CUI Handling Requirements Checklist: What You Must Have in Place Before Your Next Audit

Why CUI Handling Requirements Demand Your Attention Right Now

If your organization touches federal contracts, there is a high probability you are already receiving, generating, or transmitting Controlled Unclassified Information. The question is not whether CUI flows through your environment — it is whether you are handling it correctly and whether you can prove it under audit pressure.

The National Archives and Records Administration (NARA) CUI Program, implemented through 32 CFR Part 2002 and reinforced by DFARS clause 252.204-7012, establishes specific obligations for how contractors must identify, mark, protect, store, transmit, and dispose of CUI. When auditors arrive — whether from the Defense Contract Management Agency, the DCSA, or a C3PAO conducting a CMMC assessment — they will expect documented evidence that your program is operational, not aspirational.

This checklist is designed for compliance managers and executives at defense contractors, federal agencies, and regulated industry organizations. Use it to identify gaps before they become findings. For a foundational overview, our post on What is Controlled Unclassified Information (CUI) is a useful starting point if your team needs to build shared understanding first.

Section 1: CUI Identification and Categorization

You cannot protect what you have not identified. Auditors consistently find that contractors handle information reactively rather than systematically. Before your next review, confirm the following:

  • CUI Registry alignment: Your team has reviewed the NARA CUI Registry and mapped the categories of CUI your organization encounters — whether that is Export Controlled, Privacy, Procurement and Acquisition, or others.
  • CUI Basic vs. CUI Specified distinction: Staff understand the difference between CUI Basic and CUI Specified and apply the correct handling rules for each.
  • Data flow mapping: You have documented where CUI enters your organization, where it is processed, where it is stored, and where it exits — including subcontractor and vendor touchpoints.
  • System boundary definition: Your System Security Plan (SSP) accurately describes the systems that process, store, or transmit CUI and your defined CUI boundary is current.

Section 2: Marking and Labeling

Improper or inconsistent CUI marking is one of the most frequently cited deficiencies in federal contractor audits. The requirement is not optional — 32 CFR Part 2002 mandates that CUI be marked at the time of creation or receipt. Check that you have these controls in place:

  • Physical documents: All printed CUI is marked with the appropriate CUI designation banner, including category markings where required for CUI Specified.
  • Electronic files: Digital documents, spreadsheets, drawings, and emails containing CUI are labeled using an approved method — whether through Microsoft Information Protection, manual header/footer application, or another approved mechanism.
  • Email handling: Users know how to mark CUI in subject lines and message bodies, and your organization has technical controls or written procedures to enforce this.
  • Marking training: Employees have received documented training on what CUI looks like, what categories apply to your work, and how to apply markings consistently.

Our post on Microsoft AIP for CUI and ITAR data labeling covers practical approaches to automating the marking process within Microsoft 365 environments.

Section 3: Access Controls and Need-to-Know

Access to CUI must be limited to authorized users with a legitimate need to know. This is a core requirement under NIST SP 800-171 and directly maps to multiple CMMC Level 2 practices. Verify the following before your audit:

  • Role-based access controls: Access to systems containing CUI is granted based on defined roles, and those roles are reviewed at least annually or when personnel changes occur.
  • Least privilege enforcement: Users do not have administrative rights or broader access than their job function requires.
  • Multi-factor authentication: MFA is enforced for all accounts with access to CUI, including remote access scenarios.
  • User account lifecycle management: Procedures exist to promptly revoke access when employees are terminated, transferred, or change roles.
  • Third-party access: Vendors and subcontractors who access CUI have signed applicable agreements and are subject to your access control policies.

Section 4: Physical Protections for CUI

Physical security is an area in which organizations frequently underinvest relative to technical controls. NIST SP 800-171 Revision 3 and CMMC both address physical protection requirements explicitly. Your checklist should include:

  • Controlled work areas: Areas where CUI is discussed, displayed, or processed are restricted to authorized personnel only.
  • Visitor management: Visitors are escorted, logged, and prevented from accessing areas or systems containing CUI. Visitor badging procedures are enforced.
  • Secure storage: Physical CUI documents are stored in locked cabinets or controlled spaces when not in use.
  • Clean desk policy: Written policy prohibits leaving CUI unattended on desks, printers, or in common areas, and employees can demonstrate awareness.
  • Remote work controls: Employees working from home or remote locations have guidance on physical security of CUI — covering screens, printed materials, and secure disposal.

Organizations handling export-controlled technical data should also reference our analysis of NIST SP 800-171 Revision 3 to understand how updated physical and environmental controls affect your program.

Section 5: Transmission and Storage Controls

How CUI moves through and out of your organization is a significant risk surface. Auditors will look for both technical controls and documented procedures governing CUI in transit and at rest:

  • Encryption at rest: CUI stored on servers, endpoints, and removable media is encrypted using FIPS 140-2 validated cryptographic modules.
  • Encryption in transit: CUI transmitted across networks uses TLS 1.2 or higher, and unencrypted transmission channels are blocked or restricted by policy.
  • Approved cloud environments: CUI is stored only in cloud environments that meet FedRAMP Moderate equivalency or higher. Consumer-grade cloud storage is prohibited.
  • Email restrictions: Personal email accounts and unapproved file-sharing services are restricted from transmitting CUI by policy and, where feasible, by technical enforcement.
  • Removable media controls: Use of USB drives and external media with CUI is governed by policy, and data loss prevention tools are in place to detect and block unauthorized transfers.

For a deeper look at endpoint-level controls that protect CUI in transit and at rest, see our overview of endpoint security fundamentals.

Section 6: Incident Response and Reporting Obligations

A CUI breach or cyber incident involving systems that process CUI triggers specific reporting obligations under DFARS 252.204-7012. These must be documented in advance — not assembled after the fact:

  • Documented incident response plan: You have a written IR plan that specifically addresses CUI-related incidents, including who is notified, in what timeframe, and through what channels.
  • 72-hour reporting capability: Your organization can report cyber incidents to the DoD Cyber Crime Center (DC3) within 72 hours of discovery as required by DFARS 7012.
  • Media preservation: Procedures exist to preserve and protect images of all systems involved in a reportable incident for at least 90 days following notification.
  • Subcontractor flow-down: Your contracts with subcontractors who receive CUI include the required flow-down of DFARS cybersecurity clauses and incident reporting obligations.

Section 7: Documentation, Training, and Program Governance

Auditors do not just assess your technical controls — they evaluate whether your program is governed and sustained over time. This final checklist section addresses the program infrastructure that holds everything together:

  1. System Security Plan (SSP): Your SSP is current, reflects your actual environment, and documents how each of the 110 NIST SP 800-171 controls is implemented or planned.
  2. Plan of Action and Milestones (POA&M): Outstanding gaps are documented with realistic remediation timelines and resource owners. Nothing is simply left blank.
  3. Annual CUI training: All personnel with access to CUI complete annual training, and completion records are maintained and available for auditors.
  4. CUI handling policy: A formal written policy governs CUI identification, marking, access, transmission, storage, and disposal — and it has been reviewed within the last 12 months.
  5. Destruction and disposal procedures: CUI is destroyed using NSA-approved methods such as cross-cut shredding for paper and certified media sanitization for electronic storage.
  6. Third-party risk management: Your vendor and subcontractor program includes verification that CUI recipients have adequate protections in place before data is shared.

For contractors who need structured support building or maturing these program components, our CMMC, CUI & DFARS compliance services are specifically designed to address these requirements across the defense industrial base. Organizations that need an experienced compliance leader to own and drive this work should also consider Regulatory vCISO Services as a cost-effective alternative to a full-time hire.

Putting the Checklist to Work

Running through this checklist honestly will reveal one of three situations: you have strong controls in place and your documentation supports them; you have controls in place but the documentation does not reflect reality; or you have genuine gaps that need remediation before an audit. Each situation requires a different response, but all three require action.

The organizations that perform best in audits — including DCAA reviews and CMMC Level 2 assessments — are those that treat CUI handling requirements not as a compliance exercise but as an operational standard. That means your SSP and POA&M are living documents, your training is current, your markings are consistent, and your access controls match what is actually happening in your environment.

If you want a structured reference to supplement your internal review, our training resource CUI for Federal Contractors provides a practical, role-based walkthrough of these requirements for your team.

Take the Next Step Before an Auditor Does

A compliance gap discovered by an auditor is far more costly — in time, contract risk, and remediation expense — than one you find yourself. If this checklist has surfaced questions about where your program stands, the Cleared Systems team is ready to help you assess your current posture, close priority gaps, and build a program that holds up under scrutiny. Request a quote today and let us help you get ahead of your next audit with confidence.
