
If You Handle CUI, You Have Compliance Obligations — Here's What That Means

  • Writer: Theodore Monnin
  • Feb 8
  • 4 min read

You didn't think of yourself as handling sensitive government information. You're a small defense contractor. You make parts, provide services, write code, or support a program office. You're not dealing with classified material. You don't have a secure facility. You're just doing your job.

But somewhere in your work, you received a technical drawing from a prime contractor. Or you accessed a government portal to download contract specifications. Or you processed engineering data tied to a defense program.

That information has a name. It's called Controlled Unclassified Information — CUI. And the moment it touched your systems, your email, or your employees' laptops, federal compliance obligations followed it through the door.


What Is CUI?

Controlled Unclassified Information is government information that isn't classified, meaning it carries no Confidential, Secret, or Top Secret designation, but that a law, regulation, or government-wide policy still requires or permits to be protected because of its sensitivity.

The government created the CUI program (Executive Order 13556, implemented in 32 CFR Part 2002) to standardize how sensitive unclassified information is identified, handled, and protected across federal agencies and their contractors. Before CUI existed, agencies used inconsistent labels like FOUO (For Official Use Only), Sensitive But Unclassified, and dozens of other designations. CUI replaced all of them with a single framework, with the approved categories and their marking requirements published in the National Archives' CUI Registry.

CUI covers a surprisingly broad range of information. Common categories defense contractors encounter include:

Technical data and engineering drawings tied to defense systems. Export controlled research and development data. Contract performance information. Privacy data on government personnel. Intelligence-related information. Naval and aviation program specifications.

If the information falls into a category in the CUI Registry and it came from a government agency, was generated under a government contract, or was explicitly marked as CUI by a prime contractor, it qualifies. And if it qualifies, you have legal obligations around how you store it, who can access it, and how you protect it.


How Do You Know If You Have CUI?

This is where many small defense contractors get into trouble. They assume that because nobody told them they were handling sensitive information, they aren't. That assumption is wrong — and costly.

CUI doesn't always arrive with a flashing warning label. Sometimes it's embedded in a technical package a prime contractor sends over. Sometimes it's in a government-furnished document you download from a secure portal. Sometimes it's data your team generates while performing work on a defense contract.

The right question isn't "did someone tell me this is CUI?" The right question is "does this information fall under a CUI category based on the nature of the contract and the data itself?"

If your contract includes DFARS clause 252.204-7012 (and most DoD contracts other than pure commercial-off-the-shelf purchases do), the government has already decided that contractors in your position are likely to receive or create covered defense information, which is CUI. The clause exists specifically because it expects you to protect it, so assume the obligations apply until you have confirmed, in writing, that no CUI touches your work.


What Are Your Obligations?

Once CUI is in your environment, three major compliance obligations kick in immediately.


Implement NIST 800-171 Controls

NIST Special Publication 800-171 Revision 2 defines 110 security requirements, grouped into 14 families, for protecting CUI in non-federal systems, meaning contractor environments like yours. (Revision 3 of the publication trimmed the list, but the DoD currently holds contractors to the Revision 2 set for DFARS 252.204-7012 purposes.) These requirements cover access control, incident response, audit and accountability, configuration management, media protection, personnel security, system and communications protection, and more.

You are contractually required to implement all 110 requirements if you handle CUI under a DoD contract with DFARS 252.204-7012. Not most of them. All of them. Gaps may be tracked in a Plan of Action and Milestones, but every open item lowers your score and has to be closed. Under the companion clauses DFARS 252.204-7019 and 7020 you must also score yourself using the DoD Assessment Methodology and post that score in the Supplier Performance Risk System (SPRS), where contracting officers can see exactly where you stand and prime contractors will ask you to confirm it before awarding subcontracts. Scores run from a perfect 110 down to -203, so a half-finished program is visible at a glance.


Protect and Control CUI Access

CUI must be stored, transmitted, and accessed in ways that limit it to authorized personnel only. That means encrypting CUI in transit and at rest, and NIST 800-171 (requirement 3.13.11) expects FIPS-validated cryptography wherever encryption is what protects the CUI; a self-built or non-validated cipher does not count. It means controlling who can access systems where CUI lives, and if a cloud service stores or processes CUI for you, DFARS 252.204-7012 requires that service to meet the FedRAMP Moderate baseline or an equivalent. It means ensuring your employees understand what CUI is and how to handle it properly.

Sending CUI through personal email, storing it on unprotected personal devices, or sharing it with subcontractors who haven't agreed to protect it are all violations — even if unintentional.


Report Cyber Incidents Within 72 Hours

If your systems experience a cyber incident that affects a system holding CUI, the CUI itself, or your ability to perform operationally critical support (a breach, a ransomware attack, unauthorized access), DFARS 252.204-7012 requires you to report it to the DoD within 72 hours of discovery. Not 72 business hours. 72 hours. The report goes through the DIBNet portal and requires a DoD-approved medium assurance certificate, which takes time to obtain, so get one before you need it. The clause also requires you to preserve images of affected systems and relevant monitoring data for at least 90 days after the report and to submit any malicious code you isolate to the DoD Cyber Crime Center (DC3).

This is one of the most overlooked obligations small contractors face. Many don't have an incident response plan at all. When something happens, they scramble — and miss the reporting window, creating additional legal exposure on top of the breach itself.


What Happens If You Don't Comply?

Non-compliance isn't just a paperwork problem. The consequences are real and serious.

Contract loss is the most immediate risk. If a contracting officer or prime contractor discovers you're non-compliant — through a low SPRS score, a failed assessment, or an audit — your contract eligibility is at risk. Prime contractors increasingly require compliance verification before bringing subcontractors onto programs.

False Claims Act exposure is the most severe risk. Contractors who misrepresent their cybersecurity compliance to the government, for example by submitting an inflated SPRS score, face potential False Claims Act liability. The penalties are significant, and since launching its Civil Cyber-Fraud Initiative in 2021 the Department of Justice has actively pursued and settled these cases.

CMMC certification denial is the long-term risk. As CMMC is phased into DoD solicitations, contractors who haven't built compliant programs will be unable to achieve the required certification level, locking them out of those contract opportunities entirely.


CUI Compliance Isn't as Complicated as It Sounds — With the Right Guidance

Here's the reality: most small defense contractors aren't intentionally non-compliant. They just didn't know what they didn't know. Nobody walked them through their obligations when they signed their first DoD contract. Nobody explained what CUI was, why it mattered, or what 110 security controls actually looked like in practice.

That gap is common — and it's fixable.

Start by identifying whether CUI exists in your environment. Review your contracts for DFARS 252.204-7012. Inventory where government data lives on your systems, including email, file shares, cloud services, and employee laptops. Assess your current controls against NIST 800-171 and document the results in a System Security Plan and a Plan of Action and Milestones for the gaps, since an assessment without an SSP does not count. Then calculate an accurate SPRS score from that assessment and submit it.

These aren't overwhelming steps when approached systematically. Defense contractors who tackle compliance proactively — before a C3PAO assessment is scheduled or a prime contractor comes asking — are the ones who pass on the first attempt, protect their contracts, and position themselves as trusted partners in the defense industrial base.

CUI compliance isn't a burden reserved for large defense primes. It applies to you. And the sooner you understand your obligations, the stronger your position becomes.


Achieve CMMC compliance with expert guidance, securing your defense contracts and enabling confident growth.
