CUI protection: Handling controlled unclassified information securely


Mar 19, 2026

Controlled unclassified information (CUI) protection requires consistent identification, marking, safeguarding, and access governance across every system that touches federal data. With CMMC Phase 1 underway and the FAR CUI rule in effect, compliance is now a contract prerequisite.

Controlled unclassified information (CUI) is sensitive but unclassified information that requires safeguarding or dissemination controls under federal law, regulation, or government-wide policy. For federal agencies and contractors across defense, energy, healthcare, and other regulated sectors, the obligation to properly handle CUI carries significant compliance and contractual implications.

Yet many organizations still lack the procedures, system controls, and visibility needed to meet federal requirements. With CMMC Phase 1 implementation underway and the government moving toward more uniform contractor handling requirements via the FAR CUI rule, CUI compliance is no longer aspirational. It is a contract prerequisite.

Organizations that cannot demonstrate proper identification, marking, safeguarding, and dissemination controls for CUI risk adverse audit findings, contract delays, and loss of eligibility for future awards.

This guide breaks down what CUI actually is, what the protection requirements look like, and how to build a practical approach to handling it securely.

What is controlled unclassified information (CUI)?

Controlled unclassified information is information that the federal government creates or possesses, or that an entity creates or possesses on behalf of the government, that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies.

As a formal information category, CUI was established by Executive Order 13556 and codified in 32 CFR Part 2002. It replaced a patchwork of legacy markings like FOUO, LES, and SBU with a single, consistent framework for safeguarding sensitive but unclassified information across federal agencies and their contractors.

A key principle underpins the entire program: only information that requires safeguarding pursuant to federal law, regulation, or government-wide policy can be designated as CUI. Agencies cannot create CUI categories based on administrative preference alone.

CUI splits into two handling categories:

  • CUI Basic is the default. It applies uniform standards from 32 CFR Part 2002 to all CUI unless the NARA CUI Registry specifically annotates a category as CUI Specified. Banner markings look like CUI or CUI//PRVCY.
  • CUI Specified applies when the authorizing law or regulation contains specific handling controls that differ from the CUI Basic defaults. These categories carry an "SP-" prefix, like CUI//SP-CTI.

The difference is about the source of controls, not the sensitivity level; CUI Basic fills any gaps where the specific authority is silent.

The NARA CUI Registry is the authoritative source, covering 125+ categories. It is where contractors should go to determine proper classification, marking, and handling for any CUI they encounter.

Common examples of CUI

Not all sensitive data is CUI; it must be tied to an authority listed in the CUI Registry. Here are common CUI examples across major categories:

  • Defense (CTI): Controlled technical information (CTI) includes technical schematics, system design documents, and source code developed for military applications, marked CUI//SP-CTI under the authority of DFARS 252.204-7012.
  • Export control: Technical drawings for defense articles on the U.S. Munitions List and technical data subject to export licensing are covered under the CUI Registry's export control categories.
  • Law enforcement: Criminal history records information, DNA profiles, and informant identification data appear under law-enforcement-related CUI categories.
  • Privacy: Social Security numbers, financial account numbers, biometric data, and HIPAA-covered health information are handled under privacy/health-related CUI categories.
  • Critical infrastructure: Chemical-terrorism vulnerability information, critical energy infrastructure information, and information systems vulnerability information appear under critical infrastructure categories.

These examples are representative, not definitive. Always validate the specific category, authority, and required markings in the CUI Registry and your contract language before you set handling rules.

Key CUI protection requirements

Protecting CUI is not just about locking down files. It spans marking, physical and digital safeguarding, and controlling who can access and share information. Each of these areas carries specific federal requirements, and a gap in any one of them can undermine your entire compliance posture. Here's what you need to get right across the three core protection pillars.

Marking and labeling CUI

Inconsistent markings are one of the fastest ways to fail a compliance assessment. Markings drive the entire CUI handling chain: they tell authorized holders who can access information, how it can be shared, and what protections apply.

Standard marking examples:

  • CUI Basic with no category: CUI
  • CUI Specified: CUI//SP-CTI
  • CUI Specified with a limited dissemination control: CUI//SP-SGI//FED ONLY

In practice, accurate banner markings plus consistent downstream labeling (email subjects, file headers, cover sheets, and repositories) are what keep CUI from leaking into uncontrolled channels.

Every CUI document must include a designation indicator identifying the controlling agency. Guidance also recommends applying CUI banner markings in email subject lines and message bodies when emails contain CUI.
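Because every downstream control keys off the banner, it is worth validating markings mechanically at ingest points (email gateways, upload handlers, DLP classifiers). The parser below is an added example, not Netwrix code or anything from the CUI Marking Handbook itself; it embeds a small constructed subset of the CUI Registry and of the limited dissemination control (LDC) list as an assumption, and checks the three-segment `CUI//<categories>//<LDCs>` layout, the `SP-` prefix rule, and the ordering rule that CUI Specified categories precede CUI Basic ones.

```python
"""Parse and validate CUI banner markings (added example, not Netwrix code)."""
from dataclasses import dataclass, field

# Constructed subset of the NARA CUI Registry: marking code -> (name, CUI Specified?).
# This is an assumption for the example; the real Registry is the authority.
REGISTRY = {
    "CTI": ("Controlled Technical Information", True),
    "SGI": ("Safeguards Information", True),
    "PRVCY": ("General Privacy", False),
    "HLTH": ("Health Information", False),
    "EXPT": ("Export Controlled", False),
}

# Limited dissemination control markings from the CUI Marking Handbook (subset).
LDCS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}


@dataclass
class Banner:
    categories: list = field(default_factory=list)  # as written, e.g. "SP-CTI"
    ldcs: list = field(default_factory=list)
    specified: bool = False                         # any CUI Specified category?
    errors: list = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors


def _parse_categories(segment: str, banner: Banner) -> None:
    seen_basic = False
    for token in segment.split("/"):
        is_sp = token.startswith("SP-")
        code = token[3:] if is_sp else token
        entry = REGISTRY.get(code)
        if entry is None:
            banner.errors.append(f"unknown category '{token}'")
            continue
        _name, specified = entry
        if specified != is_sp:
            want = f"SP-{code}" if specified else code
            banner.errors.append(f"'{token}' must be written '{want}'")
        # Handbook ordering rule: CUI Specified categories precede CUI Basic ones.
        if specified and seen_basic:
            banner.errors.append(f"'{token}' must precede CUI Basic categories")
        seen_basic |= not specified
        banner.specified |= specified
        banner.categories.append(token)


def parse_banner(marking: str) -> Banner:
    """Split 'CUI//<categories>//<LDCs>' and check each part against the tables."""
    banner = Banner()
    parts = marking.strip().split("//")
    if parts[0] != "CUI":
        banner.errors.append("banner must begin with the control marking 'CUI'")
        return banner
    if len(parts) > 3:
        banner.errors.append("at most three '//'-separated segments are allowed")
        return banner
    segments = [p for p in parts[1:] if p]
    if len(segments) == 2:
        cat_seg, ldc_seg = segments
    elif len(segments) == 1:
        # 'CUI//NOFORN' carries an LDC with no category; 'CUI//PRVCY' a category.
        if all(t in LDCS for t in segments[0].split("/")):
            cat_seg, ldc_seg = "", segments[0]
        else:
            cat_seg, ldc_seg = segments[0], ""
    else:
        cat_seg = ldc_seg = ""
    if cat_seg:
        _parse_categories(cat_seg, banner)
    for ldc in (ldc_seg.split("/") if ldc_seg else []):
        if ldc not in LDCS:
            banner.errors.append(f"unknown limited dissemination control '{ldc}'")
        banner.ldcs.append(ldc)
    return banner


if __name__ == "__main__":
    for m in ("CUI", "CUI//PRVCY", "CUI//SP-CTI", "CUI//SP-SGI//FED ONLY",
              "CUI//CTI", "CUI//PRVCY/SP-CTI", "FOUO"):
        b = parse_banner(m)
        print(f"{m:28} valid={b.valid} specified={b.specified} {b.errors}")
```

A rejected banner is the useful signal here: `CUI//CTI` (missing `SP-`) and a legacy `FOUO` both fail, which is exactly the kind of inconsistency an assessor samples for.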

Safeguarding and controlled environments

CUI must be handled in controlled environments with sufficient access controls and protections against unauthorized viewing or eavesdropping.

32 CFR 2002.14 sets the baseline, which NIST SP 800-171 has carried from Rev. 1 onward: the confidentiality impact value for CUI is no less than FIPS 199 moderate. Per FIPS 199, moderate means the loss of confidentiality "could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals."

Organizations must describe their CUI system boundary in a System Security Plan (SSP), including the operating environment, how requirements are implemented, and connections to other systems.

Physical security requirements include limiting access to authorized individuals, escorting visitors, maintaining access audit logs, and enforcing safeguards at alternate work sites.

Access control and dissemination controls

CUI access follows a clear principle: only authorized users with a legitimate need-to-know and proper training can access it.

NIST SP 800-171 Rev. 3 strengthened account management to require defining allowed account types, authorizing access based on valid need and intended usage, and continuous monitoring of system account usage.

Per 32 CFR 2002.16, dissemination must abide by the laws that established the CUI category, further a lawful government purpose, and not be restricted by an authorized limited dissemination control.

Before sharing CUI with external parties, verify that the recipient has a legitimate need-to-know, understands CUI requirements, and can protect the information appropriately.

Training matters here, too. The January 2025 FAR CUI rule establishes that contractors can't permit any employee to handle CUI unless that employee has completed proper training, and contractors must provide evidence of training upon request.

CUI and cybersecurity frameworks

CUI protection obligations don't exist in a vacuum. They sit within a layered stack of federal cybersecurity frameworks that translate policy requirements into specific, auditable security controls.

Understanding how these frameworks connect is essential for building a compliant environment, especially when different contracts reference different revisions or baselines.

NIST SP 800-171 and CUI

NIST SP 800-171 translates CUI protection obligations into specific security requirements for non-federal systems. The current version, Rev. 3, contains 97 security requirements across 17 control families. Rev. 2 had 110 requirements across 14 families.

Key domains that directly affect CUI handling include:

  • Access control: account management, least privilege, separation of duties, information flow control
  • Audit and accountability: audit logs capturing event type, timing, location, source, outcome, and identity; retention aligned to organization and contract requirements
  • Incident response: operational handling capability, tracking, and testing at organization-defined frequency
  • Media protection: sanitization before disposal, cryptographic protection during transport

Taken together, these domains define the daily operational controls that auditors look for when they assess whether CUI handling is actually enforced, not just documented.

FIPS 199 impact levels and CUI

The compliance cascade works like this: FIPS 199 categorizes impact levels, FIPS 200 sets minimum security requirements, and control selection is drawn from the NIST SP 800-53 security control baselines. The moderate baseline is then tailored into NIST SP 800-171 for non-federal organizations handling CUI.

The practical implications are significant:

  • Cloud hosting: For CUI systems in cloud environments, FedRAMP Moderate is widely treated as the minimum appropriate baseline for moderate-impact information systems.
  • Encryption: Cryptographic modules must be FIPS 140 validated (FIPS 140-2 or the current FIPS 140-3) under NIST's Cryptographic Module Validation Program (CMVP), not merely implement FIPS-approved algorithms. CMVP guidance also notes that non-validated cryptography is viewed as providing no protection.
  • Network protections: The moderate baseline spans access control, boundary protection, network segregation, transmission confidentiality and integrity, and network monitoring.

For CUI associated with critical programs or High Value Assets, NIST SP 800-172 provides enhanced security requirements, but these apply only when explicitly designated in contract language.

Best practices for handling CUI securely

The following best practices translate CUI compliance obligations into concrete steps your team can act on, from initial data discovery through access governance, encryption, and incident response.

1. Identify and classify CUI accurately

Only federal agencies can designate information as CUI. When contractors encounter potentially unmarked CUI, they should report it to the contracting officer for official determination, not mark it themselves. The FAR CUI rule requires reporting the discovery of potential CUI within eight hours.

Start with a contract-by-contract review. Map CUI categories specified in each contract against your actual information flows. Common scoping failures include:

  • Missing systems: overlooking systems that process CUI outside your primary environment
  • Third-party blind spots: failing to account for service providers who touch CUI on your behalf
  • Shadow IT: forgetting about collaboration tools and cloud services, where CUI may end up

Training is equally important, and should happen at three levels:

  • Universal awareness: for anyone who might encounter CUI
  • Role-specific training: for employees who regularly handle CUI
  • Advanced technical training: for system administrators managing CUI environments

This investment in training is critical because the human factor remains a top vulnerability; according to the Netwrix 2024 Hybrid Security Trends Report, 47% of IT professionals cite employee mistakes and negligence as a top security challenge.

The challenge of discovery is equally widespread; a 2025 SANS Attack Surface Management (ASM) Survey sponsored by Netwrix revealed that only 28% of organizations believe their ASM platforms effectively identify sensitive files, with another 41% saying they do so only partially.

This is where tooling makes a real difference. For example, First National Bank Minnesota used Netwrix Auditor and Netwrix Data Classification to discover, classify, and move sensitive data to secure locations, and completed an Active Directory rebuild in 3 weeks instead of 6 months.

2. Govern access at the object level

Folder-level and site-level permissions aren't granular enough for CUI. NIST SP 800-171 acknowledges that access enforcement mechanisms can be implemented at the application and service levels to increase protection for CUI.

Attribute-based access control (ABAC), as defined in NIST SP 800-162, evaluates attributes of the user, the data, and the environment against defined policy rules at every access request. The advantage for CUI is dynamic least privilege:

  • Role changes: when someone's mission assignment changes, their access to no-longer-needed CUI revokes automatically through updated subject attributes
  • Classification changes: when data classification shifts, access restrictions adjust across all affected users without manual reconfiguration
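The following is an added example of the ABAC decision logic described above, written for this article and not taken from NIST SP 800-162 or from Netwrix. The subject, resource and environment attributes, the two scenarios, and the user names are constructed assumptions. Each request re-evaluates every rule against current attributes, so a reassignment or a re-marking changes the answer without anyone editing an ACL.

```python
"""Attribute-based access decisions for CUI (added example, not Netwrix code)."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    uid: str
    us_person: bool            # needed for NOFORN
    federal_employee: bool     # needed for FED ONLY
    training_current: bool     # FAR CUI rule: no handling without training
    need_to_know: set = field(default_factory=set)  # CUI categories of current assignment


@dataclass
class Resource:
    name: str
    categories: set                           # e.g. {"CTI"} from the banner marking
    ldcs: set = field(default_factory=set)    # e.g. {"NOFORN"}


@dataclass
class Environment:
    managed_device: bool
    inside_boundary: bool      # request originates inside the SSP-defined CUI boundary


def evaluate(subject: Subject, resource: Resource, env: Environment):
    """Return (allowed, reasons). Every rule runs on every request; nothing is
    cached, so an attribute change takes effect on the next access."""
    reasons = []
    if not subject.training_current:
        reasons.append("CUI training not current")
    missing = resource.categories - subject.need_to_know
    if missing:
        reasons.append(f"no need-to-know for {sorted(missing)}")
    if "NOFORN" in resource.ldcs and not subject.us_person:
        reasons.append("NOFORN: subject is not a U.S. person")
    if "FED ONLY" in resource.ldcs and not subject.federal_employee:
        reasons.append("FED ONLY: subject is not a federal employee")
    if not env.managed_device:
        reasons.append("request from an unmanaged device")
    if not env.inside_boundary:
        reasons.append("request from outside the CUI system boundary")
    return (not reasons, reasons)


def who_can_access(subjects, resource, env):
    return {s.uid for s in subjects if evaluate(s, resource, env)[0]}


# Constructed scenario: a reassignment revokes access without touching any ACL.
def demo_role_change():
    env = Environment(managed_device=True, inside_boundary=True)
    drawing = Resource("drawing.pdf", {"CTI"}, {"NOFORN"})
    jdoe = Subject("jdoe", True, False, True, {"CTI"})
    before = evaluate(jdoe, drawing, env)[0]
    jdoe.need_to_know = {"PRVCY"}      # moved to an HR-data program
    after = evaluate(jdoe, drawing, env)[0]
    return before, after


# Constructed scenario: a marking change re-scopes access for every holder at once.
def demo_reclassify():
    env = Environment(managed_device=True, inside_boundary=True)
    roster = Resource("roster.xlsx", {"PRVCY"})
    users = [Subject("jdoe", True, False, True, {"CTI", "PRVCY"}),
             Subject("fgov", True, True, True, {"PRVCY"}),
             Subject("intern", True, False, False, {"PRVCY"})]   # training lapsed
    before = who_can_access(users, roster, env)
    roster.ldcs.add("FED ONLY")        # agency re-marks the file CUI//PRVCY//FED ONLY
    after = who_can_access(users, roster, env)
    return before, after


if __name__ == "__main__":
    print("role change:", demo_role_change())
    print("re-marking:", demo_reclassify())
```

The `reasons` list is the part worth keeping in production: a denial that names the failed attribute is what an auditor, and the user's manager, will ask for.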

3. Encrypt CUI in transit and at rest

NIST SP 800-171 requires cryptographic protection for CUI in transmission and for CUI stored or transported outside controlled environments. Within a protected environment, alternative physical safeguards may satisfy the requirement, but any CUI that leaves that boundary must be encrypted.

The critical requirement is that the cryptographic modules in use must be FIPS 140 validated (FIPS 140-2 or FIPS 140-3), operated in their FIPS-approved mode, and documented in the SSP with their CMVP certificate numbers. Simply using AES-256 isn't enough if the specific module hasn't gone through NIST's Cryptographic Module Validation Program.

Key management deserves equal attention, so it should be treated as foundational infrastructure, not an afterthought.

4. Monitor, log, and respond to incidents

NIST SP 800-171 requires audit records capturing event type, timing, location, source, outcome, and associated identity. Individual user actions must be uniquely traceable, and audit record retention should align with organization-defined and contract-defined requirements.

In incident response, timelines are getting tighter. Different reporting obligations apply depending on your sector:

  • FAR CUI rule: an eight-hour window for reporting suspected or confirmed CUI incidents
  • DFARS 252.204-7012: DoD contractors report cyber incidents to DoD through DIBNet within 72 hours of discovery
  • CIRCIA: critical infrastructure entities report to CISA within 72 hours

Meeting these timelines demands forensic capabilities and pre-established investigation procedures, not just detection.

Correlating activity data with access permissions pays off here. In the real world, even one suspicious spike in file changes can become a days-long scramble if your team has to stitch together answers from disconnected logs.

How Netwrix helps organizations protect CUI

No single process or checklist makes CUI compliance happen overnight. The challenge for contractors is connecting the dots between data discovery, access governance, and audit readiness, without stitching together disconnected tools that leave gaps an assessor will find.

If your environment runs on Microsoft infrastructure with a mix of on-premises file servers, Active Directory, and Microsoft 365, you need a platform that covers all of those from one place.

The 1Secure Platform provides automated discovery across file systems, databases, collaboration platforms, and cloud storage, so you can find CUI-relevant data before an assessor does.

It can quarantine sensitive files in insecure locations, move them to secure areas, remove excessive permissions, and embed classification tags into files, turning weeks of manual inventory into an automated, repeatable process.

But discovery alone isn't enough. The harder question is: who can access that data, is that access appropriate, and can you prove it? The 1Secure Platform reports on overexposed sensitive data objects, detailed permission structures on classified content, and activity related to sensitive files and folders.

That means you can identify where CUI sits with excessive permissions and remediate before it becomes an audit finding.

Netwrix Endpoint Protector extends that coverage to the endpoint layer, preventing CUI from leaving controlled environments through unauthorized channels. It blocks transfers to unapproved USB devices, and it monitors and controls uploads via browsers, email clients, and cloud storage applications. It also enforces encryption on approved removable media, directly addressing the exfiltration risks that CUI handling requirements are designed to prevent.

Pre-built compliance reports show who accessed data, what changed, and when, while interactive search helps you answer auditors' questions in minutes rather than days.

Request a Netwrix demo to see how one platform helps you discover, protect, and prove compliance for CUI across your hybrid environment.


About the author


Netwrix Team