CUI Handling for Defense Contractors: The Complete Guide to Identifying, Marking, Storing, and Transmitting Controlled Unclassified Information
Here's a story I've seen play out at least a dozen times in the last year alone: A defense contractor passes their CMMC self-assessment with flying colors. Every technical control is in place — multifactor authentication, endpoint detection, encrypted drives, the works. Then an assessor asks a single question: "Show me how you identify and mark CUI when it enters your environment."
Blank stares.
The contractor had spent six figures on security tools and zero hours on the fundamental question: do your people actually know what CUI is, where it lives, and how to handle it?
After 30 years in cybersecurity — including years as a CIO managing environments where CUI flows through email, file shares, cloud platforms, and mobile devices every single day — I can tell you that CUI handling is the single biggest gap in the Defense Industrial Base right now. It's not a technology problem. It's a process problem. And it's the problem that will sink more CMMC assessments than any missing firewall rule or unpatched server.
With GSA issuing new CUI protection requirements in March 2026 that explicitly reference NIST SP 800-171 Revision 3, and CMMC Phase 2 assessments ramping up for November, the time to get your CUI handling right is now.
This guide covers the complete CUI lifecycle — from the moment sensitive data enters your environment to the moment it's destroyed.
What Is CUI and Why Should You Care?
Controlled Unclassified Information is information the government creates or possesses, or that a contractor creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to protect with safeguarding or dissemination controls. It is unclassified by definition, but it is not public: think of it as the large gray zone between "public information" and "classified."
For defense contractors, CUI typically includes:
- Technical data — engineering drawings, specifications, test results, manufacturing processes
- Export-controlled information — data governed by ITAR or EAR
- Contract performance data — cost estimates, schedules, contractor bid information
- Personnel information — privacy-protected data about government or contractor employees
- Proprietary business information — trade secrets shared under NDA with the government
- Operations security information — vulnerability assessments, security plans, critical infrastructure data
Here's what makes CUI dangerous: It doesn't always arrive with a neon sign saying "HANDLE ME CAREFULLY." Technical drawings might come in an email attachment from a prime contractor with no markings whatsoever. A subcontractor might share specifications via a cloud link. An engineer might download reference data from a government portal without realizing it's CUI.
The absence of markings does not mean the absence of obligations. 32 CFR Part 2002 binds executive branch agencies directly; it reaches you through your contract (DFARS 252.204-7012 and, for DoD work, DoD Instruction 5200.48). Under those rules, if you know or reasonably should know that information qualifies as CUI, you are responsible for protecting it regardless of whether the originator marked it properly.
That's the part that gets contractors in trouble.
Step 1: Identifying CUI in Your Environment
The first step in handling CUI is knowing what you have and where it lives. This sounds straightforward. It isn't.
Check Your Contracts First
Every DoD contract that involves CUI should include one or more of these clauses:
- DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7021 — Cybersecurity Maturity Model Certification Requirements
These clauses are your legal trigger, with one caveat: 7012, 7019, and 7020 appear in nearly every DoD solicitation and contract other than those solely for COTS items, whether or not CUI actually flows to you. Their presence tells you the obligations apply; it does not tell you what CUI you will receive. A Level 2 requirement under 7021 does tell you CUI is in scope (Level 1 covers FCI only). The contract itself (statement of work, CDRLs, and the CUI identification the requiring activity is supposed to supply) should spell out which categories apply, but in practice, many contracts are vague or incomplete.
Pro tip: Don't wait for perfect guidance. Contact your Contracting Officer's Representative (COR) or the program manager directly and ask: "Can you identify the specific CUI categories and subcategories applicable to this contract?" Document their response. If they can't answer clearly, escalate. This question — and the documented answer — will be gold during your CMMC assessment.
Conduct a Data Flow Analysis
Once you know CUI exists in your environment, map exactly how it flows:
- Entry points — How does CUI enter your systems? Email? File transfers? Cloud portals? Physical media?
- Storage locations — Where does it live? File servers? SharePoint? Local drives? Cloud storage? Paper files?
- Processing points — Who works with it? What applications touch it? What happens during processing?
- Transmission paths — How does it move? Internal network? VPN? Email? Removable media?
- Exit points — How does it leave your environment? Deliverables? Subcontractor sharing? Archival?
- Destruction points — How and when is it destroyed?
This data flow map becomes the foundation of your System Security Plan (SSP) and directly defines the scope of your CMMC assessment boundary. Get it wrong, and your entire compliance posture is built on sand.
The CUI Registry Is Your Bible
The National Archives maintains the CUI Registry at archives.gov/cui. It lists every CUI category and subcategory, along with the specific safeguarding and dissemination requirements for each.
Here's what most contractors miss: not all CUI is created equal. There are two levels:
- CUI Basic — The default. Requires the baseline safeguarding standards in 32 CFR Part 2002.
- CUI Specified — Has additional handling requirements defined by the authorizing law, regulation, or government-wide policy. Examples include ITAR data (which has export control handling requirements) and HIPAA data (which has health information handling requirements).
Your SSP and your handling procedures must account for the specific categories you deal with. A blanket "we protect CUI" policy won't cut it.
Step 2: Marking CUI Correctly
CUI marking isn't optional or cosmetic. It's a legal requirement under 32 CFR Part 2002, and under DoD Instruction 5200.48, defense contractors who generate CUI-qualifying information are responsible for applying proper markings.
Banner Markings
Every document containing CUI must include a banner marking at the top of each page; DoD Instruction 5200.48 also requires it in the footer of each page. "CONTROLLED" may be used in place of "CUI". The banner is built from up to three segments separated by double slashes: the control marking, the category (optional for CUI Basic, required for CUI Specified, where the category carries an SP- prefix), and any limited dissemination controls.
For CUI Basic with no category shown:
CUI
For CUI Basic with the category shown (here Controlled Technical Information):
CUI//CTI
For CUI Specified (example with export control):
CUI//SP-EXPT
For CUI with limited dissemination:
CUI//NOFORN
or
CUI//FEDCON
Segments combine in that order, so export-controlled data that is not releasable to foreign nationals is marked:
CUI//SP-EXPT//NOFORN
Designation Indicator
The first page (or the body of an email) must carry a designation indicator block. 32 CFR Part 2002 requires it to identify the designating agency; DoD Instruction 5200.48 spells out the full block:
- Controlled by: the DoD Component and the office that designated the information (for contractor-generated CUI, typically the government program office under whose contract it was created)
- CUI Category(ies): e.g., CTI — Controlled Technical Information
- Distribution/Dissemination Control: the limited dissemination control or DoD distribution statement that says who can receive it
- POC: a name and phone number or email for questions about the marking
Decontrol instructions (when and how the CUI designation expires) are optional under 32 CFR Part 2002 but worth including whenever the contract or the authorizing regulation gives you a date or event.
Portion Markings
While not always required for defense contractors (DoD does not currently mandate portion marking for CUI), it's a best practice to mark individual paragraphs, sections, or data elements — especially in documents that contain a mix of CUI and non-CUI content. This makes it easier to know what can be shared freely and what can't.
Email Markings
Email is the most common CUI transmission vector and the most commonly mishandled. Every email containing CUI must include:
- Subject line: "CUI" or "CONTROLLED" in the subject
- Banner: the CUI banner marking as the first line of the email body
- Designation indicator: the indicator block in the body, exactly as on a document
- Attachments: each attachment independently marked, because it will be saved and forwarded on its own, detached from the email that carried it
If your organization handles CUI via email regularly, a CUI email banner template should be part of your standard operating procedures. Better yet, configure email rules or DLP policies that flag outgoing emails containing CUI indicators without proper markings.
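The rule described above, written out as a small outbound-mail check. This is an added example for this article, not code from the original page or from any mail or DLP vendor. It parses the banner format from the marking section (`CUI`, `CUI//SP-EXPT`, `CUI//CTI//NOFORN`, ...), treats a message as CUI when any part carries a banner or a designation-indicator phrase, and then demands the subject tag, a valid body banner, and a valid banner on every attachment. The category and dissemination-control lists are a small subset of the CUI Registry and are assumptions to extend with the categories your contracts name; the indicator phrases are heuristics. Only the top-of-body banner is checked, not the footer DoD also expects on documents.

```python
"""Outbound-mail CUI marking check: a minimal DLP rule.

Added example for this article; not code from the original page or any vendor.
Category and LDC lists are a small subset of the CUI Registry (an assumption:
extend them with the categories your contracts name). Checks the banner at the
top of the body and of each attachment only; DoD also expects a footer banner
on documents, which this check does not verify.
"""
import re
from dataclasses import dataclass, field

CONTROL_WORDS = {"CUI", "CONTROLLED"}
# Registry category abbreviations used in banners (subset; assumption).
KNOWN_CATEGORIES = {"CTI", "EXPT", "PRVCY", "PROPIN", "OPSEC", "HLTH", "ISVI"}
# Limited dissemination controls (subset; 'REL TO ...' handled separately).
KNOWN_LDCS = {"NOFORN", "FEDCON", "FED ONLY", "NOCON", "DL ONLY", "DISPLAY ONLY"}
# Phrases that suggest CUI content even when nothing is marked (heuristic).
INDICATOR_RE = re.compile(
    r"controlled by:|cui category|distribution statement [b-f]\b|export[- ]controlled|\bitar\b",
    re.IGNORECASE,
)


@dataclass
class Banner:
    control: str
    categories: list = field(default_factory=list)
    specified: bool = False
    ldcs: list = field(default_factory=list)
    errors: list = field(default_factory=list)

    @property
    def valid(self):
        return not self.errors


def _is_category(tok):
    base = tok[3:] if tok.startswith("SP-") else tok
    return base in KNOWN_CATEGORIES


def _is_ldc(tok):
    return tok in KNOWN_LDCS or tok.startswith("REL TO ")


def parse_banner(line):
    """Parse 'CUI', 'CUI//SP-EXPT', 'CUI//CTI//NOFORN', ... into a Banner.
    Returns None when the line is not a banner at all."""
    parts = line.strip().split("//")
    if parts[0] not in CONTROL_WORDS:
        return None
    b = Banner(control=parts[0])
    seen_ldc = False
    for seg in parts[1:]:
        tokens = [t.strip() for t in seg.split("/") if t.strip()]
        if tokens and all(_is_category(t) for t in tokens):
            if b.categories:
                b.errors.append("more than one category segment")
            if seen_ldc:
                b.errors.append("category segment after dissemination controls")
            b.categories = tokens
            b.specified = any(t.startswith("SP-") for t in tokens)
        elif tokens and all(_is_ldc(t) for t in tokens):
            if seen_ldc:
                b.errors.append("more than one dissemination segment")
            seen_ldc = True
            b.ldcs = tokens
        else:
            b.errors.append(f"unrecognised segment: {seg!r}")
    return b


def first_line(text):
    """First non-blank line, or '' for empty text."""
    return next((ln for ln in text.splitlines() if ln.strip()), "")


def check_email(msg):
    """msg = {'subject': str, 'body': str, 'attachments': [{'name', 'text'}]}.
    Returns a list of findings; an empty list means the message may go out."""
    findings = []
    body_banner = parse_banner(first_line(msg["body"]))
    looks_like_cui = body_banner is not None or bool(INDICATOR_RE.search(msg["body"]))
    for att in msg.get("attachments", []):
        ab = parse_banner(first_line(att["text"]))
        looks_like_cui |= ab is not None or bool(INDICATOR_RE.search(att["text"]))
        if ab is None:
            findings.append(f"attachment {att['name']}: no CUI banner on first page")
        elif not ab.valid:
            findings.append(f"attachment {att['name']}: bad banner ({'; '.join(ab.errors)})")
    if not looks_like_cui:
        return []  # nothing marked and no indicators: not a CUI message
    if not CONTROL_WORDS & set(re.findall(r"[A-Z]+", msg["subject"].upper())):
        findings.append("subject line lacks CUI or CONTROLLED")
    if body_banner is None:
        findings.append("email body does not start with a CUI banner")
    elif not body_banner.valid:
        findings.append(f"email body banner invalid ({'; '.join(body_banner.errors)})")
    return findings


if __name__ == "__main__":
    # Constructed sample: the attachment carries a designation indicator but nothing is marked.
    sample = {
        "subject": "Drawing package rev C",
        "body": "Hi, see attached drawing.",
        "attachments": [{"name": "drawing.pdf",
                         "text": "Controlled by: DoD Program Office\nCUI Category: CTI\n..."}],
    }
    for f in check_email(sample):
        print("BLOCK:", f)
```

The design choice worth noting is the two-stage test: an unmarked message with no indicators is let through, because blocking every email with the word "ITAR" in it trains people to route around the control. Once anything in the message looks like CUI, every part must be marked, which is the case the article is about: a marked body with an unmarked attachment still fails.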
What About Legacy Data?
Here's a question I get constantly: "We have years of technical data on our servers that was never marked. What do we do?"
The answer is uncomfortable but clear: you need to conduct a retrospective review. Identify legacy data that qualifies as CUI based on your contract requirements and apply appropriate markings. You don't need to do this overnight, but you do need a documented plan with a timeline. Assessors will ask about it.
Step 3: Storing CUI Securely
Storage is where technical controls and process controls intersect. You need both.
Digital Storage Requirements
CUI must be stored in systems that meet the NIST SP 800-171 control baseline. In practical terms, this means:
- FIPS-validated encryption at rest — Full disk encryption (BitLocker, FileVault) backed by a FIPS 140-2 or FIPS 140-3 validated cryptographic module operating in its FIPS-approved mode. NIST SP 800-171 (3.13.11) requires FIPS-validated cryptography whenever cryptography is used to protect the confidentiality of CUI; encryption that is merely strong but not validated does not count. The validation attaches to the module and its approved mode, not to the product name, so check the CMVP certificate for your OS version and enable FIPS mode where the platform requires it.
- Access control — Role-based access with the principle of least privilege. Not everyone in your company should have access to CUI. Define who needs it, document it, and enforce it technically.
- FedRAMP Moderate authorized cloud services — If CUI lives in the cloud, DFARS 252.204-7012 requires the provider to meet the FedRAMP Moderate baseline (or equivalent) and to comply with paragraphs (c) through (g) of the clause: cyber incident reporting, malware submission, and preservation of forensic data. That second requirement is what rules out personal Google Drive, standard Dropbox, and consumer OneDrive, even where the underlying platform holds some FedRAMP authorization. Microsoft GCC High, AWS GovCloud, and Google Workspace with Assured Controls are common compliant options; GCC High is the usual choice for export-controlled CUI because of its U.S. data residency and U.S.-persons administration commitments.
- Audit logging — Every access to CUI must be logged, and those logs must be reviewed. Not "collected and forgotten" — actually reviewed.
Physical Storage Requirements
CUI in physical form (printed documents, removable media, prototypes) requires:
- Controlled areas — CUI must be stored in areas where access is limited to authorized personnel. This doesn't require a vault, but it does require locked offices, cabinets, or drawers with access limited to those with a need to know.
- Clean desk policy — CUI documents cannot be left in the open when unattended. Period.
- Visitor controls — If visitors enter areas where CUI is stored, they must be escorted and their access must be documented.
The Cloud Storage Trap
This is the single biggest CUI storage mistake I see: contractors using consumer or default commercial cloud services for CUI. Let me be absolutely clear:
- Personal or consumer accounts (personal Google Drive, Dropbox Basic, personal OneDrive, iCloud): no FedRAMP authorization covers your use, and no provider will commit to DFARS 252.204-7012 (c) through (g) on a consumer agreement. Not compliant.
- Standard business tenants of those same services: even where the platform holds a FedRAMP authorization, you must confirm on the FedRAMP Marketplace that the specific offering you subscribe to is the authorized one, and get the provider's (c) through (g) commitments in writing. Absent both, treat it as non-compliant.
If your engineers are sharing technical drawings via personal cloud accounts or an unvetted commercial tenant (and they probably are), you have a CUI handling violation happening right now. Fixing it takes a combination of technical controls (blocking unauthorized cloud services at the web proxy or CASB), approved alternatives (GCC High, GovCloud), and training.
Step 4: Transmitting CUI Safely
CUI in transit is CUI at its most vulnerable. The rules here are non-negotiable.
Digital Transmission
- Encryption in transit is mandatory (NIST SP 800-171 3.13.8), and because it protects CUI confidentiality it must use FIPS-validated cryptography (3.13.11): TLS 1.2 or higher for email and web-based transfers, and IPsec or TLS VPN tunnels, all terminated in a FIPS-validated module running in approved mode. The FIPS requirement applies to the TLS stack as much as to the VPN.
- Email encryption — Standard SMTP email is not encrypted end-to-end; TLS between mail servers is opportunistic by default and can silently fall back to cleartext. If you're sending CUI via email, you need S/MIME, PGP, or a compliant email gateway that enforces TLS with the recipient domains. Microsoft 365 GCC High with mandatory TLS connectors is a common solution. Keep in mind that transport TLS protects the hop between servers, not the message once it sits in the recipient's mailbox, so confirm the recipient's environment is itself authorized to hold CUI.
- File transfer — Use SFTP, SCP, or HTTPS-based transfer platforms with FedRAMP Moderate authorization. Avoid consumer-grade file sharing services.
- Fax — Yes, fax is still used in defense contracting. Standard fax over PSTN is generally considered acceptable for CUI Basic (the phone network provides a degree of protection). Internet fax services vary — check their security posture before using them for CUI.
Physical Transmission
Sending CUI in physical form (printed documents, USB drives, hard drives) requires:
- Opaque wrapping with no outer marking — 32 CFR Part 2002 and DoD Instruction 5200.48 require that CUI be enclosed so it cannot be read in transit and that the outside of the envelope or package carry no CUI marking or other indication that CUI is inside. A single opaque envelope or container satisfies this; double wrapping is a classified-information practice, not a CUI requirement, though nothing stops you from using it.
- Approved carriers — USPS First Class, Priority, or Express Mail, or FedEx, UPS, and similar carriers that provide tracking and accountability. Do not use bulk or marketing mail classes or any method that cannot be tracked.
- Receipt confirmation — Document that the intended recipient received the shipment. Follow up on anything that doesn't arrive.
The Wireless Warning
DoD Instruction 5200.48 explicitly states: "Avoid wireless telephone transmission of CUI when other options are available." This means discussing CUI details on cell phone calls is a compliance risk. If your engineers routinely discuss technical specifications over phone calls, you need to address this in your training and establish secure communication channels (encrypted voice, secure messaging) for CUI discussions.
Step 5: Destroying CUI When It's No Longer Needed
The CUI lifecycle doesn't end when the contract closes. Retention and destruction requirements are specific and enforceable.
Digital Destruction
- Media sanitization must follow NIST SP 800-88 (Guidelines for Media Sanitization). Simple file deletion is not destruction — data remains recoverable.
- For magnetic media: degaussing or physical destruction
- For SSDs and flash media: cryptographic erase (if supported with FIPS-validated encryption) or physical destruction
- For cloud data: verify with your provider that deletion meets NIST 800-88 standards. Get it in writing.
Physical Destruction
- Paper: Cross-cut shredding to particles no larger than 1 mm x 5 mm, or pulping, pulverizing, or disintegration, per NIST SP 800-88 Rev. 1. Strip-cut shredders do not meet the requirement.
- Optical media (CDs/DVDs): Shredding, disintegration, or incineration
- Other media: Physical destruction rendering data unrecoverable
Documentation
Document every destruction event. A CUI destruction log should include:
- What was destroyed (description, not the content itself)
- Date and method of destruction
- Who performed or witnessed the destruction
- Certification that destruction was complete
This log is part of your compliance evidence and assessors will ask for it.
Step 6: Training Your People
Technology handles maybe 40% of CUI protection. The other 60% is human behavior. If your people don't understand CUI, every technical control you implement is undermined.
What CUI Training Must Cover
At minimum, every employee with access to CUI must understand:
- What CUI is and how to recognize it — even when it arrives unmarked
- Their specific responsibilities for handling CUI in their role
- Marking requirements — how to apply proper markings to CUI they create or receive
- Storage rules — where CUI can and cannot be stored (with specific examples relevant to your environment)
- Transmission rules — how to send CUI safely and what methods are prohibited
- Incident reporting — what constitutes a CUI incident and how to report it immediately
- Consequences — what happens to the company and to them personally if CUI is mishandled
Make It Real
The worst CUI training I've ever seen was a 45-minute slide deck full of regulatory citations that put half the room to sleep. The best was a 20-minute session where the instructor showed real examples of CUI from the company's own contracts (sanitized), walked through a "spot the violation" exercise, and ended with a tabletop scenario.
People remember stories and scenarios. They forget bullet points and regulation numbers.
Training Frequency
NIST SP 800-171 requires awareness and role-based training but leaves the frequency to you; annual refresher training is the accepted baseline (and what DoD Instruction 5200.48 requires of DoD personnel). For organizations that handle significant volumes of CUI, I recommend:
- Annual comprehensive training for all CUI-authorized personnel
- Quarterly micro-training (10-15 minutes) focused on specific scenarios or recent incidents
- Onboarding training before any new employee is given access to CUI systems
- Event-driven refresher when policies change or incidents occur
Document everything. Training records are one of the first things assessors request.
Common CUI Handling Mistakes (and How to Avoid Them)
After guiding dozens of defense contractors through compliance assessments, these are the CUI handling failures I see most frequently:
1. "We Don't Have CUI"
This is the most dangerous assumption in the DIB. If you have a DoD contract with DFARS 252.204-7012, you almost certainly have CUI. The fact that nobody has identified it doesn't mean it doesn't exist — it means you have an unmanaged compliance gap.
2. Relying on the Government to Mark Everything
The government should mark CUI before sending it to you. In practice, they often don't. Unmarked CUI is still CUI. Train your people to recognize it and apply markings when they receive unmarked information that clearly qualifies.
3. CUI Sprawl
CUI starts in a controlled location and gradually spreads — to email attachments, local desktops, personal cloud accounts, printed copies left on desks. Without periodic data discovery and access reviews, CUI sprawl is inevitable. Schedule quarterly reviews of where CUI lives in your environment.
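A quarterly sweep of that kind is a script, not a committee. The following is an added example for this article, not code from the original page or from any discovery product. It walks a share, pulls text out of plain files and .docx documents (a .docx is a zip whose body lives in word/document.xml), and sorts each file into MARKED (a CUI banner among its first lines), SUSPECT (designation-indicator or export-control phrases but no banner, which is exactly the sprawl case), or CLEAR. The sample tree it builds is constructed for the dry run; the indicator phrases and the list of text extensions are assumptions to tune for your contracts and your file types.

```python
"""CUI data-discovery sweep over a file share.

Added example for this article; not code from the original page or any vendor.
Each text-bearing file is classified as MARKED (a CUI banner is among its first
lines), SUSPECT (designation-indicator or export-control phrases but no banner),
or CLEAR. .docx files are read from their word/document.xml; other binary
formats are skipped. Indicator phrases are heuristics to tune to your contracts.
"""
import re
import tempfile
import zipfile
from pathlib import Path

BANNER_RE = re.compile(r"^\s*(CUI|CONTROLLED)(//[A-Z0-9 /,-]+)*\s*$")
INDICATOR_RE = re.compile(
    r"controlled by:|cui category|distribution statement [b-f]\b|export[- ]controlled|\bitar\b",
    re.IGNORECASE,
)
TEXT_EXT = {".txt", ".md", ".csv", ".eml", ".xml", ".json"}  # assumption: extend as needed


def read_text(path):
    """Return the file's text, or None for formats this sweep does not read."""
    suffix = path.suffix.lower()
    if suffix == ".docx":
        with zipfile.ZipFile(path) as z:
            xml = z.read("word/document.xml").decode("utf-8", "replace")
        return re.sub(r"<[^>]+>", "\n", xml)  # crude tag strip; enough to find markings
    if suffix in TEXT_EXT:
        return path.read_text(errors="replace")
    return None


def classify(text, head_lines=5):
    """MARKED if a banner sits in the first few non-blank lines, else SUSPECT or CLEAR."""
    head = [ln for ln in text.splitlines() if ln.strip()][:head_lines]
    if any(BANNER_RE.match(ln) for ln in head):
        return "MARKED"
    if INDICATOR_RE.search(text):
        return "SUSPECT"
    return "CLEAR"


def scan_tree(root):
    """Map each readable file (relative POSIX path) under root to its class."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if path.is_file():
            text = read_text(path)
            if text is not None:
                results[path.relative_to(root).as_posix()] = classify(text)
    return results


def build_sample_tree():
    """Constructed sample share for a dry run (hypothetical files and contents)."""
    root = Path(tempfile.mkdtemp())
    (root / "eng").mkdir()
    (root / "eng" / "spec_rev_c.txt").write_text(
        "CUI//SP-EXPT\nControlled by: DoD Program Office\nInterface spec...\n")
    (root / "eng" / "notes.txt").write_text(
        "Pulled the export controlled tolerances from the ITAR package, no header added.\n")
    (root / "readme.md").write_text("Team lunch schedule\n")
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    with zipfile.ZipFile(root / "eng" / "test_report.docx", "w") as z:
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:t>CUI//CTI</w:t></w:p>"
                   "<w:p><w:t>Vibration test results</w:t></w:p></w:body></w:document>")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, status in sorted(scan_tree(root).items()):
        print(f"{status:8} {rel}")
```

Run it against the real share and the SUSPECT list is your retrospective-marking backlog from the legacy-data section, while the MARKED list, with owners and paths attached, is the inventory your SSP scope needs. Treat the output as a lead, not a verdict: the heuristics will miss CUI that carries none of the phrases and will flag the occasional policy document that merely talks about ITAR.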
4. No CUI Boundary Definition
Your CMMC assessment boundary should encompass all systems that store, process, or transmit CUI. If you haven't clearly defined this boundary, assessors will define it for you — and they'll almost certainly include systems you weren't expecting.
5. Ignoring the Human Layer
I've seen organizations spend hundreds of thousands on security technology and then have an employee forward CUI to their personal Gmail because "it was easier." Technical controls must be paired with training, awareness, and a culture that takes CUI seriously.
Building a CUI Handling Program: The Action Plan
If you're starting from scratch or need to overhaul your current approach, here's the sequence:
Week 1-2: Discovery
- Review all contracts for CUI clauses and categories
- Interview program managers and engineers about data flows
- Document initial CUI inventory and data flow map
Week 3-4: Policy and Procedures
- Write or update your CUI handling policy
- Create standard operating procedures for marking, storage, transmission, and destruction
- Define your CUI boundary and update your SSP
Week 5-6: Technical Controls
- Validate encryption at rest and in transit (FIPS 140-2)
- Implement or verify access controls
- Configure DLP rules for CUI indicators
- Block unauthorized cloud services
Week 7-8: Training and Rollout
- Develop role-specific CUI training materials
- Conduct initial training for all CUI-authorized personnel
- Distribute CUI marking guides and quick-reference cards
Week 9-10: Validation and Documentation
- Conduct an internal audit of CUI handling practices
- Verify evidence collection (training records, access logs, destruction logs)
- Perform a mock assessment focused on CUI handling
Ongoing: Maintenance
- Quarterly CUI data discovery reviews
- Annual training with quarterly micro-training
- Continuous monitoring of access and transmission controls
How TalonPoint PolicyPack Fits In
If the prospect of writing CUI handling policies, marking procedures, and training documentation from scratch feels overwhelming, that's because it is — especially if you're trying to build it all while running a business.
The TalonPoint PolicyPack includes pre-built, CMMC-aligned policy templates that cover CUI handling, marking procedures, media protection, access control, and the other security domains that intersect with CUI management. These aren't generic templates downloaded from the internet — they're written by a practicing CIO and CMMC specialist who implements these exact controls in real environments.
They give you a professional starting point that you customize to your operations, saving weeks of policy development time and ensuring you don't miss the requirements that assessors specifically look for.
The Bottom Line
CUI handling isn't glamorous. It doesn't involve exciting technology purchases or impressive dashboards. It's the fundamental, unglamorous work of knowing what sensitive data you have, where it is, how it moves, and who can access it.
But here's the reality: when CMMC Phase 2 assessors show up, they're not going to be impressed by your security tool stack. They're going to ask your employees what CUI is. They're going to look at how documents are marked. They're going to check whether your cloud storage is FedRAMP authorized. They're going to review your destruction logs.
The contractors who pass will be the ones who treated CUI handling as a foundational discipline — not an afterthought.
Get this right, and the rest of your CMMC compliance program has a solid foundation. Get it wrong, and no amount of technology investment will save you.
Start with your contracts. Map your data. Train your people. Document everything.
The clock is ticking.
TalonPoint Security helps defense contractors navigate CMMC compliance with practical, actionable guidance. Our PolicyPack provides the documentation foundation that makes compliance achievable — even on a small business budget.
About the Author
The TalonPoint Security team brings 30 years of cybersecurity expertise with CISM and CISSP certifications. As a practicing Chief Information Officer, our founder implements the security policies and compliance frameworks we write about. TalonPoint Security was founded to make professional CMMC compliance accessible to small and medium-sized defense contractors.