Controlled Unclassified Information (CUI) is a category of unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. It is not "Classified" (like Secret or Top Secret), but it is sensitive enough that its loss or unauthorized disclosure could damage U.S. national security.
In the modern Defense Industrial Base (DIB), CUI is the primary focus of the CMMC 2.0 framework. For organizations, the challenge is no longer just storing CUI on a secure server; it is managing CUI as it sprawls into Shadow SaaS, Shadow AI prompts, and remote employee devices.
What Are the Most Common Types of CUI?
CUI is a broad umbrella covering over 125 categories. For technology and defense contractors, the most critical types include:
- Controlled Technical Information (CTI): Technical data with military or space application, often subject to ITAR or EAR controls.
- Export Controlled Information: Data that cannot be shared with foreign nationals without an export license.
- Proprietary Business Information: Financial information, trade secrets, or intellectual property related to government contracts.
- Privacy Information: Personally Identifiable Information (PII) of government employees or military personnel.
- Legal and Law Enforcement Data: Sensitive information related to ongoing investigations or judicial proceedings.
Why Is CUI Management a Critical Business Risk?
For a CISO, mishandling CUI isn't just a security breach; it is a contractual default.
- The CMMC 2.0 Mandate: To win any significant DoD contract, organizations must prove they can protect CUI at "Level 2" (Advanced) or higher. This requires strict adherence to NIST SP 800-171 standards.
- The "Deemed Export" Trap: Sharing CUI with a foreign national—even an employee within your own U.S. office—can constitute an unauthorized export, leading to ITAR violations and millions in fines.
- Ransomware and Extortion: CUI is a high-value target for state-sponsored actors. If stolen, it is used as leverage to extort defense contractors or degrade U.S. military advantages.
- Sprawl in the Collaboration Era: CUI often "leaks" into Microsoft Teams, Slack, or unauthorized Generative AI tools, where traditional perimeter security cannot see or protect it.
How to Secure CUI for CMMC Compliance
Successfully managing CUI requires moving security from the "Network" to the "File."
- Identify and Categorize: Use automated data discovery to find CUI hidden in "dark" corners of your network.
- Enforce FIPS-Validated Encryption: NIST 800-171 requires that CUI be protected by FIPS 140-2 or FIPS 140-3 validated cryptographic modules.
- Implement Least Privilege (PoLP): Ensure that only users with a verified "Need to Know" and the correct identity can access sensitive files.
- Persistent File-Centric Protection: Since CUI is frequently shared with subcontractors, you must ensure that the security follows the file. File-Centric Security (FCS) ensures that even if a file leaves your environment, you maintain control over who can open it.
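The "Identify and Categorize" step above is the one most teams underestimate, so here is an added worked example (not code from the original page or from any vendor) of a minimal discovery pass: it scans documents for CUI banner markings, splits them into categories and dissemination controls, and triages each file as Basic or Specified and as export-sensitive or not. It assumes the banner layout "CUI//CATEGORY/CATEGORY//DISSEM,DISSEM" with Specified categories carrying the "SP-" prefix, uses a small hand-picked subset of CUI Registry abbreviations (CTI, EXPT, PRVCY, NOFORN, FEDCON, NOCON), and treats CTI as export-sensitive by assumption; the sample documents are constructed in-line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed banner layout (CUI marking handbook style):
#   "CUI", "CUI//CAT", "CUI//CAT/CAT//DISSEM,DISSEM", or "CUI//DISSEM" with no category.
# Only a whole line that is a banner matches, so prose that merely mentions "CUI" is ignored.
BANNER_RE = re.compile(
    r"^\s*CUI"
    r"(?:\s*//\s*(?P<first>[A-Z0-9-]+(?:[/,]\s*[A-Z0-9-]+)*))?"
    r"(?:\s*//\s*(?P<second>[A-Z0-9-]+(?:[/,]\s*[A-Z0-9-]+)*))?"
    r"\s*$"
)

# Small subset of registry abbreviations used by this example.
DISSEM_CONTROLS = {"NOFORN", "FEDCON", "NOCON"}
# Assumption for triage: CTI is treated as export-sensitive alongside EXPT.
EXPORT_CATEGORIES = {"EXPT", "SP-EXPT", "CTI", "SP-CTI"}


@dataclass
class Marking:
    categories: List[str] = field(default_factory=list)
    dissemination: List[str] = field(default_factory=list)

    @property
    def specified(self) -> bool:
        # Any "SP-" category makes the whole document CUI Specified.
        return any(c.startswith("SP-") for c in self.categories)

    @property
    def export_controlled(self) -> bool:
        # Either an export category or a NOFORN dissemination control triggers the flag.
        return bool(set(self.categories) & EXPORT_CATEGORIES) or "NOFORN" in self.dissemination


def _split(group: Optional[str]) -> List[str]:
    return [t.strip() for t in re.split(r"[/,]\s*", group)] if group else []


def parse_marking(line: str) -> Optional[Marking]:
    """Parse one line; return a Marking if the line is a CUI banner, else None."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    cats, dissem = _split(m.group("first")), _split(m.group("second"))
    # "CUI//NOFORN" has no category block: the first group is really dissemination controls.
    if not dissem and cats and all(t in DISSEM_CONTROLS for t in cats):
        cats, dissem = [], cats
    return Marking(cats, dissem)


def scan_documents(docs: Dict[str, str]) -> Dict[str, Marking]:
    """Return the first banner marking found in each document (banners sit at the top)."""
    findings: Dict[str, Marking] = {}
    for name, text in docs.items():
        for line in text.splitlines():
            marking = parse_marking(line)
            if marking is not None:
                findings[name] = marking
                break
    return findings


def triage(findings: Dict[str, Marking]) -> Dict[str, List[str]]:
    """Bucket findings so Specified and export-sensitive files get the stricter workflow."""
    return {
        "specified": sorted(n for n, m in findings.items() if m.specified),
        "basic": sorted(n for n, m in findings.items() if not m.specified),
        "export_controlled": sorted(n for n, m in findings.items() if m.export_controlled),
    }


# Constructed sample corpus standing in for a file share or SaaS export.
SAMPLE_DOCS = {
    "drawing-rev3.txt": "CUI//SP-CTI//NOFORN\nActuator housing tolerances and materials\n",
    "hr-roster.csv": "CUI//PRVCY\nname,dob,clearance_sponsor\n",
    "export-memo.txt": "CUI//NOFORN\nShipment routing for program hardware\n",
    "basic-memo.txt": "CUI\nInternal schedule notes\n",
    "lunch-menu.txt": "CUI is mentioned here in passing, but this line is not a banner.\nTaco Tuesday\n",
}

if __name__ == "__main__":
    for name, marking in scan_documents(SAMPLE_DOCS).items():
        print(name, marking, "specified" if marking.specified else "basic")
    print(triage(scan_documents(SAMPLE_DOCS)))
```

In a real discovery run the same parser would be pointed at extracted text from office formats and chat exports; the triage buckets are what drive the later steps (FIPS-validated encryption, need-to-know access, and the stricter handling CUI Specified demands).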
FAQs: Controlled Unclassified Information (CUI)
What is the difference between CUI Basic and CUI Specified?
CUI Basic is the subset of CUI for which the authorizing law, regulation, or government-wide policy does not set out specific handling or dissemination controls. CUI Specified is for data that has very specific, mandatory handling instructions (like ITAR technical data) that must be followed in addition to the Basic controls.
Does CUI have to be encrypted at rest?
Yes. Under NIST SP 800-171 (the standard for CMMC), CUI must be protected by At-Rest Encryption whenever it is stored on non-federal systems. Furthermore, the encryption must be FIPS-validated.
What happens if I accidentally share CUI with an unauthorized person?
This is considered a security incident and must be reported according to your contract’s DFARS 252.204-7012 requirements. In 2026, the average cost for U.S. organizations to remediate a data breach has reached a record $10.22 million.
How does Theodosian automate CUI protection?
Theodosian removes the "Human Factor" from CUI compliance.
- Identity-Bound Encryption: We ensure that CUI is only accessible to the specific IAM identities authorized by your organization.
- Automated Audit Logs: We provide the "Chain of Custody" and cryptographic Audit Trails required to pass a CMMC Level 2 assessment.
- Geofencing Access: If a CUI file is subject to export controls, Theodosian can use Context-Aware Access Controls to block any access attempts from outside the United States, automatically preventing a "Deemed Export."
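To make the three capabilities above concrete, here is an added illustration written for this page; it is not Theodosian's code and does not describe its product internals. It models a per-file policy that binds access to an explicit list of authorized identities, applies a country geofence only when the file is export-controlled, and records every decision in a hash-chained audit log so that a tampered entry is detectable. It assumes the requester's identity has already been authenticated by the IAM layer and that the requesting country comes from verified device or network context; the file, identities and requests are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

GENESIS = "0" * 64  # hash of "no previous entry"


@dataclass(frozen=True)
class FilePolicy:
    file_id: str
    authorized_identities: FrozenSet[str]   # IAM principals with a verified need to know
    export_controlled: bool                 # when True, the geofence below is enforced
    allowed_countries: FrozenSet[str] = frozenset({"US"})


@dataclass(frozen=True)
class AccessRequest:
    identity: str   # assumed already authenticated upstream
    file_id: str
    country: str    # assumed to come from verified device/network context


class AuditChain:
    """Append-only decision log; each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []
        self._prev = GENESIS

    def record(self, event: Dict[str, str]) -> str:
        body = {"prev": self._prev, **event}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({"hash": digest, **body})
        self._prev = digest
        return digest

    def verify(self) -> bool:
        """Recompute every hash; any edited, dropped or reordered entry breaks the chain."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def decide(policy: FilePolicy, request: AccessRequest, audit: AuditChain) -> bool:
    """Allow only identity-bound, need-to-know access; geofence export-controlled files."""
    if request.file_id != policy.file_id:
        reason = "policy does not cover requested file"
    elif request.identity not in policy.authorized_identities:
        reason = "identity not on need-to-know list"
    elif policy.export_controlled and request.country not in policy.allowed_countries:
        reason = "export-controlled file requested from outside allowed countries"
    else:
        reason = "granted"
    allowed = reason == "granted"
    audit.record({
        "file": policy.file_id,
        "identity": request.identity,
        "country": request.country,
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    })
    return allowed


def run_demo() -> Tuple[List[bool], AuditChain]:
    # Constructed scenario: one ITAR-controlled drawing, two cleared engineers.
    policy = FilePolicy("drawing-rev3", frozenset({"alice@corp.example", "bob@corp.example"}),
                        export_controlled=True)
    requests = [
        AccessRequest("alice@corp.example", "drawing-rev3", "US"),   # cleared, in country
        AccessRequest("bob@corp.example", "drawing-rev3", "DE"),     # cleared, but abroad
        AccessRequest("mallory@corp.example", "drawing-rev3", "US"), # not on the list
    ]
    audit = AuditChain()
    decisions = [decide(policy, r, audit) for r in requests]
    return decisions, audit


if __name__ == "__main__":
    decisions, audit = run_demo()
    print(decisions)                       # [True, False, False]
    for e in audit.entries:
        print(e["decision"], e["identity"], e["country"], e["reason"])
    print("audit chain intact:", audit.verify())
```

The deny for the second request is the "Deemed Export" case from earlier in the page: the identity is authorized, but the context is not. The chained log is what an assessor can replay; in a production system the chain head would additionally be signed or anchored outside the system that writes it, otherwise an attacker who controls the log can simply rewrite the whole chain.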
Additional Resources
Data Governance Doesn't End When the File Leaves: The Case for Persistent File-Level Governance
File-Centric Zero Trust: Why Security Has to Live in the File, Not the Network