CUI — Controlled Unclassified Information — is the trigger. If your contracts involve CUI, you almost certainly need CMMC Level 2. Knowing whether you handle it is the first question every defense contractor should answer.
What CUI is
CUI is government-created or government-owned information that isn't classified but still requires safeguarding under law, regulation, or government-wide policy. In defense work it shows up as technical drawings, specifications, engineering data, source code, test results, and other sensitive program information — often the very data you need to do the job.
FCI vs. CUI
| Type | What it is | Triggers |
|---|---|---|
| FCI | Federal Contract Information — non-public info provided or generated under a contract | CMMC Level 1 |
| CUI | Controlled Unclassified Information — sensitive info requiring specific safeguarding | CMMC Level 2 |
How to tell if you handle CUI
You very likely handle CUI if any of the following are true:
- Your contract or purchase order includes the clause DFARS 252.204-7012 (or 7019/7020/7021).
- A prime contractor sends you marked CUI or government technical data to perform the work.
- You produce parts or services from government-furnished specifications or drawings.
- Your work involves export-controlled technical data (ITAR/EAR), which is treated as CUI.
Why CUI means CMMC Level 2
Because CUI is exactly the data NIST SP 800-171 was written to protect. If it lives in your environment, you're expected to implement all 110 controls — and from late 2026, prove it through certification. If you're not sure whether you handle CUI, that's the first thing we'll help you nail down.