
What Is CUI? How to Tell If Your Contract Triggers CMMC Level 2

By Glenn Ballard · CMMC Registered Practitioner · June 19, 2026 · 8 min read

One word decides whether your company faces 17 cybersecurity practices or all 110: CUI. If your defense contracts involve Controlled Unclassified Information, you are in CMMC Level 2 territory — the full NIST SP 800-171 requirement set, and for most contractors, a third-party assessment. If they only involve FCI, you are in the much lighter Level 1. The problem: many contractors genuinely don't know which bucket they're in, and guessing wrong is expensive in both directions. This guide makes it clear.

What CUI Actually Is

Controlled Unclassified Information (CUI) is government-created or government-owned information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy — but does not rise to the level of classified. It was formalized by Executive Order 13556 in 2010 to replace a patchwork of agency-specific labels (like “For Official Use Only”) with one standardized system.

The National Archives (NARA) maintains the official CUI Registry, which lists every approved category — from Controlled Technical Information and export-controlled data to procurement and privacy categories. In defense contracting, the CUI you're most likely to encounter is Controlled Technical Information (CTI): drawings, specifications, engineering data, and similar material with military or space application.

FCI vs. CUI: The Distinction That Sets Your Level

These two terms drive everything in CMMC, and they are constantly confused:

  • FCI (Federal Contract Information) — non-public information provided by or generated for the government under a contract to develop or deliver a product or service. Defined in FAR 52.204-21. Example: a non-public statement of work or delivery schedule.
  • CUI — more sensitive government information that carries specific safeguarding obligations. Example: a controlled technical drawing of a part you machine for a weapons platform.

That distinction maps directly onto CMMC:

  • Handle only FCI? → CMMC Level 1 — 17 practices from FAR 52.204-21, self-assessed annually.
  • Handle CUI? → CMMC Level 2 — all 110 NIST SP 800-171 Rev 2 requirements, and for most contracts, a C3PAO certification assessment.

In defense contracting, CUI often arrives under the label “covered defense information” (CDI), the term used in DFARS 252.204-7012. For practical purposes, if a contract obligates you to protect covered defense information, treat it as CUI and plan for Level 2.

How to Tell If You Handle CUI

You rarely get a memo announcing “you now handle CUI.” You have to recognize it. Five checks:

1. Read your contract clauses

Search your contracts and subcontracts for DFARS 252.204-7012 (safeguarding + incident reporting), 7019/7020 (SPRS assessment), and 7021 (CMMC). The presence of 7012 is the clearest signal that covered defense information — CUI — is in play.

2. Look for markings

Inspect documents, data packages, and drawings for a “CUI” banner marking, or legacy markings like FOUO that should now be re-marked as CUI. Markings are evidence — but their absence doesn't prove information isn't CUI.

3. Identify technical data

If you receive or create technical drawings, specifications, test data, or engineering information for a defense item, you are very likely handling Controlled Technical Information.

4. Ask your prime or contracting officer

Subcontractors should confirm in writing whether CUI flows down to them. Primes should ask the contracting officer. “We assumed it didn't apply” is not a defense if you got it wrong.

5. When in doubt, assume CUI

If the evidence is mixed, the safer planning assumption is that you handle CUI. Over-preparing costs effort; under-preparing costs awards — and, as enforcement tightens, far more.

Misjudging CUI cuts both ways. Assume Level 1 when you actually handle CUI and you can lose awards or face False Claims Act exposure. Assume Level 2 when you only handle FCI and you may spend on controls you don't need. Getting scope right is the highest-leverage decision you'll make.
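As an added example (not the article's or Dragonfli's tooling), the script below runs the first three checks over contract or document text and applies the decision rules above: 7012 or a CUI/FOUO marking means Level 2, technical-data terms or other DFARS clauses alone mean "assume CUI", FAR 52.204-21 alone means Level 1, and nothing found means "confirm in writing". The regexes, keyword list and sample excerpts are my own constructed assumptions.

```python
"""Constructed CMMC triage (added example): spot the checks' clauses/markings, apply the Level 1/2 rules."""
import re

CLAUSE_PATTERNS = {  # clauses named in the article; accept "252.204-7012" or "252.204 7012"
    "DFARS 252.204-7012": r"252\.204[-\s]?7012",
    "DFARS 252.204-7019/7020/7021": r"252\.204[-\s]?70(?:19|20|21)",  # SPRS / CMMC clauses
    "FAR 52.204-21": r"\b52\.204[-\s]?21\b",
}
MARKING_PATTERNS = {  # matched against uppercased text
    "CUI banner": r"\bCUI\b(?://[A-Z-]+)?",           # e.g. "CUI//SP-CTI"
    "legacy FOUO": r"\bFOUO\b|FOR OFFICIAL USE ONLY",  # should be re-marked as CUI
}
TECH_DATA_TERMS = r"\b(?:drawings?|specifications?|test data|engineering data)\b"

def find_indicators(text: str) -> dict:
    """Which clauses, markings and technical-data terms appear in the text."""
    return {
        "clauses": [n for n, p in CLAUSE_PATTERNS.items() if re.search(p, text)],
        "markings": [n for n, p in MARKING_PATTERNS.items() if re.search(p, text.upper())],
        "technical_data": bool(re.search(TECH_DATA_TERMS, text, re.I)),
    }

def planning_level(ind: dict) -> tuple:
    """7012 or CUI/FOUO markings -> Level 2; technical data or other DFARS clauses
    alone -> mixed, so assume CUI (check 5); FAR 52.204-21 only -> Level 1 (FCI)."""
    clauses, reasons = set(ind["clauses"]), []
    if "DFARS 252.204-7012" in clauses:
        reasons.append("7012 present: covered defense information (CUI) in play")
    if ind["markings"]:
        reasons.append("markings found: " + ", ".join(ind["markings"]))
    if reasons:
        return "Level 2", reasons
    if ind["technical_data"]:
        reasons.append("technical data terms found: likely CTI")
    if supporting := sorted(clauses - {"FAR 52.204-21"}):
        reasons.append("DFARS clauses present: " + ", ".join(supporting))
    if reasons:
        return "Level 2 (assumed)", reasons + ["evidence mixed: assume CUI (check 5)"]
    if "FAR 52.204-21" in clauses:
        return "Level 1", ["only FAR 52.204-21: FCI with no CUI indicators"]
    return "Unknown", ["no clauses or markings: confirm with prime in writing (check 4)"]

def triage(text: str) -> tuple:
    return planning_level(find_indicators(text))

SAMPLES = {  # constructed contract excerpts, not real ones
    "machining_sub": "Subcontract incorporates DFARS 252.204-7012; drawings marked CUI//SP-CTI.",
    "fci_only": "Statement of work is non-public. FAR 52.204-21 applies.",
    "legacy_pkg": "Data package stamped FOR OFFICIAL USE ONLY; includes test data.",
}
```

Run it over the text of each contract and data package you hold; any result other than a clean Level 1 is the cue to confirm CUI flow-down in writing before you size your scope.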

Scoping: Drawing the Boundary Around CUI

Once you know CUI is present, the next question is where it lives. Your CMMC assessment scope is the set of assets that fall under the requirements. The official CMMC Level 2 scoping guidance sorts assets into categories, the key ones being:

  • CUI Assets — anything that processes, stores, or transmits CUI. Fully in scope.
  • Security Protection Assets — tools and systems that protect the environment (e.g., your firewall, SIEM, identity provider). In scope for the controls they provide.
  • Contractor Risk Managed Assets — assets that can but are not intended to handle CUI, managed via policy.
  • Specialized Assets — items like IoT, OT, and test equipment, handled under specific rules.
  • Out-of-Scope Assets — assets fully isolated from CUI, with no ability to reach it.

The enclave strategy

For many small and mid-sized contractors, the smartest move is to build a CUI enclave — a deliberately small, segmented part of your environment where all CUI is processed, stored, and transmitted. A tight enclave dramatically shrinks how much of your business falls under all 110 requirements, which lowers both cost and assessment risk. The alternative — letting CUI sprawl across your whole network — means your entire company is in scope.

Know Your Scope, Then Know Your Score

Scoping is literally step one of any real CMMC effort — and it's exactly where the Dragonfli Group CMMC Accelerator begins. The guided scoping wizard helps you define your CUI boundary, then assesses you against all 110 NIST SP 800-171 requirements within that scope, producing an estimated SPRS score, a draft System Security Plan and POA&M, and a gap analysis — each reviewed by a CMMC Registered Practitioner. You leave knowing what's in scope, where you stand, and what to fix first.
