
Who Is Responsible For CUI (Controlled Unclassified Information)?
Handling Controlled Unclassified Information (CUI) is a contractual requirement for many organizations in the Defense Industrial Base (DIB). But it’s also a common source of compliance risk, as companies struggle to align complex CUI handling rules with operational goals.
Who holds responsibility for CUI at each stage of its lifecycle? Is it the originating agency, the prime contractor, or the subcontractor? Who decides what qualifies as CUI, who applies the markings, and who is accountable for keeping it secure?
This article provides a clear overview of CUI responsibilities. If your organization handles CUI, we’ll explain what you’re accountable for, and how to stay compliant under DFARS, NIST SP 800-171, and CMMC 2.0.
What Is CUI?
CUI, a category of sensitive information, falls under legal, regulatory, or contractual protections, but remains unclassified under federal law. For organizations in the DIB, CUI commonly includes technical drawings, specifications, contract details, and cybersecurity data. Understanding the definition of CUI and its differences from classified or public information forms the foundation of a compliant CUI handling program.
CUI: The Legal Basis
The Controlled Unclassified Information program was established by Executive Order 13556 in 2010. Previously, agencies followed inconsistent policies for information safeguarding and marking, which created confusion for agencies and contractors, especially around secure and compliant information sharing.
For companies in the DIB, the more relevant authorities are the defense-specific regulations that implement this policy:
- 32 CFR Part 2002: Outlines baseline CUI handling requirements for all executive branch entities. It defines general safeguarding, access, marking, and destruction practices.
- DFARS 252.204-7012: Requires contractors to implement NIST SP 800-171 to protect CUI.
- NIST SP 800-171: Specifies 110 technical and procedural safeguards for protecting CUI in non-federal information systems. It is the core standard for demonstrating compliance under DFARS and CMMC requirements.
- CMMC 2.0: The Cybersecurity Maturity Model Certification requires contractors to implement NIST 800-171 controls and, for some, pass third-party assessments. Level 2 of CMMC applies to contractors who handle CUI.
- DoD Instruction 5200.48: Clarifies how the Department of Defense implements the CUI program, including instructions for identifying, marking, disseminating, and decontrolling CUI within defense contracts.
Together, these frameworks determine how DIB contractors must manage CUI throughout its lifecycle.
What is CUI Basic?
CUI Basic is the default handling designation and the most common type of CUI that DIB contractors handle. It refers to information that requires safeguarding under laws, regulations, or government-wide policies (LRGWP), but where those authorities do not specify handling controls that differ from or exceed the baseline CUI controls.
Because most DoD contracts involve CUI Basic, organizations must:
- Apply the baseline protections in 32 CFR Part 2002
- Implement NIST SP 800-171 controls
- Ensure proper marking and access restrictions
For most DIB contractors, managing CUI Basic is a core compliance requirement that must be addressed to meet NIST, DFARS, and CMMC obligations.
What is CUI Specified?
CUI Specified is a subset of controlled information subject to enhanced handling requirements. Unlike CUI Basic, the LRGWP governing CUI Specified explicitly states how to protect the information and who can access it.
For example, data controlled under the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) often falls under CUI Specified. Controls typically restrict access to U.S. persons or limit dissemination based on export control laws.
While most DoD contractors primarily handle CUI Basic, CUI Specified can appear in programs involving export-controlled technology, foreign military sales, or classified annexes. In these cases, contractors must comply with both general CUI requirements and the additional conditions set by the controlling authority.
Misclassifying or mishandling CUI Specified can lead to serious regulatory violations, so it’s important to identify these cases early and apply the proper controls beyond the standard NIST SP 800-171 safeguards.
CUI Accountability for the Defense Industrial Base
Multiple roles share responsibility for CUI within the DIB, but contractors ultimately bear the burden of compliance once CUI enters their environment. Government agencies and prime contractors are responsible for designating and marking CUI, but safeguarding obligations apply the moment that information is shared with a DIB company.
For prime contractors, that includes flowing down CUI requirements to subcontractors. Subcontractors, in turn, are required to implement equivalent protections, even if they didn’t generate or mark the information themselves.
Contractors must:
- Protect CUI in accordance with NIST SP 800-171, as well as any additional requirements for CUI Specified.
- Ensure employees understand handling procedures through training and policy enforcement.
- Prevent unauthorized access or dissemination, including to foreign nationals if export controls apply.
- Mark any derivative documents containing CUI.
- Report any suspected compromise of CUI to the DoD within 72 hours.
The Department of Defense does not assign a single point of responsibility across the CUI lifecycle. Instead, each party must understand and act on its role. In practice, this means DIB companies cannot assume CUI has been properly designated or marked when they receive it. They must assess, apply safeguards, and retain records that demonstrate compliance.
The Minimum Marking Requirements for CUI
Controlled Unclassified Information must be clearly marked to ensure it is handled appropriately across its lifecycle. While a government agency or prime contractor typically applies the original CUI markings, DIB organizations are still responsible for maintaining them and ensuring CUI is not inadvertently disclosed.
You can find complete guidance in the CUI Marking Handbook.
Physical CUI
Printed materials containing CUI should display an authorized CUI banner marking at the top and bottom of each page. This banner includes the control marking (‘CONTROLLED’ or ‘CUI’), applicable CUI categories, and any limited dissemination controls.
Documents with multiple CUI categories may require additional markings. Physical access must be restricted and storage must meet safeguarding standards (e.g., locked cabinets).
Digital CUI
Electronic files must include the CUI banner in the header, footer, and, where possible, metadata fields. Email messages transmitting CUI should include appropriate markings in the subject line and body, and attachments must be individually marked. Files must be stored in systems compliant with NIST SP 800-171 and protected from unauthorized access or exfiltration.
Physical media, such as USB drives or hard drives, must have external labels identifying the contents as CUI.
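To make the marking rules above checkable, here is an added Python example (not from the article or from Exostar) that validates a CUI banner marking and verifies that each page of a document carries the same valid banner as header and footer. The banner grammar and the "SP-" prefix for CUI Specified categories are taken from the CUI Marking Handbook, and the category and dissemination values are a constructed subset of the CUI Registry, not a complete list.

```python
from dataclasses import dataclass, field

# Banner grammar per the CUI Marking Handbook (assumption, not text from this article):
#   <control marking>//<category>[/<category>...]//<dissemination control>[/<control>...]
# Registry values below are illustrative subsets, constructed for this example only.
CONTROL_MARKINGS = {"CUI", "CONTROLLED"}
KNOWN_CATEGORIES = {"CTI", "SP-CTI", "PRVCY", "PROPIN", "SP-EXPT"}
KNOWN_DISSEM = {"NOFORN", "FED ONLY", "FEDCON", "REL TO USA, GBR"}

@dataclass
class BannerResult:
    control: str = ""
    categories: list = field(default_factory=list)
    dissem: list = field(default_factory=list)
    specified: bool = False  # a category carries the SP- prefix, i.e. CUI Specified
    errors: list = field(default_factory=list)  # empty means the banner is well formed

def parse_banner(banner: str) -> BannerResult:
    """Parse one banner line and record every structural problem found."""
    res = BannerResult()
    parts = [p.strip() for p in banner.strip().split("//")]
    res.control = parts[0]
    if res.control not in CONTROL_MARKINGS:
        res.errors.append(f"control marking must be CUI or CONTROLLED, got {res.control!r}")
    if len(parts) >= 2 and parts[1]:
        res.categories = [c.strip() for c in parts[1].split("/")]
        res.errors += [f"unknown CUI category {c!r}" for c in res.categories if c not in KNOWN_CATEGORIES]
        res.specified = any(c.startswith("SP-") for c in res.categories)
    if len(parts) >= 3 and parts[2]:
        res.dissem = [d.strip() for d in parts[2].split("/")]
        res.errors += [f"unknown dissemination control {d!r}" for d in res.dissem if d not in KNOWN_DISSEM]
    return res

def check_pages(pages: list[str]) -> list[str]:
    """Flag pages whose first and last non-blank lines are not one identical, valid banner."""
    findings = []
    for n, page in enumerate(pages, 1):
        lines = [ln.strip() for ln in page.splitlines() if ln.strip()] or [""]
        for label, line in (("header", lines[0]), ("footer", lines[-1])):
            bad = parse_banner(line).errors
            if bad:
                findings.append(f"page {n}: bad {label} banner: {'; '.join(bad)}")
        if lines[0] != lines[-1]:
            findings.append(f"page {n}: header and footer banners differ")
    return findings

# Constructed two-page derivative document: page 2 was saved without its footer banner.
SAMPLE_PAGES = [
    "CUI//SP-CTI//NOFORN\nSection 1: turbine blade tolerances ...\nCUI//SP-CTI//NOFORN",
    "CUI//SP-CTI//NOFORN\nSection 2: test procedure ...\nPrepared by engineering",
]
```

Running `check_pages(SAMPLE_PAGES)` reports page 2 twice (invalid footer, header and footer differ) and nothing for page 1, which is the kind of pre-release check a contractor can apply to derivative documents before they leave the NIST SP 800-171 environment.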
Who Is Responsible for Marking Controlled Unclassified Information?
The originating government agency is responsible for initially designating CUI, but contractors must preserve existing CUI markings and apply them to any derivative or newly created documents.
That obligation includes cases where the contractor is the originator of the information. According to Section 3.6.a of DoDI 5200.48, “the authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category.” If it does, the contractor must mark it accordingly. The policy is reinforced in Section 5.1, which outlines the shared responsibilities between DoD and industry for the “identification, creation, sharing, [and] marking” of CUI under contract.
In short, if your organization creates CUI under a DoD contract, you are required to identify it, apply proper markings, and ensure it is protected according to the terms of the contract and applicable law.
Streamline CUI Compliance with Exostar
CUI compliance is complex, especially when policies, markings, and cybersecurity controls must align with NIST SP 800-171 and CMMC 2.0. Whether you’re struggling with documentation, policy enforcement, or assessment preparation, Exostar helps Defense Industrial Base organizations simplify and strengthen their approach.
Exostar’s CMMC Ready Suite offers a comprehensive set of tools and services designed to support compliance at every step. From documentation and scoring to collaboration and policy management, it brings structure, automation, and expert support into a single environment.
With the CMMC Ready Suite, you can:
- Assess and track CMMC 2.0 readiness with guided workflows and real-time dashboards
- Reduce documentation burden by automating SSPs, POA&Ms, and SPRS scoring with Certification Assistant
- Collaborate securely on CUI with partners and suppliers through Managed Microsoft 365, hosted in a FedRAMP-authorized Microsoft GCC High environment
- Create and maintain clear, assessor-ready policies using PolicyPro, with guidance aligned to NIST SP 800-171 controls
Each component of the suite addresses common compliance roadblocks, giving your team the tools it needs to stay organized, reduce risk, and prepare with confidence for third-party assessments.
Need help getting started?
Schedule a consultation to learn how Exostar can help you simplify CUI compliance and support your CMMC 2.0 goals.