CMMC GLOSSARY // CUI

What is CUI?

CUI stands for Controlled Unclassified Information. CUI is government-created or -owned information that requires safeguarding under law, regulation, or government-wide policy, but is not classified.

Controlled Unclassified Information (CUI) is the category of sensitive-but-unclassified information that drives most CMMC requirements. If a defense contract involves CUI, the contractor generally needs CMMC Level 2 rather than Level 1.

CUI includes things like technical drawings, specifications, engineering data, and program information marked as controlled. Simply receiving or forwarding an email containing CUI puts that system in scope.

Correctly identifying whether you handle CUI — and which of the 80+ CUI categories applies — determines your assessment path (self-assessment vs. third-party C3PAO) and the boundary of your assessment.

FROM TERMS TO READINESS

See where you actually stand on the 110 controls.

PolicyCortex maps your live cloud against every NIST 800-171 control and generates C3PAO-ready evidence. Start with the free assessment.

SYS: ONLINE
FOCUSCMMC L2 / L3
BUILD0aed52
CMMC DEADLINET-d
©2026 POLICYCORTEX, INC.