What Defense Contractors Need to Know About CUI Handling Requirements
If your organization handles information on behalf of the federal government—whether you're a prime contractor, subcontractor, or supplier to the Defense Industrial Base—there's a good chance you're already working with Controlled Unclassified Information. The problem is that most contractors don't fully understand what CUI is, how it must be handled, or what's at stake when requirements are missed. This guide cuts through the regulatory language and gives you a practical, actionable picture of your CUI handling obligations.
What Is CUI and Why Does It Matter?
Controlled Unclassified Information is government-created or government-owned information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. It is not classified, but it is not public information either. It occupies a critical middle ground—and mishandling it can result in contract loss, civil liability, and referral for criminal prosecution.
The CUI program is governed by Executive Order 13556, the 32 CFR Part 2002 implementing regulation, and the National Archives and Records Administration (NARA) CUI Registry, which defines over 100 authorized CUI categories spanning defense, law enforcement, export control, financial, and other sensitive domains. For a broader foundation, our post on What is Controlled Unclassified Information (CUI) is a good starting point.
Defense contractors encounter CUI most often in the context of technical data, engineering drawings, contract performance information, personally identifiable information (PII), and export-controlled data. If your contract includes DFARS clause 252.204-7012, you are legally obligated to comply with CUI handling requirements and NIST SP 800-171.
The Two Types of CUI: Basic and Specified
Before diving into handling rules, it's important to understand that not all CUI is the same. The CUI Registry distinguishes between two categories:
- CUI Basic — Requires standard safeguarding and dissemination controls. If no specific handling requirements are stated, CUI Basic rules apply. See our detailed breakdown in What is CUI Basic?
- CUI Specified — Carries additional or more restrictive handling controls mandated by specific law, regulation, or government-wide policy. Examples include export-controlled technical data and certain law enforcement sensitive information. Learn more in our post on What is CUI Specified?
Knowing which type you're handling determines the exact controls you must apply. When in doubt, treat the information as CUI Specified and consult the applicable contract or agency requirements.
CUI Marking Requirements
Proper marking is the first line of defense in any CUI program. The rules are specific and non-negotiable.
Document-Level Marking
CUI must be marked at the top and bottom of each page that contains CUI. At a minimum, the banner marking is the word CUI. Documents that contain CUI Specified must add the applicable category designation, such as CUI//SP-CTI for controlled technical information or CUI//SP-EXPT for export-controlled information.
Portion Marking
When a document contains a mix of CUI and non-CUI content, portion marking identifies which specific sections are sensitive. This is particularly important for technical documents and reports that combine general information with sensitive program data.
Electronic Files and Emails
Electronic documents must include the CUI designation in the file name or metadata, and CUI transmitted via email must include the marking in the subject line or body of the message. This is one of the most frequently overlooked requirements in contractor environments. Tools like Microsoft Azure Information Protection can automate labeling at scale—a topic we cover in detail in our post on Microsoft AIP: Overcoming Data Labeling and Classification Challenges.
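As an added example that is not part of this post and not Cleared Systems' own tooling, the Python script below turns the marking rules above into a check a contractor could run before a document is filed or an email is sent: a banner parser for CUI and CUI//SP-<category>, a per-page top-and-bottom banner check, a file-name check, and an email subject/body check. The multi-category form CUI//SP-CTI/SP-EXPT, the page and email content, and the file names are all constructed assumptions of the example; file metadata is not inspected because that is format-specific.

```python
import re
from typing import List, Optional

# Added example (not from the original post or Cleared Systems). It encodes the
# banner rules stated above: "CUI" is the minimum marking, and CUI Specified adds
# a category, e.g. CUI//SP-CTI or CUI//SP-EXPT. Accepting several categories
# separated by "/" (CUI//SP-CTI/SP-EXPT) is an assumption of this example.
BANNER_RE = re.compile(r"^CUI(?://SP-[A-Z]+(?:/SP-[A-Z]+)*)?$")
# Same pattern, but for locating a banner inside free text such as a subject line.
BANNER_SEARCH_RE = re.compile(r"\bCUI(?://SP-[A-Z]+(?:/SP-[A-Z]+)*)?(?![A-Za-z0-9])")


def parse_banner(line: str) -> Optional[dict]:
    """Return {"level", "categories"} if `line` is a well-formed banner, else None."""
    text = line.strip()
    if not BANNER_RE.match(text):
        return None
    if "//" not in text:
        return {"level": "Basic", "categories": []}
    categories = [c[len("SP-"):] for c in text.split("//", 1)[1].split("/")]
    return {"level": "Specified", "categories": categories}


def check_pages(pages: List[str]) -> List[str]:
    """Every page must open and close with the same valid banner; return findings."""
    findings: List[str] = []
    for num, page in enumerate(pages, start=1):
        lines = [ln for ln in page.splitlines() if ln.strip()]
        if not lines:
            findings.append(f"page {num}: blank page")
            continue
        top, bottom = parse_banner(lines[0]), parse_banner(lines[-1])
        if top is None:
            findings.append(f"page {num}: missing or malformed top banner: {lines[0].strip()!r}")
        if bottom is None:
            findings.append(f"page {num}: missing or malformed bottom banner: {lines[-1].strip()!r}")
        if top is not None and bottom is not None and top != bottom:
            findings.append(f"page {num}: top and bottom banners disagree")
    return findings


def check_filename(name: str) -> List[str]:
    """The designation must appear in the file name or metadata; only the name is checked here."""
    stem = name.rsplit(".", 1)[0]
    if re.search(r"(^|[ _-])CUI([ _-]|$)", stem):
        return []
    return [f"file {name!r}: no CUI designation in file name"]


def check_email(subject: str, body: str) -> List[str]:
    """The marking must appear in the subject line or the body of a CUI email."""
    if BANNER_SEARCH_RE.search(subject):
        return []
    if any(parse_banner(ln) is not None for ln in body.splitlines()):
        return []
    return ["email: no CUI marking in subject or body"]


# Constructed sample inputs for the demonstration.
GOOD_PAGE = "CUI//SP-CTI\n\nBracket P/N 12345 tolerances (constructed sample)\n\nCUI//SP-CTI\n"
NO_BOTTOM_PAGE = "CUI//SP-CTI\nRevised test data (constructed sample)\n"
MISMATCH_PAGE = "CUI\nRelease notes (constructed sample)\nCUI//SP-EXPT\n"

if __name__ == "__main__":
    for label, result in [
        ("pages", check_pages([GOOD_PAGE, NO_BOTTOM_PAGE, MISMATCH_PAGE])),
        ("file", check_filename("bracket_drawing.pdf")),
        ("email", check_email("drawing rev B", "see attached")),
    ]:
        print(label, "OK" if not result else result)
```

A check like this belongs at the points where CUI leaves a controlled system: a pre-send mail hook, a file-share upload path, or a periodic scan of a document repository. It catches missing and inconsistent banners; it does not decide whether content is CUI in the first place, which is what labeling tools such as Azure Information Protection are for.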
CUI Storage and Access Controls
Marking CUI correctly is necessary but not sufficient. You must also control where it lives and who can reach it.
Physical Storage
Physical CUI must be stored in a manner that prevents unauthorized access. This typically means locked rooms, locked filing cabinets, or controlled-access areas. Open storage in common areas, conference rooms, or shared workspaces is a clear violation. Visitor access to areas where CUI is stored must be controlled and monitored.
Digital Storage
CUI stored electronically must reside on information systems that meet the 110 security requirements in NIST SP 800-171. This includes requirements for access control, audit logging, configuration management, and system and communications protection. Cloud storage platforms must meet FedRAMP Moderate equivalency at a minimum. Our post on NIST SP 800-171 Revision 3: Enhancing Security for CUI explains the most current requirements in detail.
Access Control
- CUI access must be limited to individuals with a legitimate need to know.
- User accounts must follow least-privilege principles.
- Multi-factor authentication is required for remote access and privileged accounts.
- Access must be revoked promptly when an employee changes roles or leaves the organization.
CUI Transmission Requirements
Moving CUI from one location to another—whether physically or electronically—introduces risk that must be managed systematically.
Electronic Transmission
CUI must be encrypted in transit using FIPS 140-2 validated cryptographic modules. This applies to email, file transfers, remote access sessions, and cloud synchronization. Sending CUI through personal email, consumer file-sharing services, or unencrypted channels is a reportable security incident. Understanding your endpoint and transmission controls is essential—our guide on Endpoint Security 101 provides useful context.
Physical Transmission
When CUI must be physically transported, it must be packaged to prevent unauthorized disclosure during transit. For sensitive shipments, use traceable shipping methods and document the chain of custody. Personally carrying CUI in unsecured bags or on unlocked laptops during travel is a compliance failure that auditors look for specifically.
CUI Destruction and Disposal
CUI does not become public information simply because you no longer need it. Disposal requirements are strict.
- Paper documents must be shredded using a cross-cut or micro-cut shredder meeting NSA/CSS EPL standards, or destroyed by a certified destruction service.
- Electronic media must be sanitized in accordance with NIST SP 800-88. Simply deleting files or formatting drives is not sufficient. Degaussing, cryptographic erasure, or physical destruction is required depending on media type.
- Hard drives, USB drives, and mobile devices must be sanitized before disposition, reuse, or disposal—even within your own organization if they are being repurposed for non-CUI use.
CUI Incident Reporting
If CUI is lost, stolen, or improperly disclosed, you have mandatory reporting obligations. DFARS 252.204-7012 requires contractors to report cyber incidents involving covered defense information—which includes CUI—to the Department of Defense within 72 hours of discovery. Contractors must also preserve images of compromised systems and submit malware samples as required.
Failure to report is itself a compliance violation, separate from the underlying incident. Your incident response plan must be documented, tested, and ready before an incident occurs—not assembled in a panic after one.
CUI and CMMC: Understanding the Connection
The Cybersecurity Maturity Model Certification (CMMC) program is directly tied to CUI handling. If your contract involves CUI, CMMC Level 2 certification—which maps to all 110 controls in NIST SP 800-171—will be required. Our CMMC, CUI & DFARS Compliance service is specifically designed to help defense contractors navigate this interconnected regulatory landscape efficiently and completely.
It's also worth noting that CUI obligations flow down through the supply chain. If you are a prime contractor, you are responsible for ensuring your subcontractors handle CUI appropriately. This means including CUI handling requirements in your subcontracts and verifying compliance.
Building a Sustainable CUI Program
Ad hoc CUI compliance doesn't hold up under scrutiny. Contractors who treat CUI handling as a checkbox exercise consistently struggle during audits and assessments. What actually works is a documented, repeatable program that includes:
- A written CUI policy and handling procedures tailored to your operations
- A CUI registry identifying where CUI lives across your environment
- Role-based training for all personnel who create, receive, or handle CUI
- Technical controls that enforce marking, access, encryption, and logging requirements
- Regular internal audits and a documented corrective action process
- An incident response plan with clear roles and reporting timelines
If you're building this from the ground up, our resource on How to Build a Controlled Unclassified Information Compliance Program from Scratch walks through each step in detail. For contractors who want to deepen their team's understanding quickly, our CUI for Federal Contractors training resource is a practical starting point.
Take the Next Step Toward Full CUI Compliance
CUI handling requirements are not optional, and the enforcement environment is tightening. Whether you're trying to understand your baseline obligations, close specific gaps before a contract award, or build a comprehensive program ahead of a CMMC assessment, Cleared Systems has the expertise to guide you. Contact us today through our request a quote form or review our engagement models to find the right level of support for your organization's size, contract portfolio, and timeline. Getting this right protects your contracts, your reputation, and the sensitive information your government customers are counting on you to safeguard.
