What CUI Actually Is
CUI stands for Controlled Unclassified Information. That's a mouthful, so here's the short version: it's sensitive government information that doesn't rise to the level of "classified" but still can't be left sitting around unprotected.
The federal government created the CUI program in 2010 to replace a mess of overlapping labels — FOUO (For Official Use Only), Sensitive But Unclassified, Limited Distribution, and about 100 others. Too many agencies were using too many different markings, and information was falling through the cracks. CUI standardized it all into one framework.
For defense contractors specifically, CUI almost always means technical data. When a prime like Lockheed Martin or Raytheon sends you a drawing package to quote a machined component or electronic assembly, that package is CUI. The drawings, the 3D models, the material specifications, the GD&T callouts — all of it.
CUI is any information the government has identified as requiring safeguarding under law, regulation, or government-wide policy — but that's not classified. In defense contracting, it's most commonly technical data: the engineering information that describes how defense components are designed, built, and tested.
The key word there is "unclassified." You don't need a security clearance to work with CUI. You don't need a Sensitive Compartmented Information Facility (SCIF). You just need to protect it according to NIST 800-171 — 110 security controls that cover things like access control, encryption, and incident response. That's what CMMC is built around.
Why the Government Cares So Much
Defense adversaries — China, Russia, North Korea, Iran — aren't just trying to steal classified secrets. They're specifically targeting the unclassified technical data that sits in contractor systems. A classified weapons design might be locked up tight. But the manufacturing specs for a component? Those are sitting on a file server at a 15-person machine shop in Ohio with no encryption and no multi-factor authentication.
The DFARS 252.204-7012 clause — which has been in DoD contracts since 2016 — required contractors to protect CUI and report incidents. But it relied on contractors to self-attest compliance. CMMC adds third-party verification because self-attestation wasn't working. Too many contractors were signing their names to compliance they didn't actually have.
What Counts as CUI — Real Examples
This is where it gets practical. You're not going to receive a document stamped "THIS IS CUI" in big red letters every time. You need to know what to look for.
These are the most common types of CUI that small defense contractors encounter:
- Engineering drawings and blueprints — Any print that describes the form, fit, or function of a defense component. Includes 2D orthographic drawings, redlines, and annotated PDFs.
- CAD files — .STEP and .IGES exchange files, SolidWorks native files (.SLDPRT/.SLDASM), CATIA and Pro/E files, and any other 3D models derived from controlled drawings.
- Specifications and standards — Military specs (MIL-SPEC), material specifications, process specifications, surface treatment requirements.
- Technical Data Packages (TDPs) — The full set of documents a prime sends you to manufacture a part. Usually includes drawings, specs, acceptance criteria, and packing instructions.
- Test data and results — First article inspection reports, environmental test results, performance test data, qualification records.
- Material certifications — Certs that trace materials to specific controlled parts can be CUI, especially if they reference controlled part numbers or drawing revisions.
- Contract line item numbers (CLINs) with technical descriptions — Purchase orders that describe what's being made in enough technical detail to be useful to an adversary.
- G-code derived from controlled drawings — CNC programs that were created from controlled drawings inherit that CUI status. Your CAM output is CUI.
The G-code that runs your Haas mill is CUI if it was generated from a controlled drawing. Most shops don't realize this until a C3PAO assessor asks where their machine programs are stored.
What's NOT CUI
Not everything on a DoD job is controlled. These typically aren't CUI:
- Commercial off-the-shelf parts specifications (if the item isn't defense-specific)
- Publicly available technical standards (ASME, ASTM, SAE specs sold commercially)
- General business correspondence about schedules, pricing, or non-technical matters
- Your own company's internal processes that don't incorporate controlled data
The practical test: if an adversary could use the document to understand how a defense system is built, it's probably CUI. If it's basic business communication, it's probably not.
Our free readiness assessment asks about the types of technical data you receive and helps you identify your CUI boundary. Takes 2 minutes.
FCI vs. CUI — The Distinction That Determines Your CMMC Level
This is the single most important distinction in CMMC. Whether you handle FCI or CUI determines whether you need Level 1 or Level 2. The difference in cost and complexity between those two levels is enormous — we're talking $5,000–$15,000 vs. $50,000–$200,000+.
| | FCI (Federal Contract Information) | CUI (Controlled Unclassified Information) |
|---|---|---|
| What it is | Basic information generated under a federal contract — purchase orders, invoices, delivery schedules, basic contract terms | Sensitive technical data — drawings, specs, test results, export-controlled information |
| CMMC Level Required | Level 1 (Annual self-attestation) | Level 2 (Third-party C3PAO assessment) |
| Number of Controls | 17 basic practices | 110 controls from NIST 800-171 |
| Typical Cost | $5,000–$15,000 | $50,000–$200,000+ |
| Who Does It Apply To | Contractors who provide services without receiving technical data | Manufacturers, engineers, R&D contractors who work with design data |
Almost every contractor who manufactures defense components handles CUI. If you receive engineering drawings or specs from a prime, you're in Level 2 territory. There's no gray area here — it's determined by the type of information you receive, not how much of it or how often.
How to Identify CUI in Documents You Receive
The good news: marked CUI is usually pretty obvious. The bad news: not all CUI is marked. You need to know how to identify it both ways.
When It's Marked
Properly marked CUI documents will show one or more of these:
- The word "CUI" in the header or footer — Often appearing in all caps: "CUI" or "CUI // CONTROLLED TECHNICAL INFORMATION"
- Distribution statements — Phrases like "DISTRIBUTION STATEMENT D: Distribution authorized to DoD and U.S. DoD contractors only" or "DISTRIBUTION STATEMENT B: Distribution authorized to U.S. Government agencies only"
- "Export Controlled" or "ITAR" markings — International Traffic in Arms Regulations data is a subcategory of CUI with extra handling requirements
- DFARS clause references — Some documents reference the contract clause that governs them
When It's Not Marked (But Still CUI)
Here's where it gets tricky. Older drawings, legacy documents, and some prime contractor deliverables might not be properly marked — but they're still CUI. If your contract includes DFARS 252.204-7012 (and almost all DoD contracts do), you're required to treat covered defense information as CUI regardless of whether it's marked.
The practical rule: if a document came from a prime contractor and describes how a defense component is made, treat it as CUI until you've confirmed otherwise in writing.
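Both rules above (the markers to look for, and the "unmarked but from a prime" default) can be turned into a first-pass triage script for a received package. The following is an added example, not code from the original page or from any vendor's tooling. It searches each file's text for the markers the page lists (a "CUI" banner, a distribution statement, Export Controlled / ITAR wording, a DFARS 252.204-7012 reference), uses the CAD and drawing extensions the page names to recognize technical data, and applies the page's rule that an unmarked technical file from a prime is treated as CUI until cleared in writing. The file list, the `from_prime` flag and the extension set are constructed assumptions for the example; a real scan would populate them from your inbound-package folders and vendor records.

```python
"""First-pass CUI triage over a received file package (added example).

Classifies each file as marked_cui, treat_as_cui, review, or not_cui
using the markers and file types described on the page. The sample
files at the bottom are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Marker patterns from the "When It's Marked" list. The CUI banner check is
# case-sensitive on purpose so ordinary prose is not flagged by accident.
MARKER_PATTERNS = {
    "cui_banner": re.compile(r"\bCUI\b"),
    "distribution_statement": re.compile(r"DISTRIBUTION STATEMENT [A-F]\b", re.IGNORECASE),
    "export_controlled": re.compile(r"\b(?:export[- ]controlled|ITAR)\b", re.IGNORECASE),
    "dfars_7012": re.compile(r"252\.204-7012"),
}

# File types that carry technical data (assumed set built from the page's
# CAD, drawing and CNC-program examples).
TECHNICAL_EXTENSIONS = {
    ".step", ".stp", ".iges", ".igs", ".sldprt", ".sldasm", ".catpart",
    ".prt", ".dwg", ".dxf", ".nc", ".gcode", ".pdf",
}


@dataclass
class Finding:
    path: str
    verdict: str               # marked_cui | treat_as_cui | review | not_cui
    reasons: list = field(default_factory=list)


def _extension(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def classify(path: str, text: str, from_prime: bool) -> Finding:
    """Apply the marked rule first, then the unmarked-from-prime rule."""
    hits = [name for name, pattern in MARKER_PATTERNS.items() if pattern.search(text)]
    if hits:
        return Finding(path, "marked_cui", hits)
    technical = _extension(path) in TECHNICAL_EXTENSIONS
    if technical and from_prime:
        return Finding(path, "treat_as_cui",
                       ["unmarked technical file from a prime; treat as CUI until cleared in writing"])
    if technical:
        # Lineage cannot be read from file content: in-house CAM output or
        # drawings are CUI only if derived from controlled data, so a person
        # has to check where they came from.
        return Finding(path, "review",
                       ["technical file generated in-house; CUI if derived from controlled drawings"])
    return Finding(path, "not_cui", ["no CUI markers and not a technical data file"])


def scan(files):
    """files: iterable of (path, extracted_text, from_prime) triples."""
    return [classify(path, text, from_prime) for path, text, from_prime in files]


def summarize(findings):
    counts = {}
    for finding in findings:
        counts[finding.verdict] = counts.get(finding.verdict, 0) + 1
    return counts


# Constructed sample package: (path, text extracted from the file, came from a prime?)
SAMPLE_FILES = [
    ("tdp/bracket_rev_c.pdf",
     "CUI // CONTROLLED TECHNICAL INFORMATION\nDISTRIBUTION STATEMENT D: Distribution authorized "
     "to DoD and U.S. DoD contractors only", True),
    ("tdp/material_spec.pdf", "Export Controlled - ITAR. Do not release to foreign nationals.", True),
    ("tdp/bracket_rev_c.sldprt", "", True),                       # binary CAD, no text, from prime
    ("email/delivery_schedule.txt", "Delivery moved to 14 March. Invoice #1182 attached.", True),
    ("cam/bracket_op10.nc", "G90 G54 G0 X0 Y0\nM30", False),       # CAM output generated in-house
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(f"{finding.verdict:13} {finding.path}  ({'; '.join(finding.reasons)})")
    print(summarize(scan(SAMPLE_FILES)))
```

The `review` bucket is the important one for the G-code point made earlier on the page: a scanner cannot see that a CNC program was generated from a controlled drawing, so in-house technical files need a human lineage check rather than an automatic "not CUI" verdict.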
CUI Categories Most Relevant to Small Contractors
CUI isn't just one thing — it's organized into categories and subcategories. You don't need to memorize all 125+ categories, but you should know the ones you're most likely to encounter.
Controlled Technical Information (CTI)
The category that covers most defense manufacturing data. Engineering drawings, technical specifications, test plans, manufacturing process specs. If you make parts for defense, this is your category.
Export Controlled (ITAR / EAR)
International Traffic in Arms Regulations data. Covers items on the U.S. Munitions List. Cannot be shared with foreign nationals without an export license. Carries additional compliance requirements beyond standard CUI.
Procurement and Acquisition
Source selection information, bid evaluations, contractor proposals. Relevant if you're involved in acquisition support or submitting proposals that contain sensitive pricing or technical approaches.
Naval Nuclear Propulsion Information
Applies specifically to contractors supporting naval nuclear programs. Has additional handling requirements. If you work on submarine or carrier programs, this may apply to you.
What Happens If You Mishandle CUI
This section isn't meant to scare you. It's meant to make sure you understand the actual stakes, because they're serious.
Mishandling CUI can trigger several consequences depending on the severity:
- Mandatory incident reporting — DFARS 252.204-7012 requires you to report a CUI breach to the DoD within 72 hours. You also have to preserve images of the affected systems for 90 days. This is the minimum response even for minor incidents.
- Contract termination for default — A material failure to protect CUI can be grounds for the government to terminate your contract for default rather than convenience. Termination for default has serious downstream consequences for future contract eligibility.
- Debarment — Repeated or egregious failures to protect CUI can result in suspension or debarment from federal contracting, potentially permanently.
- False Claims Act liability — If you self-attested to CMMC compliance you didn't actually have and a breach occurs, DOJ can pursue civil penalties of $13,000–$27,000 per false claim. This is not hypothetical — DOJ has already brought cases under this theory.
The most dangerous position you can be in isn't failing a CMMC assessment. It's self-attesting to compliance you don't have, having a breach, and then getting a call from the Department of Justice's Civil Division.
How CUI Determines Your CMMC Level
CMMC has three levels. Here's the simple version of what determines which one you need:
- Level 1 — You only handle FCI (basic contract information). You self-attest annually. 17 basic security practices.
- Level 2 — You handle CUI. A C3PAO does a third-party assessment. 110 controls from NIST 800-171. This is where most small manufacturers land.
- Level 3 — You handle highly sensitive CUI for DoD's most critical programs. Government-led assessment. Very few small contractors need this.
The contract clause in your prime agreement is what officially establishes your required level. Look for DFARS 252.204-7012 — if it's there, you're almost certainly handling CUI and need Level 2. Your prime should also have specified your required level in their subcontract terms by now.
If you're not sure what level you need, the fastest answer is to call your prime's compliance point of contact and ask them directly. Get it in writing. This is one of those questions where "I thought we only needed Level 1" is not an acceptable answer after the fact.
MyCMMC's Assessment-Ready Package includes your System Security Plan, policies, and evidence documentation — built around your actual environment, not a generic template. Starts at $7,500.
Frequently Asked Questions
CUI stands for Controlled Unclassified Information. It's a government-wide designation for sensitive information that isn't classified but still needs to be protected. In defense contracting, the most common types are technical data — engineering drawings, specs, CAD files, test results, and material certifications that describe how defense components are designed and built.
Classified information (Secret, Top Secret) requires a security clearance to access and is subject to strict government controls. CUI is sensitive but unclassified — you don't need a clearance to work with it, but you do need to protect it following NIST 800-171 controls. Most small defense contractors deal with CUI, not classified information.
Look for these markers: the word "CUI" in the header or footer of the document, distribution statements like "DISTRIBUTION STATEMENT D" or "Export Controlled," DFARS clause references in your contract (specifically 252.204-7012), or the phrase "Technical Data" in the document header. Many defense primes also label their drawing packages explicitly. If your contract includes DFARS 252.204-7012, assume the technical data they send you is CUI until you confirm otherwise.
FCI (Federal Contract Information) is basic information generated under a government contract — purchase orders, invoices, scheduling data. It's protected but less sensitive. CUI is a higher category that includes technical data, export-controlled information, and other sensitive content. Your CMMC level depends on which type you handle: FCI requires Level 1, CUI requires Level 2. Most contractors who work with engineering drawings are in CUI territory.
Yes. There's no "occasional CUI" exception. If you receive, process, store, or transmit CUI — even once — for a DoD contract, you need CMMC Level 2. Some contractors try to avoid this by routing CUI work through a compliant prime and not taking the files themselves, but that only works if you genuinely never receive or open the controlled data.
Mishandling CUI can mean contract termination, debarment from future contracts, civil penalties under the False Claims Act if you self-attested to compliance you didn't have, and potentially criminal liability if the breach was egregious or willful. Even an accidental breach — sending a controlled drawing to the wrong email address — triggers mandatory incident reporting under DFARS 252.204-7012 within 72 hours.
Know what CUI you have. Know what to protect.
Our free readiness assessment maps your CUI environment and tells you exactly what's in scope for your CMMC assessment.