CUI for Government Contractors: The Complete Guide (March 2026)

You're reviewing a new opportunity and see language about sensitive information or NIST 800-171 in the SOW, which means CUI is in play. The problem most GovCon teams face isn't understanding what CUI is; it's tracking which pursuits require it across the entire pipeline so compliance checks happen before proposals ship. Treating CUI as an afterthought creates False Claims Act exposure, but surfacing those obligations early in your capture process lets you validate readiness when it actually matters.

TL;DR

  • CUI is sensitive federal information requiring protection under NIST 800-171's 110 security controls

  • Misrepresenting CUI compliance triggers False Claims Act liability; DOJ recovered $52M in 2025

  • CMMC Level 2 mandates third-party assessment of NIST 800-171 controls for DOD contracts handling CUI

  • Mark CUI documents with banners at top and bottom plus category indicators from the official Registry

  • GovDash is CMMC compliant and lets you tag CUI requirements at the opportunity level across your pipeline

What Is Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is sensitive but unclassified information that requires safeguarding or dissemination controls under federal law, regulation, or government-wide policy. This includes contract performance data, personnel records, technical specifications, and other government work product that sits between public information and classified material.

Executive Order 13556 created the CUI program in 2010 to replace dozens of inconsistent agency labels like FOUO (For Official Use Only), SBU (Sensitive But Unclassified), and LES (Law Enforcement Sensitive). Before the order, each agency maintained different rules, leaving contractors uncertain which protections applied.

CUI exists in the gap between classified national security information (governed by Executive Order 13526) and public data. Information qualifies as CUI when federal law, regulation, or policy requires protection but classification isn't warranted. The program provides contractors with consistent marking requirements and security standards across all federal agencies.

Why CUI Matters for Government Contractors

The DOD currently conducts business with more than 350,000 contractors, all of whom must understand CUI requirements to maintain eligibility for federal work. Failing to protect CUI can result in contract termination, suspension from bidding, and False Claims Act liability.

The 2014 and 2015 breaches at the Office of Personnel Management exposed security clearance records for over 22 million people, including government employees, contractors who had undergone background checks, and their family members. Attackers accessed fingerprints, Social Security numbers, and detailed background investigation files. This incident remains one of the most damaging CUI compromises in federal history and changed how agencies view contractor security posture.

CUI Requirements and Federal Regulations

Three core regulatory frameworks govern how contractors protect CUI. NIST Special Publication 800-171 defines 110 security controls that nonfederal systems must implement when handling CUI. These controls cover access management, incident response, media protection, and system monitoring.

For DOD contractors, DFARS 252.204-7012 mandates compliance with NIST 800-171 and requires reporting cyber incidents within 72 hours. This clause appears in most defense contracts and subcontracts involving CUI.

On January 5, 2026, GSA issued CIO-IT Security-21-112 Revision 1, setting new CUI protection requirements for contractors. While not codified as a FAR rule, the guide creates a mandatory approval framework that contracting officers can apply immediately to new contracts.

NIST is transitioning from 800-171 Revision 2 to Revision 3, which reorganizes controls and adds requirements around supply chain risk management.

Understanding the CUI Registry and Categories

The CUI Registry is the single authoritative source for determining what qualifies as CUI. Maintained by the National Archives, it lists every approved CUI category and subcategory, along with the law, regulation, or policy that requires protection.

The Registry divides CUI into two types. CUI Basic requires standard safeguarding under NIST 800-171 controls. CUI Specified triggers extra requirements beyond the baseline, such as limited dissemination lists or special storage protocols defined by the authorizing statute.

When you receive government information, check the Registry to confirm whether it qualifies as CUI. Common categories include Export Control, Federal Tax, Legal Privilege, and Procurement and Acquisition. If the information doesn't match a Registry category, it cannot be marked or treated as CUI.

Contracting officers and agencies may not create new CUI categories outside the Registry.

CUI Marking Standards and Best Practices

Every CUI document needs standardized markings that show handlers how to protect it. Proper marking prevents mishandling and satisfies your contractual obligations under DFARS and NIST 800-171.

Place "CUI" at the top and bottom of every page containing controlled information. This banner appears centered on documents and emails, making the protection level immediately visible.

Below the top banner, include a designation indicator block that specifies the CUI category from the Registry. For example, "CUI//SP-PRCMT" indicates procurement-sensitive information requiring CUI Specified controls. Basic CUI without special handling needs no additional notation beyond the banner.

Add dissemination markings when sharing restrictions apply. NOFORN prohibits release to foreign nationals. FED ONLY limits access to federal employees. FEDCON allows federal employees and contractors. NOCON restricts information to federal employees only, excluding contractors.

FOUO and SBU markings no longer carry authority. Convert legacy documents to CUI markings when you create new versions or derivatives.

| Marking Component     | Purpose                          | Example                         | Required                             |
|-----------------------|----------------------------------|---------------------------------|--------------------------------------|
| Banner Marking        | Identifies document as CUI       | CUI                             | Yes - top and bottom of each page    |
| Category Indicator    | Specifies CUI type from Registry | SP-PRCMT, SP-EXPT, CTI          | Yes - below top banner               |
| Dissemination Control | Limits who can access            | NOFORN, FED ONLY, FEDCON, NOCON | Only when sharing restrictions apply |
| Portion Marking       | Marks individual paragraphs      | (CUI) at start of paragraph     | No - optional but recommended        |
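As an added example (not code from the article or from GovDash), the following Python checker applies the marking rules described above to exported page text. It assumes banner segments are joined with "//" as in "CUI//SP-PRCMT//NOFORN" (a bare "CUI" banner is treated as CUI Basic), and it knows only the category and dissemination values the article lists, so a real deployment would load the full CUI Registry instead.

```python
import re
from dataclasses import dataclass, field

KNOWN_CATEGORIES = {"SP-PRCMT", "SP-EXPT", "CTI"}          # values named in the article only
KNOWN_DISSEM = {"NOFORN", "FED ONLY", "FEDCON", "NOCON"}
LEGACY = re.compile(r"\b(FOUO|SBU|LES)\b")  # superseded labels that must be converted

@dataclass
class MarkingReport:
    categories: set = field(default_factory=set)
    dissemination: set = field(default_factory=set)
    findings: list = field(default_factory=list)

def parse_banner(line):
    """Split 'CUI//SP-PRCMT//NOFORN' into (categories, controls); '//' layout is assumed.
    A bare 'CUI' banner yields empty sets (CUI Basic); a non-banner line yields None."""
    parts = [p.strip() for p in line.strip().split("//")]
    if parts[0] != "CUI":
        return None
    cats, dis = set(), set()
    for token in (t.strip() for seg in parts[1:] for t in seg.split("/") if t.strip()):
        (dis if token in KNOWN_DISSEM else cats).add(token)
    return cats, dis

def check_document(pages):
    """Check each page text for: a CUI banner top and bottom, matching indicators on both,
    Registry-listed categories, no contradictory controls, and no legacy FOUO/SBU/LES labels."""
    rep = MarkingReport()
    for n, page in enumerate(pages, 1):
        lines = [l for l in page.splitlines() if l.strip()]
        top = parse_banner(lines[0]) if lines else None
        bottom = parse_banner(lines[-1]) if len(lines) > 1 else None
        for where, b in (("top", top), ("bottom", bottom)):
            if b is None:
                rep.findings.append(f"page {n}: no CUI banner at {where}")
        if top and bottom and top != bottom:
            rep.findings.append(f"page {n}: top and bottom banners disagree")
        banners = [b for b in (top, bottom) if b]
        if len(banners) == 2 and banners[0] == banners[1]:
            banners.pop()  # identical banners: validate the indicators once, not twice
        for cats, dis in banners:
            for c in sorted(cats - KNOWN_CATEGORIES):
                rep.findings.append(f"page {n}: category {c} not in Registry list")
            if {"NOCON", "FEDCON"} <= dis:
                rep.findings.append(f"page {n}: NOCON and FEDCON conflict")
            rep.categories |= cats
            rep.dissemination |= dis
        for m in filter(None, map(LEGACY.search, lines)):
            rep.findings.append(f"page {n}: legacy marking {m.group(1)} must be converted")
    return rep
```

Run it over exported page text before a document leaves your enclave; every finding is a marking defect to correct before release.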

CMMC and CUI Compliance for DOD Contractors

CMMC 2.0 began appearing in DOD solicitations during fiscal year 2026, requiring defense contractors to prove CUI protection through third-party assessment. CMMC Level 2 mandates implementing all 110 NIST 800-171 controls, ending the self-attestation method.

DOD contractors handling CUI must register systems in the Supplier Performance Risk System (SPRS) and obtain a CMMC Unique Identifier before contract award. This identifier links assessment results to your CAGE code so contracting officers can verify certification status.

The shift to independent assessments marks the biggest compliance change for the defense industrial base since DFARS 252.204-7012 took effect.

False Claims Act Enforcement and Cybersecurity

Misrepresenting your CUI compliance status to win or retain government contracts triggers False Claims Act liability. The DOJ doesn't prosecute contractors for being breach victims. It goes after companies that falsely certify compliance with NIST 800-171 or DFARS security clauses while knowing their systems fall short.

In January 2026, DOJ announced it recovered $52 million through nine cybersecurity-related FCA settlements in fiscal year 2025, part of a record $6.8 billion in total False Claims Act recoveries that year. These cases centered on contractors who submitted proposals or invoices while misrepresenting their implementation of required security controls.

Recent settlements involved defense contractors who claimed full NIST 800-171 compliance but lacked basic protections like multifactor authentication, encryption, or access logging. Document every control you implement and every gap you remediate. Maintain system security plans that reflect actual conditions, not aspirational states.

How to Identify CUI in Your Contracts

Start by checking Section H (Special Contract Requirements) for DFARS 252.204-7012 or FAR 52.204-21. These clauses explicitly require CUI protection and reference NIST 800-171 controls. Review the contract data requirements list (CDRL) and statement of work for language about sensitive information, export-controlled data, or security requirements.

DOD contracts include DD Form 254, which lists classified information and CUI you'll handle during performance. The form specifies categories, access requirements, and whether you'll receive government-furnished CUI or generate it yourself. Request this form from your contracting officer if it wasn't included in your award package.

When CUI obligations aren't clear, ask your contracting officer three questions: Does this contract require me to handle government-furnished information beyond public data? Will I create deliverables containing sensitive procurement, technical, or mission-critical information? Which CUI categories from the Registry apply to this work?

You have no CUI obligations unless your contract explicitly requires it.

Common CUI Compliance Challenges and Gaps

Most contractors struggle with the 110 controls in NIST 800-171 despite requirements dating back to 2017. The gap isn't knowledge. It's execution across systems, people, and subcontractors.

Access controls and encryption present persistent problems. Contractors often grant excessive network permissions, skip multifactor authentication on remote access, or leave CUI in unencrypted email or cloud storage. Configuration management also falls short when teams fail to maintain security baselines or patch systems consistently.

Incident response plans exist on paper but lack testing. When breaches occur, contractors miss the 72-hour reporting window under DFARS 252.204-7012 because no one knows who holds responsibility or how to contact the DOD Cyber Crime Center.

Subcontractor compliance creates another layer of risk. Prime contractors remain liable for CUI protection failures anywhere in their supply chain, yet many skip verification of subs' NIST 800-171 implementation. Flow-down clauses appear in subcontracts, but primes rarely audit whether smaller partners actually deploy required controls.

Real compliance demands buy-in from leadership, capture teams, contracts, IT, and program managers. Treating CUI as solely an IT problem guarantees gaps.

Managing CUI Across Your Opportunity Pipeline with GovDash

GovDash lets you tag CUI requirements at the opportunity level, so your entire team knows which pursuits need NIST 800-171 controls before you bid. When you identify a new opportunity in the pipeline, you can flag it for CUI and trigger compliance checks across capture, proposal, and pricing workflows.

This matters because bidding on CUI contracts without adequate protections creates False Claims Act exposure. The tagging system prevents that gap by surfacing CUI obligations early, giving your IT and security teams time to validate readiness before proposal submission.

Most GovCon tools lack any way to track CUI status across your pipeline, forcing teams to manage it in spreadsheets or email chains. GovDash centralizes that visibility in the same system where you build proposals and manage contracts.

Final Thoughts on Building a CUI Compliance Program

Federal agencies expect contractors to protect CUI from day one of contract performance. Using GovCon systems that centralize CUI tracking across your opportunity pipeline prevents the gaps that trigger False Claims Act liability. Your compliance program needs buy-in from capture teams, proposal managers, and leadership to work. Start by identifying which contracts in your current portfolio contain CUI obligations, then build repeatable processes that verify NIST 800-171 implementation before you bid on new work.

FAQs

What's the difference between CUI and classified information?

CUI is sensitive but unclassified information that requires protection under federal law or policy, while classified information (governed by Executive Order 13526) involves national security data. CUI sits between public information and classified material, covering items like contract performance data, technical specifications, and personnel records that need safeguarding but don't warrant classification.

How do I know if my contract requires CUI protection?

Check Section H (Special Contract Requirements) for DFARS 252.204-7012 or FAR 52.204-21, review the contract data requirements list (CDRL), and look for DD Form 254 on DOD contracts. If these clauses or forms aren't present and the statement of work doesn't mention sensitive information or security requirements, you likely have no CUI obligations unless explicitly stated by your contracting officer.

What happens if I misrepresent my NIST 800-171 compliance status?

Falsely certifying compliance with NIST 800-171 or DFARS security clauses triggers False Claims Act liability. DOJ recovered $52 million through nine cybersecurity-related FCA settlements in fiscal year 2025, targeting contractors who claimed full compliance while lacking basic protections like multifactor authentication, encryption, or access logging.

Can I still use FOUO or SBU markings on government documents?

No. FOUO (For Official Use Only) and SBU (Sensitive But Unclassified) markings no longer carry authority after Executive Order 13556 standardized CUI requirements. Convert legacy documents to proper CUI markings (with "CUI" banners at top and bottom of each page) when you create new versions or derivatives.

How does CMMC 2.0 change CUI compliance for defense contractors?

CMMC 2.0 requires defense contractors handling CUI to prove protection through third-party assessment instead of self-attestation. You must achieve CMMC Level 2 (full implementation of all 110 NIST 800-171 controls), register systems in SPRS, and obtain a CMMC Unique Identifier before contract award.


Less expensive than a lost bid

Submit the form to schedule your GovDash tour and get your custom quote started.

By clicking "Submit," you agree to the use of your data in accordance with GovDash’s Privacy Notice, including for marketing purposes.

© 2025 All Rights Reserved. Made in America 🇺🇸
