Protecting Controlled Unclassified Information (CUI) within DoD and Industry: A Guide

GovFacts


Safeguarding sensitive government information is important to U.S. national security, federal operations, and the integrity of the vast network of partners supporting the Department of Defense (DoD).

Among the categories of sensitive data, Controlled Unclassified Information (CUI) presents unique challenges. While not classified, CUI requires specific protections mandated by law, regulation, and government-wide policy.

This guide provides a comprehensive overview of understanding CUI, governing frameworks, DoD-specific rules, key standards like NIST SP 800-171, the CMMC verification program, implementation steps, common challenges, and resources to ensure compliance.

What is Controlled Unclassified Information (CUI)?

The Official Definition and Its Significance

Controlled Unclassified Information (CUI) is officially defined as information that the U.S. Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, which requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and Government-wide policies.

CUI is not classified under Executive Order 13526 (governing Classified National Security Information) or the Atomic Energy Act. This establishes CUI as a distinct category of unclassified information that requires protection beyond that given to routine government information but doesn’t meet the threshold for classification.

The CUI program was established by Executive Order 13556 in 2010 to address inconsistencies in how federal agencies handled sensitive unclassified information. Prior to this E.O., agencies employed over 100 different markings and ad-hoc policies (e.g., For Official Use Only, Sensitive But Unclassified, Law Enforcement Sensitive) to control such information.

This patchwork system led to confusion, inconsistent protection levels, inadequate safeguarding, unnecessary restrictions on information sharing, and increased risk. E.O. 13556 mandated a single, standardized system across the entire Executive Branch for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI.

Defining information as CUI isn’t merely an administrative label; it imposes specific legal and contractual obligations for safeguarding. Mishandling CUI can lead to formal sanctions, including administrative penalties or contractual repercussions, as outlined in the CUI implementing regulation (32 CFR Part 2002) and relevant contract clauses like the Defense Federal Acquisition Regulation Supplement (DFARS).

Key Differences: CUI vs. Classified Information vs. Federal Contract Information (FCI)

CUI vs. Classified Information:

The most fundamental distinction is that CUI is unclassified information. It does not meet the damage thresholds required for classification as Confidential, Secret, or Top Secret under E.O. 13526. While CUI requires protection, it is governed by a separate framework (E.O. 13556, 32 CFR Part 2002).

CUI is considered a safeguarding system, not a classification level; one does not “classify” information as CUI, but rather “designates” or “controls” it as CUI. The security controls, personnel clearance requirements, and system accreditation standards for CUI are generally less stringent than those for classified information.

However, this distinction highlights a significant risk: because CUI has fewer controls compared to classified data, it can represent a “path of least resistance” for adversaries. The aggregated loss of sensitive CUI can pose a significant risk to national security, potentially impacting mission effectiveness and warfighter capabilities.

CUI vs. Federal Contract Information (FCI):

Federal Contract Information (FCI) is defined in the Federal Acquisition Regulation (FAR) clause 52.204-21 as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”

The key difference lies in the basis for protection. FCI requires basic safeguarding simply because it is contract-related information not meant for the public. CUI requires safeguarding because a specific law, regulation, or government-wide policy mandates or permits controls.

Therefore, all CUI handled by a government contractor qualifies as FCI, but not all FCI is CUI. This distinction directly affects compliance obligations and costs for contractors:

  • Handling only FCI necessitates meeting the basic safeguarding requirements of FAR 52.204-21 (the foundation for CMMC Level 1).
  • Handling CUI triggers the more comprehensive requirements of NIST SP 800-171, as mandated by DFARS 252.204-7012 (the foundation for CMMC Level 2 and above).

Accurately identifying whether contract information constitutes FCI or CUI is critical for determining the necessary compliance level and associated resource investment.

The Role of NARA and the CUI Registry

Executive Order 13556 designated the National Archives and Records Administration (NARA) as the Executive Agent (EA) responsible for implementing and overseeing the CUI program across the Executive Branch. NARA carries out these responsibilities through its Information Security Oversight Office (ISOO).

A cornerstone of the CUI program is the CUI Registry, maintained by NARA/ISOO and publicly accessible online. The CUI Registry serves as the sole authoritative, government-wide repository that identifies all approved CUI categories and subcategories. For each category, the Registry provides:

  • A general description of the information type
  • The specific law(s), regulation(s), or government-wide policy(ies) requiring control
  • Required markings (including banner and portion marking formats)
  • Applicable safeguarding, dissemination, and decontrol procedures

The Registry’s role as the exclusive source for CUI categories is critical. Agencies cannot designate information as CUI unless it falls under a category listed in the Registry, nor can they implement safeguarding controls inconsistent with the CUI program. This prevents agencies from creating their own ad-hoc sensitive information categories, enforcing the uniformity mandated by E.O. 13556.

Both federal agencies and contractors must consult the CUI Registry to determine appropriate handling for specific types of CUI.

Understanding CUI Categories: Basic and Specified

The CUI program categorizes information into two main types: CUI Basic and CUI Specified. This distinction dictates the specific handling and marking requirements.

CUI Basic:

This is the default or baseline level for CUI. For CUI Basic, the authorizing law, regulation, or government-wide policy requires or permits controls but does not specify handling or dissemination controls beyond the standard requirements outlined in 32 CFR Part 2002 and the CUI Registry. Agencies handle CUI Basic according to this uniform set of controls. Most CUI falls under the Basic category.

Examples found in the CUI Registry that are often Basic include Agriculture Information, Asylee Information, general Privacy Information (where the Privacy Act itself doesn’t mandate unique controls), and Operations Security (OPSEC) Information.

CUI Specified:

This subset includes CUI for which the authorizing law, regulation, or government-wide policy mandates specific handling or dissemination controls that differ from, or are more restrictive than, the CUI Basic baseline. These specific controls might involve unique markings, enhanced physical safeguards, stricter access limitations, or specific dissemination restrictions.

CUI Specified is not necessarily “more sensitive” or a “higher level” than CUI Basic, just subject to different rules. Examples often include Export Control information (subject to International Traffic in Arms Regulations or Export Administration Regulations), certain Law Enforcement Sensitive data, Protected Critical Infrastructure Information, and Nuclear information.

The distinction primarily impacts marking and handling. For CUI Specified, the specific category marking (e.g., SP-EXPORT CONTROL) must be included in banner and portion markings. Handling and dissemination must adhere strictly to the requirements laid out in the specific authorizing law, regulation, or government-wide policy cited in the CUI Registry.

Within the Department of Defense, DoDI 5200.48 states that DoD applies a consistent set of safeguarding controls regardless of whether the CUI is Basic or Specified. However, this primarily relates to the baseline physical and technical security measures applied within DoD systems. It does not override the specific legal or regulatory requirements (especially dissemination controls) tied to CUI Specified categories.

Governing Framework: Federal Laws and Policies

Executive Order 13556: The Foundation of the CUI Program

Issued on November 4, 2010, Executive Order 13556, “Controlled Unclassified Information,” serves as the foundational authority for the entire CUI program. Its primary purpose was to establish an “open and uniform program” to standardize the management of unclassified information requiring safeguarding or dissemination controls throughout the Executive Branch.

E.O. 13556 laid out several key mandates:

  • Established the CUI Program: Formally created the program to manage sensitive unclassified information
  • Designated NARA as Executive Agent (EA): Tasked NARA with implementing the Order and overseeing agency compliance
  • Required the CUI Registry: Mandated the EA establish and maintain a public registry of authorized CUI categories, markings, and procedures
  • Defined Scope: Clarified that the program applies to unclassified information requiring controls pursuant to law, regulation, or government-wide policy
  • Mandated Agency Compliance: Required agencies originating or handling CUI to develop compliance plans and adhere to EA-issued policies
  • Emphasized Balance: Stressed the need to balance safeguarding with the principles of openness and appropriate information sharing

The impetus for E.O. 13556 stemmed partly from challenges highlighted after the 9/11 attacks regarding the need for better horizontal information sharing across government agencies. By standardizing definitions, markings, and handling rules, the CUI program aimed not only to strengthen protection but also to enable consistent and authorized sharing based on the principle of “Lawful Government Purpose.”

32 CFR Part 2002: Implementing the CUI Program

While E.O. 13556 provided the foundation, Title 32, Code of Federal Regulations (CFR), Part 2002, “Controlled Unclassified Information,” provides the detailed operational rulebook. Issued by NARA/ISOO as the CUI EA and effective November 14, 2016, this regulation translates the E.O.’s principles into specific, binding policies and procedures for all Executive Branch agencies and any non-federal entities (like contractors) handling CUI on their behalf.

Key elements codified in 32 CFR Part 2002 include:

  • Definitions (§ 2002.4): Provides official definitions for critical terms like CUI, CUI Basic, CUI Specified, Agency, Authorized Holder, Controlled Environment, etc.
  • CUI Registry (§ 2002.10) & Categories (§ 2002.12): Reinforces the CUI Registry’s central role and mandates that agencies use only Registry-approved categories
  • Safeguarding (§ 2002.14): Establishes the baseline requirements for protecting CUI in physical and electronic environments. This section mandates taking “reasonable precautions,” defines “controlled environments,” and links CUI protection requirements to specific NIST publications
  • Accessing and Disseminating (§ 2002.16): Governs how CUI can be shared. Dissemination is permitted when it furthers a Lawful Government Purpose, complies with the underlying law, regulation, or government-wide policy, and is not restricted by an authorized Limited Dissemination Control
  • Decontrolling (§ 2002.18): Outlines procedures for removing CUI controls when protection is no longer required
  • Marking (§ 2002.20): Provides detailed rules for applying CUI markings, including banner markings, portion markings, designation indicators, and markings for different media types
  • Training (§ 2002.30): Mandates that agencies establish CUI training programs for personnel who handle CUI

The direct incorporation of NIST standards within 32 CFR Part 2002 is highly significant. By mandating adherence to NIST SP 800-53 (for federal systems), NIST SP 800-171 (for non-federal systems), and NIST SP 800-88 (for destruction), the regulation establishes a clear technical foundation for CUI protection.

DoD-Specific Requirements for CUI Protection

DoD Instruction 5200.48: CUI Policy within the Department of Defense

DoD Instruction (DoDI) 5200.48, “Controlled Unclassified Information,” issued March 6, 2020, is the primary policy document governing CUI within the Department. It establishes DoD-specific policies, assigns responsibilities, and prescribes procedures to ensure consistent implementation of E.O. 13556 and 32 CFR Part 2002 across all DoD components, military personnel, civilian employees, and contractors handling DoD CUI.

Key elements of DoDI 5200.48 include:

  • Scope and Applicability: Applies broadly to OSD, Military Departments, Joint Staff, Combatant Commands, Defense Agencies, Field Activities, and extends to contractors through agreements and contracts
  • Adherence to CUI Program Standards: Explicitly requires DoD to follow the NARA/ISOO framework for designating, marking, safeguarding, disseminating, decontrolling, and destroying CUI
  • DoD CUI Registry: Establishes the official DoD CUI Registry as a resource aligned with the NARA Registry, providing DoD-specific context and relevant issuances
  • Public Release Controls: Reinforces that CUI must be formally reviewed and cleared for public release according to specific DoD public affairs instructions before being decontrolled or released
  • Prohibited Uses: Echoes the CUI program principle that information cannot be designated CUI to conceal violations, prevent embarrassment, or hinder competition
  • Safeguarding Consistency: States that DoD does not differentiate between CUI Basic and CUI Specified for the purpose of applying baseline safeguarding measures within DoD systems
  • System Usage: Prohibits the use of non-DoD accounts (personal email, messaging) or non-DoD information systems (unless they are authorized government contractor systems) for conducting official business involving CUI
  • Training: Mandates CUI training for DoD personnel

DoDI 5200.48 ensures that the government-wide CUI framework is operationalized within the specific context and structure of the Department of Defense.

Contractual Obligations: Key DFARS Clauses

The Defense Federal Acquisition Regulation Supplement (DFARS) translates DoD policy into binding contractual requirements for industry partners. Several key DFARS clauses specifically address the protection of CUI and related cybersecurity standards.

DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

This clause, often considered the cornerstone of CUI protection requirements for DoD contractors, has been in effect since 2016. It mandates that contractors provide “adequate security” for “covered contractor information systems” that process, store, or transmit “Covered Defense Information (CDI)”. CDI is defined as unclassified controlled technical information (CTI) or other information identified in the CUI Registry that requires controls and is marked or identified in the contract.

The central requirement of DFARS -7012 is the mandatory implementation of the security requirements outlined in NIST Special Publication 800-171. The clause also imposes critical cyber incident reporting requirements: contractors must report incidents affecting CDI or covered systems to DoD’s DIBNet portal within 72 hours, provide access for damage assessment, and submit any malicious software discovered.

DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements

Introduced via an interim rule in 2020, this solicitation provision requires offerors to have a current (usually not older than 3 years) NIST SP 800-171 DoD Assessment summary score posted in the Supplier Performance Risk System (SPRS) as a condition for award consideration. If an offeror lacks a current score, they can conduct a Basic (self) Assessment and submit the score to SPRS.

DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements

This contract clause complements -7019 by requiring contractors to maintain a current NIST SP 800-171 assessment score in SPRS throughout the contract’s duration. It formally defines the three assessment levels—Basic (self-assessment), Medium (DoD document review/discussion), and High (DoD on-site/virtual verification)—and their associated confidence levels.

DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements

This clause represents the contractual implementation of the CMMC program. As prescribed, it requires the contractor to achieve and maintain a specific CMMC certification level (Level 1, 2, or 3, as designated in the contract) for the entire contract period. While included in the 2020 interim rule, its widespread use is pending the finalization of the CMMC 2.0 DFARS rule (DFARS Case 2019-D041), expected in mid-2025, after which CMMC requirements will be phased into DoD contracts.

The Standard for Nonfederal Systems: NIST SP 800-171

Purpose and Scope of NIST SP 800-171 (Referencing Rev 3)

NIST SP 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” provides federal agencies with recommended security requirements intended for inclusion in contracts and agreements. Its primary goal is to ensure the confidentiality of CUI residing on systems outside the direct control of the federal government.

The latest version is Revision 3, finalized on May 14, 2024, which supersedes Revision 2. Revision 3 incorporates significant updates, including:

  • Alignment with the latest revision of NIST’s foundational security control catalog, NIST SP 800-53 Revision 5, and the moderate control baseline
  • Increased specificity in requirement language to reduce ambiguity and aid implementation and assessment
  • Introduction of Organization-Defined Parameters (ODPs) in certain requirements, allowing organizations flexibility to tailor controls based on their specific environment and risk assessment
  • Restructuring of security requirement families
  • A change in the total number of security requirements (finalized at 97 in Rev 3, down from 110 in Rev 2, though assessment points increased)

As mandated by 32 CFR Part 2002 and DFARS 252.204-7012, compliance with NIST SP 800-171 is not merely a recommendation but a requirement for DoD contractors handling CUI.

Overview of Security Requirement Families and Objectives (Based on Rev 3)

NIST SP 800-171 Revision 3 organizes its 97 security requirements into 17 families, providing a comprehensive framework for CUI protection. These families, derived primarily from the moderate baseline of NIST SP 800-53, cover technical, operational, and management aspects of security. The families and their core objectives are:

  • Access Control (AC): Limit system access to authorized users/processes/devices and their permitted functions
  • Awareness and Training (AT): Ensure users are aware of risks and trained for secure actions
  • Audit and Accountability (AU): Create, protect, and retain system records to enable monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate activity
  • Assessment, Authorization, and Monitoring (CA): Periodically assess, authorize (based on risk), and monitor security controls for ongoing effectiveness
  • Configuration Management (CM): Establish and maintain baseline configurations and inventories of systems; manage and control changes
  • Identification and Authentication (IA): Identify and authenticate system users, processes, and devices
  • Incident Response (IR): Establish capabilities to prepare for, detect, analyze, contain, recover from, and respond to incidents
  • Maintenance (MA): Perform and control system maintenance securely
  • Media Protection (MP): Protect and control physical and digital media containing CUI during storage, transit, and disposal
  • Physical and Environmental Protection (PE): Limit physical access; protect and monitor the physical facility and infrastructure
  • Planning (PL): Develop, document, update, and implement security plans describing control implementation
  • Personnel Security (PS): Screen individuals; manage access termination; ensure personnel understand responsibilities
  • Risk Assessment (RA): Periodically assess risks to organizational operations, assets, and individuals resulting from system operation
  • System and Services Acquisition (SA): Allocate resources, protect systems during acquisition, and ensure security functions are addressed
  • System and Communications Protection (SC): Monitor, control, and protect organizational communications; employ architectural designs and system security engineering principles
  • System and Information Integrity (SI): Identify, report, and correct flaws; protect against malicious code; monitor system security alerts; perform network/system monitoring
  • Supply Chain Risk Management (SR): Identify, assess, and respond to supply chain risks associated with systems and services

Assessing Compliance: NIST SP 800-171A (Referencing Rev 3)

To verify whether the requirements in NIST SP 800-171 are implemented correctly, NIST provides a companion document: NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information”. This publication details the assessment procedures and methodology.

Revision 3 of NIST SP 800-171A was finalized alongside NIST SP 800-171 Rev 3 on May 14, 2024. Key updates include:

  • Alignment with the requirements in SP 800-171 Rev 3
  • Restructuring of assessment procedures to align with the format and methodology of NIST SP 800-53A
  • Incorporation of assessment considerations for the new Organization-Defined Parameters (ODPs)

NIST SP 800-171A provides specific objectives for each requirement in SP 800-171 and outlines potential assessment methods (Examine, Interview, Test) and assessment objects (the specific items to be reviewed or tested, such as policies, procedures, system configurations, logs, personnel knowledge).

The detailed procedures provide significantly clearer expectations regarding the evidence needed to demonstrate compliance. By specifying what documents to examine, who to interview, and what system functions to test for each requirement, it makes assessments more objective and repeatable.

Verification and Certification: The CMMC Program

CMMC 2.0: Purpose and Link to NIST SP 800-171

The Cybersecurity Maturity Model Certification (CMMC) program was established by the DoD in response to persistent and sophisticated cyber threats targeting the Defense Industrial Base (DIB) and the sensitive information it handles. Recognizing that self-attestation of compliance with DFARS 252.204-7012 was insufficient to guarantee adequate protection across the supply chain, DoD developed CMMC as a verification framework.

CMMC 2.0, representing a refinement of the initial CMMC 1.0 model, directly aligns its requirements with existing federal standards:

  • Level 1 is based on the 15 basic safeguarding requirements for FCI found in FAR 52.204-21
  • Level 2 is based entirely on the 110 security requirements for CUI protection found in NIST SP 800-171 Rev 2
  • Level 3 builds upon Level 2 by adding a subset of 24 enhanced security requirements derived from NIST SP 800-172, designed to counter Advanced Persistent Threats (APTs)

CMMC establishes a mandatory assessment and certification process to verify implementation of existing requirements. This shift from a “trust” model (self-attestation) to a “verify” model (assessment/certification) is the fundamental change CMMC brings to DIB cybersecurity compliance.

Understanding CMMC Levels (Level 1, Level 2, Level 3)

CMMC 2.0 employs a tiered model to apply cybersecurity requirements based on the sensitivity of the information being handled. The required CMMC level for a given contract will be specified in the solicitation.

Level 1 (Foundational):

  • Applicable to contractors that handle only Federal Contract Information (FCI)
  • Requires implementation of the 15 basic safeguarding controls found in FAR 52.204-21
  • Compliance is verified through an annual self-assessment conducted by the contractor

Level 2 (Advanced):

  • Applicable to contractors that handle Controlled Unclassified Information (CUI)
  • Requires implementation of all 110 security controls from NIST SP 800-171 Rev 2
  • Verification involves a triennial assessment, either a self-assessment or a formal certification assessment conducted by an accredited CMMC Third-Party Assessment Organization (C3PAO), depending on the criticality of the CUI involved

Level 3 (Expert):

  • Applicable to contractors handling CUI associated with DoD’s highest priority programs, requiring protection against APTs
  • Requires implementation of all 110 NIST SP 800-171 controls plus 24 selected controls from NIST SP 800-172
  • Compliance is verified through a triennial assessment conducted by the government’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

In addition to the triennial assessments for Levels 2 and 3, all levels require an annual affirmation of continued compliance by a senior company official, submitted through SPRS.

Assessment Requirements: Self-Assessments and Third-Party/Government Assessments

The type of assessment required under CMMC 2.0 depends on the certification level specified in the contract:

  • Level 1: Annual self-assessment. Results and annual affirmation submitted to SPRS.
  • Level 2 (Self-Assessment Path): Triennial self-assessment based on NIST SP 800-171A. Results and annual affirmation submitted to SPRS.
  • Level 2 (Certification Path): Triennial assessment conducted by an accredited C3PAO. Results submitted to DoD’s CMMC Enterprise Mission Assurance Support Service (eMASS). Annual affirmation also required.
  • Level 3: Triennial assessment conducted by DIBCAC. Requires a prerequisite Level 2 C3PAO certification. Results submitted to CMMC eMASS. Annual affirmation also required.

The Cyber AB (Accreditation Body) is the independent, non-profit organization authorized by DoD to operationalize the CMMC ecosystem. Its responsibilities include accrediting and overseeing the C3PAOs that conduct Level 2 certification assessments, training and certifying individual assessors, and maintaining the CMMC Marketplace where contractors can find authorized C3PAOs and other service providers.

A key aspect of CMMC 2.0 assessments is the limited allowance for Plans of Action & Milestones (POA&Ms). POA&Ms are not allowed for Level 1. For Levels 2 and 3, certain critical security requirements cannot be on a POA&M, and any open POA&M items must be remediated and verified through a closeout assessment within 180 days of the initial assessment.

The implementation of CMMC requirements in contracts is subject to the finalization of DFARS Case 2019-D041 and will occur in phases over several years, expected to begin in mid-to-late 2025.

Putting CUI Protection into Practice: Essential Controls

Marking CUI: Banners, Portions, Emails, and Media

Correctly marking CUI is fundamental, serving as the primary visual cue to handlers about the information’s sensitivity and any specific handling requirements. Only markings approved by the CUI EA and listed in the CUI Registry are authorized. Key marking practices include:

CUI Banner Marking: This is mandatory and must appear at the top of every page containing CUI (and optionally at the bottom). It includes the control marking (“CUI” or “CONTROLLED”), followed by “//” and any required CUI Specified category markings (prefixed with “SP-”) and/or authorized CUI Basic category markings (if agency policy requires), followed by “//” and any applicable Limited Dissemination Controls (LDCs).

Designation Indicator: Also mandatory, this identifies the agency or DoD component that designated the information as CUI. This can be achieved through letterhead, a signature block, or a specific “Controlled by:” line, ideally including contact information.

Portion Marking: While optional for unclassified documents unless required by agency policy, portion marking is encouraged to clearly identify specific CUI sections. If used, it must be applied consistently to all portions (paragraphs, bullets, images, etc.) using parentheses at the beginning of the portion, e.g., (CUI), (CUI//SP-EXPORT CONTROL), (CUI//FEDCON), or (U) for unclassified portions.

Email: Emails transmitting CUI must include the CUI banner marking, often placed at the beginning of the email body or potentially indicated in the subject line. Portion marking can be used within the email text. Emails must be transmitted using approved encrypted methods when sent outside secure networks.

Physical Media: Items like USB drives, hard drives, CDs, and DVDs containing CUI must be physically marked. Standard Forms SF 902 (standard label) and SF 903 (USB-sized label) are available from GSA. At a minimum, the label should include the CUI control marking and the designating agency.

Packages: CUI markings must not appear on the exterior of packages or envelopes used for mailing or shipping. Packages should be addressed to a specific individual and use trackable delivery methods where feasible.
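The banner and portion marking rules above lend themselves to an automated check before a document leaves a controlled environment. The following Python is an added example, not code from GovFacts, NARA/ISOO or DoD: it parses a marking into its control, category and LDC segments, flags structural errors, checks that every portion of a document carries a marking as the portion-marking rule requires, and rolls the portion markings up into the banner the document should carry. It assumes that several categories or LDCs inside one segment are separated by a single “/”, that a two-segment banner whose second segment contains only LDC abbreviations (such as CUI//NOFORN) is read as control plus LDCs, and it uses a small illustrative LDC list in which only FEDCON comes from this page; the sample paragraphs are constructed.

```python
import re
from dataclasses import dataclass, field

CONTROL_MARKINGS = {"CUI", "CONTROLLED"}
# Illustrative LDC abbreviations: FEDCON appears on the page, the rest are assumed.
KNOWN_LDCS = {"FEDCON", "NOFORN", "FED ONLY", "NOCON", "DL ONLY"}
# Category and LDC abbreviations are upper-case tokens (letters, digits, spaces, hyphens).
TOKEN = re.compile(r"^[A-Z][A-Z0-9 -]*$")
# A portion marking is a parenthesised marking at the start of a paragraph.
PORTION = re.compile(r"^\((U|CUI|CONTROLLED)(//[^)]*)?\)(?:\s|$)")


@dataclass
class Marking:
    control: str
    specified: list[str] = field(default_factory=list)   # SP- prefixed categories
    basic: list[str] = field(default_factory=list)       # CUI Basic categories
    ldcs: list[str] = field(default_factory=list)        # limited dissemination controls
    errors: list[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors


def _split(segment: str) -> list[str]:
    """Split one '//' segment into its '/'-separated items (assumed separator)."""
    return [t.strip() for t in segment.split("/") if t.strip()]


def parse_marking(text: str) -> Marking:
    """Parse a banner ('CUI//SP-EXPORT CONTROL//NOFORN') or portion ('(CUI//FEDCON)') marking."""
    raw = text.strip()
    if raw.startswith("(") and raw.endswith(")"):
        raw = raw[1:-1].strip()
    segments = raw.split("//")
    m = Marking(control=segments[0].strip())
    if m.control == "U":                       # unclassified portion: nothing else allowed
        if len(segments) > 1:
            m.errors.append("(U) portions carry no category or LDC segment")
        return m
    if m.control not in CONTROL_MARKINGS:
        m.errors.append(f"unknown control marking {m.control!r}")
    if len(segments) > 3:
        m.errors.append("too many '//' separated segments")
    cats, ldcs = [], []
    if len(segments) == 2:
        items = _split(segments[1])
        if items and all(i in KNOWN_LDCS for i in items):
            ldcs = items                       # assumed CUI//LDC form, no category required
        else:
            cats = items
    elif len(segments) >= 3:
        cats, ldcs = _split(segments[1]), _split(segments[2])
        if not cats:
            m.errors.append("empty category segment; use the CUI//LDC form instead")
    if len(segments) == 2 and not cats and not ldcs:
        m.errors.append("empty segment after '//'")
    for c in cats:
        if not TOKEN.match(c):
            m.errors.append(f"malformed category token {c!r}")
        elif c.startswith("SP-"):
            m.specified.append(c)
        else:
            m.basic.append(c)
    for ldc in ldcs:
        if ldc in KNOWN_LDCS:
            m.ldcs.append(ldc)
        else:
            m.errors.append(f"unknown limited dissemination control {ldc!r}")
    return m


def check_portions(paragraphs: list[str]) -> tuple[list[Marking], list[int]]:
    """Return the marking of each marked paragraph and the indexes of paragraphs lacking one."""
    markings, unmarked = [], []
    for i, p in enumerate(paragraphs):
        hit = PORTION.match(p)
        if hit is None:
            unmarked.append(i)
        else:
            markings.append(parse_marking(p[:hit.end()].strip()))
    return markings, unmarked


def banner_from_portions(markings: list[Marking]) -> str:
    """Roll portion markings up into the banner: every category and LDC present in any
    CUI portion appears in the banner; a document with only (U) portions gets 'U'."""
    cui = [m for m in markings if m.control in CONTROL_MARKINGS]
    if not cui:
        return "U"
    cats = sorted({c for m in cui for c in m.specified}) + sorted({c for m in cui for c in m.basic})
    ldcs = sorted({l for m in cui for l in m.ldcs})
    parts = ["CUI"]
    if cats:
        parts.append("/".join(cats))
    if ldcs:
        parts.append("/".join(ldcs))
    return "//".join(parts)


# Constructed sample document: three marked portions and one the check should flag.
SAMPLE_PORTIONS = [
    "(U) This paragraph contains no controlled information.",
    "(CUI//SP-EXPORT CONTROL) Technical data subject to export control.",
    "(CUI//FEDCON) Contract pricing details.",
    "An unmarked paragraph that the consistency check should flag.",
]

if __name__ == "__main__":
    found, missing = check_portions(SAMPLE_PORTIONS)
    print("unmarked paragraphs:", missing)
    print("required banner:", banner_from_portions(found))
```

The roll-up step is the part worth automating: a reviewer adding a portion with a new Specified category or LDC will otherwise leave the page banner understating the handling requirements.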

Controlling Access: Least Privilege and User Authentication

Ensuring only authorized individuals access CUI for appropriate reasons is critical. Key principles and controls include:

Lawful Government Purpose (LGP): Access to and dissemination of CUI is based on LGP, meaning the access must be related to a recognized government mission, activity, or function. This standard replaces the more ambiguous “need-to-know” concept for CUI. Unauthorized individuals should not be able to access or overhear CUI.

Least Privilege: Users should be granted only the minimum permissions necessary to perform their assigned job functions. This minimizes the potential impact if an account is compromised or misused.

Identification and Authentication (IA): Systems must uniquely identify and authenticate users (or processes acting on their behalf) before granting access. This typically involves unique usernames and strong passwords or other authentication methods.

Multi-Factor Authentication (MFA): NIST SP 800-171 mandates MFA for both local and network access to accounts with privileged access and for network access to non-privileged accounts. This significantly enhances security beyond passwords alone.

Access Control Mechanisms (AC): Systems must enforce assigned authorizations, controlling who can access what information and perform which actions (e.g., read, write, delete). This often involves Role-Based Access Control (RBAC).

Session Management: Controls like session termination after inactivity, session locks, and monitoring help prevent unauthorized access via unattended workstations.

Remote and Wireless Access: Access via remote connections or wireless networks must be controlled and secured, typically using encryption and strong authentication.
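The least-privilege, MFA and session-management points above combine into a single access decision that a CUI system has to make on every request. The Python below is an added example, not DoD or NIST code and not a product implementation: it encodes a small role-based permission table, applies the MFA rule exactly as the page states it (privileged accounts always, non-privileged accounts for network access), locks sessions after inactivity, and records each decision as an audit event. The roles, permissions, user names and the 15-minute inactivity limit are assumed values chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role table: each role gets only the actions its job function needs.
ROLE_PERMISSIONS = {
    "engineer": {"read"},
    "contracts": {"read", "write"},
    "sysadmin": {"read", "write", "delete", "admin"},
}
PRIVILEGED_ROLES = {"sysadmin"}
INACTIVITY_LOCK = timedelta(minutes=15)   # assumed organization-defined value


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool
    network: bool            # True for network access, False for local (console) access
    last_activity: datetime


def mfa_required(role: str, network: bool) -> bool:
    """MFA rule as stated on the page: required for privileged accounts (local and
    network access) and for network access to non-privileged accounts."""
    return role in PRIVILEGED_ROLES or network


def authorize(session: Session, action: str, now: datetime) -> tuple[bool, str]:
    """Decide whether this session may perform the action, with the reason for the decision."""
    if session.role not in ROLE_PERMISSIONS:
        return False, "unknown role"
    if now - session.last_activity > INACTIVITY_LOCK:
        return False, "session locked after inactivity"
    if mfa_required(session.role, session.network) and not session.mfa_verified:
        return False, "MFA required"
    if action not in ROLE_PERMISSIONS[session.role]:
        return False, f"role {session.role!r} is not permitted to {action!r}"
    return True, "allowed"


def audit_event(session: Session, action: str, now: datetime) -> dict:
    """Evaluate the request and return the record an audit log (AU family) would keep."""
    allowed, reason = authorize(session, action, now)
    return {
        "time": now.isoformat(),
        "user": session.user,
        "role": session.role,
        "action": action,
        "network": session.network,
        "mfa": session.mfa_verified,
        "allowed": allowed,
        "reason": reason,
    }


if __name__ == "__main__":
    now = datetime(2025, 1, 15, 9, 0)          # constructed timestamp
    recent = now - timedelta(minutes=2)
    for s, act in [
        (Session("alice", "engineer", False, False, recent), "read"),
        (Session("alice", "engineer", False, True, recent), "read"),
        (Session("bob", "sysadmin", False, False, recent), "admin"),
        (Session("carol", "contracts", True, True, recent), "delete"),
    ]:
        print(audit_event(s, act, now))
```

The point of separating mfa_required from authorize is that the MFA matrix (privileged versus non-privileged, local versus network) is the part assessors examine under the IA family, so keeping it as one small, testable function makes the evidence for that requirement easy to produce.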

Securing Physical Environments and Media

Protecting CUI extends beyond digital controls to the physical environment and media.

Controlled Environments: CUI must be handled and stored within “controlled environments” that have adequate physical or procedural controls (e.g., locked doors, access control systems, supervised areas) to prevent unauthorized access or observation.

Protection Outside Controlled Environments: When CUI is removed from a controlled environment, the authorized holder must maintain direct physical control or secure it within a locked container, drawer, cabinet, or room. Reasonable precautions must be taken to prevent unauthorized viewing or hearing of CUI.

Physical Access Control (PE): NIST SP 800-171 requires limiting physical access to organizational systems, equipment, and operating environments to authorized individuals only. This includes visitor controls and monitoring physical access.

Media Protection (MP): This involves safeguarding both paper documents and digital media (hard drives, USBs, CDs, tapes, mobile devices) containing CUI. Controls cover secure storage, limiting access to media, controlling transport outside secure areas, and marking physical media.

Media Destruction: A critical aspect is the secure destruction of CUI media when no longer needed, in accordance with approved records retention schedules. Destruction methods must render the CUI unreadable, indecipherable, and irrecoverable. NIST SP 800-88 provides guidance on appropriate sanitization and destruction techniques (e.g., shredding, pulverizing, degaussing, cryptographic erasure).
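Of the destruction methods listed, cryptographic erasure is the one that is easy to misunderstand: the data on the media is never overwritten; it was encrypted from the first write, and sanitization consists of destroying the key so the ciphertext becomes irrecoverable, followed by a verification step. The following is an added illustration, not code from GovFacts or from NIST SP 800-88; the keystream built from HMAC-SHA256 is a constructed stand-in so the example runs with the Python standard library, where a real self-encrypting device would use FIPS-validated AES.

```python
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a constructed stand-in for a real block
    cipher, used only so the example is self-contained."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedVolume:
    """Models a self-encrypting store: every write is encrypted under a
    per-volume data encryption key (DEK) before it reaches the media."""

    def __init__(self):
        self.dek = bytearray(os.urandom(32))   # mutable so it can be zeroized
        self.blobs = {}                        # name -> (nonce, ciphertext), the "media"

    def write(self, name, plaintext):
        if self.dek is None:
            raise RuntimeError("volume sanitized: key destroyed")
        nonce = os.urandom(16)
        self.blobs[name] = (nonce, xor_bytes(plaintext, keystream(self.dek, nonce, len(plaintext))))

    def read(self, name):
        if self.dek is None:
            raise RuntimeError("volume sanitized: key destroyed")
        nonce, ciphertext = self.blobs[name]
        return xor_bytes(ciphertext, keystream(self.dek, nonce, len(ciphertext)))

    def crypto_erase(self):
        """Sanitize by destroying the DEK. The ciphertext stays on the media
        but nothing can turn it back into CUI."""
        for i in range(len(self.dek)):
            self.dek[i] = 0
        self.dek = None

    def verify_sanitized(self, name, original):
        """Verification step: the key is gone and what remains on the media is
        not the original content."""
        _, ciphertext = self.blobs[name]
        return self.dek is None and ciphertext != original


if __name__ == "__main__":
    doc = b"CUI sample: constructed document text"
    vol = EncryptedVolume()
    vol.write("doc", doc)
    print("readable before erase:", vol.read("doc") == doc)
    vol.crypto_erase()
    print("verified sanitized:", vol.verify_sanitized("doc", doc))
```

The practical caveat the example makes visible: cryptographic erasure only works if every copy of the key is destroyed (including backups and key escrow) and if the data was encrypted before it ever touched the media; plaintext written earlier, or a key that survives elsewhere, defeats it.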

Implementing Technical Safeguards: Encryption, Network Security, Monitoring

Robust technical controls are essential for protecting CUI within information systems. NIST SP 800-171 mandates numerous technical safeguards, falling under several families:

System and Communications Protection (SC): This includes defining and controlling system boundaries, employing encryption to protect the confidentiality of CUI during transmission, separating user functionality from system management, preventing unauthorized data transfer, and implementing network controls like firewalls and intrusion detection/prevention systems. Network segmentation and denying traffic by default are key principles.

System and Information Integrity (SI): Focuses on protecting systems from threats and ensuring data accuracy. This involves identifying and remediating software flaws (vulnerability management), providing protection against malicious code (antivirus, anti-malware), monitoring systems for security alerts and indicators of compromise, and performing regular data backups.

Audit and Accountability (AU): Requires systems to generate audit logs recording significant events (logins, file access, administrative actions), protect logs from unauthorized modification or deletion, retain logs for a defined period, and regularly review logs for suspicious activity.

Configuration Management (CM): Mandates establishing and maintaining baseline configurations for systems, tracking and controlling changes to those baselines, and restricting the software that can execute on systems (e.g., using application whitelisting).

Encryption: While integrated into other families, encryption is a critical technical control. NIST SP 800-171 requires protecting the confidentiality of CUI in transit and often necessitates encryption for CUI at rest on storage media, laptops, and mobile devices. FIPS-validated cryptography should be used where required by federal policy or contract.
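The Audit and Accountability family asks for two things that are worth seeing in code: protecting logs from undetected modification or deletion, and actually reviewing them for suspicious activity. The following is an added example, not code from GovFacts or from NIST SP 800-171; the audit events, the five-failure threshold, and the 06:00 to 20:00 business-hours window are constructed assumptions. Each record is hash-chained to its predecessor, so editing or removing any record breaks verification from that point on, and a small review pass flags repeated login failures, deletions of CUI objects, and after-hours CUI access.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64   # stands in for the hash of the record before the first one

# Constructed sample audit events; not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:02:11Z", "user": "jdoe", "event": "login", "result": "success", "src": "10.0.5.12"},
    {"ts": "2024-05-01T08:05:40Z", "user": "jdoe", "event": "file_read", "result": "success", "object": "/cui/contract_A.docx"},
    {"ts": "2024-05-01T23:41:02Z", "user": "admin", "event": "login", "result": "failure", "src": "10.0.9.7"},
    {"ts": "2024-05-01T23:41:09Z", "user": "admin", "event": "login", "result": "failure", "src": "10.0.9.7"},
    {"ts": "2024-05-01T23:41:15Z", "user": "admin", "event": "login", "result": "failure", "src": "10.0.9.7"},
    {"ts": "2024-05-01T23:41:22Z", "user": "admin", "event": "login", "result": "failure", "src": "10.0.9.7"},
    {"ts": "2024-05-01T23:41:30Z", "user": "admin", "event": "login", "result": "failure", "src": "10.0.9.7"},
    {"ts": "2024-05-01T23:47:30Z", "user": "admin", "event": "login", "result": "success", "src": "10.0.9.7"},
    {"ts": "2024-05-01T23:48:00Z", "user": "admin", "event": "file_delete", "result": "success", "object": "/cui/contract_B.docx"},
]


def _record_hash(event, prev_hash):
    """Hash of the event together with the previous record's hash (canonical JSON)."""
    payload = json.dumps({"event": event, "prev": prev_hash}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(events):
    """Append each event as a record that commits to its predecessor."""
    chain, prev = [], GENESIS
    for event in events:
        rec = {"event": dict(event), "prev": prev}
        rec["hash"] = _record_hash(rec["event"], prev)
        chain.append(rec)
        prev = rec["hash"]
    return chain


def verify_chain(chain):
    """Return -1 if intact, else the index of the first record that fails."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _record_hash(rec["event"], rec["prev"]):
            return i
        prev = rec["hash"]
    return -1


def review_events(events, failure_threshold=5, business_hours=(6, 20)):
    """Simple log review: returns (finding, subject, detail) tuples."""
    findings = []
    failures = Counter(e["src"] for e in events if e["event"] == "login" and e["result"] == "failure")
    for src, n in failures.items():
        if n >= failure_threshold:
            findings.append(("repeated_login_failures", src, n))
    start, end = business_hours
    for e in events:
        obj = e.get("object", "")
        if not obj.startswith("/cui/"):
            continue
        if e["event"] == "file_delete":
            findings.append(("cui_deletion", e["user"], obj))
        hour = int(e["ts"][11:13])
        if hour < start or hour >= end:
            findings.append(("after_hours_cui_access", e["user"], e["ts"]))
    return findings


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(chain) == -1)
    chain[8]["event"]["result"] = "failure"      # simulate tampering with the deletion record
    print("first bad record after tampering:", verify_chain(chain))
    for finding in review_events(SAMPLE_EVENTS):
        print(finding)
```

A hash chain kept on the same host only detects tampering; it does not prevent it, and an attacker with write access could rebuild the chain. The usual mitigation is to forward records to a separate log server the originating system cannot modify, and to anchor the latest hash there (or sign it) so a rewritten chain no longer matches.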

Building Awareness: Personnel Training Programs

Technology and policies alone cannot protect CUI; informed and vigilant personnel are essential.

Mandatory Training: Both 32 CFR Part 2002 and DoDI 5200.48 mandate CUI training for all personnel (government and contractor) who access, handle, or create CUI. DoD provides mandatory CUI training modules for its workforce and contractors. NARA/ISOO also provides extensive training resources on its website covering various aspects of the CUI program.

Training Content: Training must cover key aspects of the CUI program, including:

  • Recognizing and identifying CUI
  • Proper marking procedures
  • Safeguarding requirements
  • Authorized methods for accessing and disseminating CUI
  • Procedures for decontrolling CUI
  • Requirements for secure destruction
  • Procedures for identifying and reporting security incidents and unauthorized disclosures
  • Awareness of security risks associated with their activities

NIST SP 800-171 Requirements (AT): The Awareness and Training family requires organizations to ensure users are aware of security risks and adequately trained to carry out their duties securely, including training on recognizing and reporting potential insider threats.

Responding to Breaches: Incident Response Planning

Despite preventative measures, security incidents involving CUI can occur. Organizations must be prepared to respond effectively.

Incident Reporting (DFARS -7012): DoD contractors are contractually obligated under DFARS 252.204-7012 to report cyber incidents affecting covered contractor information systems or CDI to DoD (via DIBNet) within 72 hours of discovery.

Incident Reporting (CUI Program): 32 CFR Part 2002 requires agencies to establish procedures for reporting and investigating potential misuse (unauthorized disclosure, improper marking, etc.). Personnel must report suspected or actual CUI incidents through established agency channels.

NIST SP 800-171 Requirements (IR): The Incident Response family mandates establishing an operational incident handling capability. This includes developing and testing an incident response plan that covers preparation, detection and analysis, containment, eradication, and recovery. It also requires tracking, documenting, and reporting incidents according to defined procedures.

Incident Response Plan Content: A comprehensive plan should outline roles and responsibilities, incident detection methods, analysis procedures, containment strategies, eradication steps, recovery processes, post-incident analysis, and reporting requirements (internal and external, e.g., to DoD). Regular testing (e.g., tabletop exercises) is crucial to ensure the plan’s effectiveness.

Common Challenges and Best Practices

Identifying Common Implementation Hurdles

Organizations frequently encounter difficulties in several key areas:

Understanding Requirements: The complexity of the CUI framework, including navigating E.O. 13556, 32 CFR Part 2002, DoDI 5200.48, multiple DFARS clauses, NIST SP 800-171, and the CMMC program, can be overwhelming. Correctly identifying all applicable CUI within the organization and determining the specific requirements can be challenging.

Resource Constraints (Cost and Personnel): Implementing the required technical controls, developing policies and procedures, conducting training, and undergoing assessments requires significant financial investment and skilled cybersecurity personnel. This burden is particularly acute for small and medium-sized businesses, which often lack dedicated IT/security staff and budgets comparable to larger enterprises.

Technical Complexity: Implementing and managing the controls in NIST SP 800-171 involves sophisticated technical configurations related to access control, network segmentation, encryption, logging, vulnerability management, etc. Specific controls, such as flaw remediation, configuration management, and certain media protection controls, have proven particularly difficult for many organizations to implement effectively.

Supply Chain Management: CUI and cybersecurity requirements must often be flowed down to subcontractors. Prime contractors are responsible for ensuring their subcontractors comply, but gaining visibility into and managing the security posture of numerous suppliers can be extremely challenging.

Documentation (SSP and POA&M): Developing and maintaining a comprehensive System Security Plan (SSP) detailing how each NIST SP 800-171 requirement is met, and a Plan of Action and Milestones (POA&M) for addressing unimplemented requirements, is mandatory but often challenging. Keeping these documents accurate and up-to-date requires ongoing effort.

Assessment Readiness and Availability: Preparing for and undergoing assessments requires significant preparation, evidence collection, and coordination. The potential shortage of C3PAOs and the associated costs pose a significant hurdle for meeting CMMC certification deadlines.

Marking Consistency: Ensuring all CUI is correctly and consistently marked according to the detailed rules in the NARA Marking Handbook remains a practical challenge due to the complexity and need for user training and diligence.

Best Practices and Recommended Solutions

Organizations can adopt several best practices to navigate CUI compliance more effectively:

Start with Scoping and Gap Analysis: Clearly define the scope of the CUI environment – identify where CUI is stored, processed, and transmitted, including systems, applications, personnel, and facilities. Conduct a thorough gap analysis against the required standard to understand the current posture and identify specific deficiencies.

Develop a System Security Plan (SSP) and Plan of Action & Milestones (POA&M): Document how each NIST SP 800-171 requirement is met (or planned to be met) in the SSP. Use the POA&M to track remediation efforts for identified gaps, including timelines, resources, and milestones.

Prioritize Implementation: Focus remediation efforts based on the gap analysis and risk assessment, addressing the most critical vulnerabilities first. Leverage the DoD assessment methodology’s scoring system to understand the impact of specific gaps.

Leverage Technology and Automation: Utilize compliance management platforms and security tools to automate control implementation, monitoring, evidence collection, and reporting where possible.

Adopt a Phased Approach: Break down the implementation into manageable phases, especially for small and medium businesses. Focus on foundational controls first and incrementally build maturity.

Seek External Expertise: Organizations lacking internal cybersecurity or compliance expertise should consider engaging external partners, such as Registered Provider Organizations (RPOs), C3PAOs (for pre-assessments or certification), or Managed Security Service Providers (MSSPs) specializing in NIST/CMMC compliance.

Focus on Training and Awareness: Implement regular, role-based CUI and cybersecurity awareness training for all employees to foster a security-conscious culture and ensure understanding of policies and procedures.

Implement Strong Governance and Documentation: Establish clear policies, procedures, and responsibilities for CUI handling. Maintain thorough documentation of control implementation, assessments, and incidents, as this is crucial evidence for audits and certifications.

Proactive Supply Chain Risk Management: Develop processes to assess and manage the cybersecurity posture of subcontractors and suppliers handling CUI. Ensure flow-down clauses are included in subcontracts and verify subcontractor SPRS scores or CMMC certifications as required.

Stay Informed: Regularly monitor official sources for updates to regulations, standards, and program guidance.

Authoritative Resources and Further Information

National Archives and Records Administration (NARA) CUI Program

Department of Defense (DoD) CUI Program

NIST Computer Security Resource Center (CSRC)

DoD Cybersecurity Maturity Model Certification (CMMC)

Defense Counterintelligence and Security Agency (DCSA)

The Cyber AB

Other DoD Resources
