The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CUI Requirements for Federal Contractors: What Applies in 2026

By The Defense Compliance Report Editorial Team · Last verified

Educational research — not legal, contractual, or compliance advice. Not affiliated with the Cyber AB, the Department of Defense (now also styled the Department of War), DCMA DIBCAC, NIST, NARA, GSA, or any U.S. government agency.

⏱ What changed in 2026 — read this before you act. On July 13, 2026, the Department suspended CMMC Phase 2 (the third-party assessment rollout). Phase 1 self-assessments and DFARS 252.204-7012 safeguarding duties remain in force. On February 1, 2026, an acquisition overhaul introduced new clause numbers for new DoD solicitations (details below). And the government-wide FAR CUI rule published June 23, 2026 is proposed, not final — comments are due July 23, 2026. We verified each of these against the primary sources; the dates and clause numbers matter.

If you searched CUI requirements for federal contractors, you’ve already hit the wall: every source gives a different answer. One says 110 controls. Another says you need a third-party certification. A third says the whole thing just got paused. The part nobody leads with is that they’re describing different contracts— which is exactly why the answers conflict, and why a generic checklist can quietly point you at the wrong six-figure decision.

So here’s the honest bottom line, before anything else:

Controlled Unclassified Information (CUI) requirements for federal contractors don’t come from one universal rule. Your binding duties flow from the specific contract that incorporates the CUI Program rule (32 CFR Part 2002), the CUI Registry, any agency-specific terms, and a stated NIST SP 800-171 baseline. Department of Defense contracts add DFARS clauses, an SPRS score, and current CMMC self-assessment duties. A separate government-wide FAR CUI rule was proposed on June 23, 2026, but is not yet final. Start with the clause, not the acronym.

Get four facts and the rest falls into place: (1) the issuing agency, (2) the exact clauses your contract incorporates, (3) the solicitation date, (4) the CUI category, and (5)the NIST revision it names. Miss one and you’ll either overspend on controls you don’t owe or under-deliver on ones you do.

This page is for federal primes and subcontractors that receive, create, store, transmit, print, or share information that might be CUI. It’s notthe page if you handle classified information (that’s a separate program), if you only handle FCI (see our CMMC Level 1 guide), or if you need someone to interpret one specific undisclosed contract. And this is the standard we hold ourselves to: The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

We built this page because we got tired of watching contractors jump from an ambiguous requirement straight to buying infrastructure — before anyone established the clause, the data type, the assessment path, or the scope. Below is the map we wish existed. Jump to the contract-path map ↓


What CUI requirements apply to federal contractors right now?

Federal contractors do not follow one universal CUI checklist. Binding duties depend on the agreement, the agency, the CUI category, the system relationship, and the incorporated security baseline. DoD contracts may add DFARS clauses, SPRS score posting, and current CMMC Phase 1 self-assessment duties, while the government-wide FAR CUI clauses proposed on June 23, 2026 remain proposed rather than final. (Sources: 32 CFR Part 2002; DFARS 252.204-7012; Federal Register, FR Doc. 2026-12559.)

Here’s the whole landscape on one screen. This is our 2026 CUI Contract-Path Map— an original synthesis pulling the CUI Program rule, the current DoD clause set, the current CMMC posture after the July 13 suspension, GSA’s Revision 3 process, and the proposed FAR rule into one place. Every row is cross-checked against the issuing authority and carries a primary-source link. Verified July 16, 2026.

2026 CUI Contract-Path Map: binding requirements by agency and clause type
If your contract is…Binding today?Security baseline / NIST versionAssessment & reporting pathYour first move
The CUI Program baseline (any agency), via 32 CFR Part 2002Yes, as incorporated through your agreementAgencies apply NIST SP 800-171 to CUI on qualifying nonfederal systems, unless a “CUI Specified” authority or the agreement sets different termsSet by the agreement and agency proceduresFind the contract, flow-down, or security attachment before you touch a checklist
DoD, containing DFARS 252.204-7012YesNIST SP 800-171 Revision 2 for DoD (DoD Class Deviation 2024-O0013 directs continued use of Rev 2; it remains in effect until rescinded)External cloud for covered defense information must meet FedRAMP Moderate–equivalent security; cyber incidents reported to DoD within 72 hoursvia DIBNet; media preserved ≥90 daysRead the clause text and the solicitation date; identify covered defense information; test your 72-hour process
DoD, issued under the Feb 1, 2026 acquisition overhaulYes, when incorporatedSame Rev 2 safeguarding baseline; the overhaul renumbers assessment/safeguarding clauses for newcovered DoD solicitations — the underlying obligations are unchangedGovernment-performed Medium or High assessment authority (the clause historically at DFARS 252.204-7020, appearing as DFARS 252.240-7997 in the deviation text); SPRS postingConfirm which clause numbers your solicitation actually uses — legacy or deviation
DoD, containing DFARS 252.204-7021 (CMMC)Yes, at the level written into the contractCMMC Level 2 maps to NIST SP 800-171 Revision 2 (110 requirements, 14 families)During the suspension: Level 1 (Self) or Level 2 (Self) only; third-party (C3PAO) assessment is pausedRead the level the contracting officer inserted — don’t infer it from the word “CUI”
GSA, incorporating the Jan 5, 2026 CUI process (CIO-IT Security-21-112 Rev 1)Yes, where that GSA process is approved and incorporated into your contractNIST SP 800-171 Revision 3 + select requirements from draft NIST SP 800-172 Rev 3 + select 800-53 Rev 5 privacy controlsIndependent third-party assessment (not self-attestation); suspected-incident reporting within 1 hourRecord the process by name/revision; start a Rev 3 gap assessment
Another civilian agency (contract, grant, or agreement)Depends on the instrumentThe CUI Program applies, but the agency agreement sets the concrete baseline and any NIST versionAgency-specific — don’t import DoD’s DIBNet/SPRS rules without a sourceGet the agency’s CUI policy and every incorporated cybersecurity attachment
The proposed FAR CUI rule (FAR 52.240-6 / 52.240-7, SF XXX)No — proposed, not finalWould require NIST SP 800-171 Revision 3 on nonfederal systems if finalizedWould add 72-hour CUI incident reporting (DIBNet for DoD, CISA for non-DoD) and subcontractor flow-downMonitor it; comments due July 23, 2026. Do not treat it as a present duty unless an agency separately imposes equivalent terms

What this map keeps you from doing:it stops you from assuming that every appearance of “CUI” triggers the same controls, the same cloud, the same reporting clock, and the same assessment. It doesn’t. A GSA contract and a DoD contract can involve the same document and produce different obligations — a different NIST revision, a different assessor, and a reporting window that’s 72 hours in one and one hour in the other.

The deferral you need before you spend a dollar:The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO (Certified Third-Party Assessment Organization), an RPO (Registered Provider Organization), an MSSP (Managed Security Service Provider), a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.

Not sure which row you’re in?

Use Find My CMMC Pathto map your contract to the likely CUI path — non-sensitive questions only, no document upload, no CUI. You’ll walk away with the authorities to read and the exact questions to send your contracting officer, before you request a single quote.

Find My CMMC Path →

Matching or provider tools may result in compensation for a qualified introduction. Compensation does not control our regulatory analysis or category recommendations.


How do you know if information is actually CUI?

CUI is information the government creates or possesses — or that a contractor creates or possesses for or on behalf of the government — that a law, regulation, or government-wide policy requires or permits an agency to protect with safeguarding or dissemination controls (32 CFR § 2002.4). Only categories listed in the CUI Registry qualify. Whether a specific contractor has duties for that CUI is a separate question answered by the contract, the markings, and written agency direction. (Sources: 32 CFR Part 2002; NARA CUI Registry.)

CUI was created to end a mess. Before Executive Order 13556 (November 2010), the executive branch used more than 100 different markings — “For Official Use Only,” “Sensitive But Unclassified,” and dozens of one-offs — with no consistent rules. The order named the National Archives and Records Administration (NARA) as Executive Agent (delegated to its Information Security Oversight Office), and the program was implemented at 32 CFR Part 2002, effective November 2016. One nuance we verified in the rule itself: Part 2002 doesn’t apply directly to companies. It reaches contractors indirectly, through the agreement(32 CFR § 2002.1). That’s why your contract — not the regulation — is the starting point.

Run the analysis in two stages. Don’t collapse them; that’s where teams go wrong.

Stage 1 — Does the information qualify as CUI?

  1. Government nexus.Was it created or possessed by the government — or by you, for or on behalf of the government?
  2. Controlling authority. Does a law, regulation, or government-wide policy require or permit safeguarding or dissemination controls?
  3. Valid Registry category. Does the category or subcategory actually exist in the CUI Registry?

Stage 2 — What duties bind you?

Confirm the contract, agreement, flow-down, security attachment, markings, and any written agency direction. This is where a contractor’s obligations actually come from. Information can be CUI in the abstract; your duties attach through the instrument.

Here’s the discipline in one view:

CUI determination: what each stage requires
Decision questionWhat the rule establishesWhat your instrument must show
Is this CUI at all?Government nexus + a safeguarding/dissemination authority + a valid Registry categoryMarkings, the designating authority, or written agency confirmation
Do we owe controls?The CUI Program reaches contractors through agreementsThe contract, flow-down, or security attachment that incorporates the requirement
Which safeguards?NIST SP 800-171 for CUI on qualifying nonfederal systems, subject to CUI Specified and agreement exceptionsThe stated NIST revision and any agency-specific attachment

CUI Basic vs. CUI Specified

There are two CUI control categories, and people constantly get this backward. CUI Basic is the default: standard safeguarding under Part 2002 and, for nonfederal systems, NIST SP 800-171. CUI Specified is a category whose underlyinglaw or regulation supplies its own specific controls (32 CFR § 2002.14). “Specified” does not mean “more classified” or “higher sensitivity” — it means a separate authority may change the safeguarding or dissemination rules. The operational question is simple: does the underlying authority for this category add or alter requirements? If yes, follow those. If not, follow the baseline.

What CUI is not (this table alone prevents costly mistakes)

Information types that are not CUI, and why the distinction matters
Information typeWhat it isWhy the distinction matters
CUIValid unclassified federal information requiring safeguarding or dissemination controlsTriggers the applicable CUI agreement, category, and NIST baseline
FCI (Federal Contract Information)Non-public information provided by or generated for the government under a contract, with stated exclusionsProtected by FAR 52.204-21 — 15 basic safeguards. It is not the universal CUI clause. See our FCI vs. CUI guide
CDI (Covered Defense Information)The specific contractual term DFARS 252.204-7012 uses to set that clause’s scopeOn DoD contracts, analyze using the clause definition — not “CUI” as a loose synonym
Classified informationInformation protected under classification authorities (EO 13526)Requires a separate classified-security program entirely
Company proprietary informationYour confidential business informationNot automatically CUI just because it’s valuable. Confidentiality, data rights, and CUI are separate analyses
Export-controlled information (ITAR/EAR)Information governed by export-control authoritiesMay also be CUI, but neither category automatically substitutes for the other

What if the information is unmarked or marked wrong?

This trips up a lot of teams. An absent marking is notpermission to ignore government information that may qualify — and it’s also notlicense to slap “CUI” on your own routine files. Part 2002 requires agencies to maintain mechanisms for handling unmarked or improperly marked information and for challenging CUI status. So the correct move is to protect the information appropriately, request written clarification from the contracting officer or prime, and document the category, authority, source, and response with a date. Build that challenge step into your CUI procedure so it isn’t improvised under pressure.


Which contract clause or agency rule controls your CUI obligations?

Start with the exact contractual vehicle, not a vendor’s checklist. Because the CUI Program reaches contractors principally through contracts and agreements, the same information can produce different operational requirements depending on the agency, clause set, solicitation date, system relationship, and incorporated security attachment. (Source: 32 CFR § 2002.1.)

Read your requirements in this order

Work top to bottom. Most of the answer is already in your own file cabinet.

  1. Solicitation and amendments
  2. Award document and modifications
  3. Prime-contract flow-down or subcontract terms
  4. Incorporated FAR and DFARS clauses
  5. Statement of Work / Performance Work Statement
  6. Contract Data Requirements List (CDRLs) and deliverables
  7. Any agency cybersecurity or CUI attachment
  8. The form or attachment identifying the CUI and handling requirements
  9. The CUI Registry category and its authority
  10. Written contracting officer or prime clarification

The distinction almost everyone misses: what kind of system is it?

Part 2002 treats three system relationships differently, and it changes your baseline:

System relationship types under 32 CFR Part 2002 and their baseline implications
System relationshipWhat it means in practiceThe baseline question
Federal / government-controlled systemThe government owns or controls the environment you work inFollow the agency’s federal-system requirements (FIPS 199, FIPS 200, and NIST SP 800-53 as applicable)
Contractor system operated on behalf of an agencyYou perform information-processing functions the government would otherwise perform itselfThe agency may apply its federal-system requirements to you
Your ordinary contractor (nonfederal) systemFederal information is incidental to delivering some other product or serviceThe agreement generally sets the NIST SP 800-171 path, subject to CUI Specified and other exceptions

If you assume you’re in bucket three when you’re actually in bucket two, you can dramatically under-scope your obligations. Ask the question in writing.

Why FAR 52.204-21 doesn’t answer the CUI question

Here’s a common misread: someone sees FAR 52.204-21 in a contract and assumes it’s the government-wide CUI clause. It isn’t. FAR 52.204-21 sets 15 basic safeguarding requirements for covered contractor systems that handle Federal Contract Information. Those same 15 safeguards are the CMMC Level 1 requirements when a solicitation separately requires CMMC Level 1— but FAR 52.204-21 on its own does not insert the CMMC clause (DFARS 252.204-7021) or create a CMMC status requirement, and it does not establish a CUI baseline.

Copy-and-send: the questions that get you an answer

You don’t have to guess. Send this to your contracting officer (adapt as needed). It’s professional, specific, and it forces the ambiguity into writing:

“Please identify the CUI categories and subcategories expected under this effort, the document or attachment that establishes the applicable safeguarding and dissemination requirements, the required NIST SP 800-171 revision, the applicable incident-reporting process, and any assessment or system-status requirement that must be met before award or performance.”

If you’re a subcontractor, send this to your prime:

“Please identify the information you expect to flow to us, whether it retains its identity as covered defense information or CUI, the exact clauses incorporated into our subcontract, and the required CMMC status or assessment type, if any.”

Getting these answers in writing does two things: it tells you what you actually owe, and it creates a record if a requirement is later disputed.


Do you follow NIST SP 800-171 Revision 2 or Revision 3?

NIST SP 800-171 Revision 3 is NIST’s current publication, but that does not automatically replace Revision 2 in every contract. The controlling answer comes from your solicitation, contracting officer authorization, agency process, or program rule: current CMMC enforcement uses Revision 2, GSA’s January 2026 process requires Revision 3 where incorporated, and the proposed FAR rule would use Revision 3 only if finalized. (Sources: NIST CSRC; DoD Class Deviation 2024-O0013; GSA CIO-IT Security-21-112 Rev 1; FR Doc. 2026-12559.)

This is one of the most confused facts in the entire topic, and it’s where we see the most outdated advice. NIST published Revision 3 in May 2024. It reorganized the standard and introduced organization-defined parameters, and its companion assessment guide (800-171A Rev 3) expanded how each requirement is assessed. But publication status and contractual obligation are two different things:

Here’s the version question in one view:

NIST SP 800-171 revision applicability by contract context
Your contextVersion to verify
NIST’s current publicationRevision 3
Existing DoD contract with DFARS 252.204-7012Revision 2, per Class Deviation 2024-O0013
Current CMMC (Level 1 / Level 2 Self)Revision 2
GSA contract that incorporated the Jan 2026 processRevision 3
Another civilian-agency agreementWhatever the agreement and agency policy incorporate
Proposed FAR 52.240-7Revision 3 — only if and when it becomes final in that form

A warning we’ll put bluntly:“NIST withdrew Revision 2” is true as a publication fact, and it does notend your contract analysis. A contract can keep Revision 2 normatively relevant even after NIST supersedes it. And a Rev 2–to–Rev 3 crosswalk is useful for planning, but by itself it does not modify your contract, change your assessment baseline, change your CMMC status, or authorize you to skip a requirement. If you run work across both DoD and civilian agencies, plan for the real possibility of satisfying bothrevisions — for example, a DoD contract that keeps you on Revision 2 alongside a GSA contract that has incorporated the Revision 3 process.

The one honest limitation we’ll admit — and why it should make you trust the rest

Here’s the uncomfortable truth most CUI pages avoid: “we handle CUI” is not enough information for anyone — including us — to tell you your exact requirements. A web page can point you toward good security practices, but it can’t tell you whether your instrument uses Revision 2 or Revision 3, whether your system is operated on behalf of an agency, whether SPRS applies to you, or where your incident must be reported. Those answers live in your contract clause and your CUI designation.

We’re telling you that on purpose, because it’s the whole point. The value of this page isn’t pretending those distinctions disappear — it’s giving you a disciplined way to resolve them, with the primary sources next to every claim, so you walk into your contract review asking the right questions instead of buying the wrong environment.


What’s actually in scope — systems, people, cloud, and vendors?

Scope follows every place and component that processes, stores, transmits, or protects CUI — not just the department that owns the contract. It can include endpoints, servers, cloud services, email, backups, security tools, administrators, physical records, facilities, external service providers, and subcontractor exchanges. Systems operated on behalf of an agency may follow a different federal-system baseline than an ordinary contractor system. (Source: 32 CFR § 2002.14.)

One of the most expensive mistakes we see is buying an environment before mapping where CUI actually goes. Map the lifecycle first: where CUI is received, created, accessed, processed, stored, transmitted, printed, shared, backed up, archived, returned, and destroyed. Then inventory the components that touch any of those steps — people (users, IT admins, security, engineering, contracts, quality), endpoints, servers and identity systems, SaaS (email, storage, collaboration, ticketing, ERP, source control, design tools), physical media and multifunction printers, and every external service provider (MSP/MSSP, cloud, managed backup, help desk, subcontractors, consultants).

Whole-company environment or enclave?

There’s no universal verdict here — it’s a genuine tradeoff, and it depends on how far CUI has spread. (This is a DCR editorial framework built on the sources above — not a government rule.)

Scope direction guidance by CUI situation
Your situationScope direction worth evaluating
CUI is pervasive across engineering, ERP, quality, production, email, and adminA broader managed environment may be more realistic than a small enclave
CUI is limited to a small team and a narrow workflowAn enclave or controlled workspace can meaningfully reduce scope
Work happens primarily inside a government-controlled systemConfirm whether local devices and downloads stay outside — or pull into — scope
CUI must reach shop-floor equipment or legacy systemsA simple email/file enclave may not cover your operational reality
Only FCI is involvedDon’t build a CUI environment until the information and clause analysis justify it

The scope-reduction trap: an enclave does not reduce scope just because someone called it an enclave. The controls have to actually stop CUI from leaking into ordinary endpoints, email, downloads, printers, backups, logs, and support tools. A CUI enclave that everyone emails PDFs out of is not an enclave.

Is GCC High required for CUI?

Short answer: not universally. When you use an external cloud service provider to store, process, or transmit covered defense information under DFARS 252.204-7012, that service must meet security equivalent to the FedRAMP Moderate baselineand satisfy the clause’s related incident, preservation, and access obligations. That’s a capability test, not a command to buy one specific Microsoft environment. GCC Highcan be a clean, appropriate choice in some environments — particularly where export-controlled data or specific user-population rules are in play — but the word “CUI” alone does not create a universal product mandate. Evaluate the exact cloud service (not just the parent company), its authorization or defensible equivalency, your export-control obligations, your user population, and your incident duties. See our comparisons of Azure Government and AWS GovCloud for the CUI-specific considerations. And remember: encryption alone doesn’t solve CUI compliance. You still need access control, authorized users, device controls, audit logging, configuration management, incident response, media protection, vulnerability management, vendor evidence, physical protections, and accurate documentation.


What must you document — and prove?

You need implementation that matches your actual contractual baseline, and evidence that accurately describes that implementation. A System Security Plan (SSP), Plan of Action and Milestones (POA&M), policies, asset inventory, data-flow map, incident plan, and assessment records may all be required — but the exact evidence, and whether open items are even allowed, depends on your clause and assessment path. Documentation that describes controls you haven’t implemented can become the basis for legal or contractual exposure. (Sources: NIST SP 800-171; DFARS 252.204-7012.)

The evidence stack most CUI contractors need looks like this: a clause inventory, a CUI category/authority register, a CUI data-flow diagram, a defined system boundary and asset inventory, an external service provider register, an SSP, policies and procedures, control implementation narratives, configuration and access evidence, logging and monitoring evidence, vulnerability and patch records, training records where required, an incident-response plan you’ve actually exercised, subcontract flow-down records, assessment and SPRS records, and a POA&M where it’s permitted.

On the SSP specifically: NIST’s Revision 2 publication prescribes no required format— but the plan must convey the required information and describe your system boundary, environment, and how each requirement is met. So the real test isn’t whether your SSP matches a vendor’s template. It’s whether it matches your actual environment and evidence.

The case that should change how you think about your SPRS score

Here’s what “your documentation must match reality” looks like when it goes wrong — and it’s a primary-sourced example, not a hypothetical.

Case Study: LOGZONE, Inc. — June 18, 2026

On June 18, 2026, the Department of Justice announced that LOGZONE, Inc., an Alabama logistics contractor, agreed to pay $507,144 to resolve False Claims Act allegations tied to two U.S. Navy contracts (DOJ). Both contracts incorporated DFARS 252.204-7012 and required LOGZONE to post a Supplier Performance Risk System (SPRS)self-assessment score — the score range runs from −203 to 110. In October 2021, LOGZONE posted a perfect 110. When DIBCAC reviewed the company in February 2024, the assessed score came back at −170— near the bottom of the scale.

Two things to keep straight. First, the framing: these were allegations resolved by a settlement, with no determination of liability. Second, the details still land hard: no data breach was alleged, and no CMMC assessor was involved.The documented gap between a posted 110 and a later −170 was central to the government’s case. LOGZONE is one of a line of cyber False Claims Act settlements under the DOJ Civil Cyber-Fraud Initiative (launched October 2021), alongside larger resolutions like Raytheon/Nightwing ($8.4M, May 2025) and Georgia Tech Research Corporation ($875K, September 2025).

The practical lesson: don’t post a score based on planned controls, a consultant’s target state, or an SSP that describes technology you haven’t turned on yet. Your score, scope, SSP, and evidence should describe the same environment on the same date.

Before you submit or affirm anything, work from facts, not guesses.

Our CUI & CMMC readiness checklist walks your environment against the safeguarding families so your SSP and your SPRS score describe the same reality. Do not enter CUI or contract numbers into any form.

Open the Readiness Checklist →

How must federal contractors mark, share, print, mail, and destroy CUI?

Authorized holders must take reasonable precautions against unauthorized disclosure: use controlled environments, apply the required markings, share only for a lawful government purpose, and follow the applicable dissemination controls. 32 CFR Part 2002 permits ordinary business handling — copying, scanning, printing, and mailing for a lawful government purpose — but requires secure equipment handling and destruction that renders the information unreadable, indecipherable, and unrecoverable. (Source: 32 CFR Part 2002; NARA CUI Registry.)

CUI handling requirements by activity under 32 CFR Part 2002
ActivityBaseline expectation under Part 2002 / the RegistryWhere it commonly goes wrong
Controlled environmentPrevent unauthorized access or observation — workspaces, screens, conversations, visitors, home offices where authorizedOpen floor plans, shared printers, screens visible to non-authorized staff
MarkingApply banner markings, category/subcategory indicators, and any limited-dissemination controls per the CUI Registry and agency guidanceUnmarked contractor-generated deliverables; inconsistent legacy markings carried forward
SharingDisseminate only for a lawful government purpose, to authorized recipients, consistent with the underlying authority and any dissemination controlsTreating CUI like it’s freely shareable, or over-restricting it under a classified-style “need to know” model it doesn’t use
Printing / copying / scanningHandle multifunction devices securely — spool files, stored images, scan-to-email, and leased-device returnCopiers returned at lease-end with CUI still on the drive
Shipping / mailingPermitted via USPS or commercial delivery, with tracking recommended and appropriate package markingsAssuming CUI can never be mailed, or shipping without proper markings
Records retention & destructionRetain per records schedules; destroy so the information is unreadable and unrecoverableDestroying the paper copy while leaving CUI in backups, logs, and replicated storage
DecontrolRemove controls only when authorizedTreating internal convenience as authority to decontrol

Two operational reminders that save real money: sanitize or account for multifunction printers and leased devices beforethey leave your control, and remember that destroying a document doesn’t destroy the copies in your backups, email, and file-sync history.


What CUI training is required for federal contractors?

There is no single universal “annual CUI training” rule for contractors. Your training obligation is set by your contract, the applicable NIST requirements, and — on DoD work — your CMMC level. 32 CFR Part 2002 imposes a training cadence on federal agency personnel, not a blanket schedule for every contractor; contractors inherit training duties through the agreement and the security requirements it incorporates. (Sources: 32 CFR Part 2002; NIST SP 800-171.)

Be careful here, because a lot of guidance overstates this. The rule’s periodic training requirement is aimed at agency CUI programs and personnel. What binds a contractor is the combination of: the agency’s CUI requirements as incorporated into the contract; the awareness-and-training security requirements inside NIST SP 800-171 (the “Awareness and Training” family), where that standard applies to your systems; and, on DoD contracts, the security-awareness expectations embedded in your CMMC level. So the accurate answer to “what training do we owe?” is: read the contract and the applicable NIST baseline, then build role-based training that covers CUI identification, marking, handling, incident reporting, and the specific safeguards your people operate.


What CUI incident must you report, where, and how fast?

Incident duties are contract-specific, and the clocks differ by agency. Under DFARS 252.204-7012, a covered cyber incident affecting a covered contractor information system, covered defense information, or operationally critical support must be reported to DoD within 72 hours of discovery via DIBNet, with system images and monitoring data preserved for at least 90 days. GSA’s CUI process sets a one-hour suspected-incident reporting window. Civilian-agency processes vary — don’t assume DoD’s rules apply everywhere. (Sources: DFARS 252.204-7012; GSA CIO-IT Security-21-112 Rev 1.)

CUI incident reporting clocks by contract path
Contract pathReporting clockWhere you report
DoD, DFARS 252.204-701272 hours of discovery; preserve images/monitoring data ≥90 daysDoD via DIBNet (dibnet.dod.mil)
GSA, Jan 2026 CUI process1 hour for a suspected incident, once identified by the contractor’s top-level security teamGSA information system security officer/manager, the contracting officer’s representative, and the GSA incident response team
Proposed FAR rule (not yet binding)Would be 72 hoursDIBNet for DoD contracts; CISA for non-DoD — if finalized
Other civilian agencyWhatever the agreement specifiesPer the contract and agency instructions

For DoD subcontractors: you report to DoD where the clause requires it, then pass the DoD-assigned incident report number up the chain to your prime. Your prime should not be instructing you to email sensitive incident details through ordinary channels, and the reporting chain does not replace the direct report the clause requires.

⚠ Do not report an incident to us, and do not enter incident facts, affected systems, vulnerabilities, CUI, credentials, or contract numbers into any form or tool on this site. Follow the reporting route in your contract and your incident-response plan.

What CUI requirements flow down to subcontractors?

CUI obligations don’t flow down just because the prime holds a high-level contract — they flow through the subcontract and the information required to perform it. Under DFARS 252.204-7012, the prime must include the clause in qualifying subcontracts and determine whether the information keeps its identity as covered defense information; CMMC status and affirmation duties flow through DFARS 252.204-7021 when that clause and the information requirement apply. (Source: DFARS 252.204-7012.)

If you’re a prime, you’re making four decisions for each subcontractor: what information must they receive or create; does that information retain its identity as CUI or CDI; which clause must flow down; and what CMMC level or status, if any, fits that information and subcontract. Flowing down a higher requirement than the work justifies isn’t caution — it can price out capable suppliers for no compliance benefit.

If you’re a subcontractor, a vague prime letter that says “be CMMC Level 2 by [date]” is not enough to act on. Send back five questions: which prime-contract clause is being flowed down; which CUI categories are expected; are you receiving CUI, creating it, or both; what status or evidence is required before subcontract award; and what incident and higher-tier notification process applies. Get it in writing before you scope technology. Our flow-down request template turns those into a clean note you can send today.

Questions to resolve based on information type reaching your subcontractor
The information reaching your subThe question to resolve
FCI onlyDoes FAR 52.204-21 or CMMC Level 1 apply?
CUI/CDI under DFARS 252.204-7012Is 7012 included without alteration, as the clause requires?
A CMMC clause is includedWhich level is written in — and does your system already hold that status?
No CUI actually reaches your subHas the prime over-flowed a requirement, or does some other obligation justify it?
An ambiguous prime letterRequest the clause, category, status, and deadline in writing

How do CMMC and the July 2026 suspension change things for DoD contractors?

CMMC verifies a contractor’s compliance with the safeguards it already owes; it does not independently decide whether information is CUI. As of July 16, 2026, CMMC Phase 2 (third-party assessment) is suspended, Phase 1 Level 1 and Level 2 self-assessments remain in force, and DFARS 252.204-7012 safeguarding duties are unchanged. The obligation to protect CUI did not pause — one mechanism for verifying it did. (Sources: Department of War CMMC materials, July 2026; 32 CFR Part 170; DFARS 252.204-7021.)

What the suspension changed.

On July 13, 2026, the Department announced the immediate suspension of CMMC Phase 2— the transition to required third-party (C3PAO) assessments scheduled for November 10, 2026 — along with pending Phase 3 and Phase 4 milestones. The action launched a 60-day review by a CMMC Reform Task Force, with industry responses due August 14, 2026. During the suspension, contracting officers may include only CMMC Level 1 (Self) or Level 2 (Self) requirements. November 10, 2026 is no longer a Phase 2 milestone date — do not present it as one.

What the suspension did not change.

Phase 1 self-assessment requirements remain. DFARS 252.204-7012 is fully unaffected.You still must implement and truthfully assess the applicable NIST baseline (Revision 2 for DoD). Contract-specific incident reporting stands. And — as LOGZONE demonstrates — False Claims Act exposure is unchanged, because a self-assessment result, a SPRS entry, and an annual affirmation are government-facing representations.

CMMC level status and current assessment path after July 2026 suspension
StatusProtectsCurrent assessment
Level 1 (Self)FCIAnnual self-assessment and affirmation
Level 2 (Self)CUI, on the applicable contract pathSelf-assessment (three-year cycle) and annual affirmation
Level 2 (C3PAO)Phase 2 transition suspendedDo not present as an expanding November 2026 default
Level 3 (DIBCAC)Contracts supporting DoD’s most critical programs and technologiesAdds 24 selected NIST SP 800-172 (Feb 2021) requirements to the Level 2 baseline; milestones currently suspended

One more thing your contract review must catch: under the Feb 1, 2026 acquisition overhaul, the basic-safeguarding clause appears at FAR 52.240-93 and the government-assessment clause appears at DFARS 252.240-7997in new covered DoD solicitations. The codified FAR/DFARS and legacy instruments still contain FAR 52.204-21 and DFARS 252.204-7019/-7020, so during the transition you may see legacy numbers, deviation numbers, or both — read the exact clauses in your exact instrument. DFARS 252.204-7012 and the CMMC clause DFARS 252.204-7021 are unchanged. For the deeper mechanics, see our guides to 32 CFR Part 170 and self-assessment vs. C3PAO.


When can a federal contractor use a POA&M for CUI requirements?

Whether you can defer a requirement with a Plan of Action and Milestones (POA&M) depends entirely on the program and instrument. Under CMMC, Level 1 allows no POA&Ms — you must meet all 15 requirements. CMMC Level 2 and Level 3 allow a limited conditional status: you must meet a minimum score, certain requirements can’t be on a POA&M at all, and the plan must close within 180 days. DFARS/NIST self-assessment documentation and civilian-agency processes handle open items on their own terms. (Source: 32 CFR Part 170, §§ 170.21 and 170.24; CMMC Federal Register rule.)


What kind of help do you actually need — and when?

The right provider category depends on the problem you haven’t solved yet. Contract interpretation is a job for qualified federal-contracts counsel; CUI data-flow mapping, scoping, and readiness call for an RP/RPO or an experienced readiness team; ongoing operations call for an MSSP or vCISO; evidence and workflow problems call for a GRC platform; and a C3PAO belongs only in a formal assessment path that your current contract actually requires. Readiness and formal assessment must stay separate — the firm that prepares you cannot also be your Level 2 assessor within a defined window. (Sources: Cyber AB Code of Professional Conduct; 32 CFR § 170.8.)

We call this The CMMC Path Framework— the logic that maps your required level, FCI-vs-CUI handling, assessment type, environment, and timeline to a provider category, not a name. It is not a score, a ranking, or compliance advice. (This is a DCR editorial framework built on the cited sources — not a government rule.)Here’s the short version:

Provider category decision table by unresolved problem type
Your unresolved problemCategory to evaluate firstDon’t start with
Ambiguous contract applicability or legal exposureQualified federal-contracts counselA software sales demo
CUI data-flow mapping, system scoping, SSP/POA&M development, readinessAn RPO or source-checked readiness providerA formal assessor, before scope and readiness are done
Ongoing security operationsA CMMC-focused MSP/MSSP or vCISOA one-time documentation writer
Evidence collection and control workflowA GRC platform (a supporting layer, not the whole solution)Buying a platform before you own the underlying controls
A narrow CUI population or workflowA CUI enclave / secure-collaboration architectureA whole-company migration with no scope analysis
A formal assessment your current contract requiresAn authorized C3PAOA provider that also wants to do your remediation and then assess it

The independence rule you need to know before you sign anything. A C3PAO cannot assess an organization it consulted for, advised, or helped implement within the previous three years— a bright line written into the regulation and the Cyber AB Code of Professional Conduct (32 CFR § 170.8(b)(17)(ii)(G); Cyber AB CoPC). During an assessment, the C3PAO and its team also cannot give you advice, remediation help, or recommendations. Translation: keep your readiness help and your assessor as separate organizations, and document that separation — because a conflict discovered later can put your certification, and the contracts riding on it, at risk.

The honest limitation to keep in mind: a provider cannot cure an unclear contract by selling you infrastructure. Until you know your clause, information type, system relationship, assessment path, and deadline, even a technically excellent proposal may be solving the wrong problem. Resolve the contract questions first; then the category is usually obvious.

Ready to get matched?

Use Find My CMMC Pathto get matched with source-checked provider options for your scope — your level, environment, and timeline. It routes to a category, discloses any compensation relationship at the point of recommendation, and never asks for CUI, drawings, or sensitive contract details.

Find My CMMC Path →

Matching may result in compensation for a qualified introduction. Compensation does not control the category recommendation or our regulatory analysis.


What should a federal contractor do in the next 30 days?

Don’t begin with a cloud migration or a certification quote. Begin by collecting the governing documents, identifying the CUI and its data flows, resolving the NIST version and assessment path in writing, defining your system boundary, and comparing your actual evidence against the requirements that bind your contract.

This is the DCR 30-Day CUI Action Sequence — an editorial framework built on the sources above, not a government rule.

Days 1–3 — Stop guessing.

Inventory relevant contracts, solicitations, amendments, subcontracts, and attachments. Search them for “CUI,” “CDI,” “FCI,” “NIST SP 800-171,” “DFARS,” “SPRS,” “CMMC,” “incident reporting,” “FedRAMP,” and agency CUI references. Assign an executive owner and a working owner. Pause avoidable movement of potentially sensitive data into new tools. Do not upload contract documents into public AI tools or lead forms.

Days 4–7 — Identify the information.

List the government-furnished and contractor-created information types. Map each to a proposed Registry category and authority. Separate CUI from FCI, classified, proprietary, and export-controlled data. Request written clarification for anything unmarked or ambiguous. Note whether each category is Basic or Specified.

Days 8–14 — Map the boundary.

People, locations, systems, endpoints, cloud services, email, backups, printers, security tools, administrators, external service providers, and subcontractors — every place CUI lives or passes through.

Days 15–21 — Test reality against the requirement.

Confirm your NIST revision. Build or update the SSP. Identify which POA&M items are permitted and which aren’t. Collect current evidence. Test identity, access, logging, incident response, vulnerability, backup, and media processes. Verify cloud authorization or equivalency. Run an incident-reporting tabletop against your actual clock.

Days 22–30 — Make the next decision.

Get written contract clarification. Finalize the system boundary. Correct any unsupported self-assessment or SPRS score before you rely on it. Decide which provider category you need. Request scoped quotes only after scope and deliverables are defined.

Do not do this:


What we verified, and how we made this

We built this guide by comparing the current CUI Program rule, NARA’s framework, NIST’s publication status, the applicable Acquisition.gov clauses and deviations, the Department’s July 2026 CMMC suspension materials, GSA’s current process guide, and the June 2026 proposed FAR rewrite. We separated binding requirements from proposed ones, distinguished regulatory facts from our editorial judgment, and dated the page.

Here’s exactly what we checked on July 16, 2026:

Who wrote it: The Defense Compliance Report Editorial Team. Why it exists: federal contractors are being asked to make expensive technology, staffing, and subcontract decisions from requirements that differ by agency, clause, system type, and instrument date. This page exists to make those distinctions visible before you buy or represent anything. The page carries a visible verification date, and we re-verify it on a defined cadence, updating the date when substantive facts change. For our sourcing approach, see our About page.

This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney— the contract clause and CUI handling set your level, not a checklist.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. No CUI, no contract numbers, no sensitive details.

→ Find My CMMC Path

Do not submit CUI, drawings, contract numbers, system diagrams, vulnerabilities, incident details, or sensitive contract information. Matching may result in compensation for a qualified introduction; compensation does not control our regulatory analysis or category recommendations.


Regulatory status, clause text, NIST publication status, GSA guidance, the CMMC suspension, and the proposed FAR rule were verified on . Because phases and rules change, we re-verify this page on a defined cadence and update the date above when substantive facts change.


Frequently asked questions about CUI requirements for federal contractors

Do all federal contractors handle CUI?
No. A company may handle only public information, FCI, CUI, classified information, or several categories at once. Your contract, your work, the information involved, and the agency’s designation determine what applies. Don’t assume — check the clause and the markings (32 CFR Part 2002).
Does unmarked information still count as CUI?
Potentially. An absent marking is not permission to ignore government-linked information that may qualify — and it’s also not license to label your own routine files as CUI. Use the agency’s clarification and challenge process, and document the outcome (32 CFR Part 2002).
Is CUI classified information?
No. CUI is unclassified information that requires authorized safeguarding or dissemination controls. Classified information is protected under separate authorities and a separate security program (Executive Order 13556).
What’s the difference between CUI and FCI?
FCI (Federal Contract Information) is non-public information provided by or generated for the government under a contract; it’s covered by FAR 52.204-21’s 15 basic safeguards. CUI requires an additional valid legal basis and a Registry category and generally invokes NIST SP 800-171. FAR 52.204-21’s 15 safeguards are also the CMMC Level 1 requirements when a contract separately requires CMMC Level 1. See our FCI vs. CUI guide for the full breakdown. For civilian-specific rules — GSA, DHS, NASA, Rev. 3 vs. Rev. 2 — see our CUI compliance for civilian contractors guide.
Is all CUI subject to NIST SP 800-171?
Not automatically. Agencies use NIST SP 800-171 for CUI on qualifying nonfederal systems, but system type, a CUI Specified authority, or the agreement can change the path, and federal systems (or systems operated on behalf of an agency) may follow NIST SP 800-53 (32 CFR § 2002.14).
Does NIST SP 800-171 Revision 2 or Revision 3 apply to me?
Your instrument controls. NIST’s current publication is Revision 3, but current CMMC enforcement uses Revision 2 via DoD Class Deviation 2024-O0013, GSA’s January 2026 process requires Revision 3 where incorporated, and other agencies may specify either. Check the solicitation or written contracting officer direction.
Did the July 2026 CMMC suspension pause DFARS 252.204-7012?
No. The suspension paused CMMC Phase 2 third-party assessments. DFARS 252.204-7012 safeguarding duties and CMMC Phase 1 self-assessments remain in force (Department of War CMMC materials, July 2026).
Does every DoD contractor with CUI need CMMC Level 2?
The level written into your contract controls, and during the current suspension that means Level 1 (Self) or Level 2 (Self). Read the level the contracting officer inserted rather than inferring it from the information type (DFARS 252.204-7021).
Does every CUI contractor need a C3PAO assessment?
No. Current CMMC Phase 1 includes Level 2 (Self), and Phase 2 third-party assessments are suspended as of July 13, 2026. GSA’s separate CUI process does require independent third-party assessment, so it depends on which agency’s contract you hold.
Is GCC High required for CUI?
Not universally. When you use an external cloud for covered defense information under DFARS 252.204-7012, that service must meet FedRAMP Moderate–equivalent security and the clause’s related obligations — a capability test, not a specific product mandate. Evaluate the exact cloud service, its authorization or equivalency, export-control needs, and user population (Acquisition.gov).
Is encryption enough for CUI?
No. Encryption is one control among many, including access management, configuration, logging, incident response, media protection, vendor evidence, physical protections, and accurate documentation (NIST SP 800-171).
Can CUI be printed, copied, or mailed?
Yes, when it’s for a lawful government purpose and handled under the applicable controls. 32 CFR Part 2002 addresses reproduction, shipping, mailing, equipment handling, and destruction that renders the information unreadable and unrecoverable.
Can a federal contractor use a POA&M to defer CUI requirements?
It depends on the program. CMMC Level 1 allows no POA&Ms. CMMC Levels 2 and 3 allow a limited conditional status — a minimum score, no prohibited requirements deferred, and a 180-day closeout (32 CFR § 170.21). Civilian-agency processes handle open items on their own terms.
Does DFARS 252.204-7012 flow down to subcontractors?
Yes, to qualifying subcontracts involving covered defense information or operationally critical support, subject to the clause’s exceptions and exact text. The prime determines whether the information retains its identity as covered defense information (DFARS 252.204-7012).
Who can confirm my actual CUI requirement?
Your contracting officer or prime clarifies contractual requirements; qualified federal-contracts counsel advises on legal and contractual exposure; and an RP/RPO supports CMMC scoping and readiness. This publication and its tools do not make a binding determination.