Addressing Controlled Unclassified Information (CUI) with Your Insider Risk Program
Key Points
- CMMC is designed to safeguard Controlled Unclassified Information (CUI), requiring defense contractors and their subcontractors to implement strong cybersecurity controls.
- Insider Risk programs help detect and prevent unauthorized CUI access, promoting security awareness and proactive threat detection to meet CMMC requirements.
- CMMC compliance requires continuous assessment, training, and monitoring for all contractors and subcontractors to ensure consistent CUI protection.
In this article we dive deeper into controlled unclassified information (CUI), one of the primary data types CMMC is designed to protect.
What is controlled unclassified information (CUI)?
Controlled unclassified information (CUI) is defined by the CMMC guide as “information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.”
It’s important to note that, while CUI is neither classified nor federally regulated, it is still considered sensitive to U.S. government and military interests. As such, the CMMC requires controls to be placed on CUI for proper safeguarding and dissemination.
What are some examples of CUI?
CUI is divided into categories. Sensitivity varies across categories, but all of them require the same level of safeguarding.
Examples of CUI are:
- Defense data and analysis
- Critical infrastructure plans
- Import/export controls
- Law enforcement and intelligence activities
- Federally funded research and project information
Are there other types of information that are intended to be protected by CMMC?
Yes, federal contract information (FCI) is also intended to be protected by CMMC. The CMMC guide defines FCI as “information provided by or generated for the Government under contract not intended for public release.”
CMMC level 1 addresses the requirements to protect FCI. However, CUI and FCI may overlap: a given piece of information can qualify as both types, which requires contractors to meet the requirements of CMMC levels 2 and 3.
How does an Insider Risk program help safeguard CUI?
The safety of sensitive information shared with or managed by contractors is a core focus of any Insider Risk program. Under CMMC, this focus is on protecting CUI and FCI. The CMMC framework does not address Insider Risk in a single domain; instead, the requirements and controls relevant to an Insider Risk program are spread across multiple CMMC domains.
An effective Insider Risk program helps organizations detect, respond to, and prevent unauthorized access or sharing of CUI—whether intentional or accidental. By integrating security awareness among employees, subcontractors, and vendors, organizations can reduce exposure to internal data loss and maintain compliance with defense industrial base (DIB) cybersecurity requirements.
CUI and CMMC Assessments
CMMC assessments are a formal process designed to verify whether an organization handling CUI or FCI has implemented adequate cybersecurity controls. These assessments measure compliance against frameworks such as NIST SP 800-171 and DFARS 252.204-7012, both of which outline baseline requirements for protecting controlled information.
During an assessment, third-party evaluators review an organization’s systems, processes, and documentation—including policies, training, and incident response measures. Results are then uploaded to the Supplier Performance Risk System (SPRS), where compliance scores help determine eligibility for future contract awards within the defense supply chain.
Organizations can find additional guidance through official websites such as:
- The Cyber AB (the official accreditation body for CMMC)
- The Department of Defense (DoD) CMMC website
- The NIST CUI Registry
These sites provide the most current information on certification milestones, policy updates, and recognized assessment organizations.
How Subcontractors and Employees Help Maintain Compliance
Compliance with CMMC does not stop at the prime contractor level. Subcontractors who process or store CUI must also adhere to the same protection and cybersecurity requirements. Ensuring that every link in the supply chain meets these obligations is critical to achieving full compliance.
This requires continuous awareness training, monitoring, and reporting to ensure all employees and subcontractors understand their roles in safeguarding CUI. Clear communication channels and accountability structures reinforce a culture of protection that aligns with CMMC principles.
An Insider Risk program can further support this by promoting responsible data handling behaviors and enabling early detection of potential insider threats before they impact compliance or contract eligibility.
The Bottom Line
The protection of Controlled Unclassified Information represents a fundamental responsibility for every organization within the defense industrial base. While CUI may not carry a classified designation, its sensitivity to U.S. government and military interests demands the same rigorous safeguarding as more restricted data types. By implementing comprehensive Insider Risk programs and maintaining robust cybersecurity frameworks, organizations ensure that CUI remains protected across all touchpoints—from initial contractor receipt through subcontractor handling and eventual disposition.
As CMMC requirements continue to mature, the focus on CUI protection will only intensify. Organizations that excel at identifying, tracking, and safeguarding CUI throughout their operations—and across their entire supply chain—position themselves as trusted partners in the defense ecosystem. This means going beyond baseline compliance to create a culture where every employee, contractor, and system treats CUI with the vigilance it deserves.
Mimecast's Human Risk Management Platform helps organizations maintain continuous visibility over CUI handling and movement, enabling proactive detection of potential exposure risks before they compromise your CMMC compliance status. By automating CUI monitoring and providing real-time alerts on policy violations, you can demonstrate to assessors and government partners that your CUI protection measures exceed requirements.
Take the next step in safeguarding your controlled unclassified information. Request a demo of Mimecast's Human Risk Management Platform today.