
CUI Handling for DoD Subcontractors: Requirements Guide

Posted: April 1, 2026 to Cybersecurity.

CUI Handling for DoD Subcontractors: Requirements and Implementation Guide

If your company handles Department of Defense contracts, you are almost certainly responsible for protecting Controlled Unclassified Information. CUI handling requirements touch every aspect of how your organization stores, transmits, marks, and ultimately destroys sensitive government data. Getting it wrong does not just risk failed audits; it can mean lost contracts, civil penalties, and referral to the Department of Justice under the False Claims Act.

This guide walks through every major CUI handling requirement that DoD subcontractors must meet, from understanding what CUI actually is to building the IT infrastructure that keeps it protected. Whether you are preparing for a CMMC assessment or simply trying to understand your obligations under DFARS 252.204-7012, this is the reference your team needs.

What Is Controlled Unclassified Information?

Controlled Unclassified Information is a broad category of government information that requires safeguarding but does not meet the threshold for classification under Executive Order 13526. Before CUI existed as a formal designation, federal agencies used a patchwork of over 100 different markings: For Official Use Only (FOUO), Sensitive But Unclassified (SBU), Law Enforcement Sensitive (LES), and dozens of others. Every agency had its own rules, its own markings, and its own interpretation of what counted as sensitive.

Executive Order 13556, signed in 2010, created the CUI program to replace that patchwork with a single, government-wide framework. The National Archives and Records Administration (NARA) was designated as the CUI Executive Agent, responsible for developing the policies and maintaining the CUI Registry. The implementing regulation, 32 CFR Part 2002, establishes the rules for how agencies designate, mark, safeguard, and disseminate CUI.

For defense contractors and subcontractors, CUI matters because your contracts almost certainly require you to handle it. When a prime contractor flows down requirements from a DoD contract, the obligation to protect CUI flows down with them. Under DFARS 252.204-7012, any contractor or subcontractor that processes, stores, or transmits Covered Defense Information (a category that substantially overlaps with CUI) must provide adequate security in accordance with NIST Special Publication 800-171.

Why the Shift from FOUO to CUI

The old FOUO system had no uniform standard. An Air Force contractor might handle FOUO data under completely different rules than a Navy contractor, even when the information was functionally identical. Agencies over-marked information to be safe, which diluted the significance of markings and created unnecessary handling burdens. Under-marking was equally common, leaving genuinely sensitive data unprotected.

The CUI program fixes this by tying every piece of controlled information to a specific legal authority. If information is CUI, there is a law, regulation, or government-wide policy that says it must be protected. If no such authority exists, the information should not be designated as CUI. This principle is central to avoiding one of the most common mistakes subcontractors make: treating everything as CUI when it is not.

CUI Categories and Subcategories

The CUI Registry, maintained by NARA, organizes controlled information into categories and subcategories. Each entry in the registry identifies the authorizing law or regulation, the handling requirements, and whether the information falls under CUI Basic or CUI Specified rules. Understanding the categories that apply to your contracts is the first step in building a compliant handling program.

Categories Most Relevant to DoD Subcontractors

Controlled Technical Information (CTI) is the category most DoD subcontractors encounter first. CTI includes technical data with military or space application that is subject to distribution controls. This covers engineering drawings, specifications, technical manuals, test data, and similar information. The controlling authority is DoD Instruction 5230.24, and CTI carries CUI Specified handling requirements, meaning there are additional controls beyond the CUI Basic baseline.

Export Controlled information falls under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). If your contract involves defense articles, technical data related to items on the United States Munitions List, or dual-use technologies on the Commerce Control List, you are handling export-controlled CUI. The penalties for mishandling ITAR-controlled information are severe: up to $1 million per violation and potential criminal prosecution.

Proprietary Business Information includes trade secrets, commercial or financial information, and other proprietary data submitted to the government. This data is protected under 18 U.S.C. 1905 and the Trade Secrets Act. As a subcontractor, you may handle proprietary information belonging to the prime contractor, other subcontractors, or the government itself.

Privacy information covers personally identifiable information (PII) subject to the Privacy Act of 1974. If your contract involves processing personnel records, health data, or other personal information about government employees or service members, privacy CUI applies.

Other relevant categories include Law Enforcement (investigative records), Tax (federal tax return data under 26 U.S.C. 6103), Intelligence (unclassified intelligence-related data), and Procurement and Acquisition (source selection information, proposals). The full CUI Registry lists over 20 categories with more than 100 subcategories.

Identifying CUI in Your Contracts

Your primary reference for identifying what CUI you handle is the contract itself. Look for these key indicators:

  • DFARS 252.204-7012 clause in the contract or subcontract, which triggers NIST 800-171 requirements for all Covered Defense Information
  • DD Form 254 (Contract Security Classification Specification), which specifies security requirements including CUI categories
  • Statements of Work and CDRLs that reference specific data types, technical data rights, or export control markings
  • Data Rights clauses (DFARS 252.227-7013 through 7037) that identify the government's rights in technical data and software
  • CUI marking on data received from the prime contractor or government, including banner markings on documents and emails

If your contract includes DFARS 252.204-7012 but does not clearly identify what CUI you will handle, request clarification from the contracting officer or prime contractor. Do not guess, and do not assume everything is CUI. Working with a firm experienced in NIST compliance can help you properly scope your CUI environment from the start.

CUI Marking Requirements

Proper CUI marking is both a legal obligation and a practical necessity. Markings tell every person who handles a document what protections apply and what they can or cannot do with the information. Incorrect markings create confusion, increase risk, and can result in findings during CMMC assessments.

Banner Markings

Every CUI document must carry a banner marking at the top of the first page. The banner follows a specific format defined in 32 CFR Part 2002 and the CUI Marking Handbook:

  • CUI Basic: The banner reads simply CUI or CONTROLLED
  • CUI Specified: The banner includes the specific category, e.g., CUI//SP-CTI for Controlled Technical Information or CUI//SP-EXPT for export-controlled information
  • Multiple categories: Combine with double slashes, e.g., CUI//SP-CTI//SP-EXPT
  • Limited dissemination: Add dissemination controls after the category, e.g., CUI//SP-CTI//NOFORN (no foreign nationals) or CUI//SP-CTI//FEDCON (federal employees and contractors only)

Portion Markings

Portion markings identify which specific paragraphs, sections, or data elements within a document contain CUI. While portion marking is required for CUI Specified information and recommended for CUI Basic, many organizations adopt portion marking universally as a best practice. The portion marking appears in parentheses at the beginning of the paragraph: (CUI) or (CUI//SP-CTI).
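To make the banner and portion marking format above concrete, here is an added Python example (it is not from the original post or from any official CUI tooling) that parses and validates markings using only the category and dissemination identifiers this guide lists, and that rolls the portion markings of a derivative document up into the banner it must carry. The identifier sets, the convention that `None` means a portion received no marking at all, and the sample document are constructed assumptions for this example.

```python
"""Parse, validate and roll up CUI markings in the CUI//CATEGORY//CONTROL form."""

# Only the identifiers this article names; the real CUI Registry lists many more,
# so anything else is reported as unknown (an assumption of this example).
KNOWN_CATEGORIES = {"SP-CTI", "SP-EXPT"}
KNOWN_DISSEMINATION = {"NOFORN", "FEDCON"}
CONTROL_MARKERS = {"CUI", "CONTROLLED"}
SEP = "//"

def parse_marking(text):
    """Return (categories, dissemination) from 'CUI//SP-CTI//NOFORN' or '(CUI//SP-CTI)'.
    Raises ValueError for a bad control marker, an unknown or duplicate element,
    or a category placed after a dissemination control."""
    body = text.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    parts = body.split(SEP)
    if parts[0] not in CONTROL_MARKERS:
        raise ValueError(f"marking must start with CUI or CONTROLLED: {text!r}")
    categories, dissemination = [], []
    for part in parts[1:]:
        if part.startswith("SP-"):
            if dissemination:
                raise ValueError(f"category {part} must precede dissemination controls")
            if part not in KNOWN_CATEGORIES or part in categories:
                raise ValueError(f"unknown or duplicate category {part}")
            categories.append(part)
        elif part in KNOWN_DISSEMINATION and part not in dissemination:
            dissemination.append(part)
        else:
            raise ValueError(f"unknown or duplicate element {part!r} in {text!r}")
    return tuple(categories), tuple(dissemination)

def format_marking(categories, dissemination, portion=False):
    """Render a marking in banner form, or parenthesised for a portion."""
    body = SEP.join(("CUI", *categories, *dissemination))
    return f"({body})" if portion else body

def rollup(portions):
    """Banner a derivative document needs: the union of every marked portion's
    categories and controls, in first-seen order. portions is a list of
    (marking_or_None, text) pairs; None means no portion marking was applied."""
    categories, dissemination = [], []
    for marking, _text in portions:
        if marking is None:
            continue
        cats, diss = parse_marking(marking)
        categories += [c for c in cats if c not in categories]
        dissemination += [d for d in diss if d not in dissemination]
    return tuple(categories), tuple(dissemination)

def check_document(banner, portions):
    """Compare a banner with the document's portion markings; returns a list of
    findings, empty when they agree."""
    findings = []
    banner_cats, banner_diss = parse_marking(banner)
    need_cats, need_diss = rollup(portions)
    for cat in need_cats:
        if cat not in banner_cats:
            findings.append(f"under-marked: banner lacks category {cat} carried by a portion")
    for ctl in need_diss:
        if ctl not in banner_diss:
            findings.append(f"under-marked: banner lacks control {ctl} carried by a portion")
    for cat in banner_cats:
        if cat not in need_cats:
            findings.append(f"banner carries {cat} but no portion is marked with it")
    # Portion marking is mandatory for CUI Specified documents, so an unmarked
    # portion in one is reported (assumption: None means no marking at all).
    if banner_cats:
        for number, (marking, _text) in enumerate(portions, 1):
            if marking is None:
                findings.append(f"portion {number} is unmarked in a CUI Specified document")
    return findings

# Constructed sample: a derivative report whose author copied one source's banner
# but pasted in an excerpt from an export-controlled, NOFORN source.
SAMPLE_BANNER = "CUI//SP-CTI"
SAMPLE_PORTIONS = [
    ("(CUI//SP-CTI)", "Vibration test results for the actuator assembly."),
    ("(CUI//SP-CTI//SP-EXPT//NOFORN)", "Drawing excerpt from the ITAR-controlled source."),
    (None, "Meeting logistics and attendee list."),
]

if __name__ == "__main__":
    for finding in check_document(SAMPLE_BANNER, SAMPLE_PORTIONS):
        print("FINDING:", finding)
    print("banner should read:", format_marking(*rollup(SAMPLE_PORTIONS)))
```

Run against the constructed sample, the check reports the missing SP-EXPT category and NOFORN control and the unmarked third portion, and the roll-up yields the banner CUI//SP-CTI//SP-EXPT//NOFORN that the derivative document should carry.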

Designation Indicator

The CUI designation indicator block appears on the first page and includes four elements: the identity of the designating agency or authorized designator, the CUI category or categories, the dissemination controls (if any), and a decontrol date or event. For information generated by contractors, the designating entity is typically identified by contract number and the government contracting activity.

The CUI Registry as Your Authoritative Source

The CUI Registry at archives.gov/cui is the authoritative source for every valid CUI category, its associated marking, and the specific handling requirements. Before marking any document, consult the registry to confirm the correct category identifier and any CUI Specified requirements. Incorrect category identifiers are a common audit finding. Organizations pursuing CMMC training for their teams should ensure marking standards are a core part of the curriculum.

Need Help Scoping Your CUI Environment?

Petronella Technology Group helps DoD subcontractors identify CUI boundaries, implement NIST 800-171 controls, and prepare for CMMC assessments. Schedule a free consultation or call 919-348-4912.

CUI Handling Requirements: Storage, Transmission, Destruction, and Sharing

CUI handling requirements cover the full lifecycle of controlled information, from the moment it enters your environment to the moment it is destroyed. Each phase has specific rules, and failure at any point in the chain creates compliance gaps.

Storage

CUI must be stored in a manner that prevents unauthorized access. For electronic CUI, this means:

  • Encryption at rest: All CUI stored on any media must be encrypted using FIPS 140-2 validated cryptographic modules (or FIPS 140-3 for newer implementations). AES-256 is the standard. Whole-disk encryption tools like BitLocker (with FIPS mode enabled) or self-encrypting drives that carry FIPS validation meet this requirement.
  • Access controls: Only personnel with a legitimate need-to-know and appropriate authorization should have access to CUI. This means role-based access controls, unique user accounts (no shared credentials), and multifactor authentication for remote access.
  • Physical security: Servers and workstations that store CUI must be in controlled areas. This does not necessarily require a SCIF, but it does require locked rooms, visitor controls, and protections against unauthorized physical access. Portable media containing CUI (USB drives, laptops, external hard drives) must be encrypted and physically secured when not in use.
  • Cloud storage: If you store CUI in the cloud, the cloud service provider must meet FedRAMP Moderate baseline (or equivalent) and the additional requirements in DFARS 252.204-7012. This effectively limits your options to providers with FedRAMP Moderate or High authorization, or those offering environments specifically designed for CUI such as Microsoft GCC High, AWS GovCloud, or Google Workspace with Assured Controls.

Transmission

CUI must be transmitted using methods that protect it from unauthorized interception or disclosure:

  • Email: CUI transmitted via email must be encrypted in transit using TLS 1.2 or higher, and the email system itself must be within your CUI boundary. Standard Gmail, Outlook.com, or Yahoo Mail accounts do not meet this requirement. Using personal email for CUI is a violation of DFARS requirements, full stop.
  • File transfers: Use encrypted transfer protocols (SFTP, SCP, HTTPS) with FIPS-validated encryption. Standard FTP is never acceptable for CUI.
  • Physical shipment: CUI shipped physically must use USPS First Class or Priority Mail, UPS, FedEx, or another commercial carrier with package tracking. Double-wrap CUI: inner envelope marked with CUI markings, outer envelope with no CUI markings visible.
  • Fax: If you still use fax machines (many defense environments do), the fax line must be in a protected area and the receiving fax must be in a similarly controlled environment. Verify the recipient's fax number before sending.

Destruction

When CUI reaches the end of its retention period or is no longer needed, it must be destroyed in a manner that prevents reconstruction. NIST Special Publication 800-88 (Guidelines for Media Sanitization) is the controlling standard:

  • Paper documents: Cross-cut shredding to particles of 1mm x 5mm or smaller (DIN 66399 Level P-4 or higher). Strip-cut shredders do not meet the requirement.
  • Electronic media: Depending on the media type, options include cryptographic erase (for self-encrypting drives), degaussing (for magnetic media), or physical destruction (shredding, disintegration, incineration). Simply deleting files or formatting a drive is never sufficient.
  • Log destruction actions: Maintain records of what was destroyed, when, by whom, and using what method. These records support audit requirements and demonstrate that your organization takes information lifecycle management seriously.

Sharing and Dissemination

CUI may only be shared with individuals who have a lawful government purpose and a need-to-know. For DoD subcontractors, this means:

  • Authorized recipients: Government employees, contractors with appropriate contract clauses, and specific third parties identified in dissemination controls
  • Foreign nationals: CUI marked NOFORN cannot be shared with non-U.S. persons. CUI with export control markings requires an export license or applicable exemption before disclosure to foreign nationals, even those working in your facility
  • Need-to-know verification: Before sharing CUI, verify that the recipient has both authorization (contract clause, agency designation) and a need-to-know (they actually require the information to perform their work)
  • Subcontractor flow-down: If you share CUI with your own subcontractors, the same handling requirements must flow down through the subcontract agreement

Building IT Infrastructure for CUI

Protecting CUI is not just a policy exercise. It requires purpose-built IT infrastructure, often called a CUI enclave, that enforces the controls required by NIST 800-171. Organizations working with defense contractor IT services should prioritize enclave design early in their compliance journey.

CUI Enclave Design

A CUI enclave is a logically or physically segmented portion of your network dedicated to processing, storing, and transmitting CUI. The enclave approach has a significant advantage: by limiting CUI to a defined boundary, you limit the scope of your NIST 800-171 assessment and reduce the cost and complexity of compliance.

Key elements of a CUI enclave include:

  • Network segmentation: The CUI enclave must be separated from your general corporate network using firewalls, VLANs, or physical separation. Traffic between the enclave and the corporate network should be tightly controlled and monitored.
  • FIPS 140-2 encryption: All encryption within the enclave, whether at rest, in transit, or in use, must use FIPS 140-2 (or 140-3) validated modules. This applies to VPN connections, disk encryption, email encryption, database encryption, and backup encryption.
  • Access controls: Implement role-based access control (RBAC) with the principle of least privilege. Every user account should have only the permissions required for their role. Administrative accounts must be separate from standard user accounts.
  • Multifactor authentication: Required for all remote access and recommended for all access to CUI systems. Hardware tokens (FIDO2, PIV) are preferred over SMS-based authentication.
  • Audit logging: Every access to CUI, every login attempt, every configuration change, and every file transfer must be logged. Logs must be protected from modification and retained for at least three years. A SIEM (Security Information and Event Management) system is essential for correlating events and detecting anomalies.
  • Backup and recovery: CUI backups must be encrypted with FIPS-validated encryption and stored in a location that meets the same physical and logical security requirements as the primary enclave. Test your backup restoration procedures regularly.
  • Endpoint protection: Every workstation and server in the enclave needs endpoint detection and response (EDR), host-based firewall, and application allowlisting. USB ports should be disabled or controlled via device management policies.

Cloud Considerations

Many subcontractors are moving CUI workloads to the cloud to leverage the security investments of major cloud providers. This is a viable approach, but you must choose the right service tier. Standard commercial cloud offerings do not meet DFARS requirements. You need FedRAMP Moderate (at minimum) or a purpose-built DoD cloud environment. Microsoft 365 GCC High, AWS GovCloud, and Google Workspace with Assured Controls are the most common choices for DoD subcontractors.

Even in the cloud, you remain responsible for configuring the environment correctly. A misconfigured GCC High tenant is no more compliant than a misconfigured on-premises server. Use the provider's CUI configuration guides, enable all available security features, and validate your configuration against the NIST 800-171 control families.

DFARS 252.204-7012: Your Contractual Obligation

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) is the clause that makes CUI protection a contractual requirement for DoD contractors. Understanding this clause is essential for every subcontractor in the defense supply chain.

Adequate Security

The clause requires contractors to provide "adequate security" for Covered Defense Information (CDI). For information stored on contractor information systems, adequate security means implementing the 110 security requirements in NIST SP 800-171. There is no partial-compliance option: the clause requires implementation of all applicable requirements, with any unimplemented controls documented in a Plan of Action and Milestones (POA&M) and reported through the Supplier Performance Risk System (SPRS). You can calculate your current SPRS score using our free SPRS calculator.

72-Hour Incident Reporting

When a cyber incident affects CDI or the contractor's information system, the clause requires reporting to the DoD Cyber Crime Center (DC3) within 72 hours of discovery. This is a hard deadline, and it runs from discovery, not from the time you finish your investigation. The report must include a description of the incident, the compromised data, and a forensic image of affected systems. For many subcontractors, the 72-hour timeline means you need an incident response plan in place before an incident occurs, not after.

Flow-Down to Subcontractors

Section (m) of DFARS 252.204-7012 requires the clause to flow down to all subcontractors whose performance involves CDI or whose systems will store or transmit CDI. This is not optional. If you are a prime contractor using subcontractors, you must include this clause in every relevant subcontract. If you are a subcontractor receiving this flow-down, you bear the same obligations as the prime. There is no reduced standard for lower tiers.

Connection to CMMC

The Cybersecurity Maturity Model Certification (CMMC) program builds on DFARS 252.204-7012 by requiring third-party assessment of NIST 800-171 implementation. Under CMMC 2.0, contractors handling CUI must achieve Level 2 certification through assessment by a Certified Third-Party Assessment Organization (C3PAO). This shifts CUI compliance from self-attestation to verified compliance, a change that every subcontractor in the defense industrial base must prepare for. Petronella's CMMC readiness services guide organizations through every step of that preparation.

Common Mistakes in CUI Handling

After working with hundreds of defense subcontractors, we see the same mistakes repeated across organizations of every size. Avoiding these pitfalls will save your organization time, money, and audit findings.

Over-Scoping CUI

The most expensive mistake is treating all information as CUI. When every document, every email, and every file share is in scope, your compliance costs explode, your employees drown in unnecessary restrictions, and your NIST 800-171 assessment becomes exponentially more complex. Not every piece of information you receive from the government is CUI. Not every document related to a DoD contract is CUI. If there is no authorizing law, regulation, or government-wide policy requiring protection, it is not CUI. Work with your contracting officer and prime contractor to clearly identify the CUI boundary.

Under-Marking

The opposite problem: failing to mark CUI when it should be marked. This typically happens when employees create derivative documents (reports based on CUI source material, presentations incorporating CUI data) and do not carry the markings forward. Every document that contains or is derived from CUI must be marked. Training is the primary remedy.

Using Personal Email and Devices

Employees who use personal Gmail accounts to send CUI or store CUI on personal laptops create immediate compliance violations. Personal email services do not meet FIPS encryption requirements, personal devices are not within your security boundary, and you have no audit trail for information handled on systems you do not control. This is one of the most common findings in CMMC assessments and one of the easiest to prevent through clear policy and enforcement.

Inadequate Destruction

Tossing old hard drives in a dumpster or recycling printed CUI documents without shredding them is a violation. Less obviously, using a strip-cut shredder instead of a cross-cut shredder, or reformatting a hard drive instead of performing a NIST 800-88 compliant wipe, also fails to meet the standard. Document your destruction procedures, train your staff, and maintain destruction logs.

Missing Flow-Down

If you use subcontractors and fail to include DFARS 252.204-7012 in your subcontracts, you are in breach of your own contract. Equally problematic: including the clause but failing to verify that your subcontractors actually comply. You should request SPRS scores from subcontractors, verify their POA&Ms, and consider requiring evidence of CMMC certification when it becomes available.

No Incident Response Plan

Discovering a breach on a Friday afternoon and scrambling to figure out who to call and what to report is not a plan. You have 72 hours from discovery to report to DC3, and that clock runs through weekends and holidays. Your incident response plan should be documented, tested through tabletop exercises, and known to every employee who handles CUI.

CUI Training Requirements

Training is not optional when it comes to CUI. Both government policy and NIST 800-171 require organizations to provide security awareness training to all users and role-based training for personnel with significant security responsibilities.

General CUI Awareness Training

Every employee, contractor, or temporary worker who has access to CUI must receive CUI awareness training before they are granted access, and then on a recurring basis (at least annually). This training should cover:

  • What CUI is and why it matters
  • How to recognize CUI markings on documents, emails, and electronic media
  • Basic handling rules: do not forward to personal email, do not store on personal devices, do not discuss in unsecured settings
  • How to report potential incidents or suspected mishandling
  • The consequences of non-compliance, including contract termination, civil liability, and potential criminal penalties for willful violations

Role-Based Training for CUI Handlers

Personnel whose roles involve creating, marking, or disseminating CUI need more detailed training beyond the general awareness program. This role-based training should include:

  • CUI marking standards: How to apply banner markings, portion markings, and designation indicator blocks correctly
  • Category-specific handling: If your personnel handle CTI, ITAR, or other CUI Specified categories, they need training on the additional requirements for those categories
  • Destruction procedures: Hands-on training with your organization's approved destruction methods and documentation requirements
  • Incident response roles: For designated incident responders, training on evidence preservation, DC3 reporting procedures, and forensic image creation
  • IT administrator training: System administrators who manage the CUI enclave need training on NIST 800-171 control implementation, audit log review, and configuration management

Training must be documented. Maintain records of who received which training and when, along with test results where applicable. These records are commonly requested during CMMC assessments. Organizations looking for structured compliance training can explore CMMC training programs that align with DoD requirements.

Ready to Build a Compliant CUI Program?

From CUI scoping and enclave design to CMMC assessment preparation, Petronella Technology Group provides end-to-end compliance support for defense subcontractors. Contact us today or call 919-348-4912.

Building a CUI Program: Practical Steps for Subcontractors

With all of these requirements in view, here is a practical roadmap for building a CUI handling program that meets DFARS, NIST 800-171, and CMMC requirements.

Step 1: Scope your CUI environment. Review every active contract and subcontract. Identify which ones include DFARS 252.204-7012 or other CUI-related clauses. Determine exactly what categories of CUI you handle, where it enters your organization, where it is processed and stored, and where it exits. Document this in a system security plan (SSP).

Step 2: Conduct a gap assessment. Compare your current security posture against all 110 NIST 800-171 requirements. Document every gap in a Plan of Action and Milestones (POA&M) with realistic timelines and resource assignments. Calculate your SPRS score and submit it to the SPRS system.

Step 3: Design and build your CUI enclave. Based on your scoping exercise, design a network environment that isolates CUI from your general corporate systems. Implement FIPS-validated encryption, access controls, audit logging, and endpoint protection. If you are moving to the cloud, select a FedRAMP-authorized provider and configure the environment according to their CUI guidance.

Step 4: Develop policies and procedures. Write policies that address CUI marking, handling, storage, transmission, destruction, incident response, and training. These policies must be specific enough to be actionable, not generic boilerplate. Your assessor will verify that employees actually follow them.

Step 5: Train your workforce. Roll out CUI awareness training to all employees with access. Provide role-based training to CUI handlers, IT administrators, and incident responders. Test understanding and document completion.

Step 6: Implement and test incident response. Develop a cyber incident response plan that specifically addresses DFARS 252.204-7012 reporting requirements. Conduct at least one tabletop exercise annually. Ensure your IT team can create a forensic image of affected systems within the 72-hour reporting window.

Step 7: Monitor, audit, and improve. CUI compliance is not a one-time project. Conduct regular internal audits, review audit logs, test backups, update training, and close POA&M items on schedule. When your CMMC assessment arrives, your organization should be able to demonstrate not just implementation but ongoing operation of every control.

Key Takeaways

CUI handling requirements are not ambiguous. The regulations, the contract clauses, and the technical standards are all well-defined. What trips up most DoD subcontractors is not a lack of available guidance but a failure to scope properly, invest in the right infrastructure, train their people, and treat compliance as an ongoing operational requirement rather than a one-time checklist.

Start with your contracts. Identify what CUI you actually handle. Build an enclave that protects it. Train every person who touches it. Test your incident response plan before you need it. And most importantly, do not try to make everything CUI; scope it tightly and protect it thoroughly.

Petronella Technology Group specializes in helping defense subcontractors build CUI handling programs that meet DFARS, NIST 800-171, and CMMC requirements. Whether you need a gap assessment, enclave design, or full managed compliance support, our team has the experience to get your organization to assessment-ready status. Contact us to start the conversation.


About the Author

Craig Petronella, CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
