When you’re just starting out in federal contracting, it’s easy to focus on the obvious hurdles: SAM registration, past performance, and finding bid opportunities. But one of the less visible and potentially contract-killing obstacles is something many new contractors overlook: how to handle sensitive government information.
Controlled Unclassified Information (CUI) isn’t classified, but it’s still considered sensitive by federal agencies. And if your contract involves it, even indirectly, you’re expected to meet strict security standards from day one. For small businesses, especially, ignoring CUI compliance can mean losing contracts, getting flagged during award evaluations, or being shut out of future work altogether.
So what exactly is CUI, and how do you handle it the right way without building a massive IT team? Here’s what it means, what the rules say, and the steps your business should take now to stay eligible and competitive.
CUI is information the federal government wants to protect but doesn’t label as classified. That includes a wide range of contract-related data, like:
Technical specs and engineering data
VA medical records
Procurement schedules
Legal or financial details
Research tied to government funding
You won’t always get a big red warning label when you’re dealing with CUI. Sometimes it’s buried in attachments or email chains. If the agency considers the data protected, you’re responsible for securing it, no matter how you received it.
A lot of first-time contractors assume cybersecurity is only a concern for major defense firms. But that’s not the case anymore. Even if you’re bidding as a subcontractor, managing a single document with CUI makes you subject to federal protection rules. Here’s why you need to care:
Compliance is often baked into the contract. If your bid includes handling CUI and you’re not compliant, you’re disqualified.
You’re on the hook for your systems. Cloud drives, employee laptops, and email tools all need to meet government expectations.
Primes are asking questions. Even before it’s required, large contractors want to know their subs are ready for CUI obligations.
Think of it like filing your taxes: you can do it yourself, but mistakes cost you time and money.
The main rulebook for CUI protection is NIST Special Publication 800-171. It includes 110 security controls you’re expected to implement. These come from Revision 2, which is still the active version required under DFARS 252.204-7012. Revision 3 was published in May 2024, but it hasn’t been adopted contractually yet.
Key control areas include:
Access control: Who can access your systems and files?
Audit and accountability: Can you track who’s seen or changed CUI?
System and communications protection: Is your data encrypted and monitored?
Incident response: Do you have a plan if something goes wrong?
Most small businesses don’t have all of this built in, but that doesn’t mean you’re disqualified. The government wants to see that you have a plan, known as a System Security Plan (SSP), and that you’re actively improving your systems.
CMMC, or Cybersecurity Maturity Model Certification, is how the Department of Defense checks whether contractors are actually implementing NIST 800-171.
Here’s what you need to know:
CMMC Level 2 applies to most DoD contracts involving CUI
Third-party assessments from certified C3PAOs will be required for most contractors at this level
Rollout starts in fiscal year 2025 and expands through 2028
Subcontractors are included, even if the prime handles most of the work
This is already influencing contract decisions. Many primes are requiring subs to show readiness now to stay on teaming lists.
And compliance isn’t cheap. C3PAO assessments for Level 2 typically cost between $50,000 and $80,000 depending on your setup. That’s why many businesses are starting early, before a contract forces them to.
You don’t need a dedicated security team to stay compliant, but you do need to take real action. Here’s where to start:
Check your contracts and solicitations. Look for DFARS 252.204-7012. That’s your CUI signal. Don’t confuse it with FAR 52.204-21, which applies to FCI, not CUI.
Perform a NIST 800-171 assessment. Then submit your score to SPRS, the Supplier Performance Risk System. This is required for many defense contracts.
Build a System Security Plan. This document shows how you’re securing data, where your gaps are, and how you plan to fix them.
Work toward implementation. You don’t need to be perfect, but you do need to be progressing and able to show your steps.
Get help if needed. You can work with advisors or managed IT providers to meet the requirements without overbuilding.
Craig Williams launched a financial consulting firm focused on the VA. Within three weeks of SAM registration, he landed his first contract. However, to stay eligible for future VA work, his SDVOSB firm needed to meet CUI handling requirements, including secure user access controls and audit logs.
With USFCR’s help, Craig implemented the right policies, built a System Security Plan, and submitted his score to SPRS. That foundation helped him win seven VA contracts in under a year.
If I don’t handle CUI today, do I still need to prepare?
Yes. CUI requirements often show up suddenly in new contracts or teaming agreements. Preparing now makes you more competitive and protects you from being caught off guard.
Can I just say I’m working on it?
Not anymore. Agencies want to see documentation, including your SSP, SPRS score, and evidence of progress.
Is this just a defense issue?
No. The VA, DHS, GSA, and other civilian agencies also issue contracts involving CUI. It’s becoming standard across many sectors.
How do I submit my SPRS score?
You’ll need to complete a self-assessment using NIST 800-171 and submit the score through the Procurement Integrated Enterprise Environment (PIEE) into the Supplier Performance Risk System.
If you’re new to federal contracting or unsure whether your current systems meet CUI requirements, now’s the time to act. USFCR can help you evaluate your setup, build a System Security Plan, and get your SPRS score submitted.
CUI compliance is quickly becoming a deal-breaker for many awards. Getting ahead of it now gives you an edge.