What is Controlled Unclassified Information or CUI?

Simply stated, controlled unclassified information (CUI) is information held by the federal government which is sensitive but unclassified.

Federal contractors routinely process, store, and transmit sensitive federal information in their systems to support the delivery of essential products and services to federal agencies. In 2010, an executive order and subsequent regulations were put into place to safeguard this information with new controlled unclassified information (CUI) requirements. If you like reading federal executive orders, click the link to read more.

What are the CUI Compliance Requirements?

CUI compliance essentially means being able to pass an audit when measured against NIST SP 800-171. It covers the protection of sensitive federal information that resides on nonfederal systems and in nonfederal organizations. Failure to comply with these security controls can directly impact the ability of the federal government to carry out its designated missions and business operations, including those missions and functions related to critical infrastructure.

CUI – Protect it or Lose the Business

While organizations still need to protect CUI, the system and process for demonstrating that protection is now called the Cybersecurity Maturity Model Certification (CMMC).

Defense Cybersecurity Assistance Program

If you are a Maryland defense contractor with a physical location in Maryland and either 10% or more of your business is DoD related OR you have a contract/procurement request requiring compliance, you may qualify for the program.

CUI Compliance is no longer a suggestion

CUI has become more than a suggestion for federal contractors. Compliance is mandated for all federal contractors, as well as non-profits and subcontractors that receive federal funding. These mandatory corporate and organizational requirements come from the CUI program, DFARS, and NIST SP 800-171, Revision 1.

The CUI requirements apply to all components of federal and nonfederal information systems and organizations that possess, store, or transmit CUI. If your organization provides protection or security for these systems, the requirements also apply to you.

At Duffy Compliance Services, we are deep into the compliance world. We see demand increasing as large prime contractors and their subcontractors are forced to show compliance, because their contracts can be removed or eliminated unless compliance is demonstrated. As the emphasis on cybersecurity increases, we are encountering a larger number of small business subcontractors asking what they can do to ensure compliance.

Are your IT Staff Compliance Experts?

Chances are, they are not. Get them the support they need to be sure your data is safe.

CUI Compliance testing – The process

Compliance starts with a gap analysis: where you are now with your current policies, platform, infrastructure, operations, and training.

We build a plan of action and milestones (POA&M) to help you fill in the discovered gaps.

  • We test the implementation of the remediation.
  • We train for security awareness.
  • We identify and confirm security roles and responsibilities.

The deliverables are the policies, procedures, tests, and a tracking system for compliance status, all bundled in a “compliance package” that an auditor can use to confirm the organization complies with the security controls the government requires to secure CUI data.

Why Choose Duffy Compliance?

We live this stuff! We bring decades of experience with current NIST security controls and understand system security risk and architecture. We have enterprise-level experience that we can tailor to your organization’s platform to build a best-of-breed solution set unique to your requirements. We have all the background necessary to get CUI compliance requirements met without re-inventing your entire network.

The reason you need Duffy Compliance Services is to give you the peace of mind of knowing that your data is safe and secure. Most of the time, we are called in after a security breach or event. Don’t be the person that closes the barn door after the cows have left the building!

We can help as a fractional compliance officer and with CUI compliance, CMMC, cybersecurity awareness training, Supplier Performance Risk System (SPRS) consulting, and more. We have several decades of cybersecurity and compliance experience in Maryland, the Greater Washington DC area, and beyond.