archives.gov/cui
32 CFR Part 2002 (CUI Regulation): https://www.ecfr.gov/current/title-32/subtitle-B/chapter-XX/part-2002
NIST SP 800-171 Rev. 3: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/final
DoD CMMC Program: https://dodcio.defense.gov/CMMC/
FAR (acquisition.gov): https://www.acquisition.gov/far/