What is CUI? | A Quick Guide to Controlled Unclassified Information (CUI)


📌 What is CUI?

Controlled Unclassified Information (CUI) is information the U.S. government creates or possesses that requires safeguarding or dissemination controls but isn't classified. In short, it's still sensitive and must be protected.

Think: contract details, system diagrams, export control info, or anything marked “CUI.”


🎓 Where Can I Take CUI Training?

All users—whether you're a contractor, federal employee, or vendor—should complete CUI awareness training. The official source of truth for CUI training is:

👉 CDSE: Controlled Unclassified Information Training

  • Free
  • Takes about 30 minutes
  • Includes certificate of completion
  • Updated to meet Executive Order 13556 requirements

We strongly recommend this course to every team member who may work with CUI, especially if you are aiming for CMMC compliance.


📂 CUI Categories: What Counts as CUI?

The U.S. National Archives maintains the official CUI Registry, which lists every category of CUI recognized by the government.

👉 CUI Category List

Examples:

  • Export Control
  • Critical Infrastructure
  • Procurement and Acquisition
  • Legal

If you’re not sure whether something is CUI—start here. It’s your best reference.


🔐 What’s the Connection Between CUI and CMMC?

Protecting CUI is a core part of your compliance obligations under the Cybersecurity Maturity Model Certification (CMMC) if you're a government contractor.

We recommend using the DoD CIO’s official site for all up-to-date info on CMMC levels, requirements, and updates:

👉 DoD CIO: CMMC

This is our source of truth for all things CMMC—don’t trust random blogs or consultants that don’t link back to this.


🧾 Submitting Your CMMC Self-Assessment to SPRS

To handle CUI, you must submit a Basic Self-Assessment to the Supplier Performance Risk System (SPRS).

🔑 How to Get to SPRS:

  1. Go to: https://www.sprs.csd.disa.mil
  2. Click “Login” (you’ll need a CAC, ECA certificate, or login.gov)
  3. Go to the “NIST SP 800-171 Assessment” section
  4. Submit your score or check your submission status

📚 Recommended Training Resources:


🔐 What’s the Connection Between CUI and CMMC?

Protecting CUI isn’t optional for government contractors—it’s already required under DFARS 252.204-7012, which is included in over 90% of all DoD contracts involving CUI.

This clause requires:

  • Implementation of NIST SP 800-171 cybersecurity controls
  • Reporting cyber incidents to DoD
  • Submitting your self-assessment score to the SPRS portal

So even if CMMC isn’t being enforced yet at your level, DFARS is already included in your contract. If you’re handling CUI, you’re expected to follow these controls now.

👉 Need a simple explanation?

Check out this free video from DVIDS:

🎥 Cybersecurity Compliance: An Introduction to DFARS 252.204-7012 and NIST SP 800-171 Requirements (2021)

It’s short, clear, and easy to follow—perfect for teams, vendors, or anyone trying to understand why these requirements matter.


✅ Final Takeaways

  • Complete CUI training through CDSE
  • Reference the CUI Registry for what needs protection
  • Stay current with CMMC updates via the DoD CIO site
  • Submit NIST 800-171 assessments through SPRS

CyberMyte clients, we’ve got you. Contact our team if you need help managing CUI or completing compliance steps.