
Classified vs. Unclassified Data: Understanding the Government Data Hierarchy & Where CMMC Fits

  • January 27, 2026
Author

Emily Bonnie

Senior Content Marketing Manager

One of the most common points of confusion we hear from defense contractors preparing for CMMC is surprisingly basic: What kind of data are we actually required to protect?

Many organizations assume security rules only apply to classified information. Then CMMC enforcement enters the picture, and suddenly they are being told to secure systems that handle “unclassified” data. That feels contradictory until you understand how the government actually categorizes and protects information.

The reality is that classified versus unclassified is only the first cut. A large amount of unclassified government information still requires strict safeguards, and that is exactly the gap CMMC was designed to address.

This article breaks down the hierarchy of government data in plain language so you can understand what sits where, what applies to most defense contractors, and how CMMC fits into the picture.

The big picture: How government data is categorized

To make sense of CMMC requirements, it helps to start with the simplest possible model of how the government categorizes information. At a high level, government information falls into three broad categories.

First is classified information. This is information formally designated by the government as requiring the highest level of protection for national security reasons.

Second is unclassified information that still requires protection. This is the category most defense contractors operate in, and it is where Controlled Unclassified Information lives.

Third is unclassified information with no special handling requirements. This information may still be sensitive from a business perspective, but it does not trigger federal safeguarding requirements.

CMMC exists to address the second category.

| Category | Level | Description | Examples | Protection Requirements |
|---|---|---|---|---|
| CLASSIFIED | Top Secret (TS) | Disclosure could cause exceptionally grave damage to national security | Nuclear weapons designs, intelligence sources/methods, war plans, SAP programs | SCIFs required, TS clearance, strict need-to-know, special access programs (SAPs) |
| CLASSIFIED | Secret (S) | Disclosure could cause serious damage to national security | Military operational plans, weapons system vulnerabilities, diplomatic cables | Secret clearance, secure facilities, encrypted transmission, SIPRNet access |
| CLASSIFIED | Confidential (C) | Disclosure could cause damage to national security | Troop movements, certain technical manuals, some foreign government info | Confidential clearance, locked storage, controlled access, SIPRNet |
| CONTROLLED UNCLASSIFIED INFORMATION (CUI) | CUI | Sensitive but unclassified info that requires safeguarding per law, regulation, or government policy | Export-controlled data (ITAR/EAR), proprietary contractor data, PII, technical data, FOUO-type info | CMMC Level 2, NIST 800-171 (110 controls), encryption, access controls, audit logging, CUI markings |
| UNCLASSIFIED | FCI (Federal Contract Info) | Non-public info provided by or generated for government under contract | Contract terms, non-technical project info, basic deliverables, schedules | CMMC Level 1, FAR 52.204-21 (15 safeguarding requirements), basic cyber hygiene |
| UNCLASSIFIED | Public | No restrictions on disclosure | Press releases, published reports, public-facing websites, FOIA releases | None required |

Classified information: What it is and why most contractors do not handle it

Classified information is information that the U.S. government has formally determined requires protection against unauthorized disclosure for national security reasons. It is labeled as Confidential, Secret, or Top Secret depending on the level of potential damage disclosure could cause.

Access to classified information requires security clearances, accredited facilities, and highly controlled environments. Organizations that handle classified data operate under entirely different rules, contracts, and oversight structures than most commercial defense contractors.

If your organization handles classified information, you already know it. Classified data does not quietly appear in your environment by accident — it is deliberately introduced into accredited systems and facilities.

For most defense contractors subject to CMMC, classified information is not the issue. The real complexity starts below this line.

Unclassified does not mean unprotected

Once information is deemed unclassified, many organizations assume it does not require special safeguards. This is where misunderstandings begin.

The government generates and shares vast amounts of information that does not meet the bar for classification but would still cause harm if exposed, stolen, or mishandled. That harm might include risks to military operations, supply chain security, export controls, or critical technologies.

To address this gap, the government created a separate category for unclassified information that still requires protection.

Controlled Unclassified Information (CUI): The center of the hierarchy

Controlled Unclassified Information, or CUI, is unclassified information that requires safeguarding or dissemination controls under federal law, regulation, or policy.

CUI is not a single type of data. It is an umbrella category that includes many different kinds of sensitive government information. What ties them together is that they are unclassified but still important enough to require protection.

Examples of why CUI exists include preventing adversaries from gaining insight into military capabilities, protecting sensitive technical data, and limiting the spread of information that could be misused if broadly shared.

For defense contractors, this matters because CUI routinely flows down through contracts. You may receive CUI directly from the government, or you may generate it yourself while performing contract work.

This is the data CMMC is designed to protect.

Recommended reading

What You Need to Know About Controlled Unclassified Information (CUI): Categories, Controls, and Compliance

How classification determines where data is allowed to live

One reason information classification feels so abstract is that it does not just determine who can see data. It determines where that data is allowed to exist at all.

Highly classified information is handled in purpose-built environments designed specifically for national security data. These environments are physically and logically isolated from the public internet and from commercial IT systems. Access is controlled not only by a person’s clearance, but also by the security of the facility, hardware, and network being used.

In practice, this means classified information moves through dedicated networks that exist solely to handle that classification level. These networks may look similar to the internet in how data is routed and transmitted, but they are completely separate in infrastructure, access controls, and oversight.

This separation is intentional. Classified data is protected primarily through isolation. If a system is not accredited for classified use, that data is not allowed to touch it. Unclassified sensitive data is protected through security controls instead.

You may hear references to networks like JWICS or SIPRNet when discussing classified information. These are government-operated networks designed for specific classification levels and accessed only from approved secure facilities. Most defense contractors will never connect to them directly, and they are not part of CMMC scope.

Unclassified information, including CUI, does not move through classified networks. Instead, it typically lives in commercial environments such as cloud platforms, contractor-managed systems, email, collaboration tools, and engineering applications.

This does not mean the data is unimportant. It means the government has chosen a different protection model.

Rather than isolating CUI onto separate, classified-only networks, the Department of Defense requires contractors to apply consistent security controls to the systems where CUI actually lives. Encryption, access control, logging, configuration management, and incident response are used to reduce risk in environments that were not originally designed for sensitive government data.

CMMC does not attempt to turn contractor systems into classified networks. Instead, it defines a baseline level of security that must be enforced wherever CUI is handled in commercial environments.

Common types of unclassified but protected information contractors encounter

Defense contractors often encounter several different labels for unclassified information that requires safeguards. While the terminology can vary, the underlying expectation is consistent.

Controlled Technical Information is one common example. This includes technical data and software with military or space applications that is subject to access or dissemination controls. Engineering drawings, specifications, and source code frequently fall into this category.

Export-controlled information is another. Data governed by ITAR or EAR may not be classified, but it is still tightly regulated due to national security and foreign policy concerns. Improper access or disclosure can carry serious penalties.

Covered Defense Information, or CDI, is the term used in DFARS 252.204-7012 to describe certain types of unclassified information that require protection. In practice, CDI often overlaps heavily with CUI and is safeguarded using the same controls.

While these labels matter for legal and contractual reasons, CMMC does not require you to become an expert in every acronym. What matters is whether the information you handle requires protection and whether your systems enforce appropriate safeguards.

Where CMMC fits into this classification hierarchy

CMMC does not create new categories of sensitive information. Instead, it formalizes how defense contractors must protect CUI.

At Level 2, CMMC requires organizations to implement the security requirements defined in NIST SP 800-171. These controls address areas like access control, audit logging, configuration management, incident response, and system integrity.

In simple terms, CMMC exists to ensure that contractors are consistently protecting unclassified information that still matters to the Department of Defense.

CMMC is not about classified systems, and it is not about securing every piece of data your company touches. It is about protecting CUI wherever it lives, whether that is in cloud systems, endpoints, shared drives, or enclaves.

Unclassified information with no special handling requirements

At the bottom of the hierarchy is unclassified information that does not require special federal safeguards.

This might include publicly available information, marketing materials, general business communications, or internal data that is not tied to government contracts or sensitive technical work.

This distinction is important because over-scoping can create unnecessary cost and complexity. Not every system needs to meet CMMC requirements, and not every document is CUI.

Assessors expect organizations to understand what data they handle and why certain systems are in scope. Treating everything as sensitive can be just as problematic as underestimating your obligations.

Why understanding the classified vs. unclassified data hierarchy matters for CMMC assessments

Misunderstanding the data hierarchy often leads to one of two problems.

Some organizations underestimate their obligations and fail to protect systems that handle CUI. This leads to gaps during assessment and delays certification.

Others overcorrect and attempt to apply CMMC controls to their entire environment. This increases cost, operational friction, and assessment scope without providing additional security value.

Clear data categorization helps organizations define accurate scope, design appropriate enclaves when needed, and demonstrate to assessors that they understand their environment. In some cases, organizations use CUI enclaves to limit scope by isolating systems that handle CUI from the rest of the business environment. Enclaves are not required, but they can be an effective way to reduce compliance cost and complexity when only a portion of the organization handles sensitive data.

Assessors are not just looking for controls. They are looking for intent, awareness, and consistency.

Recommended reading

What Is a CUI Enclave? How Enclaves Can Simplify NIST 800-171 and CMMC 2.0 Compliance

The takeaway for defense contractors

You do not need to become an expert in classification law or memorize every government acronym. What you do need is a clear understanding of the hierarchy of information you handle.

When you can confidently answer what data you handle, where it lives, and why it requires safeguards, CMMC becomes much easier to navigate. Instead of feeling like a mystery, it becomes a framework for enforcing protections that already make sense.

Once you understand the hierarchy of classified, controlled, and unclassified information, the next challenge is determining where that information actually lives in your environment. That is what scoping is all about. It is the process of identifying which systems, users, and workflows touch CUI so you can apply the right controls in the right places.

Our guide to CMMC scoping walks through how to identify which systems are in scope and avoid common mistakes that derail assessments.

Recommended reading

An Expert’s Guide to CMMC Scoping & Asset Categorization for Level 2 Assessments

FAQs

Do defense contractors handle classified information?

Most defense contractors do not handle classified information. Classified data is only accessed within accredited facilities and systems and requires cleared personnel. If your organization handles classified information, you already know it because it is deliberately introduced into secure environments.

For the vast majority of contractors subject to CMMC, classified data is not in scope.

What is the difference between classified information and CUI?

Classified information is formally designated as Confidential, Secret, or Top Secret and is protected through isolation in secure networks and facilities.

Controlled Unclassified Information (CUI) is not classified, but it still requires protection under federal law or regulation. CUI is typically handled in commercial IT systems and protected through security controls rather than physical isolation.

If CUI is unclassified, why does it need to be protected?

Unclassified does not mean unrestricted. CUI includes information that could cause harm if exposed, such as sensitive technical data, export-controlled information, or proprietary contract information.

CMMC exists to ensure this type of unclassified but sensitive information is protected consistently when it lives in commercial systems.

Do contractors need to use classified networks like SIPRNet or JWICS for CMMC?

No. Classified networks like SIPRNet and JWICS are used only for classified information and are accessed from secure government or contractor facilities.

CMMC applies to unclassified environments where CUI is handled, such as cloud platforms, endpoints, and internal business systems. Contractors are not expected to operate classified networks to meet CMMC requirements.

How do I know if my organization handles CUI?

CUI is often identified in contracts, flowdown requirements, data markings, or by the nature of the work being performed. In some cases, organizations generate CUI themselves while executing a contract.

If you are unsure whether you handle CUI, reviewing contract language and data workflows is an important first step.

Do all systems in my environment need to meet CMMC requirements?

Systems that store, process, or transmit CUI, or that directly support those systems, are in scope for CMMC.


Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.