Compliance
CUI Compliance for Defense Contractors: The 2026 Guide to NIST 800-171, DFARS 7012, and CMMC 2.0
A plain-English 2026 guide to CUI compliance for US defense contractors — what Controlled Unclassified Information (CUI) actually is, who is responsible for protecting it, how NIST SP 800-171 rev. 3, DFARS 252.204-7012, and CMMC 2.0 fit together, and the exact 30-step program our team uses to get subcontractors and primes audit-ready.

If you build, ship, code, machine, install, transport, or in any way support anything for the US Department of Defense — or you subcontract to a company that does — the words "CUI compliance" now sit at the top of your risk register. In 2026, DoD is actively flowing down CMMC 2.0 requirements into new solicitations, DIBCAC assessments are hitting existing DFARS 7012 contract holders, False Claims Act cases tied to inflated SPRS scores are being settled for eight figures, and prime contractors are quietly de-listing subs whose System Security Plans (SSPs) do not hold up. This is the guide the Cybrvault team wrote for the small-to-midsize defense contractors we work with across Miami, Fort Lauderdale, and the rest of the US — a plain-English, field-tested walkthrough of what CUI actually is, who is responsible for protecting it, how NIST 800-171, DFARS 7012, and CMMC 2.0 fit together, and the exact 30-step program to get audit-ready without blowing up your business.
If you're brand new to any of this, pair this article with our DoD SAFE guide, DoDI 8500.01 explainer, NIST SP 800-171 checklist, and CMMC 2.0 requirements guide. For a broader view of how we run compliance programs for SMBs in South Florida, see Miami cybersecurity and Managed IT services in Miami.
What is CUI (Controlled Unclassified Information)?
CUI stands for Controlled Unclassified Information. It is any information the US Government creates or possesses — or that a non-federal entity such as a contractor, university, or grant recipient creates, receives, transmits, or stores on behalf of the Government — that a law, regulation, or Government-wide policy requires to be safeguarded or subject to dissemination controls. CUI is not classified (Confidential/Secret/Top Secret), but it is not public either. It sits in the middle: sensitive, controlled, and legally protected.
CUI is defined by Executive Order 13556 (2010), implemented by 32 CFR Part 2002, and governed by the National Archives and Records Administration (NARA) Information Security Oversight Office (ISOO). The authoritative list of CUI categories and their handling rules lives in the CUI Registry at archives.gov/cui. There are more than 125 categories today, grouped into families like Defense, Export Control, Financial, Immigration, Intelligence, Law Enforcement, Nuclear, Patent, Privacy, Procurement and Acquisition, Proprietary Business Information, Provisional, Statistical, Tax, Transportation, and Critical Infrastructure.
For DoD contractors specifically, the CUI you are most likely to touch falls into the Defense family: Controlled Technical Information (CTI), Naval Nuclear Propulsion Information (NNPI), and DoD Critical Infrastructure Security Information, plus Export Control categories (ITAR/EAR technical data), Procurement categories (source-selection information, contractor bid or proposal information), and Privacy categories (PII on service members, dependents, or contractors).
CUI vs CTI vs CDI — what's the difference?
These three acronyms get used interchangeably in DoD land and it causes real damage during audits. Here's the plain-English breakdown.
- **CUI (Controlled Unclassified Information)** — the umbrella term across the entire US Government. Defined by 32 CFR Part 2002 and NARA. Applies to every agency, not just DoD.
- **CTI (Controlled Technical Information)** — a specific CUI category inside the Defense family. Technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination per DoDI 5230.24. Think: engineering drawings, specifications, standards, process sheets, manuals, technical reports, technical orders, computer software executable code and source code — anything that could give a foreign adversary a design advantage.
- **CDI (Covered Defense Information)** — the contract-clause term used by DFARS 252.204-7012. CDI is the union of CTI and any other information the Government marks or identifies as requiring safeguarding under DFARS 7012, plus information collected/developed/received/transmitted/used/stored to perform the contract. In practice, DoD has aligned CDI with the broader CUI framework — if it's CUI on a DoD contract, treat it as CDI.
The rule of thumb: all CTI is CUI, all CDI is CUI, and inside a DoD contract, safeguarding CDI = safeguarding CUI = implementing NIST SP 800-171.
Who is responsible for protecting CUI?
This is one of the most-searched questions on the entire compliance internet — and one of the most misunderstood. The short, legally-accurate answer: **everyone who handles CUI is responsible for protecting it, at every level of the contract chain.**
Break it down by role:
- **The US Government (data owner)** — Under EO 13556 and 32 CFR Part 2002, the originating agency is responsible for identifying, marking, and specifying dissemination controls for CUI. NARA/ISOO oversees the program government-wide. DoD's CUI program is run under DoDI 5200.48.
- **The prime contractor** — Legally responsible under DFARS 252.204-7012 (and, where applicable, DFARS 252.204-7019/7020/7021 and CMMC 2.0) for protecting CUI on any non-federal information system it operates in support of the contract, and for flowing down the same requirements to every subcontractor whose work involves CUI.
- **Every subcontractor and teaming partner** — Individually responsible via flowdown clauses. "My prime is compliant" is not a defense. DIBCAC and the DoD IG can assess a sub directly, and False Claims Act liability attaches to whoever signed the SPRS score.
- **Every cloud/hosting/MSSP that stores, processes, or transmits CUI** — Must meet FedRAMP Moderate baseline (or equivalent under the DoD DISA SRG for CUI in the cloud) per DFARS 252.204-7012(b)(2)(ii)(D). Includes M365 GCC High for most CUI workloads, GCC (with caveats) for some, and never commercial M365 or commercial Google Workspace for CUI.
- **Every employee, contractor, and consultant with access to CUI** — Personally responsible under company policy and, for classified spillage or knowing unauthorized disclosure, potentially under 18 U.S.C. § 641 and § 793. Annual CUI training is mandatory (DoDI 5200.48).
- **The company's senior official (CEO, President, or designated Senior Agency Official)** — Signs the SPRS score in the Supplier Performance Risk System and personally attests to accuracy. This is the signature that False Claims Act cases are built on.
"You cannot outsource accountability for CUI. You can outsource the work — you cannot outsource the signature."— Cybrvault vCISO practice
The regulatory stack: NIST SP 800-171, DFARS 7012, CMMC 2.0
These three are not competing frameworks — they are one stack.
NIST SP 800-171 — the control catalog
NIST Special Publication 800-171 is the technical baseline: 110 security requirements (in Revision 3, published May 2024, restructured into 17 control families) covering access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity — extended in Rev 3 with new families for Planning, Program Management, Supply Chain Risk Management, and System and Services Acquisition. If your contract references CUI protection, this is the checklist you are being measured against.
DFARS 252.204-7012 — the contract clause
DFARS clause 252.204-7012 is what puts NIST SP 800-171 into your contract. It requires contractors to (1) provide adequate security on non-federal systems that process, store, or transmit Covered Defense Information — defined as implementing NIST SP 800-171 — and (2) rapidly report cyber incidents to DoD via DIBNet (dibnet.dod.mil) within 72 hours of discovery. It also imposes flowdown obligations, media preservation and protection for 90 days, malicious software submission to DoD Cyber Crime Center (DC3), and cloud service provider requirements at the FedRAMP Moderate baseline.
DFARS 252.204-7019 / 7020 / 7021 — the SPRS + assessment clauses
The 7019 and 7020 clauses (in effect since November 2020) require contractors to post a current NIST SP 800-171 self-assessment score in the Supplier Performance Risk System (SPRS) and to submit to a DoD Assessment (Basic, Medium, or High) as a condition of award. The 7021 clause introduces CMMC-level requirements at contract award and flowdown.
CMMC 2.0 — the assessment framework
The Cybersecurity Maturity Model Certification (CMMC) 2.0 program (32 CFR Part 170, final rule effective 16 December 2024) turns self-attestation into a graded, verified certification. Three levels:
- **Level 1 (Foundational)** — 15 basic safeguarding practices from FAR 52.204-21. Annual self-assessment. Applies to contracts that involve only Federal Contract Information (FCI), not CUI.
- **Level 2 (Advanced)** — All 110 NIST SP 800-171 requirements. Third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) every 3 years for most contracts involving CUI; annual self-assessment allowed for a narrow subset. This is where the vast majority of CUI-touching contractors will land.
- **Level 3 (Expert)** — Level 2 + a subset of NIST SP 800-172 enhanced requirements. DIBCAC-led government assessment every 3 years. Reserved for the highest-priority, most sensitive programs.
CMMC contract clauses (DFARS 252.204-7021) begin phasing into DoD solicitations in 2025 and reach full implementation by 2028. If you want to bid on DoD work in that window, the practical target for anyone touching CUI is CMMC Level 2 with a C3PAO certificate.
The 30-step CUI compliance program (what actually works)
This is the exact program the Cybrvault team runs for defense subcontractors and small primes. It is designed to take a typical 10–200 person firm from "we heard about CMMC" to "we passed our C3PAO Level 2 assessment" in 6–12 months, without buying every product on the market.
Phase 1 — Scope and boundary (weeks 1–4)
- 1Identify every contract, task order, and grant that references DFARS 7012, CUI, CTI, CDI, ITAR, EAR, or CMMC. Pull the full clause list from each award.
- 2Map data flows: where does CUI enter your environment (email, portal, upload, USB, courier), where does it live at rest (file share, SharePoint, ERP, PDM, CAM, EDA), and where does it leave (subcontractor, prime, DCMA, DIBNet)?
- 3Draw the CUI enclave. This is the single most important architectural decision in the program: keep the CUI boundary as small as possible. Most SMBs land on a dedicated M365 GCC High tenant + a locked-down engineering VDI + a small on-prem file server for machine tools — not "the entire company network."
- 4Inventory every asset in the enclave: users, endpoints, servers, mobile devices, network gear, cloud tenants, SaaS apps, printers/MFPs, and CNC/PLC/OT devices that touch CUI.
- 5Write the CUI Enclave Definition memo. Get it signed by the CEO. This becomes the anchor for your SSP and your assessment scope.
Phase 2 — System Security Plan and gap assessment (weeks 3–8)
- 1Build the System Security Plan (SSP) using NIST SP 800-18 as the template. One SSP per assessment boundary — do not try to write one SSP for the whole company.
- 2Run a NIST SP 800-171 rev 3 gap assessment against every control. Score each requirement Implemented / Partially Implemented / Not Implemented. Document evidence pointers.
- 3Calculate the SPRS score (110-point starting scale, weighted deductions per DoD Assessment Methodology). Do not inflate it — this is the number the CEO will attest to and that FCA cases are built on.
- 4Build the POA&M (Plan of Action and Milestones) for every Not Implemented / Partially Implemented control, with owner, resource, and target date. Under CMMC 2.0, a limited set of controls may remain on a POA&M at assessment time (max 180 days to close) — most cannot.
- 5Post the SPRS score in the Supplier Performance Risk System within 30 days of a new self-assessment or upon contract requirement.
Phase 3 — Technical remediation (weeks 6–24)
- 1Move CUI email and collaboration to Microsoft 365 GCC High (or an equivalent StateRAMP/FedRAMP High enclave). Commercial M365 and commercial Google Workspace are not compliant for CUI.
- 2Enforce phishing-resistant MFA on every account with access to CUI — hardware FIDO2 keys or Windows Hello for Business, not SMS. NIST SP 800-171 rev 3 3.5.3.
- 3Deploy FIPS 140-2/140-3 validated cryptography for CUI at rest and in transit (BitLocker with FIPS mode, TLS 1.2+ with validated modules, AES-256).
- 4Stand up SIEM + 24/7 monitoring (Sentinel, Splunk, Elastic, or an MSSP) with 90-day log retention minimum, 12 months preferred.
- 5Deploy EDR on every endpoint in the enclave (Defender for Endpoint P2 in GCC High, CrowdStrike Falcon Gov, SentinelOne Gov). Signature AV alone does not satisfy 3.14.x.
- 6Segment the CUI enclave from the corporate network with a next-gen firewall and explicit allow-lists. Block outbound to everywhere except approved GovCloud / GCC High endpoints.
- 7Encrypt removable media, disable USB by default, and log every file transfer in and out of the enclave.
- 8Implement privileged access management: no daily-driver admin accounts, JIT elevation, session recording for admin RDP/SSH into the enclave.
- 9Patch cadence: 30 days for high, 15 days for critical, tracked in the SSP.
- 10Backups: 3-2-1, immutable, tested restore quarterly, held in the CUI enclave (backup targets are in scope).
Phase 4 — People, process, and evidence (weeks 8–24)
- 1Annual CUI training for every user with access, per DoDI 5200.48. Document completion in a training LMS.
- 2Insider threat program per NISPOM/DoDD 5205.16 where applicable, including reporting channels and briefings.
- 3Incident response plan aligned with NIST SP 800-61 rev 3. Include the 72-hour DIBNet report workflow, DC3 malicious software submission, and 90-day media preservation.
- 4Tabletop exercise at least annually — walk the team through a ransomware-plus-CUI-exfiltration scenario end to end, including the DIBNet filing.
- 5CUI marking program: cover sheets (SF 901), banner and portion marking per DoDI 5200.48 and NARA marking handbook, destruction per NIST SP 800-88.
- 6Subcontractor flowdown: 7012 clause + CMMC-level requirement in every sub agreement that touches CUI, plus a technical questionnaire and evidence exchange.
- 7Configuration management baseline documented and enforced (Group Policy, Intune, or equivalent). Deviations recorded.
- 8Physical protection: badge access to CUI areas, visitor logs, printer PIN release, clean-desk policy, locked shred bins.
Phase 5 — Assessment readiness (months 6–12)
- 1Mock assessment against the CMMC Assessment Guide Level 2 by an internal team or a Registered Practitioner Organization (RPO) that is not your future C3PAO.
- 2Evidence package: for every one of the 110 controls, three artifacts (policy, procedure, and proof-of-execution). Store in a controlled evidence repository inside the enclave.
- 3Book the C3PAO. Book early — assessment slots into 2026–2027 are tight.
- 4Sit the assessment. On pass, receive the CMMC Level 2 certificate (3-year validity). Maintain continuous compliance — do not "unplug" after cert.
- 5Continuous monitoring: quarterly control review, annual SSP/POA&M refresh, SPRS score re-post on any material change, and re-assessment before the 3-year expiry.
CUI marking requirements — the short version
Every piece of CUI must be marked so anyone who handles it knows what it is. DoDI 5200.48 and the CUI Marking Handbook (NARA) define the exact format.
- **Banner marking** at the top and bottom of every page: `CUI` on its own, or `CUI//SP-CTI//NOFORN` for CUI Specified with a category and dissemination control.
- **Portion marking** where required by the originator: `(CUI)` at the start of each paragraph containing CUI.
- **CUI Designation Indicator** on the first page: controlled by name/office, category, distribution statement, POC.
- **Cover sheet** (SF 901) when transmitted physically or left unattended.
- **Email**: subject line prefixed with `[CUI]`, banner in body, attachments individually marked.
- **Destruction**: paper — NSA/CSS-listed high-security shredder; digital media — NIST SP 800-88 sanitization; document destruction with an unclassified destruction certificate.
72-hour incident reporting — the DIBNet workflow
DFARS 252.204-7012(c) requires you to report any "cyber incident that affects a covered contractor information system or the covered defense information residing therein" to DoD via DIBNet within 72 hours of discovery. This is one of the most-tested items in a DIBCAC assessment.
- 1Detect: SIEM/EDR alert, user report, or third-party notification. Log the time of discovery — the 72-hour clock starts here.
- 2Triage: is CUI/CDI in the affected system? If yes, this is a reportable incident even if you're not yet sure data was exfiltrated.
- 3Report to DIBNet at dibnet.dod.mil using a DoD-approved medium-assurance certificate (ECA cert). The report includes company info, contract numbers, incident description, and technical indicators.
- 4Preserve and protect all known affected media for at least 90 days.
- 5Submit any malicious software to DC3 per the clause.
- 6Support any subsequent DoD damage assessment. Do not delete, wipe, or reimage until DoD releases the media.
- 7Notify the prime contractor (if you are a sub) and any affected teaming partners per contract flowdown.
The most common CUI compliance mistakes we see in South Florida
- Storing CUI in commercial M365, commercial Google Workspace, personal Dropbox, or a QuickBooks server — none are compliant. Move to GCC High.
- Scoping the entire company network as "the CUI enclave." It makes the assessment 10x harder and the tooling bill 10x bigger. Shrink the boundary.
- Inflating the SPRS score. Every point above reality is a paragraph in a future False Claims Act complaint.
- Assuming the prime is responsible for the subcontractor's compliance. The 7012 clause flows down; DIBCAC can and does assess subs directly.
- No annual CUI training. This is the easiest control to close and the most common one to fail.
- Treating CMMC as a one-time project. It is a continuous program — SSP, POA&M, evidence, and monitoring live forever.
- Skipping FIPS-validated crypto because "AES-256 is AES-256." NIST requires the validated module, not just the algorithm. Turn on FIPS mode.
How Cybrvault helps Miami and South Florida defense contractors get CUI-compliant
Cybrvault is a Miami-based cybersecurity firm serving defense subcontractors, small primes, aerospace machine shops, marine defense suppliers, and R&D firms across Miami-Dade, Broward, and Palm Beach — plus clients across the US remotely. Our vCISO team runs the exact 30-step program above end to end: enclave design in Microsoft 365 GCC High, SSP and POA&M authorship, SPRS scoring, 24/7 MDR/SIEM inside the enclave, annual CUI training, and full assessment support with our C3PAO partners.
If you have a DFARS 7012 contract in hand — or you're being asked by a prime to hit CMMC Level 2 — get in touch or call +1-305-988-9012 for a free 30-minute scoping call. We'll tell you honestly whether you need six months or eighteen, and roughly what it will cost. See also our CMMC 2.0 requirements guide, NIST SP 800-171 checklist, DoDI 8500.01 explainer, and Miami cybersecurity services.
The bottom line
CUI compliance in 2026 is not optional for anyone in the DoD supply chain. The regulatory stack — NIST SP 800-171, DFARS 252.204-7012, CMMC 2.0 — is now enforceable, assessable, and litigable. Everyone in the contract chain is responsible: prime, sub, cloud, MSSP, employee, and the CEO who signs the SPRS score. The path to compliance is well-understood: shrink the CUI enclave, write an honest SSP, close the POA&M, deploy the right technical controls in a FedRAMP-Moderate-or-better environment, train your people, and rehearse the 72-hour DIBNet response. Do that, and CMMC Level 2 is a milestone — not a crisis.
// frequently asked
Questions teams ask us
Who is responsible for protecting CUI?+
Everyone who handles CUI is responsible for protecting it. The originating US Government agency identifies and marks CUI, but the prime contractor, every subcontractor, every teaming partner, every cloud/MSSP provider, and every individual user with access all share responsibility under DFARS 252.204-7012 and CMMC 2.0. The company's senior official personally attests to the SPRS score. You can outsource the work; you cannot outsource the accountability.
What is CUI in simple terms?+
CUI (Controlled Unclassified Information) is unclassified information the US Government requires to be safeguarded under a law, regulation, or Government-wide policy. It's not classified, but it's not public — engineering drawings for defense hardware, ITAR technical data, source-selection information, and PII on service members are all common examples. The authoritative list of categories is in the NARA CUI Registry at archives.gov/cui.
Is CUI the same as CTI or CDI?+
No, but they overlap. CUI is the government-wide umbrella (32 CFR Part 2002). CTI (Controlled Technical Information) is one specific CUI category inside the Defense family. CDI (Covered Defense Information) is the contract-clause term used by DFARS 252.204-7012, and DoD has aligned CDI with the broader CUI framework. On a DoD contract, protecting CDI = protecting CUI = implementing NIST SP 800-171.
What is the difference between NIST 800-171, DFARS 7012, and CMMC 2.0?+
They are one stack, not three competing frameworks. NIST SP 800-171 is the 110-control technical baseline. DFARS clause 252.204-7012 is the contract clause that requires you to implement NIST SP 800-171 and report incidents to DIBNet within 72 hours. CMMC 2.0 is the assessment framework (32 CFR Part 170) that verifies you actually did it, at Level 1 (self-assessment for FCI), Level 2 (C3PAO assessment for CUI), or Level 3 (DIBCAC assessment for the most sensitive programs).
How long does it take to become CMMC Level 2 compliant?+
For a typical 10–200 person defense subcontractor starting from a baseline commercial IT environment, 6–12 months is realistic if the CUI enclave is scoped tight and leadership is committed. Firms that try to certify their entire company network usually take 18–24 months and spend 3–5x more. The single biggest lever is boundary size — the smaller the enclave, the faster and cheaper the program.
Can I store CUI in commercial Microsoft 365 or Google Workspace?+
No. DFARS 252.204-7012(b)(2)(ii)(D) requires cloud services handling CUI to meet the FedRAMP Moderate baseline or equivalent DoD SRG requirements. For most CUI workloads that means Microsoft 365 GCC High. Commercial M365, commercial Google Workspace, and standard Dropbox/Box are not compliant. Some CUI can live in GCC (not GCC High) if the specific category and dissemination controls allow it — verify per-category with your Contracting Officer.
What happens if I misreport my SPRS score?+
It can be a False Claims Act violation. Multiple settlements since 2022 have hit contractors for tens of millions of dollars for inflated NIST SP 800-171 self-assessment scores posted to SPRS. The DoD IG and DOJ actively pursue these cases, and whistleblowers (often former IT staff) get a share of the recovery. Score honestly, POA&M the gaps, and close them on schedule.
Does Cybrvault help defense contractors in Miami with CUI compliance?+
Yes. Cybrvault runs full CUI/CMMC 2.0 Level 2 programs for defense subcontractors, small primes, aerospace machine shops, and marine defense suppliers across Miami-Dade, Broward, Palm Beach, and the rest of the US. We handle enclave design in Microsoft 365 GCC High, SSP and POA&M authorship, SPRS scoring, 24/7 MDR/SIEM inside the enclave, annual CUI training, and full C3PAO assessment support. Call +1-305-988-9012 for a free 30-minute scoping call.
// miami, fl services
Cybersecurity built for South Florida
// need help applying this?
Book a free, confidential consultation.
Our engineers can map this to your environment in 30 minutes.
Get secured// keep reading
Related articles

Compliance
NIST 800-171 Compliance Checklist (2026): The Complete Guide for DoD Contractors
A practical, plain-English NIST SP 800-171 Rev. 2 checklist for 2026 — all 14 control families, all 110 controls, SSP & POA&M guidance, SPRS scoring, CMMC Level 2 alignment, and a 90-day implementation roadmap for small and mid-sized DoD contractors.

Compliance
CMMC 2.0 Requirements: The Complete 2026 Guide for DoD Contractors (Levels 1, 2 & 3)
The CMMC 2.0 final rule (32 CFR Part 170) is live and DFARS clause 252.204-7021 is now flowing into DoD contracts. This guide breaks down all three CMMC 2.0 levels, the 110 NIST 800-171 controls, C3PAO assessments, POA&M rules, affirmations, timelines, and what Miami-area defense contractors need to do in 2026 to stay contract-eligible.

Compliance
CMMC Level 1 Requirements: The Complete 2026 Guide for Small DoD Contractors
If your small business sells anything to the Department of Defense — even bolts, uniforms, or IT services — CMMC Level 1 is now mandatory. This guide breaks down the 17 practices, the self-assessment, the affirmation, and exactly what a small contractor needs to do this year to stay eligible for DoD contracts.
