

While awareness of the Cybersecurity Maturity Model Certification (CMMC) is widespread in the Defense Industrial Base (DIB), the Government’s Controlled Unclassified Information (CUI) program is poorly understood by defense contractors. This is not really the fault of defense contractors, as the lack of maturity in Government programs and the inconsistency of labeling data create a lot of confusion. Many defense contractors do not know what constitutes CUI and where to find it, presenting a major challenge for companies trying to implement DFARS and CMMC safeguards.

The definition of CUI is “…a category of government information that requires protection and safeguarding, according to law, regulation, or policy.” What does that mean for us? What we know is that the government should mark or define what data created by the contractor will be considered CUI, and primes should ensure that the marking process stays consistent for their subcontractors and during supplier engagements.

CUI is made up of many categories, such as defense, export control, intelligence, financial, and much more. Defense contractors can visit the National Archives and Records Administration’s website for a comprehensive list of all CUI categories. However, these categories only apply to data that is created for or included in the requirements related to a government contract. This should be defined in the contract documentation, memorandums, or DD 254s. So if we see categories of CUI exchanged or created for a government contract that have not been defined as CUI in the contract, we should reach out to the contract representative for clarification on whether the data in question constitutes CUI. Intellectual property is not CUI unless created for or included in requirements related to a government contract. CUI replaces FOUO, SBU and other classification categories to define sensitive but unclassified data within government systems.


Defense contractors should take the following steps to identify and protect CUI:

Not all CUI is export controlled, but all export-controlled information is likely to be CUI. If you do not find a particular data category in the above, it is likely NOT CUI unless designated otherwise in contract language or other authoritative documentation.


Are you looking for help understanding what CUI you have in your environment?

Or need to know what steps to take in order to safeguard that information and be compliant with existing DFARS clauses?

CastleLock® is here to help!

We have expertise with organizations of all sizes in the DIB, & we’ve been through the DCMA audits for high assurance and help our customers achieve high scores in these areas.

Reach out to a CastleLock® compliance professional today!
