How to Identify and Protect CUI: A Guide for NC Manufacturing Contractors

Learn to identify and protect Controlled Unclassified Information in manufacturing. Marking requirements, handling procedures, and common mistakes. Call (336) 886-3282.


Controlled Unclassified Information (CUI) in manufacturing includes technical drawings, specifications, test data, procurement information, and other sensitive but unclassified data that requires safeguarding under federal regulation. For North Carolina defense contractors, correctly identifying CUI is the essential first step toward NIST 800-171 compliance and CMMC certification, as you cannot protect what you have not identified.

Key takeaway: According to DoD Instruction 5200.48 and the DoD CUI Program, Controlled Unclassified Information must be identified, marked, and protected in accordance with 32 CFR Part 2002. The originator of information is responsible for determining at the time of creation whether it falls into a CUI category, making proper identification a daily responsibility for manufacturing personnel.

With North Carolina hosting significant defense industry activity and DoD investment of $5.6 billion annually, manufacturers throughout the Piedmont Triad, Charlotte, and Research Triangle who handle government contract data must understand their CUI obligations. Failure to properly identify and protect CUI can result in contract loss, False Claims Act liability, and CMMC certification denial.

Need help identifying and protecting CUI? Preferred Data Corporation provides comprehensive CUI assessment and protection services for North Carolina defense contractors. Call (336) 886-3282 or schedule your assessment.

Understanding CUI in Manufacturing

What Qualifies as CUI

CUI is any unclassified information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. The CUI Registry maintained by the National Archives provides the official list of CUI categories and subcategories.

For manufacturing contractors, the most common CUI categories include:

Controlled Technical Information (CTI): Technical data or computer software with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination per DFARS 252.204-7012.

Export Controlled Information: Technical data subject to International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR).

Proprietary Business Information: Cost and pricing data, source selection information, and procurement-sensitive details provided under contract.

Critical Infrastructure Information: Details about manufacturing processes, facility layouts, or capabilities that could aid adversaries.

CUI in Daily Manufacturing Operations

For a North Carolina manufacturer working on defense contracts, CUI commonly appears in:

  • Engineering drawings and CAD files with defense specifications
  • Material specifications and test reports
  • Manufacturing process documents and work instructions
  • Quality inspection records and certificates of conformance
  • Purchase orders referencing controlled specifications
  • Shipping and handling instructions for defense items
  • Communication (email, chat) discussing technical details
  • Photographs of defense-related components or processes
  • Meeting notes from program reviews
  • Vendor correspondence about controlled items

CUI Identification Process

Step 1: Review Contract Requirements

Your contract documents specify what information requires protection:

  • [ ] Review DFARS clauses (252.204-7012, 252.204-7019, 252.204-7020)
  • [ ] Identify CUI specification in the Statement of Work
  • [ ] Check DD Form 254 (if applicable) for classification guidance
  • [ ] Review any CUI attachment lists provided by the prime contractor
  • [ ] Identify flow-down requirements to subcontractors

Step 2: Map Information Flows

Document where CUI enters, resides, and leaves your organization:

  • [ ] Inbound: How does CUI arrive? (Email, portal, physical delivery)
  • [ ] Processing: Where is CUI stored and processed? (File servers, ERP, CAD systems)
  • [ ] Personnel: Who accesses CUI? (Engineers, quality, production, shipping)
  • [ ] Outbound: How does CUI leave? (Email, uploads, physical shipment)
  • [ ] Archive: Where is completed project CUI stored?

Step 3: Categorize Information Types

For each information type in your environment, determine:

  1. Is this information related to a government contract?
  2. Does the contract include DFARS 252.204-7012 or similar clauses?
  3. Does the information contain technical data, specifications, or test results?
  4. Would disclosure of this information harm national security interests?
  5. Is the information marked by the government or prime contractor?

Preferred Data Insight: For North Carolina manufacturers in the Piedmont Triad, we find that CUI typically represents 15-40% of total organizational data. The key is accurately scoping your CUI environment rather than either over-identifying (expensive to protect everything) or under-identifying (compliance risk).

CUI Marking Requirements

Document Marking Standards

According to the DoD CUI Marking Job Aid and DCSA marking guidance, documents containing CUI must include:

Banner Marking: Place "CUI" or "CONTROLLED" at the top and bottom of each page.

CUI Designation Indicator Block: Place at the bottom of the first page or cover page:

CUI
Controlled By: [DoD Component]
CUI Category: [e.g., CTI, EXPT]
Distribution/Dissemination Control: [Distribution Statement]
POC: [Point of Contact]

Portion Marking (Recommended): Mark individual paragraphs or sections containing CUI with "(CUI)" at the beginning of the portion. While optional, portion marking is strongly recommended to help recipients identify exactly which content requires protection.

Electronic File Marking

Digital files require:

  • CUI designation in document headers/footers
  • CUI in filename or metadata where practical
  • CUI marking in email subject lines when transmitting CUI
  • CUI labels in document management systems
  • CUI watermarks on sensitive drawings (where practical)

Email Marking

When transmitting CUI via email:

  • Subject line must include "CUI" designation
  • Body must include CUI banner marking
  • Attachments must be individually marked
  • Encryption must be enabled (TLS 1.2+ minimum)
  • Recipients must be authorized to receive CUI
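As an added example (not code from the original guide or from Preferred Data), the following Python checks text-extracted document pages against the banner and designation indicator block rules above, and an outbound email against the subject, body and attachment rules. The sample pages, field values and the "[placeholder]" convention for an unfilled block are constructed for the example.

```python
import re

# Banner line: "CUI" or "CONTROLLED" alone on a line (page top and bottom).
BANNER_RE = re.compile(r"^\s*(CUI|CONTROLLED)\s*$", re.IGNORECASE)
# Fields of the CUI designation indicator block on the first page.
REQUIRED_FIELDS = ("Controlled By", "CUI Category",
                   "Distribution/Dissemination Control", "POC")


def check_document_marking(pages):
    """Return marking findings for a document given as a list of page texts
    (empty list = banner on every page and designation block complete)."""
    findings = []
    for n, page in enumerate(pages, start=1):
        lines = [ln for ln in page.splitlines() if ln.strip()]
        if not lines or not BANNER_RE.match(lines[0]):
            findings.append(f"page {n}: missing CUI banner at top")
        if not lines or not BANNER_RE.match(lines[-1]):
            findings.append(f"page {n}: missing CUI banner at bottom")
    first = pages[0] if pages else ""
    for fld in REQUIRED_FIELDS:
        m = re.search(rf"^{re.escape(fld)}:[ \t]*(.*)$", first,
                      re.MULTILINE | re.IGNORECASE)
        value = m.group(1).strip() if m else ""
        if not value or value.startswith("["):  # "[placeholder]" = unfilled
            findings.append(f"designation block: '{fld}' missing or unfilled")
    return findings


def check_email_marking(subject, body, attachments):
    """Email rules: CUI in the subject, a banner in the body, and complete
    markings on each attachment (dict of name -> list of page texts)."""
    findings = []
    if not re.search(r"\bCUI\b", subject):
        findings.append("subject line lacks CUI designation")
    if not any(BANNER_RE.match(ln) for ln in body.splitlines()):
        findings.append("body lacks CUI banner marking")
    for name, pages in attachments.items():
        findings += [f"{name}: {f}" for f in check_document_marking(pages)]
    return findings


# Constructed sample pages (not real contract data).
GOOD_PAGE = ("CUI\nTest Report TR-0001, lot 42 tensile results\nCUI\nControlled By: Example DoD Component\n"
             "CUI Category: CTI\nDistribution/Dissemination Control: DISTRIBUTION STATEMENT D\n"
             "POC: J. Doe, Quality Manager\nCUI")
# Bottom banner missing and POC left as a template placeholder.
BAD_PAGE = ("CUI\nProcess sheet for part 1234\nCUI\nControlled By: Example DoD Component\n"
            "CUI Category: CTI\nDistribution/Dissemination Control: DISTRIBUTION STATEMENT D\n"
            "POC: [Point of Contact]")
```

A mail gateway or DLP rule can apply the same logic to block an outbound message whose subject lacks the designation while its attachments carry CUI banners.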

CUI Handling Procedures

Storage Requirements

CUI must be stored in environments meeting NIST 800-171 controls:

Physical storage:

  • Locked containers or rooms with controlled access
  • Clean desk policies for CUI documents
  • Visitor escort procedures in CUI areas
  • Shredding (cross-cut) for CUI disposal

Digital storage:

  • Encrypted storage (FIPS 140-2 validated)
  • Access controls limiting CUI to authorized personnel
  • Audit logging of all CUI access
  • Backup procedures with encrypted off-site copies

Transmission Requirements

CUI must be protected during transmission:

Electronic transmission:

  • Email: Encrypted (TLS 1.2+, or S/MIME for sensitive CUI)
  • File transfer: SFTP, HTTPS, or encrypted VPN
  • Cloud storage: FedRAMP Moderate (minimum) or equivalent
  • Fax: Confirm recipient is present (not recommended)

Physical transmission:

  • Opaque sealed packaging
  • Tracking with delivery confirmation
  • Recipient authorized to receive CUI
  • No CUI marking visible on outer packaging

Destruction Requirements

When CUI is no longer needed:

  • Paper: Cross-cut shredding (1mm x 5mm maximum particle size)
  • Electronic media: NIST 800-88 sanitization (clear, purge, or destroy)
  • Hard drives: Physical destruction or certified wiping
  • USB drives: Physical destruction recommended
  • Cloud data: Provider-certified deletion with verification

Common CUI Mistakes in Manufacturing

Mistake 1: Failing to Identify CUI in Informal Communications

When engineers discuss technical specifications via unsecured email, text messages, or personal devices, they create CUI spills. All discussions of controlled technical information must occur through protected channels.

Fix: Train all technical staff to recognize when conversations involve CUI and route those discussions through approved, encrypted communication channels.

Mistake 2: Storing CUI on Personal Devices

Saving CUI files to personal laptops, USB drives, or personal cloud accounts (Dropbox, Google Drive) violates handling requirements and creates uncontrolled copies.

Fix: Implement DLP (Data Loss Prevention) controls and clear policies prohibiting CUI on unapproved devices. Provide approved mobile access through managed devices.

Mistake 3: Not Marking Internally Generated CUI

Many manufacturers mark CUI they receive from the government or prime contractor but fail to mark CUI they generate themselves (test reports, manufacturing process documents, quality records derived from controlled specs).

Fix: Train employees that any information derived from or related to CUI-marked source material is also CUI and requires appropriate marking.

Mistake 4: Over-Identifying CUI (Scope Creep)

Some organizations mark everything as CUI "just to be safe," which increases compliance costs dramatically and desensitizes employees to CUI handling requirements.

Fix: Apply CUI markings only to information that actually meets CUI category definitions. General business information, publicly available technical data, and non-contract materials are not CUI.

Mistake 5: Ignoring CUI in Legacy Systems

Historical project data stored in older systems (legacy file servers, outdated ERP modules, archived email) often contains CUI that is not properly protected or marked.

Fix: Conduct data archaeology to identify CUI in legacy systems. Either migrate to protected environments, apply appropriate controls, or dispose of data that is no longer needed per retention requirements.

Building a CUI Protection Program

Phase 1: Discovery (Months 1-2)

  • [ ] Inventory all contracts with DFARS CUI requirements
  • [ ] Map CUI data flows throughout the organization
  • [ ] Identify all systems that store, process, or transmit CUI
  • [ ] Catalog personnel with CUI access
  • [ ] Document current marking and handling practices

Phase 2: Scope Definition (Months 2-3)

  • [ ] Define CUI system boundary for NIST 800-171
  • [ ] Identify systems that can be excluded from scope
  • [ ] Document shared systems requiring segmentation
  • [ ] Establish CUI enclave architecture (if applicable)
  • [ ] Create data flow diagrams for assessment documentation

Phase 3: Controls Implementation (Months 3-12)

  • [ ] Implement access controls for CUI systems
  • [ ] Deploy encryption for CUI storage and transmission
  • [ ] Configure audit logging for CUI access
  • [ ] Establish marking procedures and templates
  • [ ] Train all CUI-handling personnel
  • [ ] Implement physical protection controls

Phase 4: Ongoing Management

  • [ ] Annual CUI handling training for all personnel
  • [ ] Quarterly access reviews for CUI systems
  • [ ] Regular marking compliance audits
  • [ ] Incident response procedures for CUI spills
  • [ ] Contract review for new CUI requirements

How Preferred Data Protects CUI for NC Manufacturers

With 37 years serving North Carolina businesses and a BBB A+ rating, Preferred Data Corporation helps defense contractors throughout High Point, Greensboro, Winston-Salem, Charlotte, Raleigh, Durham, and the Piedmont Triad identify, mark, and protect CUI to NIST 800-171 standards.

Our CUI protection services include:

  • CUI identification and data flow mapping
  • System boundary definition for NIST 800-171 compliance
  • Cybersecurity controls implementation for CUI environments
  • Cloud solutions with FedRAMP-equivalent protection
  • Managed IT services maintaining ongoing CUI protection
  • Employee training on CUI identification and handling
  • Marking templates and procedure documentation
  • CMMC assessment preparation and support

Protect your CUI and maintain contract eligibility. Call (336) 886-3282 or schedule your CUI assessment.

Frequently Asked Questions

How do I know if my manufacturing company handles CUI?

If your company holds a DoD contract or subcontract with DFARS clause 252.204-7012, you almost certainly handle CUI. Review your contracts for references to Controlled Technical Information, controlled specifications, or export-controlled data. If you manufacture parts to military specifications, create test data for defense items, or receive engineering drawings from defense primes, that information is likely CUI.

Who is responsible for marking CUI in a manufacturing environment?

The originator of information is responsible for determining if it qualifies as CUI and applying appropriate markings at the time of creation. For information received from the government or prime contractor, that entity should provide markings. For information you generate (test reports, process documents), your employees must apply markings based on whether the content derives from or relates to CUI source material.

Can CUI be stored in commercial cloud services like Microsoft 365?

Standard commercial cloud services do not meet CUI protection requirements. Microsoft 365 GCC (Government Community Cloud) or GCC High environments provide the appropriate security controls for CUI storage and processing. Other options include FedRAMP Moderate authorized cloud services. Standard business-tier cloud services lack the necessary access controls, encryption standards, and audit capabilities.

What happens if CUI is accidentally disclosed to unauthorized persons?

CUI spills require immediate response: notify your security officer, document the incident, assess the scope of exposure, and report to the contracting officer if required by your contract. Implement corrective actions to prevent recurrence. Repeated or negligent CUI spills can affect your CMMC certification and contract eligibility.

How much does a CUI protection program cost for a small NC manufacturer?

Initial CUI program development for a small manufacturer (25-100 employees) typically costs $30,000-$80,000, including system upgrades, policy development, and training. Ongoing annual costs for managed security, monitoring, and compliance maintenance typically range from $2,000-$5,000 per month. These costs are significantly less than the revenue at risk from losing defense contract eligibility.
