What Is CUI? A Defense Contractor's Guide
If you work in the defense supply chain, “CUI” is one of the most important terms to understand. It is also one of the most misunderstood.
Some contractors assume CUI means classified information. It does not. Others assume they do not handle CUI because they are “just a subcontractor” or “just making parts.” That is how companies underestimate scope and budget for Level 1 when they really need Level 2.
Here is the plain-English version of what CUI is, what usually counts, and what to do if it touches your systems.
What CUI Actually Means
CUI stands for Controlled Unclassified Information. It is sensitive information that is not classified, but still requires safeguarding under federal law, regulation, or government-wide policy.
For defense contractors, CUI is the category of data that usually triggers CMMC Level 2.
That matters because Level 2 is a different world from Level 1. Level 1 applies to contractors handling only Federal Contract Information (FCI). Level 2 applies when your systems process, store, or transmit CUI and requires the 110 security requirements in NIST SP 800-171 Rev. 2.
If you need the quick comparison, start with CMMC Level 1 vs Level 2. If you want to figure out which level likely applies to your business, use the level checker.
What Usually Counts as CUI in Defense Work
In practice, many defense contractors first encounter CUI through technical work. Common examples include:
- engineering drawings
- technical specifications
- CAD files and design data
- test reports
- source code developed for DoD work
- manufacturing instructions tied to military applications
- export-controlled technical information
- documents marked CUI by the government or a prime contractor
A related term you will see in DFARS is Covered Defense Information (CDI). Under DFARS 252.204-7012, CDI is unclassified controlled technical information, or other information described in the CUI Registry, that is either marked and provided to you by or on behalf of DoD under the contract, or that you create, receive, transmit, or store in performing the contract. In real life, if you are handling controlled technical information for a defense program, you should assume you are in CUI territory until proven otherwise.
The authoritative source for categories is the NARA CUI Registry. For most contractors, the practical question is simpler: Would this data create a real problem if it were exposed, and has the government or prime treated it as controlled?
What CUI Is Not
CUI is not classified information.
It is also not every piece of information connected to a contract. Basic operational data like routine schedules, invoices, and contract administration records may be FCI, not CUI. That distinction matters because FCI usually points to Level 1, while CUI usually points to Level 2.
This is where contractors get into trouble. They know they are not handling classified material, so they assume the harder cybersecurity rules do not apply. That is the wrong test. CMMC is not built around classified vs. unclassified. It is built around FCI vs. CUI.
If your team receives controlled drawings, works from technical specs, or stores CUI-marked files in email, SharePoint, local drives, or vendor portals, that information can pull systems and users into scope.
How CUI Triggers CMMC Level 2
Once your organization processes, stores, or transmits CUI for a DoD contract, the compliance requirement usually moves beyond Level 1.
That means your environment may need:
- the 110 NIST SP 800-171 Rev. 2 requirements
- a current System Security Plan (SSP)
- documented policies and procedures
- asset inventories and network diagrams
- annual affirmations in SPRS
- for many contracts, a Level 2 certification assessment by a C3PAO rather than the Level 2 self-assessment path (a self-assessment every three years with an annual affirmation)
The specific contract clauses matter. The most important ones are DFARS 252.204-7012 (safeguarding CDI and cyber incident reporting), 252.204-7019 and 252.204-7020 (the NIST SP 800-171 DoD Assessment requirements, including posting a score in SPRS), and 252.204-7021 (the CMMC level requirement). These clauses flow down to subcontractors, so if they appear in your contract or subcontract, do not treat CUI as a side issue. It is central to your compliance obligation.
If you are still at the “does this apply to us?” stage, the fastest starting point is the CMMC applicability quiz or the readiness assessment.
The Most Common Ways Contractors Miss CUI
Most companies do not miss CUI because the rule is hidden. They miss it because the data flows through ordinary business tools.
A few common examples:
- A machine shop receives controlled drawings by email from a prime and saves them to a shared drive.
- An engineering subcontractor accesses CUI through a customer portal but downloads working copies to employee laptops.
- A program manager forwards CUI-marked attachments through commercial email accounts.
- A mixed environment stores controlled files in the same systems the rest of the company uses for ordinary work.
This is why scoping comes first. Before you talk about audits, assessors, or migration plans, you need to know where CUI lives, who touches it, and which systems are in the path.
For many small contractors, the smartest move is not certifying the whole company. It is using an enclave strategy to isolate CUI into a smaller, controlled environment. Keep in mind that anything that provides a service to the enclave, such as the identity provider, backups, monitoring, and any MSP with administrative access, comes into scope along with it.
What To Do If You Think You Handle CUI
Do not start by buying tools.
Start by answering four questions:
- What exact data are we receiving, creating, or sending?
- Is any of it marked CUI, CDI, or controlled technical information?
- Which people, devices, apps, and vendors touch that data?
- What do our contract clauses actually require?
That gives you the outline of your scope.
From there, the right next step is usually a scoping and gap assessment, not a rushed purchase. Many contractors waste money because they treat CMMC like a software problem when the first problem is really a boundary problem.
If you want a quick answer before you engage a consultant, use the free CMMC assessment. It is designed to help you identify whether you are likely dealing with Level 1 or Level 2 conditions.
FAQ
Is CUI the same as classified information?
No. CUI is unclassified information that still requires safeguarding. That is why it sits in a separate category from classified material, but still drives contractual cybersecurity obligations.
Does every defense contractor handle CUI?
No. Some contractors handle only FCI and fall under Level 1. Others handle CUI and need Level 2. The dividing line is the data, not company size or whether you are a prime or subcontractor. See Do I Need CMMC? for the decision path.
If a prime sends us drawings, does that count as CUI?
Often, yes. Technical drawings and specifications are among the most common forms of CUI in defense manufacturing and engineering work. You should confirm with the prime, but you should not assume those files are out of scope just because they arrived by email.
Where should we look first if we think CUI is in our environment?
Look at email, file shares, SharePoint or cloud storage, engineering systems, endpoints, and any portal where employees download or upload controlled files. Then map the users and vendors who touch those systems.
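The scoping advice above (know where CUI lives before you buy anything) and this answer (start with mail, shares, and engineering systems) both come down to a discovery pass over the places where controlled files accumulate. The script below is an added example written for this article, not a tool from CMMC or NIST guidance. It walks a directory tree, flags text files that carry CUI-style marking strings, and separately lists binary engineering files it cannot read but that a human must review. The banner forms (`CUI`, `CUI//SP-CTI`, `CUI//SP-CTI/NOFORN`) follow the CUI Registry marking conventions; the legacy markings, the file-suffix lists, and the sample share built in `demo()` are assumptions constructed for the example.

```python
"""Heuristic discovery of CUI-style markings in a file share, to help scope an environment.

Added example for this article, not a tool from CMMC or NIST guidance. It only matches
marking strings in text, so it cannot recognise unmarked CUI or binary files (CAD, PDF);
those are reported separately for manual review.
"""
import re
import tempfile
from pathlib import Path

# Marking strings to look for. "cui_banner" follows the CUI Registry banner form
# (CUI, optionally //CATEGORY and /DISSEMINATION); the others are legacy or adjacent
# markings that often travel with the same documents. Matching is case-sensitive
# because markings are always upper case; this keeps prose like "cui" from matching.
MARKING_PATTERNS = {
    "cui_banner": re.compile(r"\bCUI(?://[A-Z0-9-]+(?:/[A-Z0-9-]+)*)?\b"),
    "controlled_banner": re.compile(r"\bCONTROLLED\b"),
    "legacy_fouo": re.compile(r"\bFOR OFFICIAL USE ONLY\b|\bFOUO\b"),
    "distribution_statement": re.compile(r"\bDISTRIBUTION STATEMENT [B-F]\b"),
    "export_control": re.compile(r"\bITAR\b|\bEXPORT[ -]CONTROLLED\b"),
}

# Assumed suffix lists: text we can scan, and engineering/office formats we cannot
# read here but that commonly carry CUI and therefore need a manual look.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".eml", ".html", ".xml", ".json"}
REVIEW_SUFFIXES = {".dwg", ".dxf", ".step", ".stp", ".sldprt", ".sldasm", ".pdf", ".docx", ".xlsx"}


def scan_text(text):
    """Return (line_number, label, matched_text) tuples for every marking hit in a text blob."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in MARKING_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((lineno, label, match.group(0)))
    return hits


def scan_tree(root):
    """Walk a directory. Returns ({relative_path: hits}, [relative paths needing manual review])."""
    root = Path(root)
    findings, needs_review = {}, []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix in TEXT_SUFFIXES:
            # errors="replace" keeps a stray non-UTF-8 byte from aborting the whole scan
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[rel] = hits
        elif suffix in REVIEW_SUFFIXES:
            needs_review.append(rel)
    return findings, needs_review


def demo():
    """Build a small constructed sample share in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "eng").mkdir()
        (root / "admin").mkdir()
        # Constructed sample files: a marked engineering note, its binary CAD twin,
        # an ordinary invoice (FCI at most), and a forwarded mail with a legacy marking.
        (root / "eng" / "bracket_rev3.txt").write_text(
            "CUI//SP-CTI\nBracket assembly notes, see drawing 1234-A.\nDISTRIBUTION STATEMENT D\n"
        )
        (root / "eng" / "bracket_rev3.dwg").write_bytes(b"\x00constructed binary cad payload\x00")
        (root / "admin" / "invoice_0419.txt").write_text("Invoice 0419, net 30.\n")
        (root / "mail.eml").write_text("Subject: FW: specs\n\nAttached, FOUO per prime.\n")
        return scan_tree(root)


if __name__ == "__main__":
    found, review = demo()
    for rel, hits in found.items():
        for lineno, label, text in hits:
            print(f"{rel}:{lineno}: {label}: {text}")
    for rel in review:
        print(f"{rel}: binary/engineering file, review manually")
```

Treat the hit list as a starting point for the scoping interviews, not as the inventory itself: it finds marked text, and the most valuable CUI in a machine shop is often an unmarked CAD file whose status you only learn from the prime or the contract. Point it at exported mailboxes and synced SharePoint libraries as well as the file server, then map the users and vendors behind each hit.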
If you are trying to work out whether CUI touches your business, start with the level checker or the free readiness assessment. Those two tools will get you closer to the right answer than guessing from one clause in a contract.