Plain-English CUI guide · primary sources
What counts as CUI for a defense contractor?
CUI (Controlled Unclassified Information) is information the government owns or creates — or that a contractor handles on the government's behalf — that requires protection under federal law, regulation, or policy. For defense contractors it includes technical data, engineering drawings, specifications, export-controlled material (ITAR/EAR), and certain PII under a DoD contract. Only the government can officially designate CUI — contractors cannot self-designate.
What CUI actually looks like in the defense industrial base
CUI is a framework, not a single document type. These are the categories small defense contractors run into most often — if any of them describe information you create, hold, or receive on a DoD program, you are almost certainly in CUI territory.
| CUI category | What it covers |
|---|---|
| Controlled Technical Information (CTI) | Technical data, engineering drawings, specifications, test and evaluation data, and source code with a military or space application. This is the most common CUI in the defense industrial base — if you build or design anything for a DoD program, you likely hold CTI. |
| Export-controlled material (ITAR / EAR) | Information controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Export-controlled technical data is CUI; releasing it to a foreign person can also be a separate export violation, so treat it with extra care and ask counsel. |
| PII handled under a DoD contract | Certain personally identifiable information you process because of a DoD contract — for example, personnel records or background-investigation data. Not all PII is CUI, but PII the government requires you to protect under a contract is. |
| Program-marked ("Specified") CUI | Information the government has marked with a CUI banner and category, sometimes with extra handling rules ("CUI Specified" vs. "CUI Basic"). The markings tell you exactly how to handle it — read them, and follow the dissemination controls they name. |
Source: the CUI framework under Executive Order 13556, 32 CFR part 2002, and the National Archives (NARA) CUI Registry; for DoD, DoD Instruction 5200.48. Categories such as Controlled Technical Information and export-controlled information appear in the CUI Registry and DoD policy.
The three questions contractors ask most
Is an email CUI?
CUI is about the information, not the medium. An email is not automatically CUI — but an email that carries Controlled Technical Information, an export-controlled drawing, or program-marked data is CUI, and so is the attachment. The same content stays CUI whether it lives in an email, a CAD file, a chat message, or a printout.
Are our quotes and pricing CUI?
Usually not by themselves. Your own commercial pricing and quotes are typically your business information, or Federal Contract Information (FCI) once they relate to a contract — not CUI. But if a quote embeds controlled technical data or export-controlled specs, that embedded content is CUI even though the price is not. Look at what the document actually contains.
Does the contract have to say "CUI"?
The government should mark or identify CUI for you — only an authorized government official can designate it, and contractors cannot self-designate. In practice, a contract that carries DFARS 252.204-7012 is a strong signal you handle CUI. But do not rely on assumptions: read the markings, and when the designation is unclear, ask the contracting officer in writing.
See the DFARS 252.204-7012 guide for how the safeguarding clause defines covered defense information, and the "Do I need CMMC certification?" guide to see how handling CUI maps to a CMMC level.
CUI vs. classified — the key distinction
CUI is unclassified but controlled. It does not carry a classification level like Confidential, Secret, or Top Secret, and it is not stored or processed on classified systems. Classified information is a separate, higher regime with its own clearances, facilities, and handling rules. The practical takeaways: CUI is protected on ordinary (but properly secured) contractor systems under NIST SP 800-171, not in a classified enclave; and classified material must never be placed on a CUI system. If you genuinely hold classified information, that is governed by a different set of rules — talk to your facility security officer.
What to do when you receive CUI
Handle it per the markings
CUI arrives marked with a banner and category, and sometimes specific dissemination controls. The markings are your instructions — read them and follow the handling and limited-dissemination rules they name. "CUI Specified" carries extra requirements beyond "CUI Basic."
Limit who can access it
Restrict access to people who need it for the work and are eligible to see it — especially for export-controlled material, where releasing it to a foreign person can be a separate violation. Keep CUI inside your defined system boundary and out of personal accounts and unmanaged devices.
Safeguard it under NIST SP 800-171
On systems that process, store, or transmit CUI, implement the 110 security requirements of NIST SP 800-171, as required by DFARS 252.204-7012. That is the same standard CMMC Level 2 assesses, so getting this right is also your path to certification.
Report incidents within 72 hours — and ask when unsure
If you discover a cyber incident affecting covered defense information, report it within 72 hours at dibnet.dod.mil, as DFARS 252.204-7012 requires. And whenever a designation is unclear — is this CUI, which category, what handling — ask the contracting officer rather than guessing.
Muster never asks for your CUI.
By design, Muster has no file upload and never accepts Controlled Unclassified Information. The free assessment runs entirely in your browser and works only from descriptions of your systems — never the protected contents themselves. We will never ask you to upload or send CUI "to help us help you," because the safest place for your CUI is inside your own boundary.
Sources: DFARS 252.204-7012 (safeguarding covered defense information and 72-hour incident reporting at dibnet.dod.mil); NIST SP 800-171 (the 110 security requirements). To build the System Security Plan that documents how you protect CUI, see the NIST SP 800-171 SSP template guide.
Straight answers
What counts as CUI for a defense contractor?
CUI (Controlled Unclassified Information) is unclassified information the government creates or possesses — or that a contractor creates or possesses on the government’s behalf — that a law, regulation, or government-wide policy requires to be protected. For defense contractors it commonly includes Controlled Technical Information (drawings, specifications, test data), export-controlled material under ITAR or EAR, and certain PII handled under a DoD contract. Only an authorized government official can officially designate CUI; contractors cannot self-designate.
Is CUI the same as classified information?
No. CUI is unclassified but controlled — it does not carry a classification level like Confidential, Secret, or Top Secret, and it is not handled in classified systems. Classified information is a separate, higher regime with its own clearances, facilities, and rules. CUI sits below that: sensitive enough to require protection, but not classified. The two should never be conflated, and classified material must never be put on a CUI system.
Does our contract have to explicitly say "CUI"?
The government is responsible for marking and identifying CUI, because only an authorized government official can designate it — contractors cannot self-designate. A contract that carries DFARS 252.204-7012 is a strong indicator you handle covered defense information, which includes CUI. Read the markings on what you receive, and when the designation is unclear, ask the contracting officer in writing rather than assuming.
What do we do when we receive CUI?
Handle it according to its markings, limit access to people who need it for the work, and safeguard it on your systems under NIST SP 800-171 as DFARS 252.204-7012 requires. If you have a cyber incident affecting covered defense information, report it within 72 hours at dibnet.dod.mil. When a designation is unclear, ask the contracting officer.
This is compliance information, not legal advice. Only an authorized government official can designate CUI; for export-control (ITAR/EAR) and contract-interpretation questions, consult qualified counsel and your contracting officer.
Related guides
NIST 800-171 SSP template
What an SSP must contain per 3.12.4, what assessors flag first, and a free blank template (Markdown or Word) — no email gate.
POA&M template (NIST 800-171)
The 32 CFR 170.21 eligibility rules — 88-point minimum, the never-eligible six, the 180-day clock — plus a worked example and a free blank template.
CMMC Level 2 cost
Real price bands by path — self-serve software, consultant-led, enclave route — with the C3PAO assessment fee separated out honestly.
CMMC Level 1 vs Level 2
The decision rule (FCI → Level 1, CUI → Level 2), a side-by-side comparison table, and a 2-minute quiz that tells you which one you need.
Find out if CUI is inside your system boundary.
The free Muster Score walks your environment in plain English and never asks for any CUI — only descriptions of your systems — so you learn where controlled information lives and what protecting it under NIST SP 800-171 will take.
Get your free Muster Score
The free score is live now. Join the waitlist for early access to the done-for-you Level 2 Readiness Sprint and founding-cohort pricing.