What is CMMC CUI?
Controlled unclassified information (CUI) under CMMC is information the government determines necessitates safeguarding or dissemination controls. It does not have the legal protection of classified information, but instead is subject to regulations and requirements for safeguarding, control, and use. It includes information not specified as intelligence, law enforcement, or national security related and is typically labeled in the form of tags, markings, or legends. CUI is one of two primary information types that the CMMC exists to protect. The other is federal contract information (FCI).
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a certification program initiated by the Department of Defense (DoD) to ensure the security of the DoD’s supply chain and data. The framework was remodeled in 2021 to consolidate the initial five levels into three; the new framework is designated CMMC 2.0. The certification measures and validates implementation of security practices ranging from basic cybersecurity hygiene to advanced threat management. It also includes measures such as assessing organizational performance and capabilities.
CUI is information that a statute or national policy requires to be protected. It includes government and business data that is sensitive but not classified. CUI includes information that is subject to restricted disclosure or dissemination, either because it is sensitive or because it is regulated in some other way. CUI includes any information that must be safeguarded to prevent unauthorized disclosure. A primary objective of CMMC is to protect the DoD against cyberattacks on its vast supply chain.
Who Needs CMMC Certification?
Organizations within the Defense Industrial Base (DIB) that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must obtain Cybersecurity Maturity Model Certification (CMMC) at the level specified in their DoD contracts. This includes prime contractors holding direct contracts with the DoD, as well as subcontractors and suppliers at all tiers providing goods or services to prime contractors.
The requirement extends to various entities, including software vendors, cloud service providers, and consulting partners supporting DoD contracts. Essentially, if your organization creates, processes, transmits, or stores FCI or CUI as part of its work for the DoD, CMMC certification is necessary.
There are three CMMC 2.0 levels, and the specific level required depends on the type of information handled:
- CMMC Level 1 applies to contractors handling only FCI, requiring implementation of the basic safeguarding practices outlined in FAR 52.204-21.
- CMMC Level 2 is required for organizations handling CUI, mandating compliance with the 110 security controls specified in NIST SP 800-171 Rev 2, as required by DFARS Clause 252.204-7012.
- CMMC Level 3 is for organizations handling CUI associated with critical programs or high-value assets, requiring additional enhanced controls from NIST SP 800-172 to counter advanced persistent threats (APTs).
Prime contractors are responsible for ensuring their subcontractors achieve the appropriate CMMC level based on the information flowed down to them, as mandated by DFARS Clause 252.204-7021. International suppliers within the DIB are also subject to CMMC requirements if they handle FCI or CUI.
For example, a small manufacturer supplying parts to a prime contractor and only handling basic contract details (FCI) would need Level 1, while a software developer whose product processes sensitive technical specifications (CUI) for a defense system would likely need Level 2 or potentially Level 3 depending on the program’s criticality. Understanding the relationship between CUI and CMMC requirements is crucial for maintaining contract eligibility.
Types of Controlled Unclassified Information (CUI)
There are various types of CUI, and it can be classified into two categories:
- Basic CUI: Basic CUI is a type of CUI that requires basic safeguarding measures to protect the information from unauthorized disclosure. Examples of basic CUI can include information about government contracts, sensitive but unclassified information, or information subject to regulatory compliance, which includes data privacy laws and standards (GDPR, HIPAA, PCI DSS, NIST CSF, CCPA, etc.), or executive orders.
- Specified CUI: Specified CUI is a type of CUI that requires additional safeguarding measures to protect the information from unauthorized disclosure. Specified CUI can include information related to national security, law enforcement, or any other information that requires protection under specific laws or regulations.
Some specific examples of CUI include:
- Personally Identifiable and Protected Health Information: Information such as names, addresses, Social Security numbers, as well as health information like lab results, drug histories, and doctors’ notes, constitute PII/PHI and are regulated by GDPR, PCI DSS and many others for PII, and HIPAA and HITECH for PHI.
- Export-controlled or International Trade Data: Data related to exports, imports, and international trade.
- Intellectual Property: Patents, copyrights, and trademarks.
- Contractor-sensitive Information: Information related to contracts, subcontracts, and bids.
- Proprietary Business Information (PBI): Also referred to as Confidential Business Information (CBI).
- Unclassified Controlled Technical Information (UCTI): Sensitive military information that is not classified but still requires protection. Examples include operational plans, developing technologies, mission-essential equipment, surveillance methods, and other sensitive information.
- Sensitive But Unclassified (SBU): Non-classified information that is still considered sensitive and requires special handling. It can include protected personal information, business information, and government information that require protection from unauthorized viewing and access.
When Is CMMC Compliance Mandatory?
The Department of Defense (DoD) is implementing CMMC 2.0 through a phased rollout approach. The CMMC Program Final Rule (32 CFR Part 170) was published on October 15, 2024, and became effective on December 16, 2024.
However, the inclusion of CMMC requirements in actual DoD contracts hinges on the finalization of the associated DFARS rule (48 CFR, DFARS Case 2019-D041), which codifies CMMC into acquisition regulations. This rule is anticipated to be finalized around Q2 or Q3 2025. Once the 48 CFR rule is final, the DoD will begin inserting CMMC requirements into new solicitations and contracts based on the following phased timeline:
- Phase 1 (Starting ~Q2/Q3 2025): DoD will begin including CMMC Level 1 and Level 2 self-assessment requirements in applicable solicitations.
- Phase 2 (Starting ~Q2/Q3 2026): DoD will start including CMMC Level 2 certification assessment (conducted by a C3PAO) requirements in relevant solicitations.
- Phase 3 (Starting ~Q2/Q3 2027): CMMC Level 2 certification requirements will begin appearing as a condition for exercising option periods on applicable contracts. CMMC Level 3 assessments (conducted by DIBCAC) will also likely begin appearing in relevant solicitations during this phase or later.
- Phase 4 (Full Implementation, expected by Oct 1, 2026 – 2028): All new DoD solicitations and contracts involving FCI or CUI are expected to include the appropriate CMMC level requirements.
While the official inclusion in contracts starts with the finalization of the 48 CFR CMMC Proposed Rule, a “market roll-out” has effectively begun, with CMMC assessments available from Q1 2025.
Prime contractors are increasingly requiring their subcontractors to demonstrate compliance now in preparation. Organizations handling CUI must already comply with NIST 800-171 via DFARS 252.204-7012 and report self-assessment scores in SPRS per DFARS 252.204-7019/7020.
Given that achieving compliance can take 6-18 months, organizations should not delay preparations. Preparatory steps include conducting a gap analysis against the required CMMC level, developing a System Security Plan (SSP), creating Plans of Action & Milestones (POA&M) for gaps, and ensuring SPRS scores are submitted accurately. Understanding the CUI CMMC timeline is vital for uninterrupted DoD business.
Handling Requirements for Controlled Unclassified Information (CUI)
The handling of CUI requires specific measures to ensure its protection, including:
- Access Controls: Access to CUI should be protected by robust access controls that restrict it to individuals with the proper clearance and a need to know.
- Storage: CUI should be stored in a secure location and protected with physical or electronic security measures.
- Dissemination: CUI should be disseminated only to individuals with the proper clearance and a need to know.
- Destruction: CUI should be destroyed when it is no longer needed or when destruction is required by law or regulation.
Why Is It Important to Protect Controlled Unclassified Information (CUI)?
The protection of CUI is important for several reasons, including:
- National Security: Unauthorized disclosure of CUI can cause significant harm to national security.
- Privacy: Unauthorized disclosure of PII can cause harm to individuals’ privacy and can lead to identity theft.
- Economic Interests: Unauthorized disclosure of proprietary business information can cause significant harm to a company’s economic interests.
Safeguarding CMMC CUI: CMMC 2.0 Levels 1, 2, and 3
CMMC is a set of standards and best practices for protecting CUI. It is used by the United States Department of Defense (DoD) and other government agencies to ensure that contractors are taking CUI protection seriously. CMMC 2.0 consists of three levels of assessment for organizations seeking certification to handle CUI:
- CMMC Level 1: Foundational. This level of protection requires the implementation of basic cybersecurity measures, such as identity management, access control, and data protection.
- CMMC Level 2: Advanced. This level of protection includes more advanced security measures, such as system authentication and encryption.
- CMMC Level 3: Expert. This level of protection includes the most advanced security measures, such as continuous monitoring and security incident response plans.
CMMC Level 1: Foundational Safeguards for FCI
- Scope: Applies to contractors that process, store, or transmit Federal Contract Information (FCI), but not CUI.
- Requirements: Mandates implementation of the 15 basic safeguarding requirements outlined in FAR 52.204-21 (sometimes referred to as 17 practices in CMMC documentation, though aligned with the 15 FAR controls). These requirements represent basic cyber hygiene.
- Example Practices (aligned with FAR 52.204-21): Includes practices such as limiting information system access to authorized users, authenticating users before granting access, protecting systems from malicious code (e.g., antivirus), performing regular system updates/patching, controlling physical access to systems, and sanitizing media before disposal or reuse.
- Assessment Type: Requires an annual self-assessment conducted by the contractor.
- Affirmation: A senior company official must annually affirm compliance via the Supplier Performance Risk System (SPRS).
- Typical Stakeholders: Organizations across the DIB, including small businesses, subcontractors, and suppliers, that handle only FCI as part of their DoD contract work. This level applies to nearly all non-COTS DoD contracts.
CMMC Level 2: Advanced Security for CUI
CMMC Level 2 is designed for organizations that handle Controlled Unclassified Information (CUI) and significantly elevates cybersecurity requirements beyond Level 1.
This level directly aligns with and requires the implementation of all 110 security controls specified in NIST 800-171 Revision 2, which has been a requirement for contractors handling CUI under DFARS Clause 252.204-7012 since 2017.
The primary goal of Level 2 is to ensure robust protection for CUI against more sophisticated cyber threats. Depending on the specific contract requirements and the sensitivity of the CUI involved, organizations seeking Level 2 compliance will need either a triennial third-party assessment conducted by an accredited CMMC Third-Party Assessment Organization (C3PAO) or, for certain contracts involving less sensitive CUI, a triennial self-assessment. Regardless of the assessment type, an annual affirmation of compliance by a senior company official submitted via SPRS is required.
Effectively protecting CUI includes steps outlined in the 110 NIST SP 800-171 controls. Key implementation steps often involve establishing strong access controls (limiting who can access CUI), implementing multi-factor authentication (MFA), encrypting CUI both at rest and in transit, developing comprehensive incident response plans, conducting regular security awareness training, performing continuous monitoring and vulnerability management, and maintaining secure system configurations.
Achieving Level 2 demonstrates a significant commitment to safeguarding sensitive defense information within the CUI CMMC framework.
CMMC Level 3: Expert-Level Controls for Complete Protection
CMMC Level 3 represents the highest level of cybersecurity maturity within the CMMC 2.0 framework, designed for organizations handling CUI associated with the DoD’s most critical programs and technologies.
This level builds upon the 110 controls of Level 2 (NIST SP 800-171) by incorporating a subset of the enhanced security requirements from NIST 800-172. These additional controls focus on providing enhanced protection against advanced persistent threats (APTs) and sophisticated nation-state adversaries through proactive cyber defense capabilities.
Key areas of focus include enhanced incident response (potentially requiring a Security Operations Center or SOC), advanced threat hunting, supply chain risk management, and designing systems for cyber resiliency.
Unlike Levels 1 and 2, Level 3 assessments are not conducted by C3PAOs or via self-assessment; instead, they are led by government personnel from the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) on a triennial basis.
Achieving Level 3 requires significant investment in resources, technology, and personnel. Organizations pursuing Level 3 should conduct thorough resource planning and consider how these advanced controls integrate with their existing security frameworks, such as ISO 27001 or other NIST guidelines. It’s estimated that only a small percentage of DIB contractors (perhaps less than 1%) will require Level 3 certification, specifically those involved in programs deemed critical or handling particularly sensitive CUI.
How Do I Know if I Have CUI in My Environment?
CUI can be found in many different places, including databases, networks, websites, and documents. To identify CUI in an environment, it’s important to understand where the data is stored and who has access to it. Common sources of CUI include customer lists, financial records, and business plans. Additionally, CUI can be found in emails, text messages, and other communications.
What Type of CUI Do I Have?
Once you’ve identified CUI in your environment, it’s important to determine what type of CUI it is. CUI is divided into several categories, including PII, PHI, export-controlled data, intellectual property, contractor-sensitive information, and sensitive national security information that is not classified. Each category of CUI requires its own set of protections.
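As an added illustration of the discovery step described in the two sections above (this is not code from the original article or from Kiteworks), the following Python script scans a set of documents for CUI banner markings and sorts each document into basic or specified CUI. It assumes the NARA-style banner convention (“CUI” or “CONTROLLED”, optionally followed by “//”-separated category and dissemination-control groups, with specified categories carrying the “SP-” prefix), a starter set of dissemination-control markings, and constructed sample documents; the registry entries and file contents are placeholders to adapt to your own environment.

```python
import re
from dataclasses import dataclass

# Assumption: banner markings follow the CUI marking convention of "CUI" (or
# "CONTROLLED"), optionally followed by "//"-separated groups whose members are
# "/"-separated, e.g. "CUI//SP-PRVCY//NOFORN", and sit on their own line in a
# document header or footer.
BANNER_RE = re.compile(r"(?:CUI|CONTROLLED)(?://[A-Z0-9 /-]+)*")

# Limited dissemination control markings (assumed starter set; extend it from
# the CUI Registry your organization follows).
LDC_MARKINGS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}


@dataclass(frozen=True)
class CuiMarking:
    line_no: int
    banner: str
    categories: tuple
    ldcs: tuple

    @property
    def kind(self) -> str:
        # Specified CUI category markings carry the "SP-" prefix; a bare banner
        # or non-"SP-" categories indicate basic CUI.
        return "specified" if any(c.startswith("SP-") for c in self.categories) else "basic"


def parse_banner(line_no: int, banner: str) -> CuiMarking:
    """Split a banner line into category and dissemination-control tokens."""
    tokens = []
    for group in banner.split("//")[1:]:
        tokens.extend(t.strip() for t in group.split("/") if t.strip())
    ldcs = tuple(t for t in tokens if t in LDC_MARKINGS or t.startswith("REL TO "))
    categories = tuple(t for t in tokens if t not in ldcs)
    return CuiMarking(line_no, banner, categories, ldcs)


def find_markings(text: str) -> list:
    """Return every banner marking that occupies a line of its own."""
    found = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # fullmatch on the whole line keeps prose that merely mentions "CUI"
        # from being treated as a marking.
        if BANNER_RE.fullmatch(stripped):
            found.append(parse_banner(line_no, stripped))
    return found


def classify_document(text: str) -> str:
    """'none', 'basic' or 'specified'; the most restrictive marking present wins."""
    markings = find_markings(text)
    if not markings:
        return "none"
    return "specified" if any(m.kind == "specified" for m in markings) else "basic"


def inventory(documents: dict) -> dict:
    """Map each document name to its CUI classification."""
    return {name: classify_document(text) for name, text in documents.items()}


# Constructed sample documents for demonstration only.
SAMPLE_DOCS = {
    "contract-notes.txt": "CUI\nPeriod of performance and pricing notes.\nCUI\n",
    "hr-roster.txt": "CUI//SP-PRVCY//NOFORN\nName, SSN, home address ...\n",
    "tech-drawing.txt": "CONTROLLED//CTI\nBracket assembly, rev 3.\n",
    "memo.txt": "This memo mentions CUI in passing but carries no banner.\n",
}

if __name__ == "__main__":
    for name, kind in inventory(SAMPLE_DOCS).items():
        print(f"{name}: {kind}")
```

Matching the whole line rather than searching for the substring is the part worth keeping: a document that discusses CUI is not itself CUI, and a discovery pass that cannot tell the two apart produces an inventory nobody trusts. A real run would walk a file share or mailbox export and feed each extracted text through `classify_document`, then hand the “specified” set to the category-specific handling described above.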
How Do I Protect CUI and Meet Compliance Requirements?
CUI can contain confidential, sensitive, and/or proprietary information—data that must be protected at all costs. As noted above, it is critical to protect CUI and meet compliance requirements, as failure to do so may result in financial loss and, worse yet, loss of trust by customers, suppliers, and employees.
The first step to protecting CUI and meeting compliance requirements is to determine the laws and regulations applicable to data at your organization. It’s important to have a clear understanding of these standards, including the risks and vulnerabilities associated with your specific industry. Once you’ve identified applicable standards, organizations must implement appropriate measures to protect CUI. This process should include a range of technical, physical, and administrative security measures, such as encryption, malware protection, secure backup, and password protection. Additionally, access policies should be in place to control who can access and modify CUI, as well as to institute processes for tracking, recording, and reporting on CUI.
Organizations must also have a system in place for incident and vulnerability management to ensure that any security issues or exposure to CUI are addressed swiftly. Incident response plans should include processes for responding to incidents, gathering and analyzing evidence, and mitigating any damage. Regular security reviews and testing should also be conducted to validate the effectiveness of current security measures and identify any areas of improvement.
By taking the necessary steps to protect CUI and meet compliance requirements, organizations can ensure their data is secure and that their operations remain in compliance with applicable laws. Doing so is critical for an organization’s reputation and security of its information.
Additional steps to ensure that CUI is properly protected by organizations include:
- Implementing robust cybersecurity measures, such as identity and access management (IAM), email encryption, and multi-factor authentication (MFA).
- Establishing protocols for handling CUI, such as limiting access to authorized personnel and monitoring access to CUI through audit logs analysis.
- Ensuring that all personnel with access to CUI are properly trained on CUI protection procedures via proper security awareness training.
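To show what “monitoring access to CUI through audit log analysis” looks like in practice, here is an added Python example (not code from the original article or from Kiteworks) that reviews a constructed JSON-per-line audit log against a need-to-know register and flags access without need to know, CUI access without MFA, and CUI shared to an external recipient. The log field names, the `AUTHORIZED` register, the `INTERNAL_DOMAIN` value and the sample records are all assumptions for the demonstration; a real deployment would read these from the access-management system and the platform’s own audit export.

```python
import json
from collections import Counter

# Constructed need-to-know register: CUI category marking -> users cleared for it.
# In practice this comes from your access-management system, not a literal.
AUTHORIZED = {
    "SP-PRVCY": {"alice", "hr-svc"},
    "CTI": {"alice", "bob"},
}
INTERNAL_DOMAIN = "@example.com"   # assumed organization mail domain

# Constructed audit log, one JSON object per line, in the shape a file-access
# logging system might emit (field names are assumptions for this example).
SAMPLE_LOG = """\
{"ts":"2025-03-03T09:12:04Z","user":"alice","action":"read","file":"roster.xlsx","cui":"SP-PRVCY","mfa":true}
{"ts":"2025-03-03T09:15:40Z","user":"carol","action":"read","file":"roster.xlsx","cui":"SP-PRVCY","mfa":true}
{"ts":"2025-03-03T11:02:11Z","user":"bob","action":"download","file":"drawing-17.pdf","cui":"CTI","mfa":false}
{"ts":"2025-03-03T23:40:00Z","user":"alice","action":"share","file":"drawing-17.pdf","cui":"CTI","mfa":true,"recipient":"partner@example.net"}
{"ts":"2025-03-03T12:00:00Z","user":"bob","action":"read","file":"readme.txt","cui":null,"mfa":true}
garbled record that must be counted, not crash the review
"""


def evaluate(event: dict) -> list:
    """Return the policy issues raised by one access event (empty if none)."""
    issues = []
    category = event.get("cui")
    if not category:
        return issues                          # not CUI: nothing to enforce here
    if event.get("user") not in AUTHORIZED.get(category, set()):
        issues.append("unauthorized-access")   # no need to know for this category
    if not event.get("mfa"):
        issues.append("no-mfa")                # CUI touched without MFA
    recipient = event.get("recipient")
    if event.get("action") == "share" and recipient and not recipient.endswith(INTERNAL_DOMAIN):
        issues.append("external-share")        # CUI sent outside the organization
    return issues


def review_log(raw: str) -> dict:
    """Parse JSON-per-line audit records and collect findings for reporting."""
    findings, skipped = [], 0
    for line in raw.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1                       # malformed records are reported, not ignored
            continue
        issues = evaluate(event)
        if issues:
            findings.append({"ts": event.get("ts"), "user": event.get("user"),
                             "file": event.get("file"), "issues": issues})
    return {"findings": findings, "skipped": skipped}


def issue_counts(raw: str) -> Counter:
    """Tally issue types, the figure a periodic CUI access report would carry."""
    return Counter(i for f in review_log(raw)["findings"] for i in f["issues"])


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    for f in report["findings"]:
        print(f"{f['ts']} {f['user']} {f['file']}: {', '.join(f['issues'])}")
    print("skipped malformed records:", report["skipped"])
    print(dict(issue_counts(SAMPLE_LOG)))
```

The three checks map directly onto the list above: the need-to-know lookup is the access-limiting protocol, the MFA flag is the authentication control, and the recipient check is the dissemination rule. Counting malformed records instead of dropping them matters for the tracking and reporting obligations described earlier, because a log that silently loses lines cannot show an assessor that every CUI access was recorded.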
The Kiteworks Private Data Network Is Key to Protecting CUI
Every day, organizations face increasingly higher challenges to keep sensitive data such as CUI safe from malicious third parties, cyberattacks, and data breaches. To ensure the safety of this sensitive data, Kiteworks offers a Private Data Network (PDN) that unifies, tracks, controls, and secures sensitive content communications with comprehensive security and compliance governance. With Kiteworks, organizations can secure sensitive information like CUI across all communication channels with centralized controls, automated enforcement, and comprehensive visibility—without sacrificing operational efficiency.
Kiteworks uses a hardened virtual appliance to protect sensitive content communications from malicious cybercriminals and rogue nation-states. Its security layers, including double AES-256 encryption at the file and disk-volume levels, make it extremely difficult for a cyberattack to gain access to any content. Because of the level of security Kiteworks employs, the severity and impact of vulnerabilities are dramatically reduced.
Kiteworks unifies file and email data communications into a single platform that delivers consolidated tracking and controls to manage content sends, shares, receives, collaboration, and stores. With secure email, secure file sharing, secure managed file transfer, secure web forms, and SFTP consolidated into one platform, organizations achieve dramatic improvements in operational compliance, efficiencies, and security.
Data encryption is a key element of the Kiteworks PDN. It protects sensitive data by encoding it so that only authorized individuals can access it. What’s more is that neither Kiteworks nor cloud providers have access to your key management and encryption. Kiteworks customers retain full ownership and access to their encryption keys. Government agencies, lawyers, and courts are unable to gain access to your sensitive content in Kiteworks through legal measures.
Schedule a custom-tailored demo to learn how you can protect CUI under CMMC Level 2 with Kiteworks—which supports nearly 90% of CMMC Level 2 requirements out of the box.