Key Takeaways

1. CUI Is the Trigger for CMMC Level 2: If your organization handles CUI as part of a DoD contract, you are required to meet CMMC Level 2 requirements based on NIST SP 800-171.

2. CUI Includes a Wide Range of Sensitive Data: Examples of CUI include technical drawings, test results, logistics information, and export-controlled data. Understanding what qualifies as CUI is critical to determining your compliance obligations.

3. CMMC Level 2 Strengthens Cybersecurity for CUI: Level 2 introduces specific technical and procedural safeguards—such as access control, encryption, and incident response—to protect CUI from cyber threats and ensure DoD data remains secure.

For defense contractors and subcontractors, compliance with the Cybersecurity Maturity Model Certification (CMMC) 2.0 is no longer optional—it’s a prerequisite for doing business with the Department of Defense (DoD). But not every contract is the same. If your organization handles Controlled Unclassified Information (CUI), you’re required to meet CMMC Level 2 requirements.

This blog breaks down what CUI means in the context of CMMC, what types of information qualify, and how CMMC Level 2 compliance helps protect CUI against cyber threats. Want to learn more about the ins and outs of CMMC Level 2? Don’t forget to check out our in-depth guide.

What Is CUI in the Context of CMMC?

CUI refers to sensitive government data that is not classified, but still requires protection due to its importance to national security, law enforcement, or critical infrastructure.

In the context of CMMC, CUI is the key differentiator between Level 1 and Level 2 compliance. CMMC Level 1 applies to contractors that handle Federal Contract Information (FCI) only, while CMMC Level 2 is mandatory for organizations that create, receive, transmit, or store CUI. There’s also CMMC Level 3, but it’s specific to a limited group of contractors working with CUI that is critical to national security — typically as part of a high-risk program or contract.

According to the CMMC CUI definition, any company that touches CUI in the execution of a DoD contract must meet CMMC Level 2 requirements, which are based on NIST SP 800-171’s 110 cybersecurity controls, or CMMC Level 3, which is based on the same 110 NIST controls plus an additional 24 enhanced controls from NIST SP 800-172.

Why Does CUI Matter?

CUI is often a target for cyber adversaries because it contains sensitive insights about defense technologies, operations, or personnel—even though it’s not classified. A breach of CUI can have real consequences for national defense, which is why CMMC 2.0 was designed to elevate the cybersecurity posture of the entire defense industrial base (DIB).

By requiring CMMC Level 2 certification for CUI-related work, the DoD ensures that contractors adopt the necessary cybersecurity protections to safeguard this data from increasingly sophisticated threats.

Examples of CUI That May Trigger CMMC Level 2

CUI spans a wide range of sensitive but unclassified data categories. Some common types of CUI in DoD contracts include:

  • Engineering drawings and technical specifications for weapons systems
  • Test data for military-grade equipment
  • Export-controlled information governed by ITAR or EAR regulations
  • Personnel or operations information related to military missions
  • Procurement and acquisition details involving national defense
  • Logistics plans or maintenance schedules for DoD assets

Not sure if your contract involves CUI? The DoD CUI Registry is a helpful resource that outlines all CUI categories. You can also check your contract for language referencing 32 CFR or 48 CFR. While the DoD ultimately determines what qualifies as CUI, contractors should ask the contracting officer for clarification at contract execution if it is unclear which information under the contract is CUI.

How CMMC Level 2 Helps Protect CUI

CMMC Level 2 introduces stricter cybersecurity requirements that are specifically aligned to the protection of CUI. These include:

  • Access control measures to limit who can view or handle CUI
  • Audit logging and monitoring to detect unauthorized access
  • Encryption and data protection policies for CUI in transit and at rest
  • Incident response planning to contain and report breaches quickly
  • Security awareness training to help employees recognize threats

Whether you’re a prime contractor or a subcontractor, demonstrating CMMC Level 2 compliance signals to the DoD that your organization has the right policies, technologies, and safeguards in place to manage CUI responsibly.

The Role of CUI CMMC Cybersecurity Services

Achieving and maintaining CMMC Level 2 compliance is no small feat, especially for small and mid-sized businesses. That’s where CUI CMMC cybersecurity services come in. These services are typically provided by Registered Provider Organizations (RPOs) and Certified Third-Party Assessor Organizations (C3PAOs), and they help with:

  • Gap assessments to identify CUI-related security risks
  • Implementation of NIST 800-171 controls
  • Documentation and evidence preparation for audits
  • Support during official C3PAO assessments

Partnering with a cybersecurity service provider that specializes in CUI and CMMC can accelerate your path to compliance and reduce risk throughout your organization. IS Partners is an Authorized C3PAO, meaning that we have been certified by the CMMC Accreditation Body (Cyber-AB) and the DoD to perform official evaluations for CMMC Level 2. Our team conducts personalized gap assessments and helps refine policies and align processes to ensure you meet CMMC requirements.

With over 20 years of experience in compliance across industries, we have a 95% client retention rate and are committed to helping ensure you’re prepared for (and pass!) your CMMC Level 2 assessment. Learn more about our CMMC compliance services.

Ultimately, CUI and CMMC Level 2 go hand-in-hand. If you handle CUI in any capacity for the DoD, achieving CMMC Level 2 certification isn’t just a good idea—it’s a contractual requirement. Understanding what CUI includes and how to protect it through the CMMC framework is the first step in securing your role in the defense supply chain.

What Should You Do Next?

  1. Review Your Contracts and Data Flows for CUI Exposure: Audit your current and upcoming DoD contracts to determine whether your organization stores, processes, or transmits any form of CUI.

  2. Map Existing Security Controls to CMMC Level 2: Conduct a gap assessment to see how your current cybersecurity practices align with the 110 controls required under CMMC Level 2.

  3. Engage an Authorized C3PAO: Work with an Authorized C3PAO like IS Partners to validate your readiness, remediate control gaps, and prepare for a successful third-party assessment.
