What is CUI?
CUI stands for Controlled Unclassified Information. CUI is government-created or -owned information that requires safeguarding under law, regulation, or government-wide policy, but is not classified.
Controlled Unclassified Information (CUI) is the category of sensitive-but-unclassified information that drives most CMMC requirements. If a defense contract involves CUI, the contractor generally needs CMMC Level 2 rather than Level 1.
CUI includes things like technical drawings, specifications, engineering data, and program information marked as controlled. Simply receiving or forwarding an email containing CUI puts the system that handled it in scope.
Correctly identifying whether you handle CUI — and which of the 80+ CUI categories applies — determines your assessment path (self-assessment vs. third-party C3PAO) and the boundary of your assessment.
- FCI: FCI is information provided by or generated for the government under a contract that is not intended for public release — the trigger for CMMC Level 1.
- NIST SP 800-171: NIST SP 800-171 is the federal standard of 110 security controls for protecting CUI in non-federal systems — the technical basis of CMMC Level 2.
- C3PAO: A C3PAO is an organization authorized by the Cyber AB to conduct official CMMC Level 2 certification assessments.
