Three SaaS products live · OpsTicket · Winrove · OnboardIQ·SAM.gov UEI PR9KWJPM4JU9 · CAGE 91CE1
IT Custom SolutionFour Practices, One Firm · Est. MMXXI
§ SAM.gov UEI · PR9KWJPM4JU9§ CAGE · 91CE1§ NYC MBE · MWCERT2022-353

Data Handling for Controlled Unclassified Information: A Practical CUI Checklist

A missed CUI label on one emailed document can trigger a federal contract suspension. Here is a concrete checklist to close the gap before an auditor does.

A subcontractor emails a draft technical report to a prime. The file contains design specifications covered under the Defense Federal Acquisition Regulation Supplement. Nobody applied a CUI header. Nobody flagged the personal email account used to send it. Six weeks later, a DCSA review surfaces the incident and the prime's contracting officer opens a corrective action request. That sequence plays out across federal supply chains every month, and it is almost always preventable.

Controlled Unclassified Information (CUI) is not classified, but mishandling it carries real consequences: contract suspension, loss of facility clearance eligibility, and civil liability under applicable federal regulations. The National Archives and Records Administration (NARA) CUI Registry lists more than 100 authorized categories, from export-controlled technical data to law enforcement sensitive records. If your organization touches federal contracts, you almost certainly handle CUI, whether or not you have formally acknowledged it.

This checklist is organized around the five operational failure points where mid-market and SMB contractors most commonly fall short.

1. Identification: Know What You Are Holding

CUI status is determined by law, regulation, or government-wide policy, not by a contracting officer's preference. Before you can protect information, you have to recognize it.

  • Map your data flows. List every system, shared drive, email account, and collaboration platform where project deliverables, technical drawings, personally identifiable information (PII), or procurement-sensitive data reside.
  • Cross-reference the CUI Registry. Visit archives.gov/cui and match your data types to authorized categories. Common ones for contractors include: Controlled Technical Information (CTI), Export Controlled, Privacy (PII/PHI), and Procurement and Acquisition.
  • Flag inherited data. Data you receive from a government agency or a prime contractor may already carry CUI designation. Receiving it does not transfer the labeling obligation, but it does transfer the handling obligation.

2. Marking: Apply Labels Before You Move Anything

NARA's CUI Marking Handbook specifies exact placement and format. Non-compliance with marking requirements is itself a reportable incident under many agency contracts.

  • Header and footer on every page. Documents must display "CUI" (or the specific category marking such as "CUI//CTI") in the header and footer of each page, not just the cover.
  • Subject line marking for email. Email transmitting CUI must include "CUI" in the subject line. Body-only disclosure is insufficient.
  • Portion marking where required. Some agency contracts require portion-level marking (paragraph by paragraph). Check your contract's DD Form 254 (for classified requirements) or equivalent CUI-specific data handling clause.
  • No improvised labels. Terms like "Sensitive," "Proprietary," or "Company Confidential" are not CUI designations and provide no regulatory protection.

3. Storage: Limit Access and Enforce Encryption

NIST SP 800-171 Revision 2, which governs CUI handling in non-federal systems, requires organizations to control access to CUI, enforce least privilege, and protect CUI at rest and in transit. CMMC 2.0 Level 2 maps directly to these 110 controls for defense contractors.

  • Encrypt at rest. FIPS 140-2 (or 140-3) validated encryption is the standard. Consumer-grade cloud storage without validated encryption does not meet the requirement.
  • Restrict folder and share permissions. CUI repositories should be accessible only to personnel with a documented need. Audit permissions quarterly, not annually.
  • Separate CUI from general business data. Commingling CUI with routine business files in the same shared drive increases exposure and complicates incident scoping.
  • Document your system boundary. Your System Security Plan (SSP) must define which systems process or store CUI. If a new tool gets added to a project workflow, update the SSP before using it for CUI.

4. Transmission: Control Every Handoff

Transmission failures are the most common CUI incident vector. An unencrypted email, a personal Dropbox link, or a USB drive handed to a subcontractor without a written agreement can each constitute a spillage event.

  • Use encrypted email or secure file transfer. Standard SMTP email is not acceptable for CUI unless end-to-end encryption is applied. Acceptable options include DoD SAFE, agency-approved secure portals, or email systems with S/MIME or equivalent encryption.
  • Prohibit personal accounts and consumer cloud. Gmail, personal OneDrive, and similar consumer services are not authorized CUI transmission channels regardless of convenience.
  • Verify recipient authorization before sending. Confirm the recipient's organization has a CUI handling agreement (typically a teaming agreement with explicit data handling clauses or a government-issued data sharing agreement) before transmitting.
  • Log outbound CUI transfers. Maintain a transmission log: date, sender, recipient, file name or description, and transmission method. This log is essential during incident response.

5. Incident Response: Report Fast and Document Everything

A CUI incident does not automatically mean a breach of classified information, but it does require prompt action. Most agency contracts specify a 72-hour or shorter reporting window from discovery to notification.

  • Define what constitutes an incident. Sending CUI to an unauthorized recipient, storing it on a non-compliant system, or losing a device containing CUI are all reportable events. Train staff to recognize them.
  • Designate a CUI Incident Response Point of Contact. This person receives internal reports, initiates containment, and contacts the contracting officer or agency security officer.
  • Preserve evidence before remediation. Do not delete emails or wipe devices before documenting what happened. Premature remediation can obstruct an agency investigation.
  • Conduct a root cause analysis. Every incident should produce a written corrective action plan. Agencies expect to see systemic fixes, not just acknowledgment of the event.
  • Update your SSP and training records. If an incident reveals a gap in your documented controls or employee awareness, close it formally and record the update.

Ongoing Maintenance: The Checklist Is Not a One-Time Exercise

CUI programs degrade without active maintenance. Personnel turn over. New tools get adopted informally. Contract scopes expand to cover new data categories. Build these recurring tasks into your operations:

  1. Annual CUI training for all personnel with system access, with signed acknowledgment records.
  2. Quarterly access permission reviews for all CUI repositories.
  3. Annual SSP review and update, triggered also by any new contract award or significant system change.
  4. Subcontractor flow-down verification: confirm that every subcontractor handling CUI on your behalf has its own compliant program and that your agreements explicitly require it.
  5. Tabletop incident response exercise at least once per year.

Quick Reference: CUI Handling Minimum Standards

  • Marking: CUI header/footer on every page, subject line on email
  • Storage: FIPS-validated encryption, least-privilege access, documented system boundary
  • Transmission: Encrypted channel only, no consumer cloud, transmission log maintained
  • Incident reporting: Notify contracting officer within contract-specified window (often 72 hours)
  • Training: Annual, documented, role-specific

Takeaway: CUI compliance is an operational discipline, not a paperwork exercise. The organizations that avoid incidents are the ones that have made marking, access control, and transmission hygiene into daily habits rather than audit-season scrambles. Start with your data map, cross-reference the CUI Registry, and work through each failure point above before your next contract deliverable goes out the door.

If you are working through a CMMC assessment or need to build out a CUI handling program from scratch, our Consulting and AI Advisory practice works with contractors on exactly these compliance frameworks. Reach out when you are ready to pressure-test your controls.

#cui#cmmc#nist-800-171#federal-contractors#data-handling#cybersecurity-compliance
§ ShareX / TwitterLinkedIn
§ Need a quote?

Tell us about the work.

IT Custom Solution delivers cybersecurity, cloud, managed IT, and custom software for federal, state, and local agencies.

Analytics cookies? Details: cookies policy or privacy policy.