The Most Common Controlled Unclassified Information Compliance Failures in Defense Contracting

Why Controlled Unclassified Information Compliance Failures Keep Happening

After working with defense contractors across the industrial base, I can tell you that most Controlled Unclassified Information compliance failures are not the result of bad intentions. They stem from incomplete understanding, inconsistent execution, and compliance programs built on assumptions rather than evidence. The consequences, however, are anything but minor. Contract termination, suspension, debarment, and False Claims Act liability are all live possibilities when CUI requirements are not met.

What follows is an honest assessment of where defense contractors most commonly fall short. If you recognize your organization in any of these patterns, treat this as a call to act before a contracting officer, a DCSA assessment, or a breach does it for you.

Failure 1: Not Knowing What Qualifies as CUI

The most foundational failure is also the most common. Many contractors cannot accurately identify which information in their environment qualifies as CUI. Teams handle technical data, export-controlled information, financial records, and personally identifiable information without a consistent framework for determining whether any of it falls under the CUI program.

The CUI program is governed by the National Archives and Records Administration (NARA) CUI Registry, which defines more than 20 categories and dozens of subcategories. Contractors are expected to know which categories apply to their contracts and handle information accordingly. Without that foundational knowledge, everything downstream in a compliance program is unreliable.

If your team cannot distinguish between CUI Basic and CUI Specified, or cannot name the CUI categories on your active contracts, this is where your program needs to start.

Failure 2: Inconsistent or Missing CUI Marking

Even contractors who understand CUI in theory frequently fail in practice when it comes to marking. Documents circulate without required banner markings. Emails containing CUI go out with no designation indicator. Drawings, specifications, and test data get shared internally and with subcontractors without proper labels.

Marking is not a bureaucratic formality. It is the mechanism by which everyone in the information chain knows how to handle the material. When CUI is not marked, it is effectively invisible to your protection controls. People cannot protect what they cannot identify.

Consistent marking requires a combination of written policy, technical controls, and workforce training. Automated labeling tools, such as those available through Azure Information Protection, can significantly reduce the burden on individual employees, but they do not replace the need for a documented marking program.

Failure 3: Inadequate Access Controls

Access control failures are among the most technically consequential CUI compliance gaps. This category encompasses several related problems that I see repeatedly across organizations of every size.

  • No formal need-to-know policy: CUI should only be accessible to personnel with a demonstrated need to access it for their work. Without a policy and enforcement mechanism, access tends to expand organically until it is effectively unrestricted within the organization.
  • Shared credentials and generic accounts: When multiple employees share a login, accountability disappears. You cannot determine who accessed CUI, when, or why.
  • Excessive third-party access: Vendors, subcontractors, and IT support personnel often receive broader access than their role requires, creating unnecessary exposure.
  • No periodic access reviews: Employees who change roles, leave the company, or complete a project often retain access long after it is appropriate.

NIST SP 800-171 is explicit about these requirements, and they form a significant portion of what assessors examine. Our post on NIST SP 800-171 Revision 3 covers the updated security requirements that now apply to these controls.
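The four review patterns above lend themselves to a periodic automated check. The following Python script is an added example, not code from the original post; the group names, roles and need-to-know matrix are assumptions for illustration, and the roster is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed group names that carry CUI in this example environment
CUI_GROUPS = {"cui-engineering", "cui-export-controlled", "cui-finance"}
# Assumed need-to-know matrix: which CUI groups each role may legitimately hold
NEED_TO_KNOW = {
    "design-engineer": {"cui-engineering", "cui-export-controlled"},
    "accountant": {"cui-finance"},
    "it-support-vendor": set(),  # third-party support gets no CUI by default
}

@dataclass
class Account:
    name: str
    owner: Optional[str]      # None marks a shared or generic account
    role: str
    groups: set
    active: bool              # employment or engagement still current
    last_review: Optional[date]

def review_access(accounts, today, max_review_age_days=90):
    """Return (account, finding) pairs for each CUI-holding account that
    matches one of the four failure patterns: generic account, departed
    user, access beyond need-to-know, or overdue access review."""
    findings = []
    for a in accounts:
        cui = a.groups & CUI_GROUPS
        if not cui:
            continue  # accounts with no CUI groups are out of scope
        if a.owner is None:
            findings.append((a.name, "shared or generic account holds CUI access"))
        if not a.active:
            findings.append((a.name, "inactive user retains CUI access"))
        excess = cui - NEED_TO_KNOW.get(a.role, set())
        if excess:
            findings.append((a.name, f"access beyond need-to-know: {sorted(excess)}"))
        if a.last_review is None or (today - a.last_review).days > max_review_age_days:
            findings.append((a.name, "no access review within the required period"))
    return findings

# Constructed sample roster (not real accounts)
SAMPLE = [
    Account("jdoe", "Jane Doe", "design-engineer", {"cui-engineering"}, True, date(2024, 5, 1)),
    Account("svc-share", None, "design-engineer", {"cui-engineering"}, True, date(2024, 5, 1)),
    Account("vendor-it1", "Vendor Tech", "it-support-vendor", {"cui-engineering", "all-staff"}, True, date(2024, 5, 1)),
    Account("rsmith", "Rob Smith", "accountant", {"cui-finance"}, False, date(2023, 1, 1)),
]

if __name__ == "__main__":
    for name, why in review_access(SAMPLE, date(2024, 6, 1)):
        print(f"{name}: {why}")
```

Feeding the script a real export from your identity provider turns the quarterly access review into a repeatable, evidenced control rather than an ad hoc spreadsheet exercise.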

Failure 4: CUI Stored or Transmitted in Non-Compliant Systems

This failure has become more prevalent as cloud adoption has accelerated. Contractors routinely store CUI in commercial Microsoft 365 tenants, consumer-grade file sharing services, and personal email accounts — all of which fall outside the boundary of compliant systems for CUI handling under DFARS 252.204-7012.

Federal contract information and CUI must be protected in environments that meet the requirements established by NIST SP 800-171 and, where applicable, FedRAMP Moderate equivalency. For most defense contractors, this means migrating to government cloud environments such as Microsoft 365 GCC High or AWS GovCloud.

The system boundary problem extends beyond cloud storage. CUI transmitted via unencrypted email, discussed in commercial collaboration tools, or processed on unmanaged personal devices all represent compliance failures. Defining and enforcing the system boundary is a prerequisite to meaningful CUI protection.

Failure 5: No Documented CUI Program or Written Policies

A compliance program that exists only in the heads of a few senior employees is not a compliance program. Assessors and auditors expect documented policies — written procedures for identifying, marking, handling, storing, transmitting, and destroying CUI.

Common documentation gaps include:

  1. No CUI program plan or written policy governing the program
  2. No System Security Plan (SSP) or an SSP that does not reflect current operations
  3. No incident response plan that addresses CUI spillage specifically
  4. No records of employee training on CUI requirements
  5. No documented destruction procedures for CUI at end of contract

The SSP and POA&M are foundational documents in any serious CUI compliance program. If your organization cannot produce a current, accurate SSP on short notice, that gap alone should be a priority remediation item. Our Compliance Program Development service is specifically designed to address organizations that need to build or rebuild these foundational structures.

Failure 6: Subcontractor Oversight Gaps

Prime contractors are responsible for flowing down CUI requirements to subcontractors who receive or generate CUI on their behalf. This is a legal obligation, not a best practice, and it is one of the most consistently neglected areas of CUI compliance across the defense industrial base.

Common subcontractor oversight failures include:

  • No CUI-specific flow-down language in subcontracts
  • No verification that subcontractors have adequate controls in place before CUI is shared
  • No ongoing monitoring or assessment of subcontractor compliance posture
  • CUI shared with foreign persons or entities without appropriate authorization

If a subcontractor suffers a breach or fails an assessment, the prime contractor's liability is real and direct. Treating subcontractor oversight as optional is a significant and increasingly scrutinized compliance risk.

Failure 7: Treating CUI Compliance as a One-Time Project

Perhaps the most strategically damaging failure is the assumption that CUI compliance is a box to check rather than a program to maintain. Contractors who achieve a satisfactory NIST SP 800-171 score and then stop investing in their program will find themselves out of compliance within months as systems change, personnel turn over, and threat environments evolve.

Effective CUI compliance requires continuous monitoring, periodic internal assessments, annual training refreshers, and a mechanism for identifying and remedying gaps before they become findings. For organizations without a dedicated compliance officer or information security team, a Regulatory vCISO engagement can provide the sustained oversight that an annual consultant visit cannot.

Our CMMC, CUI & DFARS Compliance service is built around exactly this kind of ongoing program support, not just point-in-time gap analysis.

Building a Program That Actually Works

The contractors who consistently perform well on CUI assessments share a few characteristics. They have documented programs that are actively maintained. They invest in workforce training so that every employee — not just IT — understands their role in protecting CUI. They conduct internal audits regularly and take findings seriously. And they treat compliance as a business function with executive visibility, not a technical checkbox buried in the IT department.

If you want a deeper foundation in the CUI program itself, our training resource CUI for Federal Contractors is a practical starting point for compliance managers and their teams.

Controlled Unclassified Information compliance is not getting simpler. With CMMC 2.0 now in effect and enforcement posture tightening across the DoD, the contractors who will maintain and grow their federal business are those who treat CUI protection as a core operational discipline.

If your organization has gaps in any of the areas described above, the time to address them is now. Request a quote to speak with our compliance team about where your program stands and what it will take to get it where it needs to be.
