What Is CUI and Why Should Defense Contractors Care?
Controlled Unclassified Information (CUI) is a category of government information that requires safeguarding but isn't classified. Before CUI existed, over 100 different agency-specific labels ("For Official Use Only," "Sensitive But Unclassified," "Law Enforcement Sensitive") created confusion about how to handle non-classified sensitive data. Executive Order 13556 standardized these into a single system, managed by the National Archives (NARA) Information Security Oversight Office (ISOO).
For defense contractors, CUI is not a theoretical category. It's the data you work with daily:
- Proposal content responding to government solicitations
- Technical data subject to export control or distribution restrictions
- Contract performance information and cost/pricing data
- Source selection information during the acquisition process
- Acquisition planning data, market research, and procurement strategies
- Controlled technical information (CTI) including engineering drawings and specifications
If information matches a category in the NARA CUI Registry and has been designated as CUI by the originating agency, it must be handled according to the requirements in 32 CFR Part 2002 and protected per NIST SP 800-171.
The practical implication: every system that processes, stores, or transmits CUI must meet specific security requirements. This includes your acquisition intelligence platform, your proposal management tools, your contract analytics software, and any cloud service that touches this data.
The DOJ's Civil Cyber-Fraud Initiative, launched in October 2021, has made the consequences of mishandling CUI concrete and expensive. Consider a composite drawn from recent enforcement actions: A defense contractor uses a third-party email platform and internal development network to manage proposal data --- technical approaches, cost volumes, and past performance narratives that constitute CUI. The contractor reports a near-perfect NIST 800-171 self-assessment score in the Supplier Performance Risk System (SPRS), but an external audit reveals the email platform does not meet FedRAMP Moderate equivalency requirements, no System Security Plan exists, and actual compliance covers barely a quarter of the required 110 controls. A whistleblower files a qui tam lawsuit under the False Claims Act.
This is not hypothetical. In 2022, Aerojet Rocketdyne paid $9 million to settle allegations of misrepresenting cybersecurity compliance on DoD and NASA contracts --- the first cyber-fraud FCA case to reach trial before settling. In March 2025, MORSECORP paid $4.6 million after admitting it reported an SPRS score of 104 while a third-party assessment calculated the actual score at -142 --- out of compliance with 78% of NIST 800-171 controls. One month later, Raytheon settled for $8.4 million over allegations that its internal network handling covered defense information lacked even a basic SSP. Across 2025 alone, DOJ collected over $51.8 million in cyber-fraud settlements --- a 233% increase over 2024. The pattern is clear: if your proposal tools handle CUI without compliant security controls, the False Claims Act exposure is real, and DOJ is actively enforcing it.
CUI Categories Relevant to Acquisition and Procurement
The NARA CUI Registry defines dozens of CUI categories and subcategories. For defense contractors working in acquisition, the most relevant include:
Procurement and Acquisition
| CUI Category | Subcategory | What It Covers | Marking |
|---|---|---|---|
| Procurement and Acquisition | Source Selection | Evaluation criteria, rankings, competitive range determinations | CUI//SP-PROPIN |
| Procurement and Acquisition | Small Business Research and Technology | SBIR/STTR proposal data, technical volumes | CUI//SP-PROPIN |
| Controlled Technical Information | --- | Engineering data, technical specifications, performance data | CUI//SP-CTI |
| Export Controlled | Export Controlled Research | ITAR/EAR-controlled technical data | CUI//SP-EXPT |
| Budget and Finance | --- | Contract pricing, cost estimates, financial data | CUI//SP-BUDG |
Defense-Specific Categories
| CUI Category | What It Covers | Why It Matters |
|---|---|---|
| Defense (CUI//SP-DEF) | Information specific to military operations, planning, and systems | Heightened sensitivity, often paired with other categories |
| Naval Nuclear Propulsion | Nuclear-powered naval vessel information | Highest non-classified sensitivity |
| Critical Infrastructure | Defense infrastructure vulnerability data | Supply chain implications |
| Intelligence (CUI//SP-INTEL) | Intelligence activities and sources | Strictest handling within CUI |
CUI Marking Requirements
Proper CUI marking follows the NARA CUI Marking Handbook and, for DoD contractors, the DoD CUI Marking Aid:
- Banner marking at the top of documents: CUI or CONTROLLED
- Category marking when required: CUI // [Category Indicator]
- Specified vs. Basic CUI: Specified categories (marked SP-) carry additional handling requirements beyond the baseline. Basic CUI follows the standard NIST 800-171 requirements.
- Portion marking (paragraph-level) may be required by some agencies
Only the government designates information as CUI. Contractors don't create CUI --- they receive it from government agencies or generate it in response to government requirements (such as proposal content responding to a solicitation).
The NARA CUI Marking Handbook remains at Version 1.1 (originally published December 2016, last updated May 2019). No new revision has been released. However, DoD has published its own supplemental guidance: the Cleared CUI Marking Training Aid was updated in December 2024, aligning marking procedures with DoDI 5200.48 requirements and clarifying that contractors are authorized to create and mark CUI documents. DoD also released an updated CUI Awareness and Marking Training deck alongside the marking aid. For CMMC Phase 1 purposes, proper CUI identification and marking is assessed under the NIST 800-171 Media Protection (MP) and Awareness and Training (AT) control families --- contractors should be using the December 2024 DoD aid as their primary marking reference.
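The banner structure described above (a CUI or CONTROLLED banner, an optional category segment, SP- prefixes for specified categories) is easy to get wrong when markings are generated or checked by software. The following Python example is added here and is not code from the article or from GovSignals: it parses a banner marking into its parts, flags unknown category markings, and reports whether the document is basic or specified CUI. The category lookup table is a constructed subset copied from this page's tables, not the full NARA CUI Registry; a third "//" segment (limited dissemination controls) is passed through without validation because the page does not cover it.

```python
from dataclasses import dataclass, field

# Constructed lookup: only the category markings that appear in this article's
# tables. The authoritative list is the NARA CUI Registry; extend this for real use.
KNOWN_CATEGORY_MARKINGS = {
    "SP-PROPIN": "Procurement and Acquisition (Source Selection / SBIR-STTR)",
    "SP-CTI": "Controlled Technical Information",
    "SP-EXPT": "Export Controlled Research",
    "SP-BUDG": "Budget and Finance",
    "SP-DEF": "Defense",
    "SP-INTEL": "Intelligence",
}

# The banner itself is either "CUI" or the alternative word "CONTROLLED".
BANNER_WORDS = ("CUI", "CONTROLLED")


@dataclass
class BannerMarking:
    banner: str
    categories: list = field(default_factory=list)
    dissemination: list = field(default_factory=list)   # passed through, not validated
    specified: bool = False                              # True if any SP- category present
    problems: list = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.problems

    @property
    def kind(self) -> str:
        """'invalid', 'specified' or 'basic' -- drives the handling regime."""
        if not self.valid:
            return "invalid"
        return "specified" if self.specified else "basic"


def parse_banner(text: str) -> BannerMarking:
    """Split 'CUI//SP-CTI/SP-EXPT//<LDC>' into banner, categories and dissemination
    controls. Whitespace around '//' (as in 'CUI // SP-PROPIN') is tolerated."""
    segments = [s.strip() for s in text.strip().split("//")]
    banner = segments[0].upper()
    m = BannerMarking(banner=banner)

    if banner not in BANNER_WORDS:
        m.problems.append(f"banner must be CUI or CONTROLLED, got {segments[0]!r}")

    # Segment 2: category markings separated by '/'. Absent means basic CUI with no indicator.
    if len(segments) > 1 and segments[1]:
        for raw in segments[1].split("/"):
            cat = raw.strip().upper()
            if not cat:
                continue
            m.categories.append(cat)
            if cat not in KNOWN_CATEGORY_MARKINGS:
                m.problems.append(f"unknown category marking {cat!r}")
            if cat.startswith("SP-"):
                m.specified = True

    # Segment 3: limited dissemination controls. Recorded only; this page does not
    # enumerate them, so no validation is attempted here.
    if len(segments) > 2:
        m.dissemination = [d.strip().upper() for d in segments[2].split("/") if d.strip()]
    if len(segments) > 3:
        m.problems.append("too many '//' segments in banner")
    return m


def describe(text: str) -> str:
    """Human-readable summary of a banner, e.g. for a pre-upload check in a proposal tool."""
    m = parse_banner(text)
    if not m.valid:
        return "INVALID: " + "; ".join(m.problems)
    names = [KNOWN_CATEGORY_MARKINGS[c] for c in m.categories]
    return f"{m.kind} CUI" + (f" [{', '.join(names)}]" if names else "")


if __name__ == "__main__":
    # Constructed sample markings.
    for sample in ("CUI", "CUI // SP-PROPIN", "CUI//SP-CTI/SP-EXPT", "FOUO//SP-CTI", "CUI//SP-XYZ"):
        print(f"{sample:25} -> {describe(sample)}")
```

A check like this belongs wherever documents enter a CUI-processing system (upload handlers, document-generation templates), because a missing or malformed banner is the most common way CUI ends up unmarked in a tool that was never scoped for it. Treat "unknown category marking" as a review trigger rather than a hard reject, since the registry is larger than the subset above.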
The Regulatory Framework: From CUI to FedRAMP
CUI doesn't exist in a regulatory vacuum. It sits at the center of an interconnected compliance framework that defense contractors must navigate:
CUI (the data type)
↓ must be protected per
NIST SP 800-171 (the control framework --- 110 requirements)
↓ required by
DFARS 252.204-7012 (the contract clause --- "adequate security")
↓ verified through
CMMC 2.0 (the certification program --- Level 2 for CUI)
↓ for cloud services, validated by
FedRAMP (the cloud authorization program --- Moderate minimum, High for sensitive CUI)
How Each Layer Connects
NIST 800-171 -> CUI Protection. NIST SP 800-171 defines the 110 security requirements for protecting CUI in non-federal systems. This is the technical baseline. Every contractor handling CUI must implement these controls. See our NIST 800-171 compliance guide for details.
DFARS 252.204-7012 -> Contractual Obligation. The DFARS cybersecurity clause makes NIST 800-171 compliance a contractual requirement for any DoD contract involving CUI. It also adds incident reporting obligations (72-hour notification to DoD) and requires that cloud services meet FedRAMP Moderate or equivalent.
CMMC 2.0 -> Verification. CMMC adds a verification layer --- self-assessment or third-party audit --- to ensure contractors actually implement the controls they claim. Phase 2 (starting November 2026) makes third-party certification mandatory for CUI contracts.
FedRAMP -> Cloud Platform Authorization. FedRAMP validates that the cloud services contractors use to handle CUI meet the appropriate security baseline. FedRAMP Moderate (~287 controls) is the minimum for CUI; FedRAMP High (~370 controls) provides enhanced protection for sensitive CUI categories and DoD environments.
Why FedRAMP Moderate Is the Floor, Not the Ceiling
DFARS 252.204-7012 requires cloud services handling CUI to meet FedRAMP Moderate or equivalent security requirements. This is a minimum, not a recommendation.
For defense contractors handling sensitive acquisition data, FedRAMP Moderate may not be sufficient:
- Aggregate CUI risk: An acquisition intelligence platform processes CUI across many programs. The aggregate sensitivity of contract data, pricing, technical volumes, and source selection information across multiple defense programs creates a risk profile that exceeds any single CUI category.
- DoD environments require IL5. The DoD Cloud Computing SRG maps Impact Level 5 to CUI in DoD environments. IL5 requires FedRAMP High as a foundation. If your platform operates in DoD environments, FedRAMP Moderate is structurally inadequate.
- GSA's new CUI certification process. In early 2026, GSA deployed a new process requiring contractors to document CUI cybersecurity compliance and obtain third-party verification. The trend is toward stricter enforcement, not looser.
The industry's default assumption that FedRAMP Moderate is "good enough" for CUI is a compliance liability waiting to materialize. FedRAMP Moderate was designed for systems where a breach causes "serious adverse effect" --- but defense acquisition data routinely crosses into territory where compromise causes "severe or catastrophic" impact. Source selection information for a major weapons program, export-controlled technical data on military systems, cost and pricing data that reveals classified budget priorities --- these are not "serious" impact scenarios. They are national security risks. The DoD Cloud Computing SRG maps Impact Level 5 to FedRAMP High for exactly this reason, and most defense CUI flows through IL5 environments. Yet only ~48 of 451 FedRAMP-authorized cloud services hold full FedRAMP High authorization --- meaning the vast majority of the market's tool stack was built to a baseline that does not match the data it handles. The bar is moving to High. GSA's 2026 CUI certification process, CMMC Phase 2's third-party audits, and DOJ's accelerating cyber-fraud enforcement are all converging on the same conclusion: Moderate was a starting point, not a destination. Contractors who built their compliance posture around "Moderate or equivalent" will find that equivalency increasingly does not hold up to scrutiny.
Why Your Acquisition Intelligence Platform Needs FedRAMP High for CUI
Generic CUI compliance guides tell you to implement NIST 800-171 controls. They don't address a critical question: what about the platforms you use to DO the work that generates and processes CUI?
An acquisition intelligence platform is not a general-purpose file storage tool. It's a system that actively processes, analyzes, and generates CUI as part of its core function:
- Market research involves analyzing government procurement data that may include source selection sensitive information
- Solicitation analysis processes RFP/RFI content that often contains CUI markings
- Proposal development generates CUI in the form of technical approaches, cost volumes, and past performance narratives
- Contract analytics processes award data, pricing information, and performance metrics
- Compliance tracking itself involves documenting CUI handling procedures
This isn't peripheral data passing through a file share. This is CUI being actively processed by an AI-powered system. The security requirements for the platform match the sensitivity of the data it handles.
GovSignals' CUI Handling Under FedRAMP High
GovSignals' FedRAMP High authorization means CUI processed through the platform is protected at the highest FedRAMP baseline:
- Encryption: All CUI is encrypted at rest and in transit using FIPS 140-2/140-3 validated cryptographic modules
- Access control: Role-based access with separation of duties, dual authorization for sensitive operations, and session management controls
- Audit logging: Tamper-resistant audit trails for all CUI access and processing, with automated monitoring and anomaly detection
- Incident response: Advanced IR capabilities including forensic analysis, cross-organizational reporting, and the 72-hour DoD notification requirement built into operational procedures
- Supply chain risk management: Comprehensive SCRM program covering all components of the platform's technology stack
FedRAMP High authorization requires implementation of 421 security controls from NIST 800-53 Rev. 5 --- 96 more controls than FedRAMP Moderate's 325. For CUI protection specifically, these additional controls translate into concrete technical requirements that go well beyond baseline compliance. FIPS 140-2/140-3 validated encryption is mandatory under control SC-13, covering not just data at rest and in transit but all cryptographic operations including hashing, key generation, and random number generation --- each module must hold an active NIST CMVP certificate. Tamper-resistant audit logging under the AU family requires automated, immutable log storage with real-time alerting on unauthorized access attempts --- logs cannot be modified or deleted, even by administrators. Role-based access control at the High baseline enforces separation of duties with dual authorization for privileged operations, continuous session monitoring, and account lockout after failed authentication attempts. Network segmentation isolates CUI processing environments from general-purpose infrastructure, with boundary protections validated by accredited 3PAOs during annual penetration testing, including red team exercises required under CA-8(2). And the Supply Chain Risk Management (SR) control family --- added in the Rev. 5 baseline --- requires documented assessment of every component in the technology stack, from cloud infrastructure providers to third-party libraries.
Additionally, GovSignals' IL5 authorization through Second Front Systems' Game Warden platform means the same CUI protections extend into DoD environments, with the additional data isolation and physical infrastructure requirements that IL5 mandates.
CUI Compliance Obligations for Defense Contractors
If you handle CUI, these are your core obligations:
1. Identify CUI in Your Environment
Determine which data in your systems is CUI by matching it to NARA CUI Registry categories. Check your contracts for CUI designation clauses. When in doubt, assume CUI if the data relates to a government contract and contains technical, financial, or procurement-sensitive information.
2. Implement NIST 800-171 Controls
All 110 controls from NIST SP 800-171 Rev. 2 must be implemented for systems handling CUI. Document your implementation in a System Security Plan (SSP).
3. Score and Report
Enter your self-assessment score into the Supplier Performance Risk System (SPRS). As of Phase 1 of CMMC, this score is being checked against new contracts.
4. Verify Your Tool Stack
Every cloud service, SaaS platform, and software tool that processes CUI must meet FedRAMP Moderate or equivalent security requirements under DFARS 252.204-7012. For DoD environments and sensitive CUI categories, FedRAMP High is the appropriate baseline.
5. Prepare for CMMC Level 2
CMMC Phase 2 begins November 2026 with mandatory third-party assessment for CUI contracts. Your CUI handling posture will be directly evaluated.
6. Report Incidents Within 72 Hours
DFARS 252.204-7012 requires notification to the DoD within 72 hours of any cyber incident involving CUI. Your platform's incident detection and response capabilities are part of this obligation.
The gap between obligation and execution is staggering. A 2019 DoD Inspector General report found that defense industrial base companies "did not consistently implement the cybersecurity requirements to protect CUI." A subsequent GAO assessment (GAO-22-105259) found that DoD's own components had not met 22% of the 110 NIST 800-171 security controls for their CUI systems --- and those are the government's systems, with dedicated compliance staff and budgets. At the agency level, ISOO's FY 2023 Annual Report found that only 40 of 81 federal agencies had even completed their CUI policy --- barely half, over a decade after Executive Order 13556. If the agencies that created the CUI framework are still catching up, the defense industrial base is further behind. The MORSECORP settlement laid this bare: a contractor reported an SPRS score of 104 while actually complying with just 22% of required controls. The honest assessment most small defense contractors will not want to hear is that rigorous CUI identification and handling processes remain the exception, not the norm.
Frequently Asked Questions
What is Controlled Unclassified Information (CUI)?
CUI is government-created or government-designated information that requires safeguarding but is not classified. It replaces over 100 previous agency-specific labels (FOUO, SBU, etc.) with a standardized system managed by NARA under Executive Order 13556. For defense contractors, CUI includes technical data, contract performance information, proposal content, pricing data, and acquisition-related intelligence.
What are the CUI marking requirements?
CUI must be marked with a banner at the top of documents (CUI or CONTROLLED), optionally with category indicators (e.g., CUI//SP-CTI for Controlled Technical Information). Specified categories carry additional handling requirements. The NARA CUI Marking Handbook provides government-wide standards, and the DoD CUI Marking Aid provides DoD-specific guidance.
Do I need FedRAMP authorization for CUI handling?
DFARS 252.204-7012 requires that cloud services handling CUI meet FedRAMP Moderate or equivalent security requirements. For DoD environments requiring IL5, FedRAMP High authorization is the foundation. Any cloud platform processing, storing, or transmitting CUI for defense contract work should be FedRAMP authorized.
What happens if CUI is mishandled?
CUI mishandling can result in contract termination, suspension or debarment from government contracting, False Claims Act liability (if you misrepresented your security posture), and potential criminal penalties for willful disclosure of certain CUI categories. CMMC Phase 2 adds formal assessment-based verification, making misrepresentation of CUI handling practices significantly riskier.
How does CUI relate to CMMC?
CMMC Level 2 is specifically designed for organizations handling CUI. It requires implementation of all 110 NIST 800-171 controls and verification through either self-assessment or third-party C3PAO assessment. If your contracts involve CUI, you need CMMC Level 2 compliance.
What CUI categories apply to acquisition and procurement data?
The most relevant categories include Procurement and Acquisition (source selection, SBIR/STTR data), Controlled Technical Information (engineering data, specifications), Export Controlled (ITAR/EAR data), Budget and Finance (pricing, cost estimates), and Defense-specific categories. The NARA CUI Registry is the authoritative source for all categories and subcategories.
Is proposal data considered CUI?
Proposal content developed in response to government solicitations often contains or constitutes CUI, particularly when it includes controlled technical information, pricing data, past performance on classified or sensitive programs, or responses to requirements that reference CUI categories. The originating solicitation and contract clauses determine whether specific proposal data is CUI.
Protect Your CUI with the Right Platform
If your acquisition data is CUI --- and for most defense contractors, it is --- then the platform handling that data needs to match the security requirements. GovSignals is the only FedRAMP High authorized AI platform for government contracting, with IL5 authorization purpose-built for the security demands of defense acquisition work.
Learn how GovSignals protects your CUI.