Controlled Unclassified Information

Controlled Unclassified Information, or CUI, is information the U.S. Government creates or possesses, or that an entity creates or possesses for or on behalf of the U.S. Government. The Cybersecurity Maturity Model Certification, or CMMC, is a Department of Defense initiative designed to strengthen Defense Industrial Base cybersecurity and better safeguard DoD information.

CUI is most often used to refer to a standard developed by the National Institute of Standards and Technology (NIST) to protect sensitive data designated by the U.S. Government (USG) as CUI. That standard is documented in NIST Technical Series Publication 800-171, often referred to simply as 800-171. Over the years, this standard has undergone several revisions; the current one is revision 3, or 800-171r3.

The National Archives and Records Administration (NARA) is the U.S. Government entity responsible for designating categories of sensitive information as CUI. NARA created 126 categories of CUI including the following as relevant examples: Export Controlled Research, General Privacy information (Personally Identifiable Information), Health Information, and Student Records (FERPA).

CMMC stands for Cybersecurity Maturity Model Certification and is the program by which the Department of Defense will verify that DOD contractors have implemented the security measures required to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC Model contains three progressively advanced levels, shown below. To protect CUI, the University will need to meet the requirements of Level 2.

Chart summarizing the CMMC Model with three certification levels. Level 1 requires 15 FAR 52.204-21 controls with annual self-assessment and affirmation. Level 2 requires 110 NIST SP 800-171 controls with a triennial C3PAO assessment or limited self-assessment, plus annual affirmation. Level 3 requires 134 controls from NIST SP 800-171 and 800-172 with a DIBCAC assessment every three years and annual affirmation.

On October 15, 2024, 32 CFR Part 170 was added to the Federal Register and was effective on December 16, 2024. This rule allows DOD to confirm a defense contractor, or subcontractor, has implemented the security requirements for a specified CMMC level and will maintain that status across the contract period of performance. The program also requires protection of information flowed down to subcontractors.

On September 10, 2025, 48 CFR Part 204 was added to the Federal Register and was effective on November 10, 2025. This rule requires defense contractors, or subcontractors, to meet specific CMMC requirements for contracts that involve handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). As a result, contracting officers are authorized to include CMMC requirements in new solicitations and contracts. Separate from this, DOD may include CMMC requirements by including DFARS clause 252.204-7021, commonly referred to as the 7021 clause.

There are a combined 110 technical and physical controls required by 800-171r2 and r3 for CUI. The University has performed a self-assessment on its environments and has confirmed they are CUI and CMMC Level 2 (Self Certification) compliant. Use of these environments has associated costs and training requirements.

If a solicitation or contract has these requirements, contact GRS to develop a Technology Control Plan (TCP) for budgeting, training, and compliance. 

Still have questions?

Please call or email GRS@ku.edu to discuss or schedule a training session.