Federal Contracting Glossary

CUI & Cybersecurity (CMMC)

The federal requirements for safeguarding Controlled Unclassified Information, including DFARS 252.204-7012 and the Cybersecurity Maturity Model Certification (CMMC).

Definition

Controlled Unclassified Information (CUI) is information the government requires to be safeguarded or disseminated under specific controls, even though it is not classified. Contractors that handle CUI on their own systems must protect it — most prominently under DFARS clause 252.204-7012, which requires implementing the NIST SP 800-171 security controls and reporting cyber incidents.

The Cybersecurity Maturity Model Certification (CMMC) program builds on these requirements by verifying that defense contractors actually meet the applicable NIST 800-171 (and, at higher levels, additional) controls, through self-assessment or third-party certification depending on the level. For a growing share of DoD solicitations, the right CMMC level is becoming a condition of award — making cybersecurity compliance a gating issue, not an afterthought.

How this affects your proposal

If a solicitation involves CUI, confirm you meet DFARS 252.204-7012 and the required CMMC level before you propose — a current SPRS score and an honest assessment of your NIST 800-171 implementation are increasingly prerequisites to award.

Common questions about CUI & Cybersecurity (CMMC)

What is CUI?

Controlled Unclassified Information — unclassified information the government still requires contractors to safeguard under defined handling and security controls, such as those in NIST SP 800-171.

Do all contractors need CMMC?

No. CMMC applies to Department of Defense contractors that handle federal contract information or CUI, at a level matched to the sensitivity of the information. The required level is stated in the applicable DoD solicitation.
