CUI & NIST 800-171 FAQ

Plain-language answers to the questions DoD contractors and compliance officers ask most. Covering CUI marking, NIST 800-171 controls, CMMC Level 2, DFARS 252.204-7012, and the broader DoD compliance landscape.

CUI Fundamentals

What is CUI?

CUI stands for Controlled Unclassified Information. It is unclassified information that the U.S. Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that requires safeguarding or dissemination controls under federal law, regulation, or government-wide policy. CUI was established by Executive Order 13556 (2010) and is governed primarily by 32 CFR Part 2002.

For DoD contractors, CUI handling is mandated by DFARS 252.204-7012 and protected through the 110 security controls in NIST SP 800-171.

What does CUI stand for?

CUI stands for Controlled Unclassified Information. The term replaced a patchwork of legacy markings — including FOUO (For Official Use Only), SBU (Sensitive But Unclassified), and over 100 other agency-specific designations — with a single, government-wide framework administered by the Information Security Oversight Office (ISOO) at the National Archives.

What is the difference between CUI Basic and CUI Specified?

CUI Basic is information that requires safeguarding under the standard CUI rules in 32 CFR Part 2002. There are no special handling requirements beyond the baseline.

CUI Specified is information for which the underlying authorizing law, regulation, or government-wide policy specifies more restrictive safeguarding or dissemination controls than CUI Basic. Examples include export-controlled data (covered by ITAR/EAR), tax return information, and certain critical infrastructure information.

Always check the CUI Registry to determine whether a given category is Basic or Specified — Specified categories carry additional rules.

What are examples of CUI in DoD contracts?

Common examples DoD contractors handle include:

  • Controlled Technical Information (CTI) — engineering drawings, specifications, software code, technical reports
  • Export-controlled data subject to ITAR or EAR
  • Critical Infrastructure Security Information
  • Personally Identifiable Information (PII) of military personnel
  • Procurement-sensitive information (source-selection data, contractor proposals)
  • Naval Nuclear Propulsion Information (NNPI) — handled as CUI Specified
  • Operational security (OPSEC) information about installations or missions

The complete list of categories is published in the National Archives CUI Registry.

What types of CUI categories exist?

The CUI Registry organizes CUI into approximately 20 organizational index groupings — Critical Infrastructure, Defense, Export Control, Financial, Intelligence, International Agreements, Law Enforcement, Legal, Natural and Cultural Resources, NATO, Nuclear, Patent, Privacy, Procurement and Acquisition, Proprietary Business Information, Provisional, Statistical, Tax, Transportation, and Immigration. Each grouping contains specific categories and subcategories.

For DoD contractors, the most frequently encountered groupings are Defense (especially Controlled Technical Information), Export Control, Procurement and Acquisition, and Privacy.

Is PII CUI?

Some PII is CUI; not all PII is CUI. The Privacy organizational index in the CUI Registry includes specific PII categories — such as Death Records, Genetic Information, Health Information, Inspector General Protected, and others — that qualify as CUI when handled by or for the federal government. General employee or customer PII held by a private company is not automatically CUI.

If PII is collected, used, or maintained pursuant to a federal contract, check the contract terms and the CUI Registry to determine whether it is CUI.

What is the difference between FCI and CUI?

FCI (Federal Contract Information) is information not intended for public release, provided by or generated for the Government under a contract to develop or deliver a product or service. FCI is protected by the basic safeguards in FAR 52.204-21 — 15 cybersecurity practices that align with CMMC Level 1.

CUI is a more sensitive category requiring the full set of 110 controls in NIST SP 800-171. CUI is protected under DFARS 252.204-7012 and aligns with CMMC Level 2.

Most DoD contracts contain at least FCI. Contracts that require handling CUI carry significantly more rigorous compliance obligations.

What is the difference between FOUO and CUI?

FOUO (For Official Use Only) was a legacy DoD marking used for unclassified information that needed limited distribution. It was replaced by CUI as part of the government-wide standardization under Executive Order 13556.

Documents marked FOUO that were created before the CUI program took effect should be handled as CUI when they meet the criteria in the CUI Registry. New documents should not be marked FOUO — they should be evaluated for CUI status and marked accordingly.

CUI Markings & Documentation

Who is responsible for applying CUI markings and dissemination instructions?

The authorized holder who creates or possesses the information is responsible for identifying and marking CUI. Within a DoD contractor organization, this typically means the originator of a document, email, or file at the time of creation. Marking responsibility cannot be delegated to a downstream recipient — every authorized holder who creates new CUI must mark it correctly at the moment of creation.

Per 32 CFR 2002.20, markings must include the CUI banner marking and any required category, dissemination control, or limited dissemination control markings.

What is the correct banner marking for unclassified documents containing CUI?

The CUI banner marking appears at the top center of each page (and on a separate line above the body of emails) and follows this format:

CUI — at minimum, when the document contains only CUI Basic.

CUI//[Category]//[Limited Dissemination Control] — when categories or controls apply. For example: CUI//SP-CTI//NOFORN for Controlled Technical Information not releasable to foreign nationals.

Footer markings mirror the banner. Portion markings (line by line within the document) are optional for CUI Basic but required for CUI co-mingled with classified information.

Is it mandatory to include a CUI banner?

Yes. Under 32 CFR 2002.20, the CUI banner marking is required on every page of a document containing CUI, on every email containing CUI in the body, and on physical media (CDs, USB drives, etc.) that store CUI. Failure to mark CUI is a compliance violation that can trigger administrative consequences and, on DoD contracts, contractual remedies under DFARS 252.204-7012, since unmarked CUI is unlikely to be safeguarded as the clause requires.

What goes on a CUI cover sheet?

The standard CUI cover sheet (SF 901, available from the National Archives) carries the CUI designation prominently and is placed on top of any physical document containing CUI to signal its sensitivity to anyone handling it. The cover sheet protects the contents from inadvertent visual disclosure while the document is in transit or on a desk.

The cover sheet does not replace the per-page banner markings — both are required for physical CUI documents.

Which banner/footer marking is authorized for a document marked CUI?

Only the markings prescribed by 32 CFR Part 2002 and the CUI Registry are authorized. The minimum is CUI — alone for CUI Basic without category-specific requirements. When a CUI Specified category applies, the marking takes the form CUI//[Category Marking]. Limited Dissemination Controls (LDC) such as NOFORN, FED ONLY, or DL ONLY are appended after a second double-slash.

Legacy markings — FOUO, SBU, LES, "Official Use Only" — are not authorized on new documents.
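
The banner format described in the two answers above has a small grammar: the control marking CUI, an optional category segment, and an optional limited dissemination control segment, separated by double slashes, with multiple entries inside a segment separated by a single slash and CUI Specified categories carrying the SP- prefix. The following is an added example (not code from this page, the CUI Marking Handbook, or any official tool) that parses and generates banners against that grammar. The category and LDC tables are a constructed excerpt of the CUI Registry, and a real deployment would load the full Registry instead.

```python
"""Parser and formatter for CUI banner markings (added example, not from the
CUI Marking Handbook or any official tool)."""
from dataclasses import dataclass, field
import re

# Assumption: a small excerpt of CUI Registry category markings. True means
# CUI Specified (marked with the "SP-" prefix); False means CUI Basic.
# Extend this from the Registry before using it on real documents.
CATEGORY_IS_SPECIFIED = {
    "CTI": True,       # Controlled Technical Information
    "EXPT": True,      # Export Controlled
    "NNPI": True,      # Naval Nuclear Propulsion Information
    "PRVCY": False,    # Privacy
    "PROCURE": False,  # General Procurement and Acquisition
    "PROPIN": False,   # General Proprietary Business Information
}

# Assumption: the limited dissemination controls named on this page plus
# two common ones; the full list is in the CUI Registry.
KNOWN_LDCS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY"}

# Legacy markings that are not authorized on new documents.
LEGACY_MARKINGS = {"FOUO", "SBU", "LES", "OFFICIAL USE ONLY"}


@dataclass
class BannerMarking:
    categories: list = field(default_factory=list)  # e.g. ["SP-CTI", "PRVCY"]
    ldcs: list = field(default_factory=list)        # e.g. ["NOFORN"]

    @property
    def specified(self) -> bool:
        """True when any category carries the SP- prefix (CUI Specified)."""
        return any(c.startswith("SP-") for c in self.categories)


def _check_category(token: str) -> str:
    """Validate one category marking and its SP- prefix against the excerpt."""
    has_prefix = token.startswith("SP-")
    name = token[3:] if has_prefix else token
    if name not in CATEGORY_IS_SPECIFIED:
        raise ValueError(f"unknown category marking {token!r}")
    if CATEGORY_IS_SPECIFIED[name] and not has_prefix:
        raise ValueError(f"{name} is CUI Specified and must be marked SP-{name}")
    if not CATEGORY_IS_SPECIFIED[name] and has_prefix:
        raise ValueError(f"{name} is CUI Basic and must not carry the SP- prefix")
    return token


def parse_banner(text: str) -> BannerMarking:
    """Parse CUI[//categories][//LDCs]; raise ValueError on anything unauthorized."""
    banner = text.strip()
    tokens = re.split(r"/+", banner.upper())
    legacy = LEGACY_MARKINGS.intersection(tokens)
    if legacy:
        raise ValueError(f"legacy marking {sorted(legacy)} is not authorized")
    parts = banner.split("//")
    if parts[0] != "CUI":
        raise ValueError("banner must begin with the control marking 'CUI'")
    if len(parts) > 3:
        raise ValueError("banner may have at most three segments")
    marking = BannerMarking()
    segments = parts[1:]
    # A two-segment banner such as CUI//NOFORN carries only LDCs, no category.
    if len(segments) == 1 and all(t in KNOWN_LDCS for t in segments[0].split("/")):
        marking.ldcs = segments[0].split("/")
        return marking
    if segments:
        marking.categories = [_check_category(t) for t in segments[0].split("/")]
    if len(segments) == 2:
        for ldc in segments[1].split("/"):
            if ldc not in KNOWN_LDCS:
                raise ValueError(f"unknown limited dissemination control {ldc!r}")
            marking.ldcs.append(ldc)
    return marking


def format_banner(categories, ldcs=()) -> str:
    """Build the banner from Registry category names, adding SP- where required."""
    cats = []
    for name in categories:
        if name not in CATEGORY_IS_SPECIFIED:
            raise ValueError(f"unknown category {name!r}")
        cats.append(f"SP-{name}" if CATEGORY_IS_SPECIFIED[name] else name)
    for ldc in ldcs:
        if ldc not in KNOWN_LDCS:
            raise ValueError(f"unknown limited dissemination control {ldc!r}")
    segments = ["CUI"]
    if cats:
        segments.append("/".join(cats))
    if ldcs:
        segments.append("/".join(ldcs))
    return "//".join(segments)


if __name__ == "__main__":
    for banner in ("CUI", "CUI//SP-CTI//NOFORN", "CUI//NOFORN", "CUI//CTI", "FOUO"):
        try:
            print(f"{banner:24} -> {parse_banner(banner)}")
        except ValueError as err:
            print(f"{banner:24} -> REJECTED: {err}")
    print(format_banner(["CTI", "PRVCY"], ["NOFORN"]))
```

The useful checks are the ones people get wrong in practice: a Specified category written without its SP- prefix (CUI//CTI) is rejected, a Basic category with a spurious prefix is rejected, and any legacy token (FOUO, SBU, LES) anywhere in the banner is rejected outright. Generating banners with format_banner from Registry names rather than typing them by hand removes the prefix mistake at the source.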

CUI Roles & Responsibilities

Who is responsible for protecting CUI?

Every authorized holder of CUI is responsible for its protection. Inside a DoD contractor organization, this responsibility is shared:

  • Senior leadership — accountable for the organization's overall NIST 800-171 compliance posture and DFARS attestations
  • The CUI program manager / information security officer — oversees the program, training, and incident response
  • System administrators and security engineers — implement and maintain the technical controls
  • Every individual employee with CUI access — applies markings correctly, follows handling rules, and reports incidents

Liability for mishandling extends to both the organization and, in cases of willful misconduct, individual employees.

Who can decontrol CUI?

Only the originating agency — or a designated official within that agency — can decontrol CUI. A contractor cannot unilaterally decide that information is no longer CUI. If a contractor believes information should be decontrolled (for example, because it has been publicly released or the underlying sensitivity has expired), the request must be made to the contracting officer or originating agency for review.

Per 32 CFR 2002.18, decontrol determinations are documented and the markings are removed or struck through with a notation indicating the decontrol authority.

At the time of creation of CUI material, who has authority over it?

At the moment of creation, the authorized holder who creates the CUI is responsible for properly identifying it, applying the correct CUI category and any required dissemination controls, and marking the document or file accordingly. This individual is often called the originator or author.

The originator does not "own" the CUI in a property sense — the U.S. Government remains the controlling authority — but the originator carries responsibility for correct initial marking and handling.

In order to obtain access to CUI, what is required?

Access to CUI requires three conditions:

  1. A lawful government purpose — access must support a specific authorized mission, contract, or function
  2. Need-to-know — the individual must require the information to perform their duties
  3. Adherence to safeguarding requirements — including NIST 800-171 controls for systems handling CUI, mandatory training, and individual accountability

Unlike classified information, CUI does not require a security clearance. However, the system, network, and physical environment used to access CUI must meet the controls specified in NIST 800-171.

ISOO Registry & Governance

What is the ISOO CUI Registry and what is its purpose?

The ISOO CUI Registry is the official government-wide catalog of all CUI categories, maintained by the Information Security Oversight Office at the National Archives and Records Administration. Its purpose is to provide a single, authoritative source identifying:

  • Every approved CUI category and subcategory
  • The underlying law, regulation, or government-wide policy authorizing each category
  • Whether the category is CUI Basic or CUI Specified
  • Specific safeguarding and dissemination requirements
  • Approved markings for each category

The Registry is publicly available at archives.gov/cui and is the definitive reference contractors should consult when categorizing information.

What DoD instruction implements the DoD CUI program?

DoD Instruction 5200.48 — "Controlled Unclassified Information (CUI)" — implements the CUI program within the Department of Defense. Issued in March 2020 and updated periodically, DoDI 5200.48 establishes DoD policy, assigns responsibilities, and prescribes procedures for designating, marking, safeguarding, disseminating, decontrolling, and destroying CUI.

For contractors, the operational requirements flow through DFARS 252.204-7012 and the technical controls in NIST SP 800-171, but DoDI 5200.48 is the foundational DoD instruction.

Which DoD instruction provides governance for the CUI program?

DoD Instruction 5200.48 provides the primary governance for the DoD CUI program. It is supported by the broader government-wide framework established in 32 CFR Part 2002 (the implementing regulation for Executive Order 13556) and by the NARA CUI Notices issued by ISOO.

Together, EO 13556, 32 CFR 2002, DoDI 5200.48, and the CUI Registry constitute the governance stack for CUI in the DoD context.

What instruction sets policy for CUI?

At the executive branch level, Executive Order 13556 (signed in 2010) established the CUI program. Implementation is detailed in 32 CFR Part 2002, the binding regulation issued by NARA/ISOO.

For DoD specifically, DoDI 5200.48 sets DoD policy. For contractor obligations, DFARS 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021 set the contractual policy for safeguarding CUI and reporting cyber incidents.

What is the DoD CUI Registry?

The DoD CUI Registry is DoD's implementation of the government-wide ISOO CUI Registry, listing the CUI categories DoD personnel and contractors most commonly encounter. It mirrors the ISOO Registry but adds DoD-specific guidance on handling and marking. It is maintained by the Office of the Under Secretary of Defense for Intelligence and Security.

CUI Destruction & Lifecycle

What is the goal of destroying CUI?

The goal of CUI destruction is to render the information unreadable, indecipherable, and irrecoverable. Destruction must be thorough enough that the information cannot be reconstructed by any reasonable means — physical, digital, or forensic.

For paper, this means cross-cut shredding to specifications meeting NIST SP 800-88 guidelines. For digital media, it means clearing, purging, or destroying media per NIST SP 800-88 — depending on the media type and the sensitivity of the data.

CUI documents must be reviewed according to which procedures before destruction?

Before destroying CUI, documents must be reviewed against the organization's records management schedule and any applicable retention requirements. The specific procedures include:

  • Records retention review — confirm the document is no longer subject to a federal records retention requirement
  • Litigation hold check — confirm the document is not subject to a current or anticipated legal hold
  • Approval by an authorized official — typically the records officer or designated authority
  • Destruction method selection — match the method to the media type per NIST SP 800-88

Destruction must be documented in a destruction log maintained per organizational records policy.

What are the destruction standards for CUI media?

NIST Special Publication 800-88 Revision 1 — Guidelines for Media Sanitization — defines three sanitization levels, from least to most destructive:

  • Clear — logical techniques (overwriting, factory reset) for media that will be reused inside the organization; protects against recovery with ordinary system tools but not against laboratory recovery
  • Purge — physical or logical techniques (cryptographic erase, block erase, degaussing of magnetic media) that render recovery infeasible even with laboratory techniques
  • Destroy — physical destruction (shredding, disintegration, pulverizing, incineration) that renders the media unusable

For paper CUI, cross-cut shredders meeting the relevant NSA/CSS specifications are typical. For magnetic media, degaussing followed by physical destruction is the safest approach. Degaussing has no effect on flash storage, so for SSDs cryptographic erase followed by physical destruction is recommended. Whatever the level, verify the result (for example, by sampling the media or checking the cryptographic erase succeeded) and record it in the destruction log.

NIST 800-171 & System Requirements

What level of system and network configuration is required for CUI?

Systems and networks that process, store, or transmit CUI must implement the 110 security requirements in NIST Special Publication 800-171 (Revision 2; Revision 3 has been published but is not yet required by DoD). These requirements are organized into 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

Beyond the 110 controls, the system must be documented in a System Security Plan (SSP), with any unimplemented controls tracked in a Plan of Action and Milestones (POA&M).

What is NIST SP 800-171?

NIST Special Publication 800-171 — "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" — is the foundational standard for protecting CUI on contractor systems. It specifies 110 security requirements that nonfederal organizations must satisfy when handling CUI on behalf of the federal government.

NIST 800-171 is a derivative of NIST SP 800-53, tailored down to the requirements most directly applicable to CUI on private-sector systems. It is the technical foundation for DFARS 252.204-7012 compliance and CMMC Level 2 certification.

What is the difference between NIST 800-171 and NIST 800-53?

NIST SP 800-53 is a comprehensive catalog of security and privacy controls used by federal agencies for federal information systems. It contains over 1,000 controls and control enhancements organized into 20 families, applied at low, moderate, and high impact baselines.

NIST SP 800-171 is a derivative standard tailored for nonfederal organizations handling CUI. It distills NIST 800-53 down to the 110 requirements most relevant to protecting CUI in contractor environments.

In practice: federal agencies follow 800-53; defense contractors follow 800-171. The two are aligned — every 800-171 requirement traces back to an 800-53 control, and Revision 2 publishes the mapping in its Appendix D — but 800-171 is leaner and contractor-focused.

What is the difference between NIST 800-171 Revision 2 and Revision 3?

Revision 2 (published February 2020) is the version currently mandated under DFARS 252.204-7012 and assessed under CMMC 2.0. It contains 110 security requirements across 14 families.

Revision 3 (published May 2024) restructures the requirements to align with NIST SP 800-53 Revision 5 and its moderate baseline. Key changes include:

  • 97 requirements instead of 110: overlapping requirements were merged, but many now carry organization-defined parameters (ODPs) that the contractor must set and document, and the companion assessment guide (SP 800-171A) has more assessment objectives than before
  • Three new families (Planning, System and Services Acquisition, and Supply Chain Risk Management), for 17 families in total
  • Updated language for current threats and environments (cloud services, ransomware, identity-based attacks)
  • Requirements withdrawn, merged, or moved between families

As of this writing, DoD contracts continue to require Revision 2: a May 2024 DFARS class deviation keeps 252.204-7012 pointed at Revision 2 until DoD transitions, and CMMC Level 2 assesses Revision 2. Contractors should monitor DoD CIO and DCMA announcements for the transition timeline.

What does NIST 800-171 compliance require?

NIST 800-171 compliance for a DoD contractor handling CUI requires:

  1. Implementation of all 110 security requirements — or documented plans to implement, with compensating controls where needed
  2. A System Security Plan (SSP) describing how each requirement is implemented
  3. A Plan of Action and Milestones (POA&M) for any unimplemented requirements, with target completion dates
  4. An assessment — self-assessment using the DoD Assessment Methodology, with the score posted to the Supplier Performance Risk System (SPRS) per DFARS 252.204-7019
  5. Incident reporting — within 72 hours of discovering a cyber incident affecting CUI, per DFARS 252.204-7012
  6. Flow-down to subcontractors handling CUI

For contracts requiring CMMC Level 2, contractors must additionally pass a third-party assessment by a Certified Third-Party Assessor Organization (C3PAO).

How many controls does NIST 800-171 contain?

NIST SP 800-171 Revision 2 contains 110 security requirements, organized into 14 control families: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI).

CMMC & NIST 800-171

What is the difference between CMMC and NIST 800-171?

NIST 800-171 is the technical standard — the rulebook of 110 security requirements you must implement to protect CUI.

CMMC (Cybersecurity Maturity Model Certification) is the DoD assessment and certification program — the exam that verifies you have those controls in place. CMMC 2.0 has three levels:

  • Level 1 — Foundational. Covers the 15 basic safeguarding requirements in FAR 52.204-21 for Federal Contract Information (FCI). Annual self-assessment.
  • Level 2 — Advanced. Covers all 110 NIST SP 800-171 Revision 2 requirements. Most contracts involving CUI require a triennial third-party assessment by a C3PAO; a subset of Level 2 contracts permit an annual self-assessment.
  • Level 3 — Expert. Adds 24 selected enhanced security requirements from NIST SP 800-172 on top of a Level 2 certification. Required for the most sensitive CUI. Government-led assessment by DCMA's DIBCAC.

You implement NIST 800-171 to pass a CMMC Level 2 assessment.

How does NIST 800-171 map to CMMC Level 2?

CMMC Level 2 maps directly and one-to-one to the 110 security requirements in NIST SP 800-171 Revision 2. Every NIST 800-171 control is assessed at CMMC Level 2 — no additions, no subtractions in the practices themselves.

The differences between a NIST 800-171 self-assessment and a CMMC Level 2 assessment lie in the assessment rigor and authority:

  • Self-assessment under DFARS 252.204-7019 is performed by the contractor and scored per the DoD Assessment Methodology
  • CMMC Level 2 assessment is performed by an independent C3PAO, typically every three years, with stricter evidence requirements

What is the NIST SP 800-171 DoD Assessment Methodology?

The DoD Assessment Methodology is the scoring framework DoD uses to evaluate a contractor's implementation of NIST SP 800-171. Each of the 110 requirements carries a weight of 1, 3, or 5 points, reflecting the impact its absence would have on the protection of CUI. The starting score is 110, and the weight of each unimplemented requirement is deducted. Only two requirements allow partial credit: 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography) are deducted at 3 points instead of 5 when partially implemented (MFA in place for remote and privileged access but not for general users; encryption in place but not FIPS-validated). Every other requirement is scored all-or-nothing, so a requirement that is only partly implemented, or that sits on a POA&M, loses its full weight.

A perfect score is 110. Negative scores are possible, and common before remediation, because the combined weight of all requirements is well above 110. Per DFARS 252.204-7019, a contractor must have at least a Basic (self) Assessment score, no more than three years old, posted to the Supplier Performance Risk System (SPRS) before contract award. Medium and High Assessments are conducted by DoD when it elects to do so.

Three assessment levels exist:

  • Basic — contractor self-assessment of its own SSP, scored per the methodology and reported to SPRS
  • Medium — DoD review of the contractor's SSP and supporting documentation (conducted by DCMA's DIBCAC)
  • High — DoD-conducted on-site or virtual assessment that examines and tests the implementation, not just the documentation
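
To make the scoring rules concrete, the following is an added example (not from the DoD Assessment Methodology document or any DoD tool) that scores a constructed implementation-status table. The weight table is an excerpt the reader must replace with the methodology's full Annex A values; the point is the rules it encodes: unassessed requirements get no credit, partial implementation loses full weight except for 3.5.3 and 3.13.11, and the result can go negative.

```python
"""Score a NIST SP 800-171 implementation-status table the way the DoD
Assessment Methodology does (added example; the weights below are an
excerpt the reader must replace with the methodology's full Annex A table)."""
from dataclasses import dataclass

# Assumption: excerpt of Annex A point values for a handful of requirements.
# Requirements absent from this table are simply not scored, so the full
# table is needed to produce a real SPRS score.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.1.12": 5,
    "3.2.1": 5, "3.3.1": 5, "3.3.2": 3, "3.4.1": 5,
    "3.5.3": 5, "3.13.11": 5, "3.14.1": 5,
}

# The methodology allows partial credit on exactly two requirements:
# 3.5.3 (MFA in place for remote and privileged access but not general
# users) and 3.13.11 (encryption in place but not FIPS-validated). Each is
# deducted at 3 points instead of its full 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

IMPLEMENTED = "implemented"
PARTIAL = "partial"
NOT_IMPLEMENTED = "not_implemented"
STATES = {IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED}


@dataclass(frozen=True)
class Deduction:
    requirement: str
    points: int
    reason: str


def score_assessment(status, weights=WEIGHTS, start=110):
    """Return (score, deductions). A weighted requirement missing from
    `status` has no evidence of implementation and scores as not implemented."""
    deductions = []
    for req, weight in weights.items():
        state = status.get(req, NOT_IMPLEMENTED)  # no evidence = no credit
        if state not in STATES:
            raise ValueError(f"{req}: unknown state {state!r}")
        if state == IMPLEMENTED:
            continue
        if state == PARTIAL and req in PARTIAL_CREDIT:
            deductions.append(Deduction(req, PARTIAL_CREDIT[req], "partial credit"))
        elif state == PARTIAL:
            # Everything else is all-or-nothing: partial, or on a POA&M, loses full weight.
            deductions.append(Deduction(req, weight, "partially implemented (no partial credit)"))
        else:
            deductions.append(Deduction(req, weight, "not implemented"))
    return start - sum(d.points for d in deductions), deductions


# Constructed sample implementation status (not a real assessment).
SAMPLE_STATUS = {
    "3.1.1": IMPLEMENTED, "3.1.2": IMPLEMENTED, "3.1.3": NOT_IMPLEMENTED,
    "3.1.5": IMPLEMENTED, "3.1.12": IMPLEMENTED, "3.2.1": IMPLEMENTED,
    "3.3.1": NOT_IMPLEMENTED, "3.3.2": IMPLEMENTED, "3.4.1": PARTIAL,
    "3.5.3": PARTIAL, "3.13.11": PARTIAL, "3.14.1": IMPLEMENTED,
}

if __name__ == "__main__":
    score, deductions = score_assessment(SAMPLE_STATUS)
    print(f"SPRS score: {score}")
    for d in sorted(deductions, key=lambda d: (-d.points, d.requirement)):
        print(f"  {d.requirement:8} -{d.points}  {d.reason}")
```

Run against the sample table the score is 93: the two partial-credit requirements cost 3 each, the partially implemented 3.4.1 costs its full 5, and the two unimplemented requirements cost 1 and 5. Sorting deductions by weight is the useful output, because it is the remediation order that raises the score fastest.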

DFARS Clauses

What is DFARS 252.204-7012?

DFARS 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — is the cornerstone DFARS clause for CUI protection. It requires contractors to:

  • Implement the security requirements in NIST SP 800-171 to protect Covered Defense Information (CDI), which includes CUI
  • Report cyber incidents affecting CDI to DoD within 72 hours
  • Submit malicious software discovered during incident investigation
  • Preserve and protect images of all known affected systems, and relevant monitoring and packet-capture data, for at least 90 days from submission of the cyber incident report, so DoD can request them for damage assessment
  • Provide DoD access for damage assessment
  • Flow down the clause to subcontractors handling CDI

The clause has been in defense contracts since 2013 and is the contractual mechanism through which NIST 800-171 becomes enforceable.

What is DFARS 252.204-7019 and the Notice of NIST SP 800-171 DoD Assessment Requirements?

DFARS 252.204-7019 — "Notice of NIST SP 800-171 DoD Assessment Requirements" — is a solicitation provision requiring offerors to have a current NIST 800-171 self-assessment score on file in the Supplier Performance Risk System (SPRS) before contract award. The score must be no more than 3 years old at the time of contract award.

The companion clause DFARS 252.204-7020 — "NIST SP 800-171 DoD Assessment Requirements" — extends this to during contract performance: contractors must maintain a current SPRS score and provide DoD access for higher-level Medium or High assessments if requested.

Together, 7019 and 7020 turn the NIST 800-171 self-assessment into a contracting prerequisite, not just a performance obligation.

What is the FAR CUI Rule?

The "FAR CUI Rule" refers to the proposed Federal Acquisition Regulation rule (FAR Case 2017-016, "Controlled Unclassified Information", with the proposed rule published in January 2025) that would extend CUI safeguarding requirements government-wide, moving CUI protection beyond DoD-only DFARS clauses to all federal contracts. The case had been pending for several years before the proposed rule appeared; contractors should monitor regulations.gov and DoD CIO/GSA announcements for the final rule.

Once finalized, the FAR CUI Rule will likely impose NIST 800-171–style requirements on civilian agency contracts that handle CUI, expanding the contractor compliance landscape considerably.

Penalties & Consequences

What administrative, civil, or criminal sanctions can result from CUI mishandling?

Consequences for mishandling CUI vary based on intent, severity, and circumstances:

  • Administrative — loss of system access, suspension or debarment from federal contracting, contract termination, negative past-performance evaluations affecting future awards, mandatory remedial training, employee disciplinary action
  • Civil — False Claims Act liability if CUI safeguarding attestations were knowingly false (qui tam suits have produced multi-million-dollar settlements), breach of contract damages, civil penalties under specific statutes governing CUI Specified categories (e.g., ITAR, HIPAA, tax confidentiality)
  • Criminal — willful unauthorized disclosure of CUI Specified information (such as ITAR-controlled technical data, tax return information, or grand jury material) can carry felony penalties including imprisonment and substantial fines

The Department of Justice has actively pursued cybersecurity-related False Claims Act cases against contractors who certified compliance they had not achieved.

What happens during unauthorized disclosure of CUI?

When CUI is disclosed to an unauthorized recipient, the responsible organization must:

  1. Contain the disclosure — recover or sequester the information if possible
  2. Report — under DFARS 252.204-7012, report cyber incidents affecting CUI within 72 hours of discovery via the DoD DIBNet portal (dibnet.dod.mil); submitting the report requires a DoD-approved medium assurance certificate, which takes time to obtain and should be in hand before an incident occurs
  3. Investigate — determine scope, root cause, and affected information
  4. Notify affected parties if PII is involved (state and federal breach notification laws may apply)
  5. Remediate — close the gap that allowed the disclosure
  6. Document — maintain records of the incident, response, and lessons learned

For CUI Specified categories with their own breach rules (e.g., HIPAA, tax information), additional regulatory reporting may be required. Failure to report a cyber incident is itself a contract violation.

Training Requirements

How many CUI requirements must be trained annually?

Per DoDI 5200.48, all personnel who access CUI must receive initial CUI training before access and refresher training at least annually. The training must cover, at minimum:

  • Identifying CUI and its categories
  • Marking, safeguarding, disseminating, decontrolling, and destroying CUI
  • The unique handling rules for any CUI Specified categories the individual encounters
  • Reporting requirements for incidents involving CUI
  • Sanctions for noncompliance

For DoD contractors, NIST SP 800-171 control 3.2.1 (Awareness and Training) reinforces this requirement — security training must be provided to personnel commensurate with their roles.

Is CUI training mandatory for DoD contractors?

Yes. DoD contractors handling CUI must provide CUI training to all personnel with access. The requirement flows from multiple sources:

  • DoDI 5200.48 — establishes annual CUI training as a DoD program requirement
  • NIST SP 800-171 controls 3.2.1, 3.2.2, and 3.2.3 — require security awareness and role-based training
  • DFARS 252.204-7012 — the safeguarding clause implicitly requires that personnel know how to handle CUI properly
  • CMMC Level 2 assessments — verify that training records exist and are current

Training records must be retained and producible during DoD or C3PAO assessments.

Who needs CUI training?

Anyone in a DoD contractor organization who creates, accesses, handles, transmits, or stores CUI needs CUI training. This typically includes:

  • Engineers, scientists, and developers working on CUI-bearing programs
  • Program managers and contract managers
  • IT and cybersecurity staff administering systems that process CUI
  • Quality, manufacturing, and operations personnel handling controlled technical data
  • Subcontract managers responsible for flow-down compliance
  • Executives and senior leadership accountable for the compliance program

Training depth should match role — a system administrator implementing 800-171 controls needs deeper technical training than a back-office accountant who occasionally encounters a CUI document.

Ready for custom CUI & NIST 800-171 training?

We deliver tailored live training for your team — built around your CMMC level, your CUI categories, and your gaps.

Request Custom Training