I Spy CUI: How to Identify Controlled Information in Your DoD Work
- David Sutherin
- Jun 2
- 3 min read
As a business working with the Department of Defense (DoD) or its contractors, understanding whether your work involves Controlled Unclassified Information (CUI) is crucial. Identifying CUI is a foundational step in achieving Cybersecurity Maturity Model Certification (CMMC) at Level 2 and Level 3 and in protecting information with national security implications. Here’s a short guide to help you assess whether CUI is part of your operations.

Understand What CUI Is
Controlled Unclassified Information (CUI) is government-created or owned information that requires safeguarding and/or dissemination controls according to law, regulation, or government-wide policy, but is not classified. It includes data such as:
- Engineering drawings and technical specifications
- Sensitive procurement and acquisition documents that include information requiring additional safeguarding (like export-controlled technical data or proprietary designs)
- Export-controlled information (e.g., ITAR/EAR)
- Personally identifiable information (PII) shared under a contract
- Operations security details
The National Archives CUI Registry provides an authoritative list of CUI categories. Use it as a reference to understand what might apply to your work.
Additionally, CUI is divided into two main categories:
- CUI Basic: This category is protected under uniform government-wide handling requirements described in 32 CFR Part 2002. Most DoD contracts involving CUI will reference these general safeguarding and dissemination rules, which align with the controls in NIST SP 800-171.
- CUI Specified: This category has specific safeguarding or dissemination controls established by law, regulation, or government-wide policy. Examples include export-controlled information (e.g., ITAR/EAR) or certain types of privacy-protected data. These controls may be more stringent than the baseline NIST SP 800-171 requirements (e.g., it can only be shared with U.S. citizens).
When you’re working on DoD contracts, it’s essential to determine whether you’re handling CUI Basic or CUI Specified. This will help you tailor your security measures and ensure you’re meeting the right set of requirements.
How to Identify CUI: Start with Your Contract
The clearest indication that you are handling CUI is within your contract documentation. Look for:
- DFARS 252.204-7012: This clause is a strong indicator that the contract involves CUI and requires safeguarding it according to NIST SP 800-171.
- Statements of Work (SOWs) or Performance Work Statements (PWS): These often describe deliverables or systems involving sensitive data.
- Markings or Labels: Documents marked “CUI,” “FOUO,” or “Export Controlled” can signify the presence of CUI.
If your contract includes DFARS 7012, you are expected to implement appropriate cybersecurity controls and likely handle CUI.
Ask Your Prime or Contracting Officer for Clarification
If it’s not immediately clear whether CUI is involved, ask. Your Contracting Officer (CO) or prime contractor has a duty to confirm what data must be protected.
Under DFARS 252.204-7012, the CO is responsible for ensuring contractors understand their cybersecurity obligations. If CUI is part of the contract, it must be identified and communicated—especially for flow-down to subcontractors.
We recommend asking:
“Can you confirm whether any data, deliverables, or systems associated with this contract are considered Controlled Unclassified Information (CUI)? If so, are there specific categories or protection requirements we should be aware of?”
This request demonstrates due diligence and ensures that you align your practices with official expectations—critical for both compliance and audit readiness.
Review the Flow of Information
CUI isn’t always obvious at contract award. It may be generated or received during performance. Ask yourself:
- Are we creating deliverables based on DoD specifications?
- Are we modifying or integrating government-furnished equipment or software?
- Are we accessing sensitive government systems or facilities?
If so, you may be producing or interacting with CUI—even if it wasn’t explicitly provided at the outset. Monitoring the flow of information and identifying where sensitive data arises is a key part of maintaining a defensible CUI boundary.
Document Your Determination
Whether or not CUI is involved, document your conclusion. This includes:
- Notes from communications with the Contracting Officer or prime
- Copies of relevant clauses or emails
- Internal memos summarizing your assessment
This documentation serves as proof of due diligence and will be valuable during a CMMC assessment. It also helps guide your team in applying appropriate security controls moving forward.
Need Help? Triumvirate Cybersecurity is Here
Determining whether CUI is part of your work can be challenging—but it’s one of the most important steps in securing your business and achieving CMMC compliance. As a CyberAB Registered Practitioner Organization (RPO), Triumvirate Cybersecurity supports small and midsize businesses in the defense supply chain with:
- CUI identification and scoping
- NIST SP 800-171 gap assessments
- Policy and procedure development
- CMMC readiness & preparation support
We help you make informed, defensible decisions—backed by documentation and expert guidance. Contact us today to schedule a consultation or learn more about our CMMC and CUI advisory services.
Ready for even more acronyms? Check out our blog post: Alphabet Soup - CMMC, DFARS, DFR, and More!