CUI — Controlled Unclassified Information — is sensitive government-related information that is not classified under national security law but still carries legal protection requirements. For defense subcontractors, CUI typically includes technical drawings, engineering specifications, CAD files, and other data customers share with you for production. If your shop receives and stores that kind of information, federal cybersecurity rules apply to every system where that data lives.
Here is how it usually goes.
A customer sends over a drawing package. Maybe a set of manufacturing specs, a technical data package, or a CAD file attached to a purchase order. You save it to the server, assign a job number, and production moves forward. Nobody calls it anything special. Nobody tells you to treat it differently than any other customer file.
What that document often contains is CUI.
Most small manufacturers were not given a briefing on federal information categories when they started doing defense-adjacent work. The term does not come up in quoting conversations. It does not appear in the email subject line when the drawing arrives. But if your shop performs subcontracted work that eventually flows into Department of Defense programs, there is a real chance that some of the information moving through your facility has a federal designation — and that designation carries protection requirements whether or not anyone told you.
That is not an accusation of negligence. The requirements have changed faster than most small shops could reasonably track. But understanding what CUI is, and whether your environment handles it, is the foundation of nearly every compliance conversation that follows.
CUI stands for Controlled Unclassified Information. The formal definition is information the federal government creates or possesses that requires safeguarding or dissemination controls under applicable laws, regulations, or government-wide policies — but that does not meet the standard for classified information under Executive Order 13526.
The plain version: it is not Top Secret. It is not classified at all in the national security sense. Before CUI was standardized, federal agencies used a patchwork of overlapping labels — sensitive but unclassified, for official use only, and others — to handle sensitive information with no consistent rules. CUI replaced all of that with a single data classification framework. The federal government determined that certain categories of sensitive information require consistent protection, even when shared outside federal systems — including with private-sector contractors and subcontractors in the defense supply chain.
The CUI Program itself was established under Executive Order 13556 and is managed by the National Archives and Records Administration. The approved CUI categories are published in the federal CUI Registry, which defines how each category should be marked and what safeguarding or dissemination controls apply when it leaves federal hands.
For a machining shop or fabrication operation, the practical reality is straightforward: if you receive technical information tied to a Department of Defense program, you are likely handling CUI — and you likely have been for some time.
CUI does not arrive through a formal classification process. It arrives through contracts and the information that travels with them.
The standard legal mechanism is a clause called DFARS 252.204-7012 — a Department of Defense Federal Acquisition Regulation Supplement clause that governs the safeguarding of covered defense information. When that clause appears in a prime contractor’s contract, it typically flows down through the supply chain. A tier-two supplier passes the obligation to their vendors. Those vendors pass it to subcontractors through purchase orders and subcontracts.
When your shop receives technical data for a program covered by that clause, the obligation to protect it travels with the file.
In a manufacturing environment, CUI commonly looks like:
These are files that routinely live on shared drives, file servers, email inboxes, and workstations in a small shop. The systems where they live — and who can access them — are exactly what cybersecurity and CMMC compliance requirements are built to address.
Not all CUI is handled the same way. The federal CUI Program divides it into two categories.
CUI Basic is information that requires protection under applicable laws, regulations, or government-wide policies, where no additional handling requirements are imposed beyond the standard protection baseline. That baseline is NIST SP 800-171 — a framework of 110 security requirements covering access control, auditing, configuration management, incident response, media protection, system integrity, and more.
For most small defense subcontractors, CUI Basic is the category they encounter. When prime contractors send cybersecurity questionnaires, NIST SP 800-171 is the standard they are measuring against. When CMMC compliance is required, Level 2 maps directly to those same 110 requirements. CUI Basic is where most of the real-world compliance work for small shops lives.
CUI Specified is information for which specific laws, regulations, or government-wide policies impose handling controls stronger than the CUI Basic baseline. These requirements are more prescriptive and more restrictive. Certain export-controlled information, specific technical program categories, and data with dedicated statutory protection requirements may fall under CUI Specified. If your work involves these categories, the protection requirements go beyond what NIST SP 800-171 alone covers.
Knowing which category applies determines whether NIST SP 800-171 alone covers your requirements or whether additional obligations apply on top of that baseline.
The Cybersecurity Maturity Model Certification program was built for one primary purpose: to enforce the protection of CUI across the defense industrial base.
For years, the requirement to implement NIST SP 800-171 controls existed on paper through DFARS 252.204-7012. Contractors self-reported compliance scores to the Supplier Performance Risk System, but without verification, gaps went undetected and controls were often planned rather than implemented.
CMMC changes the enforcement model. At Level 2 — which covers organizations handling CUI — the program requires demonstrated compliance rather than self-certification. Assessment mechanisms add accountability that self-reporting did not.
This is where a lot of small shops find themselves in a difficult position. They have been receiving defense-related technical data for years. DFARS 252.204-7012 may have appeared somewhere in their contract language without anyone explaining its implications. And now the compliance stakes are real in a way that can affect whether they are eligible for future contracts.
Getting ahead of that pressure starts with the same basic question: does your shop handle CUI?
Most owners do not need a compliance attorney to get a working answer to this question. A few practical checks will get you close.
Start with your contracts. Pull the agreements tied to customers performing defense work. Look for DFARS 252.204-7012 or language referencing “covered defense information” or “controlled unclassified information.” If that clause appears — directly or as a flow-down from a customer’s prime contract — you have a clear signal that the CUI protection framework applies to your operation.
Next, look at the technical documents themselves. Are drawings or specifications marked with CUI designators or distribution control notices? Do files include export control warnings? Is the data tied to a program you know supports DoD end-use? Technical data packages with defense program connections, customer drawings for aerospace or defense components, and files with release restrictions are all indicators worth investigating.
If you are still uncertain, the answer is not to guess. A review of your contract obligations and your current IT environment — by someone who understands both sides — is the appropriate next step before a supplier audit forces the question for you.
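The contract and document checks described above, as an added example that is not the article's own code or tooling: a small Python triage script that scans a constructed set of shop files for the indicators the article names (the DFARS clause and its phrases, CUI markings, distribution notices, export-control warnings). The regexes and sample file names are assumptions made for this example.

```python
import re

# Indicator patterns for the two checks the article describes: contract language
# (the DFARS clause and its key phrases) and document markings (CUI banners,
# distribution notices, export-control warnings). The regexes are assumptions
# made for this example; they are a triage aid, not a legal determination.
CONTRACT_PATTERNS = {
    "dfars_7012": re.compile(r"\b252\.204-7012\b"),
    "covered_defense_information": re.compile(r"covered defense information", re.I),
    "cui_phrase": re.compile(r"controlled unclassified information", re.I),
}
MARKING_PATTERNS = {
    "cui_marking": re.compile(r"\bCUI(?://[A-Z0-9/-]+)?\b"),  # e.g. CUI or CUI//SP-CTI
    "distribution_notice": re.compile(r"distribution statement [A-F]\b", re.I),
    "export_control": re.compile(r"\bITAR\b|\bEAR\b|(?i:export[- ]control)"),
}


def find_signals(text, patterns):
    """Return the names of the patterns that occur in one document's text."""
    return [name for name, pat in patterns.items() if pat.search(text)]


def triage(docs):
    """Map each document name to its contract-level and marking-level signals.

    An empty result means only that nothing was found; the article's point is
    that CUI often arrives unmarked, so absence of hits is not absence of CUI.
    """
    return {
        name: {
            "contract_signals": find_signals(text, CONTRACT_PATTERNS),
            "marking_signals": find_signals(text, MARKING_PATTERNS),
        }
        for name, text in docs.items()
    }


def shop_handles_cui(report):
    """True if any document carries a contract or marking signal."""
    return any(r["contract_signals"] or r["marking_signals"] for r in report.values())


# Constructed sample documents standing in for files on a shop's shared drive.
SAMPLE_DOCS = {
    "PO-1042.txt": ("Purchase order 1042. Flow-down: DFARS 252.204-7012 applies to "
                    "all covered defense information furnished under this order."),
    "DWG-7781_titleblock.txt": ("CUI//SP-CTI  DISTRIBUTION STATEMENT D. "
                                "Export controlled under ITAR."),
    "quote-commercial.txt": "Quote for 500 aluminum brackets, commercial customer, net 30.",
    "job-2210-specs.txt": "Machine per customer drawing rev C. Tolerances +/- 0.005 in.",
}

if __name__ == "__main__":
    for name, result in triage(SAMPLE_DOCS).items():
        print(name, result)
```

A file with no hits still needs the contract review the article recommends; the script only narrows where to look first.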
Understanding that you handle CUI is step one. Understanding what to do about it is step two.
NIST SP 800-171 defines the security requirements for protecting CUI in non-federal information systems. It is the federal information security benchmark for defense supply chain environments. Its 110 requirements span 14 control areas covering access, auditing, configuration management, incident response, system protection, and more.
For a small shop, the practical translation focuses on questions most owners can reason through:
Getting honest answers to these questions is how a shop moves from guessing to knowing. A current CMMC compliance assessment gives you a clear picture of where your gaps are before anyone else asks for it.
CUI is not a bureaucratic label. For a small defense subcontractor, it is the direct link between your IT environment and your ability to stay in the supply chain.
If your shop handles CUI and cannot demonstrate that it is being protected according to the required standard, you face two compounding risks. First, you may already be out of compliance with contract obligations flowing through DFARS 252.204-7012. Second, as CMMC assessment requirements take effect, the inability to demonstrate compliance can affect your eligibility for work that requires it.
Neither outcome is a hypothetical — they are practical consequences of an unaddressed gap, and the right time to close them is before a customer questionnaire, a supplier audit, or a contract renewal forces the conversation.
If you want to understand whether your shop handles CUI and where you stand against the requirements that apply to it, Right Hand Technology Group helps defense subcontractors assess their current environments against NIST SP 800-171, identify their gaps, and build a practical plan toward compliance. Review our CMMC compliance services to understand what the process looks like — or schedule a free assessment to talk through where your shop stands before a customer questionnaire or contract renewal forces the conversation.
What are the two types of CUI?
There are two types of CUI: CUI Basic and CUI Specified. CUI Basic follows standard protection rules under NIST SP 800-171, while CUI Specified requires additional safeguards under specific laws or regulations beyond that baseline.
How do I know if the information my shop receives is CUI?
Check your contracts and documents for DFARS 252.204-7012, CUI markings, or distribution control notices. Common examples include technical drawings, CAD files, and engineering data tied to Department of Defense programs. If the clause appears anywhere in your contract language — including as a flow-down from a customer’s prime contract — CUI protection requirements apply to your environment.
What is the relationship between CUI and NIST SP 800-171?
NIST SP 800-171 outlines the security requirements for protecting CUI in non-federal systems. Defense contractors handling CUI must follow these controls — 110 requirements across 14 control families — which also form the technical foundation of CMMC Level 2 certification.