CUI Handling for Small Government Contractors — Practical Guide for 20-Person Shops
Controlled Unclassified Information rules from a small contractor's perspective: what CUI actually is, who decides, the categories that show up in defense work, marking and dissemination, storage requirements, and the cheapest defensible architecture for a small federal contractor.
Controlled Unclassified Information is the federal data category that sits below classified but above public. It carries handling rules under 32 CFR Part 2002 and, for DoD contractors, safeguarding and incident-reporting requirements under DFARS 252.204-7012. Most small contractors don't realize they're handling CUI until a contracting officer mentions it or DC3 (the DoD Cyber Crime Center, which receives DIBNet incident reports) asks for an incident report.
This is the practical guide. What counts as CUI, who decides, the categories that show up in defense work, how to mark and store it, and the cheapest defensible architecture for a sub-50-person federal contractor.
What CUI actually is
CUI is information the federal government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that requires safeguarding or dissemination controls under law, regulation, or government-wide policy.
That's the formal definition. The practical version: if a federal agency has rules about how data must be protected and disseminated, and your contract gives you that data, it's CUI.
Examples that come up in defense and federal civilian contracts:
- Technical drawings of hardware (Controlled Technical Information / CTI)
- Component specifications subject to export control (CTI / EAR / ITAR-adjacent)
- Procurement-sensitive information (source-selection materials before award)
- Personally Identifiable Information from federal sources
- Critical infrastructure security information
- Certain financial systems data
- Law enforcement sensitive data
- Privileged contract pricing information
What's NOT CUI:
- Public information published on agency websites
- General contract terms that aren't marked controlled
- Your internal financial data (not derived from a federal source)
- Press releases and FOIA-released documents
- Past performance data that's been cleared for release
The distinction matters because CUI triggers DFARS 7012 obligations (NIST SP 800-171 on every system that stores, processes, or transmits it). Non-CUI federal contract data does not, though if it is Federal Contract Information it still falls under the FAR 52.204-21 basic safeguarding requirements.
Who decides what's CUI
Three sources determine CUI status:
- The originating agency — they mark documents as CUI when they create them.
- The contract — the contract data requirements list (CDRL) and Section H clauses identify CUI deliverables and CUI source materials.
- The CUI Registry (www.archives.gov/cui/registry/category-list) — the National Archives maintains the official categorization.
If you're unsure, the answer is almost always: ask the contracting officer. Get the answer in writing. CUI determination by a non-government employee is not authoritative.
CUI marking and dissemination
CUI documents carry a banner marking and may carry category and dissemination markings, separated by double slashes:
- Banner: CUI, at the top of every page.
- Optional category marking: CUI//SP-CTI (CUI Specified category, Controlled Technical Information). The SP- prefix is used only for CUI Specified categories; Basic categories appear without it.
- Optional limited dissemination control, after a second double slash: //FED ONLY (federal employees only), //FEDCON (federal employees and contractors), //NOFORN (no foreign nationals). A full banner therefore looks like CUI//SP-CTI//NOFORN.
When you create derivative work that incorporates CUI, the derivative carries the same markings. If you incorporate CUI from multiple sources with different categories, the derivative carries all applicable markings.
If you receive an unmarked document that you believe contains CUI, the obligation is to ask the originator. Don't downgrade or assume.
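As an added example (not code from the original page), here is a small Python checker for the banner grammar above. It parses a banner into its category and dissemination-control parts, rejects markings it cannot account for, and builds the banner for a derivative document by taking the union of its sources' markings, which is the rule the previous paragraphs state. Three things are this example's assumptions rather than anything the page or the marking handbook says: the allow-list of dissemination controls is just the three named here, the output orders Specified categories before Basic ones and then alphabetically, and a banner with a single double-slash segment is treated as LDCs only when every token is on the allow-list. The CUI Registry and the marking handbook are the authorities.

```python
import re
from dataclasses import dataclass, field

# Limited dissemination control (LDC) markings named in the text. Constructed
# allow-list for this example; the CUI Registry is the authoritative source.
KNOWN_LDCS = {"FED ONLY", "FEDCON", "NOFORN"}

# Category marking: optional "SP-" prefix (CUI Specified) plus the Registry marking.
CATEGORY_RE = re.compile(r"^(SP-)?([A-Z][A-Z0-9]*)$")


@dataclass(frozen=True)
class Category:
    name: str        # Registry marking, e.g. "CTI"
    specified: bool  # True for CUI Specified (carries the "SP-" prefix)

    def marking(self) -> str:
        return f"SP-{self.name}" if self.specified else self.name


@dataclass
class Banner:
    categories: list = field(default_factory=list)
    ldcs: list = field(default_factory=list)

    def render(self) -> str:
        """Rebuild the banner line. Ordering is this example's assumption:
        Specified categories before Basic, alphabetical within each group,
        LDCs alphabetical."""
        parts = ["CUI"]
        if self.categories:
            cats = sorted(set(self.categories), key=lambda c: (not c.specified, c.name))
            parts.append("/".join(c.marking() for c in cats))
        if self.ldcs:
            parts.append("/".join(sorted(set(self.ldcs))))
        return "//".join(parts)


def _parse_categories(segment: str) -> list:
    cats = []
    for token in segment.split("/"):
        m = CATEGORY_RE.match(token.strip())
        if not m:
            raise ValueError(f"bad category marking: {token!r}")
        cats.append(Category(name=m.group(2), specified=m.group(1) is not None))
    return cats


def _parse_ldcs(segment: str) -> list:
    ldcs = [t.strip() for t in segment.split("/")]
    unknown = [t for t in ldcs if t not in KNOWN_LDCS]
    if unknown:
        raise ValueError(f"unknown dissemination control(s): {unknown}")
    return ldcs


def parse_banner(line: str) -> Banner:
    """Accept 'CUI', 'CUI//CAT[/CAT]', 'CUI//LDC[/LDC]' and
    'CUI//CAT[/CAT]//LDC[/LDC]'. With a single '//' segment the allow-list
    decides whether it holds categories or LDCs (this example's rule)."""
    segments = [s.strip() for s in line.strip().split("//")]
    if segments[0] != "CUI":
        raise ValueError("banner must start with 'CUI'")
    if len(segments) == 1:
        return Banner()
    if len(segments) == 2:
        tokens = [t.strip() for t in segments[1].split("/")]
        if all(t in KNOWN_LDCS for t in tokens):
            return Banner(ldcs=_parse_ldcs(segments[1]))
        return Banner(categories=_parse_categories(segments[1]))
    if len(segments) == 3:
        return Banner(_parse_categories(segments[1]), _parse_ldcs(segments[2]))
    raise ValueError("too many '//' separators")


def is_valid_banner(line: str) -> bool:
    try:
        parse_banner(line)
    except ValueError:
        return False
    return True


def derivative_banner(*sources: str) -> str:
    """Banner for a document built from several CUI sources: the union of every
    source's categories and dissemination controls (the 'carries all
    applicable markings' rule from the text)."""
    merged = Banner()
    for src in sources:
        b = parse_banner(src)
        merged.categories.extend(b.categories)
        merged.ldcs.extend(b.ldcs)
    return merged.render()


if __name__ == "__main__":
    # Constructed sample: a test report assembled from a CTI drawing package
    # and a source-selection pricing sheet that carry different controls.
    print(derivative_banner("CUI//SP-CTI//NOFORN", "CUI//PROCURE//FEDCON"))
```

The point of the derivative function is the one people get wrong in practice: pulling a paragraph from a NOFORN-marked drawing package into a report built on FEDCON procurement data yields a document that carries both controls, not whichever one the author remembered.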
The ~125 CUI categories (and the ones you'll actually see)
The CUI Registry lists about 125 categories across 20 groupings. For DoD and federal civilian work, the ones small contractors most often touch:
| Registry marking | What it is | Where it shows up |
|---|---|---|
| CTI | Controlled Technical Information | Engineering deliverables, drawings, test data |
| PROCURE | General Procurement and Acquisition | Source selection, pricing, evaluation criteria |
| PRVCY | General Privacy | PII collected for federal purposes |
| EXPT | Export Controlled | Technical data subject to EAR or ITAR (separate but overlapping regime) |
| OPSEC | Operations Security | Operational details, force structure |
The marking goes in the banner after the double slash. Only CUI Specified categories take the SP- prefix (CUI//SP-CTI); the Registry entry for each category says whether it is Basic or Specified. There is no "general controlled" category: CUI Basic with no category listed is marked simply CUI.
FCI is not a CUI category. It is a separate designation covered by FAR 52.204-21 (15 basic safeguarding requirements) rather than NIST SP 800-171. Most CUI contracts include FCI; not all FCI contracts include CUI. CMMC Level 1 is the FCI tier; CMMC Level 2 is the CUI tier.
Storage requirements
DFARS 252.204-7012 defines the storage standard: NIST SP 800-171 controls applied to any system that processes, stores, or transmits CUI.
Practical translation by storage layer. Where a row says FIPS-validated, that means a cryptographic module with a CMVP validation certificate, which is what 3.13.11 requires; a vendor's "FIPS-compliant" claim is not the same thing, so ask for the certificate number:
| Layer | Requirement | Typical solution |
|---|---|---|
| Email | FIPS-validated encryption in transit and at rest | M365 GCC ($35/user/mo) or Google Workspace Enterprise Plus with appropriate config |
| File storage | FIPS-validated encryption, access logging, MFA | M365 GCC SharePoint, Box for Government, or AWS GovCloud S3 |
| Endpoints | Managed device with encryption, MDM enrollment | Intune-managed Windows or macOS, no BYOD for CUI |
| Mobile | Containerization or no CUI on mobile | Intune mobile management, or policy-prohibit |
| Backup | Same encryption + access controls as primary | Veeam with FIPS module to S3 GovCloud, or M365 retention policies |
| Network | Boundary protection, MFA for remote access | VPN with FIPS module, Tailscale Enterprise, or M365 GCC's built-in conditional access |
The cheapest defensible architecture for a 20-person shop today is M365 GCC ($35/user/mo) running everything email/file/Teams in a single tenant, paired with Intune (included) for endpoint management. That covers roughly 70 of the 110 NIST SP 800-171 (Rev 2) requirements without buying additional tools. One caveat: if any of your CUI is also ITAR-controlled export data, confirm with your contracting officer which environment satisfies the export-control obligation before you buy; Microsoft positions GCC High, not GCC, for ITAR data.
What M365 GCC does not cover:
- Vulnerability scanning (need Tenable, Rapid7, or similar)
- Centralized SIEM beyond M365's native logging (need Sentinel or third-party)
- Specialized application audit logging (your accounting system, your contract management system — each needs its own logging that you collect)
Cheapest defensible architecture (sub-50 contractor)
| Component | Tool | Annual Cost (20 users) |
|---|---|---|
| Email + File + Teams | M365 GCC E3 | $8,400 |
| Endpoint management | Intune (included) | $0 |
| MFA / SSO | Entra ID (included) | $0 |
| Vulnerability scanning | Tenable Nessus Professional | $4,000 |
| Security awareness training | KnowBe4 small-business tier | $2,000 |
| SIEM | Microsoft Sentinel pay-as-you-go | $2,000 |
| FIPS-validated VPN | Tailscale Enterprise | $2,000 |
| Background checks (1099 + W2) | Sterling or HireRight | $50/check × 20 = $1,000 |
| DCAA-compliant accounting + audit trail (covers 5 of 9 controls in family 3.3) | FieldLedger + QBO | $2,900 |
| Total annual | ~$22,300 |
That's the steady-state cost. Initial setup adds 60–120 hours of internal time (or $15K–$25K of consultant time) for the SSP and POA&M.
You can compress costs further by:
- Skipping Sentinel and using M365 GCC's native log collection (lose some 3.3 family points)
- Using KnowBe4 free tier (limited content)
- Skipping the FIPS VPN if all access is through M365 GCC's conditional access
- Using a one-time consultant for the SSP only and maintaining it in-house thereafter
The hard floor for a defensible posture is around $15K/yr in tools plus internal admin time. Below that, you're cutting controls that an assessor will catch.
Subcontractor flowdown
If you flow CUI to a subcontractor, you flow the entire DFARS 7012 + 7020 obligation. The sub must:
- Have a current SPRS score posted
- Implement NIST 800-171
- Report incidents within 72 hours
- Cooperate with DoD forensics
- Flow the obligation further to their own subs
You verify by asking for the sub's SPRS score before flowing CUI to them. If they don't have one, DFARS 7020 says you don't award them a subcontract that involves CUI until they do. This is where many SMB primes get blindsided: they assume their long-time partner is "compliant" and discover at audit that the sub never posted a score.
The SF1408 audit doesn't usually probe subcontractor compliance. The DCMA contract administration team and DCAA increasingly do. Get this in writing from your subs before the work starts.
What gets graded "wrong" most often by SMBs
1. Treating internal documents derived from a federal source as not-CUI. If you take CUI source material and create a derivative document, the derivative is still CUI. The marking carries forward.
2. Using personal email or personal cloud storage "just for a moment." No exceptions. Once CUI touches an unauthorized system, you have an incident and a 72-hour reporting obligation.
3. Subcontracting to lower-tier subs without flowing the clause. The 7012 flowdown is automatic in most contracts but the practical implementation depends on you actually verifying the sub's posture. Don't assume.
4. Storing CUI on the printer hard drive. Multifunction printers cache scanned/printed documents. If your CUI workflow involves print/scan, the printer is in scope. Either disable hard-drive caching, isolate the printer to a managed-device network, or treat the printer as out-of-scope for CUI work.
5. Working from a coffee shop on a contract with CUI handling rules. Public Wi-Fi is not the violation by itself; moving CUI over it from an unmanaged device, or without FIPS-validated encryption end to end (3.13.8 and 3.13.11 in the System and Communications Protection family), is. Unless the laptop is managed and the traffic runs through a FIPS-validated VPN or straight to your GCC tenant over FIPS-validated TLS, you are outside the boundary your SSP describes, and if CUI was exposed you have a reportable incident. Many SMB engineers do this and don't realize it.
6. Failing to scrub CUI from proposals after award. If you incorporated CUI from one contract into a proposal for another, the new contract may not have the same handling rights. Scrub or get explicit dissemination authorization.
What to do this quarter if you handle CUI
Inventory your CUI. Walk every contract, list the deliverables, mark which involve CUI source material or generate CUI deliverables. This is the first artifact every assessor asks for.
Confirm marking practices. Pull 10 recent CUI documents you've handled. Are the markings correct? Are derivative documents marked correctly?
Audit storage locations. Where does CUI actually live? Email, file shares, Slack, personal Dropbox, that one engineer's local laptop. Get it all into your authorized environment.
Verify subcontractor posture. Every sub touching CUI needs a current SPRS score. Get it on file.
Write or update the SSP section that describes your CUI environment. It's the single most-referenced part of the SSP during an assessment.
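A starting point for the storage-audit step, added here and not part of the original page: a Python scanner that walks a directory (a file-share mount, an engineer's home directory, an export of a personal Dropbox folder) and reports files carrying a CUI banner marking in plain text or inside a .docx body, header or footer. The file types covered, the minimal .docx it builds for its own demo, and the sample contents are constructed for the example. A bare "CUI" word hit is reported too, since a file that talks about CUI is worth a look, but it is a weaker signal than a marking with a category.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Matches a banner such as "CUI", "CUI//SP-CTI" or "CUI//SP-CTI//NOFORN".
# The lookarounds keep "CUI" from matching inside words like "acuity".
BANNER_RE = re.compile(r"(?<![A-Za-z0-9])CUI(?://[A-Z][A-Z0-9/ -]*)?(?![A-Za-z0-9])")

# Plain-text types read directly; everything else except .docx is skipped.
TEXT_SUFFIXES = {".txt", ".md", ".csv"}
DOCX_PARTS = re.compile(r"word/(document|header\d*|footer\d*)\.xml")


def _docx_text(data: bytes) -> str:
    """Text of the .docx parts a banner lives in: body, headers, footers.
    Stripping the XML tags re-joins a marking that Word split across runs."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            parts = [n for n in z.namelist() if DOCX_PARTS.fullmatch(n)]
            xml = "\n".join(z.read(n).decode("utf-8", "ignore") for n in parts)
    except zipfile.BadZipFile:
        return ""
    return re.sub(r"<[^>]+>", "", xml)


def scan_bytes(name: str, data: bytes) -> list:
    """Return the distinct banner markings found in one file's content."""
    suffix = Path(name).suffix.lower()
    if suffix == ".docx":
        text = _docx_text(data)
    elif suffix in TEXT_SUFFIXES:
        text = data.decode("utf-8", "ignore")
    else:
        return []
    hits = []
    for m in BANNER_RE.finditer(text):
        hit = m.group(0).strip()
        if hit not in hits:
            hits.append(hit)
    return hits


def scan_tree(root) -> dict:
    """Map each flagged file (path relative to root) to the markings in it."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = scan_bytes(path.name, path.read_bytes())
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings


def _write_docx(path: Path, header_runs: list, body_text: str) -> None:
    """Minimal constructed .docx containing only the parts the scanner reads."""
    runs = "".join(f"<w:r><w:t>{r}</w:t></w:r>" for r in header_runs)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("word/header1.xml", f"<w:hdr><w:p>{runs}</w:p></w:hdr>")
        z.writestr(
            "word/document.xml",
            f"<w:document><w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>",
        )


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "drawing_notes.txt").write_text(
            "CUI//SP-CTI//NOFORN\nBracket tolerances for the mounting plate.\n"
        )
        (r / "lunch.md").write_text(
            "Cuisine options for the offsite and the acuity test schedule.\n"
        )
        # Header marking split across two Word runs, as real documents often are.
        _write_docx(r / "pricing.docx", ["CUI//PRO", "CURE"], "Evaluation pricing, not for release.")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Point it at a mounted share or a home directory and you get the list of files that need to move into the authorized environment, plus the markings each one carries, which is the evidence an assessor asks for when you claim you know where your CUI lives. Scanned PDFs and images are not covered; those need OCR before the same regex is useful.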
Keep reading
- Take the free 5-minute DCAA readiness assessment — score your accounting system against the 7 DCAA focus areas.
- How the FieldLedger indirect rate engine works — FAR 31.2 Structure A and B, resolved automatically.
- Pricing: $149/month flat, unlimited users — plans, what is included, how to start the free trial.