- CUI identification isn't an IT problem — it's a **contracts problem**. The marking system is unreliable; the contract clauses are what determine your obligations. DFARS 252.204-7012 in the contract *is* the determination, even when the documents aren't marked.
- **Five CUI categories cover roughly 95% of what defense contractors handle:** Controlled Technical Information (CTI), Export Controlled, Procurement & Acquisition, Privacy, and Defense Operational. Others exist, but rarely apply.
- The DoD's own Inspector General has twice confirmed (DODIG-2023-078 in June 2023; a January 2026 management advisory) that the Department doesn't mark its own CUI consistently. **You cannot rely on markings.**
- FY2025 saw **$52 million in DoJ cybersecurity FCA recoveries across nine settlements**, with whistleblowers initiating five of them. In December 2025, the first individual criminal indictment was returned under the same enforcement theory.
- 32 CFR § 170.22 creates an annual affirmation duty. **18 USC § 1001 and 31 USC § 3729 create the personal liability behind a false one** — the CEO or CFO who signs is the one exposed, not the IT team.
Identifying CUI is one of the hardest questions in CMMC. If you find the rules confusing, you’re not alone. The marking system DoD relies on doesn’t always work as designed, the rules can feel contradictory, and even the agencies that wrote them sometimes give inconsistent answers.
We’ve walked this question with contractors at every tier — from primes with mature compliance teams to two-person engineering shops trying to figure out whether a Navy spec is CUI. There is a clear, defensible path through it, and this article is that path.
The stakes have changed. In fiscal year 2025, the US Department of Justice recovered more than $52 million across nine cybersecurity-related False Claims Act settlements[1] and noted that cyber settlements have more than tripled in each of the past two years. The DoJ’s Civil Cyber-Fraud Initiative is five years old now and accelerating — and in December 2025 a federal grand jury returned the first criminal indictment of an individual over cybersecurity-compliance misrepresentations. The charges use traditional fraud and obstruction statutes, not the criminal False Claims Act, and the Civil Cyber-Fraud Initiative remains civil — but the criminal route is now in play.[2]
What follows takes about an hour to read and a day of focused work to put into practice. It’s structured around four steps any senior leader can walk through with their compliance and engineering teams, this week.
What CUI is, in plain English.
The legal definition lives in 32 CFR § 2002.4, written by the National Archives:[3]
Information the government creates or possesses, or that someone else creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires to be protected.
Two things matter in that sentence.
First, you create CUI. If your engineering team produces a drawing for the Navy under a defense contract, that drawing is CUI — even though the Navy never touched it. You produced it on behalf of the government. That “or that an entity creates or possesses for or on behalf of the Government” clause is where most defense contractors live.
Second, a specific law or policy has to require the protection. Not just nervousness about sensitive content. The catalogue of those laws lives in two registries: the National CUI Registry at archives.gov/cui (the master list, 100+ categories across the entire federal government) and the DoD CUI Registry at dodcui.mil (a DoD-specific subset aligned to DoD policies). DoD contractors should consult the DoD Registry first, then cross-check the National Registry for non-DoD contract elements. For defense contractors, five categories cover roughly 95 percent of everything you’ll encounter. More on those below.
Four terms that get confused
The terms below get used as if they mean the same thing. They don’t.
FCI (Federal Contract Information). From FAR 52.204-21. Information not for public release, provided by or generated for the government under a contract — basic admin, contract paperwork, low-sensitivity work product. FCI is broader than CUI. All CUI is FCI; not all FCI is CUI. FCI gets CMMC Level 1. CUI gets Level 2.
CDI (Covered Defense Information). The DoD’s term for CUI in its own contract clauses, specifically DFARS 252.204-7012. Effectively the same as CUI. Treat them as identical for practical purposes.
CTI (Controlled Technical Information). One specific category of CUI — technical information with military or space application. Marked CUI//SP-CTI. A subset, not a synonym.
Quick way to keep them straight: FCI is the largest category. CUI sits inside FCI. CTI is one specific kind of CUI.
The five categories that matter.
Defense contractors run into the same five CUI categories over and over. Others exist but rarely apply.
| Category | Marking | What it is | Typical example |
|---|---|---|---|
| Controlled Technical Information (CTI) | CUI//SP-CTI | Technical info with military or space application | Engineering drawings, specs, source code for defense systems, test data, manufacturing procedures, repair manuals |
| Export Controlled | CUI//SP-EXPT | Data on items in the US Munitions List (ITAR) or Commerce Control List (EAR) | Technical data on USML items, controlled encryption tech, dual-use technology |
| Procurement and Acquisition | CUI//SP-PROC or CUI//PROC | Source-selection info, bid data, contract pricing | Competing bids, contracting officer evaluation memos, source-selection records |
| Privacy | CUI//SP-PRIV or CUI//PRIV | PII collected in connection with government work | PII on military personnel, government employees, cleared contractor staff, TRICARE beneficiaries |
| Defense operational | CUI//SP-DCRIT, SP-NNPI, SP-DCNI, others | Defense capabilities, vulnerabilities, critical infrastructure detail | Force protection details, threat assessments, vulnerability data, naval nuclear propulsion info |
The SP- prefix means “Specified.” Most CUI in defense contracts is Specified, which simply means there are extra handling rules beyond the basic cybersecurity controls — like the foreign-national access restrictions in ITAR for export-controlled data, or the sharing limits under privacy law for PII. You don’t need to memorise the distinction. What matters in practice: if a marking includes SP-, additional rules from the underlying law apply, and a breach can draw tougher sanctions because the underlying statute has its own penalty regime on top of the False Claims Act exposure.
Information that isn’t CUI on its own can become CUI when combined with other information. A list of contractor employees isn’t CUI. A list of contractor employees with access to a specific defense program probably is. DoD Manual 5200.01 acknowledges this. There is no clean rule. When in doubt, ask in writing.
Why finding your CUI is harder than it should be.
There are three reasons this question is genuinely difficult, and it helps to know them up front.
The DoD doesn’t mark its own CUI consistently. The Department’s Inspector General has said this twice now: in June 2023 (Report DODIG-2023-078) and again in a 29 January 2026 management advisory. The 2023 audit found that nearly 50% of reviewed documents had no designation indicator block at all, and 70% of the document types reviewed were either unmarked or carried outdated labels like FOUO.[4] The 2026 advisory came out of an investigation triggered by the Defense Secretary’s use of Signal to discuss Yemen airstrikes — reviewers found DoD components were still failing to apply required markings, or defaulting to the most restrictive dissemination controls regardless of context. If the originator doesn’t mark, the recipient cannot tell whether the absence of marking means “not CUI” or “we just didn’t mark it.”
Markings get stripped on the way to you. A prime contractor receives a properly marked document from the government. Someone on the project team opens it, copies parts into a working file, and emails that down to the subs. By the time the file arrives three steps later, the marking is buried in an archived email no one is going to reopen. The data hasn’t changed, and neither has the protection obligation — but the marking is gone.
Even DoD’s own people give contradictory answers. The Defense Counterintelligence and Security Agency published a CUI FAQ in May 2025 with this contractor question quoted unedited: “We have been told yes, then no, then yes again from different DCSA reps.”[5] DCSA’s response was to clarify the rule. The fact that the question made it into a published FAQ tells you how this is working in practice.
The takeaway: you cannot rely on markings alone. You have to do the identification yourself, using the contract clauses and the data itself as your evidence.
How to find your CUI in four steps.
Four steps. They’re sequential — each one depends on what you found in the one before. None require new tools, software, or budget. They do require your contracts file and the right conversations with the right people.
Step 1: Read your contracts
Pull every active prime contract and subcontract. Open each. Search for four specific clauses:
| Clause | What it means |
|---|---|
| DFARS 252.204-7012 | CUI is in scope. Implement all 110 NIST SP 800-171 Rev 2 controls. Report cyber incidents to DIBNet within 72 hours. Flow the clause down to your subs. |
| DFARS 252.204-7021 | A specific CMMC level is mandated — the clause itself states which. Achieve and maintain that level: Level 1 (annual self-assessment), Level 2 (a CMMC Third-Party Assessor Organization, or C3PAO, runs the assessment every three years), or Level 3 (the Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, runs the assessment). Your status must appear in the Supplier Performance Risk System — SPRS, DoD’s contractor database — before contract award. |
| FAR 52.204-21 | FCI is in scope (not CUI, unless 7012 is also present). Implement the 15 basic safeguarding controls in the clause and complete a CMMC Level 1 self-assessment annually. |
| DFARS 252.204-7019 / -7020 | Legacy clauses you’ll find in pre-2026 contracts. -7019 required you to upload a NIST 800-171 self-assessment score to SPRS; -7020 required cooperation with DoD-led assessments. Both have been replaced or renumbered, but the underlying obligations now live under 7021 — treat the contract as if 7021 applies. |
If any of these are in your contract, the government has already decided CUI handling rules apply to you. The clause is the determination. The marking is just downstream evidence of it.
NIST finalized Revision 3 in May 2024 (97 requirements, restructured). DoD Class Deviation 2024-O0013 keeps Revision 2 as the standard for CMMC, DFARS 7012, and SPRS scoring.[6] DoD has published Organization-Defined Parameters for Rev 3 in preparation, but Rev 3 is not expected to become enforceable for defense contractors before 2027 at the earliest. Implement Rev 2 today.
If you’re a subcontractor, this is your first protection. Under DFARS 252.204-7012(m)(1), your prime is required to include the substance of the clause in your subcontract “without alteration, except to identify the parties,” whenever your subcontract performance involves covered defense information. Check your subcontract. Is the clause there?
If your work seems to involve CUI but the clause is missing, your prime likely made a mistake. What to do about it:
- Write to your prime’s contract administrator requesting that the clause be added via contract amendment. State which work appears to involve CUI and why. Reference DFARS 252.204-7012(m)(1) so they know you know the obligation exists.
- Keep the correspondence. This is your defensive record if the gap becomes a question later.
- Continue protecting the data as if the clause applied. Your obligation under federal law to safeguard CUI doesn’t disappear because the contractual chain has a gap.
- If the prime won’t amend or doesn’t respond, ask them to escalate the question to the contracting officer under (m)(2). You now have a written record that you flagged it, asked for resolution, and acted appropriately in the meantime.
Step 2: Look at what you actually receive
For each contract where Step 1 found CUI-relevant clauses, examine the documents and data flowing in from the government or your prime. Two layers:
Layer 1: the markings (when they exist). Look for documents marked with CUI//, FOUO (an older label that should have been replaced by now), Distribution Statements B through F (under DoDI 5230.24), or any specific handling instructions in the cover email. Documents arriving via secure portals (Box Federal, GovEnclave, SAFE) are usually marked. Catalogue what is marked and how.
Layer 2: the substance (always). Ignore the file names and markings for a moment. Look at what the data actually is. Use the five categories above as your checklist and walk through your environment:
For CTI: Walk through your engineering team’s deliverables. Ask your program manager or senior engineer one question: does this describe how a defense or space product works, is built, performs, or is maintained? If yes, it’s CTI. Distribution Statements B through F on technical documents are CUI//SP-CTI by definition.
For Export Controlled: Check whether what you make or work on appears on the US Munitions List (22 CFR 121) or the Commerce Control List (15 CFR Part 774). If your firm has an ITAR registration, an Empowered Official, or a current EAR classification on file, every technical document for that item is CUI//SP-EXPT. If you’re not sure, your contracts or trade compliance team will know. Common contract indicators: ITAR, EAR, “Export Controlled,” or specific USML/CCL category numbers.
For Procurement and Acquisition: Look at documents tied to government solicitations, competing bids, source-selection materials, or contracting officer evaluation memos. If anyone in your organization has access to information about competing bids during evaluation, or how the government will evaluate offers before award, that’s Procurement and Acquisition CUI. Common indicators: documents marked “Source Selection Sensitive” or “SSI,” and any FAR 3.104 references.
For Privacy: Pull your data inventory. Do you store PII on military personnel, government civilian employees, cleared contractor staff (in connection with government work), or program beneficiaries like TRICARE recipients? If yes, that PII is Privacy CUI. Common locations: HR systems holding government-related records, security clearance investigation files, beneficiary or claims databases. Generic PII for your own commercial business doesn’t count — the federal-purpose connection is what makes it CUI.
For Defense operational: Look at contracts involving operational support, threat or vulnerability assessment, force protection, mission planning, infrastructure security, or naval nuclear propulsion. If your work touches defense capabilities, vulnerabilities, or critical infrastructure detail, that data is Defense operational CUI. Common indicators: contracts with combatant commands, intelligence-adjacent work, or any reference to NNPI, DCRIT, or DCNI.
If you answer yes to any of these, the data is CUI in that category — whether or not anyone marked it. The protection obligation moves with the data, not with the label.
Derivatives are the easiest thing to miss. Your team builds a working document from a marked source. The working version has no markings because no one thought to copy them over. The data is still CUI. Both documents are in scope.
Step 3: Ask — in writing
When uncertainty remains, ask. Write it down. The format matters because the correspondence becomes part of your defensive record later.
If you’re a prime: send the request to the contracting officer. State the data type you’re uncertain about, the contract it relates to, your best guess at the answer (“we believe this is CUI//SP-CTI on the basis of…”), and ask for written confirmation. Contracting officers are required to identify CUI under FAR and DFARS. This is a legitimate request within their job.
If you’re a sub: send the same request to your prime’s contract administrator or program manager. Under DFARS 252.204-7012(m)(2), the prime is required to determine whether the information at your tier requires protection under the clause, and “if necessary, consult with the Contracting Officer.” Document their response. If they cannot or will not answer within a reasonable window, ask them to escalate per (m)(2). Going around your prime directly to the contracting officer is possible but damages relationships — reserve it for cases where the prime is genuinely non-responsive.
Keep the correspondence. If you later face a False Claims Act case about what you knew, “we asked in writing and acted on the response” beats “we assumed.”
The proposed FAR CUI Rule (published 15 January 2025; comment period now closed) would impose an 8-hour notification window for unmarked or mismarked CUI you discover.[7] The rule is not final yet, but it’s coming. The clock starts when discovery happens — whoever discovers, whenever. Plan the escalation path now, not when the 8 hours are already running.
Step 4: Map where it lives
Once you know what CUI you have, trace it through your environment. For each type:
- Where does it come in? (Email, secure portal, USB, paper, customer-supplied system.)
- Where is it stored? (Specific file servers, mailboxes, cloud tenants, paper repositories.)
- Where does it move? (Internal collaboration, subcontractor flow-down, cloud services.)
- Who can see it? (Specific people, roles, populations of cleared and uncleared staff.)
- Where does it leave? (Delivery to government, return to prime, archival, destruction.)
The output is two artefacts:
- A CUI inventory — a spreadsheet listing each type of CUI you handle, the contract that brings it in, the category, and the systems where it lives.
- A data flow diagram — a visual map of how CUI moves through your environment. This becomes your assessment boundary.
Together these define the scope of your CMMC assessment. They feed your System Security Plan (the SSP — your formal record of how you implement each control). They become the boundary that a C3PAO assessor walks during the assessment. Without them, every conversation downstream is harder.
If you have to pick one of the four steps to do first, this is the one.
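As an added example (not code from the article or from any tool it names), the script below automates the mechanical part of Steps 1 and 2: it searches contract text for the four clause families in the Step 1 table, reads Layer 1 markings from document headers using the five-category table, and emits one inventory row per contract with the subcontractor flow-down gap flagged for follow-up. The contract excerpts, document headers, regexes and function names are all constructed for this example; a real run would read your contracts file and received documents instead.

```python
import re
from dataclasses import dataclass, field

# Clause families from the Step 1 table (regexes constructed for this example).
CLAUSE_PATTERNS = {
    "DFARS 252.204-7012": r"252\.204-7012",
    "DFARS 252.204-7021": r"252\.204-7021",
    "DFARS 252.204-7019/-7020": r"252\.204-70(?:19|20)",
    "FAR 52.204-21": r"52\.204-21",
}

# Marking tag -> category, from the five-category table.
MARKING_CATEGORY = {
    "SP-CTI": "Controlled Technical Information",
    "SP-EXPT": "Export Controlled",
    "SP-PROC": "Procurement and Acquisition", "PROC": "Procurement and Acquisition",
    "SP-PRIV": "Privacy", "PRIV": "Privacy",
    "SP-DCRIT": "Defense operational", "SP-NNPI": "Defense operational",
    "SP-DCNI": "Defense operational",
}

def find_clauses(contract_text):
    """Step 1: which of the four clause families appear in this contract?"""
    return {name for name, pat in CLAUSE_PATTERNS.items() if re.search(pat, contract_text)}

def obligations(clauses, contract_text):
    """Translate the clauses found into the obligations the Step 1 table lists."""
    out = []
    if "DFARS 252.204-7012" in clauses:
        out.append("CUI in scope: 110 NIST SP 800-171 Rev 2 controls; "
                   "72-hour DIBNet incident reporting; flow 7012 down to subs")
    if clauses & {"DFARS 252.204-7021", "DFARS 252.204-7019/-7020"}:   # legacy clauses: treat as 7021
        m = re.search(r"CMMC Level (\d)", contract_text)
        level = m.group(1) if m else "unstated (ask the CO in writing)"
        out.append(f"CMMC Level {level} required; status in SPRS before award")
    if "FAR 52.204-21" in clauses and "DFARS 252.204-7012" not in clauses:
        out.append("FCI in scope: 15 basic safeguarding controls; Level 1 self-assessment")
    return out

def classify_document(doc_text):
    """Step 2, Layer 1: CUI// markings, Distribution Statements B-F, legacy FOUO labels."""
    cats = set()
    for tag in re.findall(r"CUI//([A-Z-]+)", doc_text):
        cats.add(MARKING_CATEGORY.get(tag, f"unknown marking {tag}"))
    if re.search(r"DISTRIBUTION STATEMENT [B-F]\b", doc_text, re.I):
        cats.add("Controlled Technical Information")       # B-F on technical docs = SP-CTI
    return {"categories": sorted(cats),
            "legacy_fouo": bool(re.search(r"\bFOUO\b", doc_text)),
            "needs_layer2_review": not cats}                # unmarked does not mean not CUI

@dataclass
class InventoryRow:
    contract: str
    is_subcontract: bool
    clauses: set
    obligations: list
    documents: list
    findings: list = field(default_factory=list)

def build_row(name, is_sub, contract_text, docs):
    """One inventory row per contract, including the subcontractor flow-down gap check."""
    clauses = find_clauses(contract_text)
    classified = [classify_document(d) for d in docs]
    row = InventoryRow(name, is_sub, clauses, obligations(clauses, contract_text), classified)
    if is_sub and any(c["categories"] for c in classified) and "DFARS 252.204-7012" not in clauses:
        row.findings.append("flow-down gap: marked CUI received but 7012 absent; "
                            "request amendment citing 252.204-7012(m)(1) and keep the correspondence")
    if any(c["legacy_fouo"] for c in classified):
        row.findings.append("legacy FOUO label seen: handle as CUI pending written confirmation")
    if any(c["needs_layer2_review"] for c in classified):
        row.findings.append("unmarked documents present: run the Layer 2 substance review")
    return row

# Constructed sample inputs (not real contracts or documents).
PRIME = ("... 252.204-7012 Safeguarding Covered Defense Information ... "
         "252.204-7021 Cybersecurity Maturity Model Certification: CMMC Level 2 ...")
SUB = "... FAR 52.204-21 Basic Safeguarding ... 252.204-7020 NIST SP 800-171 DoD Assessment ..."
SUB_DOCS = ["CUI//SP-CTI  DISTRIBUTION STATEMENT D  Bracket assembly drawing, rev C",
            "FOUO  Delivery schedule",
            "Meeting notes, week 12"]
```

Running `build_row("sub-001", True, SUB, SUB_DOCS)` on the constructed subcontract returns a row carrying all three findings, which is the written record Step 3 tells you to start from.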
What happens if you get this wrong.
The US Department of Justice launched the Civil Cyber-Fraud Initiative (CCFI) in October 2021. It uses the False Claims Act (31 USC § 3729) to bring action against contractors who knowingly misrepresent compliance with cybersecurity requirements — for civil cases, the FCA allows treble damages (three times the original amount) and per-claim penalties. A few cases set the pattern.
Real cases, real money
- 2022 (first case to trial · whistleblower-initiated): The whistleblower was Brian Markus, Aerojet's own Senior Director of Cyber Security, Compliance & Controls. He alleged that Aerojet entered contracts requiring DFARS 252.204-7012 compliance while knowing its systems didn't meet that requirement. He raised concerns internally, refused to sign compliance documents, and was terminated. He then filed a qui tam suit — a whistleblower action on the government's behalf, with the whistleblower entitled to a share of the recovery. The case settled on the second day of trial. Of the $9M settlement, $2.61 million went to Markus as the whistleblower's share. If a CISO or compliance lead raises concerns about compliance accuracy, ignoring them isn't a defensible posture.
- 2024 (Privacy CUI · contractual obligation): Failure to protect Privacy CUI (PII) collected under a federal contact-tracing contract.
- 2024 (university · multi-contract): Failed to implement NIST controls, misrepresented implementation dates, used a non-compliant cloud service. Civil settlement.
- 2024 (sub-$500K · DoJ still pursued): Smaller settlement, but the DoJ pursues sub-$500K cases. Privacy CUI (CUI//SP-PRIV) stored in plain sight.
- 2025 (largest FY2025 settlement · senior leadership knew): Cybersecurity certifications kept getting signed when internal and external audits had flagged serious risks. Senior leadership knew. They certified anyway. The largest civil settlement in the FY2025 cyber-FCA record.
- 2025 (missing SSP · multi-service contracts): Missing SSP documentation, inadequate third-party email host security, no written cybersecurity plan, across Army and Air Force contracts. The case turned on the gap between claimed and actual implementation. Not on a breach.
- 2025 (large prime · 29 contracts): No System Security Plan in place for a key internal network used across 29 DoD contracts. Basic FAR 52.204-21 controls were missing entirely. If Raytheon-sized contractors get caught, smaller ones definitely will.
- 2025 (first PE-owner co-settlement): Defense contractor cybersecurity misrepresentations. Notable as the first cyber-FCA case to also settle with the contractor's private equity owner — extending FCA exposure up the corporate ownership chain. If you're a PE-backed DIB firm, the parent fund is now in scope.
- 2025 (research entity · false SPRS score): Didn't install antivirus tools at the relevant lab. Submitted a false NIST 800-171 score to DoD. Tried a "fundamental research is exempt" defense. It didn't work.
Across the full picture: FY2025 saw $6.8 billion in total False Claims Act recoveries — the largest single-year total in the Act’s history.[8] Of that, $52 million came from cybersecurity cases across nine settlements, with whistleblowers initiating five of the nine. The DoJ has been clear that whistleblowers will continue to play a central role in cyber-fraud enforcement.
The pattern
Every one of these cases has the same shape. The contractor certified compliance with something. Somebody inside the organization knew the certification was incomplete or false. The False Claims Act does not require proof of a breach or proof of harm. It requires proof that the certification was knowingly false, or made with reckless disregard for the truth.
If you don’t know what CUI you have, you can’t honestly certify you’re protecting it. If you certify anyway — submitting an SPRS score, signing an annual affirmation — that’s the conduct the FCA penalises.
Personal liability for the person who signs
This is the part that doesn’t always make it from the compliance team to the CEO or CFO. It should.
32 CFR § 170.22 requires that a senior official at the contractor sign the annual affirmation in SPRS, attesting to continuing compliance.[9] The regulation creates the duty. When the affirmation turns out to be false, the signer can face personal exposure under separate federal statutes:
- 18 USC § 1001 — false statements to the federal government, with criminal penalties up to 5 years in prison
- 31 USC § 3729 — False Claims Act civil liability, with treble damages and per-claim penalties
For most small and mid-sized DIB firms, the Affirming Official is the CEO or CFO. Not the CISO. Not the IT director. The senior executive whose signature goes on the affirmation is the one who answers to DoJ if the affirmation turns out to be wrong. “I trusted what IT told me” is a weak defense when the FCA test is whether the affirmation was knowingly false or made with reckless disregard.
Until late 2025, individual criminal prosecution over cybersecurity-compliance misrepresentations was theoretical. That changed in December 2025, when a federal grand jury in the District of Columbia returned the first criminal indictment of an individual over cybersecurity-compliance misrepresentations.[2] A former senior manager at a government contractor was charged on five counts under traditional fraud and obstruction statutes — not the criminal False Claims Act:
- Two counts of wire fraud (18 USC § 1343, maximum 20 years each)
- One count of major fraud against the United States (18 USC § 1031, maximum 10 years)
- Two counts of obstruction of a federal audit (18 USC § 1516, maximum 5 years each)
All for misrepresenting cybersecurity controls on a cloud platform used by the US Army and at least five other federal agencies, including the Department of State and the Department of Veterans Affairs. The Civil Cyber-Fraud Initiative remains civil; this is a separate criminal action under different statutes. But the criminal route is now in play, and more cases are expected.
A second enforcement mechanism also came online in December 2024. The Administrative False Claims Act lets federal agencies pursue contractor cybersecurity claims independently of DoJ, recovering their own investigation costs in the process.[10] Cybersecurity lapses too small to attract DoJ attention can now be pursued directly by DoD, GSA, or whichever agency holds the contract.
Subcontractor exposure
A few specific traps apply to subcontractors that don’t apply to primes.
Primes are pushing certifications down the chain. Because primes are exposed for their subs’ misconduct under the FCA, primes are increasingly demanding written CMMC compliance attestations from their subs. If you sign one and it’s false, your firm is exposed. If your prime then signs a government certification that depended on your attestation, your prime is exposed too — and they’ll pursue contractual remedies against you.
Your CMMC level follows the data, not the contract chain. Under 32 CFR § 170.23, the required CMMC level for a sub is set by the information the sub receives or generates — not by the prime’s level or how the prime classified the sub’s work.[11] A tier-three sub handling CUI needs Level 2 even if no one above them ever raised the question. The further down the chain you sit, the more likely it is that nobody above did the analysis.
Subs are now being prosecuted directly. In a separate December 2025 case — distinct from the criminal indictment above — the DoJ settled with a precision machining supplier in the defense supply chain. The supplier had allegedly failed to provide adequate cybersecurity under DFARS 252.204-7012 for the technical drawings of parts it supplied to defense contractors. The qui tam suit was filed by the company’s own former quality control manager. The case shows that the DoJ is now reaching past the prime to pursue subs directly when the underlying data was CUI.
What to do this week.
Three actions to take, in order:
Before your next affirmation cycle.
- Build the contract inventory. Pull every active contract and subcontract. Spreadsheet, one row per contract, one column per clause (7012, 7021, 52.204-21, 7019/-7020). A day's work for your contracts team. If you're a sub, flag any subcontract that doesn't contain 7012 but appears to involve CUI-relevant work — that gap is itself a finding.
- Find the data owners. For each contract, the program manager or senior engineer can answer "what data type is this." The IT lead usually can't. Have those conversations. Document what they describe.
- Send one written clarification request. Pick the contract you're most uncertain about. Primes write to the contracting officer; subs write to the prime's contract administrator. The response — or its absence — gives you a defensible record. If you need a third route, the DCSA CUI Branch Hotline (571-305-4878, M–F 0800–1500 ET) and 24/7 support mailbox ([email protected]) are the official escalation routes. Document whatever they tell you.
No tool, no consultant, no budget. An afternoon of focused work and access to your contracts file is all this needs. The contracts review is the part most teams put off because it doesn’t feel urgent — but it is, and doing it now makes everything that follows in your CMMC journey clearer.