How to Write a CUI Policy That Meets Federal Requirements [+ Template]

  • August 05, 2025
Author

Emily Bonnie

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Understanding Controlled Unclassified Information (CUI)

CUI refers to sensitive information the U.S. government has not classified but still requires safeguarding or dissemination controls. Examples include export control data, critical infrastructure details, and personally identifiable information (PII) shared under government contract.

The rules for handling CUI are built on several key sources, including:

  • Executive Order 13556, which established the CUI Program
  • 32 CFR Part 2002, the regulation that implements that Executive Order and defines uniform requirements for handling, marking, safeguarding, and decontrolling CUI across federal agencies and contractors
  • DoD Instruction (DoDI) 5200.48, which outlines DoD-specific policies for handling and safeguarding CUI. This instruction supplements the broader government-wide rules defined in 32 CFR Part 2002
  • The CUI Registry, managed by the National Archives and Records Administration (NARA), which lists all CUI subcategories and their specific handling instructions
  • NIST SP 800-171, a framework developed by the National Institute of Standards and Technology with security requirements for protecting CUI in non-federal information systems
  • The DFARS 252.204-7012 clause, which requires defense contractors to implement NIST 800-171 to protect CUI in covered defense systems
  • The DoD CIO Level 2 and Level 3 Scoping and Assessment Guides, which provide detailed guidance on how to scope CUI environments and evaluate control implementation for organizations preparing for CMMC assessments. 

Together, these sources form the foundation of how CUI must be managed, both within the United States government and by the contractors who support federal agencies.

The CUI Registry and categories of CUI

The CUI Registry is a centralized catalog maintained by NARA that lists all categories and subcategories of CUI. It helps agencies and contractors determine what types of information qualify as CUI and what specific handling requirements apply.

CUI is broken into two types:

  • CUI Basic: This is the default level. It must be protected according to NIST 800-171, but has no additional safeguarding requirements beyond those.
  • CUI Specified: This type has added requirements based on laws, regulations, or government-wide policies. For example, export-controlled information under ITAR has stricter dissemination controls than basic CUI.

Your CUI policy needs to address how your organization identifies these distinctions and ensures each type is handled appropriately.

What is a CUI policy and when do you need one?

A CUI policy is a formal document that outlines how your organization complies with federal requirements for handling CUI. It defines internal responsibilities, processes, and technical safeguards for protecting CUI throughout its lifecycle, from creation or receipt through storage, transmission, and eventual disposal.

You need a CUI policy if:

  • You directly contract with the Department of Defense (DoD) or other federal agencies
  • You handle federal government data marked as CUI
  • You’re pursuing CMMC Level 2 certification or subject to NIST SP 800-171
  • You’ve accepted contractual clauses like DFARS 252.204-7012

Without a documented CUI policy, it’s nearly impossible to demonstrate compliance during a security assessment.

What to include in your CUI policy + template

A strong CUI policy should clearly define how your organization protects CUI and ensure that everyone who handles it knows exactly what to do, especially during incidents involving unauthorized access to CUI or spillage.

Your policy should align with key federal and agency-specific requirements. For all organizations, the foundational rules for handling, marking, and decontrolling CUI are outlined in 32 CFR Part 2002. If you're working with the Department of Defense, you'll also need to incorporate the additional requirements found in DoD Instruction (DoDI) 5200.48, which applies to all DoD personnel and contractors. Both documents should be referenced alongside NIST SP 800-171 and any contract-specific clauses like DFARS 252.204-7012.

With these reference documents in mind, here’s how to build a policy that’s complete, compliant, and actionable.

1. Purpose and scope

Start by explaining why this policy exists (to meet CUI requirements) and who or what it applies to. This section should clearly define the systems, business units, contractors, and personnel covered.

For example, “This policy establishes the procedures and controls for identifying, handling, and safeguarding Controlled Unclassified Information (CUI) as required under DFARS 252.204-7012 and NIST Special Publication 800-171. It applies to all employees, contractors, and business units who interact with CUI within [Organization Name].”

Consult with your compliance lead, CIO/CISO, and contract management team to understand which parts of the business process or store CUI and under what contracts. Organizations working with the Department of Defense should also reference DoDI 5200.48 when defining the scope of their CUI policy to ensure all DoD-specific handling and marking requirements are incorporated.

2. Roles and responsibilities

Define who is responsible for what when it comes to safeguarding CUI. At a minimum, assign ownership for:

  • Policy development and maintenance
  • Enforcement and oversight
  • Training and user support
  • Access provisioning and deprovisioning
  • Incident response for CUI-related breaches

For example, “The Information Security Manager is responsible for reviewing and updating this policy annually. System Administrators are responsible for implementing access controls on CUI systems.”

When drafting this section, work with your HR, cybersecurity operations, and IT teams to map roles to responsibilities. This ensures accountability and prevents important tasks from falling through the cracks.

3. Identification and classification of CUI

Describe how your organization identifies CUI in data, documents, emails, and systems. Distinguish between CUI Basic and CUI Specified, and reference the CUI Registry as your authoritative guide.

For example, “All contract deliverables received from [Agency] will be reviewed against the CUI Registry. Any export-controlled technical drawings will be classified as CUI Specified and marked accordingly.”

Coordinate with your contracting office, legal team, or program managers to determine what types of CUI you handle and under which contracts. Make sure those classifications are documented and mapped to internal systems.

4. CUI marking requirements

Outline how CUI must be labeled or marked in both digital and physical formats. This includes email markings, document headers/footers, and system banners.

Use examples and visuals if possible. Refer directly to the CUI Registry and NARA marking guides. Be sure to explain marking procedures for both standalone and mixed content (e.g., CUI + FOUO).

In addition to referencing the CUI Registry and NARA marking guidance, DoD contractors should consult DoDI 5200.48, which includes specific instructions for applying CUI markings within DoD environments, including portion marking, banner formats, and dissemination caveats like NOFORN or REL TO.

For example, “All documents containing CUI must include the banner: CONTROLLED // CUI at the top of each page. Emails containing CUI must include ‘CUI’ in the subject line and body header.”

5. Access controls and authentication

Define how access to CUI is granted, monitored, and revoked. Include role-based access controls (RBAC), MFA, session timeouts, and identity verification procedures.

For example, “Access to CUI systems is restricted to personnel assigned to the [Contract Name] project. Access is reviewed quarterly by the system owner and requires multi-factor authentication.”

Work with your IT and identity management teams to detail how access is configured in each relevant system. Clearly define who approves access and how it’s logged or reviewed.

6. Storage and transmission

List technical requirements and approved methods for storing or transmitting CUI, including encryption standards, backup storage procedures, and file sharing platforms.

For example, “CUI must be stored on encrypted drives using AES-256 encryption and transmitted only via secure file transfer platforms authorized by the Information Security team.”

Work with your IT infrastructure or cloud security team to document how CUI is protected in transit (TLS, VPNs) and at rest (FIPS 140-2 validated encryption).

7. Dissemination controls

Describe any dissemination limitations or policies (e.g., “NOFORN” restrictions). Specify whether subcontractors or foreign nationals are allowed to access certain types of CUI.

For example, “CUI designated with a NOFORN dissemination control may not be shared with foreign persons or companies. All third-party sharing must be approved in writing by the Contracting Officer.”

Coordinate with legal and contract management to identify dissemination restrictions tied to specific contracts or CUI categories.
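As an added example (not Secureframe's code and not a reference implementation of DoDI 5200.48), a small Python check that applies the sample marking and dissemination rules from sections 4 and 7 to outgoing material: the page banner, the "CUI" tag in the email subject and body header, and the NOFORN and REL TO caveats. The exact banner string, the "REL TO USA, GBR" syntax, and the recipient country codes are assumptions constructed for the example.

```python
import re

# Sample policy values taken from the article's example policy language.
PAGE_BANNER = "CONTROLLED // CUI"
SUBJECT_TAG_RE = re.compile(r"\bCUI\b")
# NOFORN and REL TO are the caveats the article names; the "REL TO USA, GBR"
# syntax matched here is an assumption made for this example.
CAVEAT_RE = re.compile(r"\bNOFORN\b|\bREL TO\s+[A-Z]{3}(?:\s*,\s*[A-Z]{3})*")


def missing_banner_pages(pages):
    """Return 1-based numbers of pages whose first non-blank line is not the banner."""
    missing = []
    for number, page in enumerate(pages, start=1):
        lines = [ln.strip() for ln in page.splitlines() if ln.strip()]
        if not lines or lines[0] != PAGE_BANNER:
            missing.append(number)
    return missing


def parse_caveats(header):
    """Extract dissemination caveats from a marking line.

    Returns (noforn, rel_to): noforn is True when NOFORN is present,
    rel_to is the set of country codes named in a REL TO caveat (empty if none).
    """
    noforn = False
    rel_to = set()
    for match in CAVEAT_RE.finditer(header):
        token = match.group(0)
        if token == "NOFORN":
            noforn = True
        else:
            rel_to.update(code.strip() for code in token[len("REL TO"):].split(","))
    return noforn, rel_to


def check_email(subject, body, recipients):
    """Check one outbound email against the sample policy.

    recipients is a list of (address, country_code) pairs; the country data is a
    constructed assumption standing in for an HR or identity source.
    Returns a list of finding strings; an empty list means the email is compliant.
    """
    findings = []
    if not SUBJECT_TAG_RE.search(subject):
        findings.append("subject line lacks 'CUI'")
    body_lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    header = body_lines[0] if body_lines else ""
    if not SUBJECT_TAG_RE.search(header):
        findings.append("body header lacks 'CUI' marking")
    noforn, rel_to = parse_caveats(header)
    for address, country in recipients:
        if noforn and country != "USA":
            findings.append(f"NOFORN content addressed to foreign recipient {address}")
        elif rel_to and country not in (rel_to | {"USA"}):
            findings.append(f"recipient {address} ({country}) not covered by REL TO")
    return findings
```

A mail gateway or pre-send hook would call check_email and block or quarantine on a non-empty result; missing_banner_pages serves the same role for documents before release.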

8. Incident response

Explain what happens if CUI is mishandled, lost, or exposed. Outline the steps for detecting, reporting, containing, and remediating incidents involving CUI.

For example, “Any suspected CUI breach must be reported to the Information Security Officer within one hour. If the incident meets DFARS 7012 criteria, the DoD Cyber Crime Center (DC3) must be notified within 72 hours.”

Collaborate with your incident response team or security operations center (SOC) to define responsibilities, reporting timelines, and escalation procedures.

9. CUI training and awareness

Define who needs to be trained, what topics must be covered, and how often training should occur. Include onboarding procedures and recurring refresher training.

For example, “All employees with access to CUI must complete annual CUI awareness training that includes identification, handling, and reporting procedures. Training completion is tracked in the company LMS.”

Coordinate with HR and your compliance lead to document required courses and tracking mechanisms, such as an LMS or training logs.

10. Decontrolling and disposal

Describe how CUI is decontrolled (no longer subject to CUI protections) and how it must be destroyed when no longer needed.

For example, “CUI must be destroyed using NIST 800-88-compliant media sanitization methods. Paper records must be shredded. Decontrolled CUI must be documented and removed from inventory.”

Get input from records management and IT to define proper sanitization methods and reference any legal retention requirements.

11. Special requirements for CUI Specified

If you handle CUI Specified, your CUI policy will need to clearly describe the extra steps you’ve taken beyond the baseline protections outlined in NIST SP 800-171 to comply with the specific laws or regulations that apply.

Start by reviewing the CUI Registry to identify whether any of the CUI categories you work with are marked “Specified.” Then, reference the law or regulation listed as the “authority” for that category. These will tell you if there are additional marking rules, access restrictions, or control procedures you need to follow.

For each applicable law or regulation, your CUI policy should explain what type of information the rule applies to, such as controlled technical information or nuclear facility security details.

It should then describe any additional safeguards that are required, such as stricter dissemination restrictions, mandatory portion markings, or enhanced destruction procedures. Be sure to identify which systems, data flows, or business processes are affected by these special requirements.

Finally, clearly assign responsibility for ensuring compliance with those requirements, whether it falls to a designated data custodian, system owner, compliance officer, or contract manager.

Note: If you support the DoD, DoDI 5200.48 also defines how CUI Specified related to national defense, such as Controlled Technical Information (CTI) or Unclassified Controlled Nuclear Information (UCNI), must be handled. Your policy should incorporate these additional DoD-specific requirements where applicable.

For example, your CUI policy might state, “If Controlled Unclassified Information is categorized as CUI Specified, additional safeguarding and dissemination controls will apply based on the authority listed in the CUI Registry. For example, Unclassified Controlled Nuclear Information (UCNI) will be marked in accordance with Department of Energy guidance and handled according to Atomic Energy Act requirements. Only U.S. persons with a need to know will be granted access.”

CUI Policy Template

This customizable CUI Policy template includes drafting instructions, example copy, and a list of relevant NIST 800-171 controls to reference for each section. Download it to create a complete, assessment-ready CUI policy tailored to your organization.

Putting your CUI policy into practice

Writing your CUI policy is a major step, but it’s only part of the process. To make it truly effective, you need to put that policy into action across your organization.

That means making sure it’s formally approved, shared with the right stakeholders and authorized CUI personnel, incorporated into day-to-day operations, and revisited regularly to stay aligned with evolving requirements.

In this section, we’ll walk through what to do after your policy is drafted to ensure it’s not just a document on paper, but a living part of your CUI program.

Review and approval

Share the policy with internal stakeholders (typically your compliance lead, legal counsel, and executive sponsor) for review and approval. Larger organizations may require sign-off from a governance board or CISO.

Distribute to relevant personnel

Make sure all employees and contractors who handle CUI receive a copy of the policy and confirm they’ve read and understood it. Consider requiring formal acknowledgment, such as a signed statement or LMS confirmation.

Incorporate into employee onboarding

Integrate your CUI policy into new hire onboarding for any roles that may come into contact with CUI. Training should cover what CUI is, how to recognize and properly mark it, how to store and transmit it securely, and what to do in the event of a suspected breach or mishandling. Personnel should also be familiar with your organization’s specific procedures for applying banner markings, using secure collaboration tools, and reporting any CUI-related incidents.

Review and update at least annually

Set a recurring calendar reminder to review and revise the policy at least once a year, or whenever a relevant regulation, contract, or system change occurs. Document all revisions with a version control section within the CUI policy.

Implement regular CUI training

Include CUI training as part of your annual compliance training cycle, and document completion in training logs. For easy reference, link your CUI policy and supporting documentation within your internal compliance portal or training materials.

From CUI policy to full federal compliance

Writing a CUI policy is a foundational step toward federal compliance, but it’s only one step in the journey. Whether you’re preparing to bid on defense contracts, supporting a law enforcement partner, or handling sensitive data in a government cloud environment, your organization will need to meet a broader set of requirements that go beyond just safeguarding CUI.

While Secureframe does not currently store CUI and is not intended to, our platform can help you take the next steps by automating much of the manual work required for compliance with federal frameworks like NIST 800-53, NIST 800-171, CMMC 2.0, FedRAMP, CJIS, GovRAMP, and more. By combining expertise, automation, and comprehensive support, we’ve helped companies achieve compliance with federal frameworks up to 70% faster.

  • Automated monitoring and evidence collection: Secureframe integrates with your existing tech stack, including AWS GovCloud, Microsoft GCC High, Azure Government, and Entra ID, to automatically collect evidence and continuously monitor your tech stack for nonconformities.
  • Simplified document management: Generate your SSP and POA&M to simplify control documentation and remediation tracking. You can also access a library of policy and procedure templates created by federal assessors.
  • Trusted partner network: Our Partner Network includes trusted 3PAOs and C3PAOs that can support CMMC, FISMA, FedRAMP, and other federal assessments.
  • Federal compliance expertise: Secureframe’s dedicated, world-class support team of former FISMA, FedRAMP, and CMMC assessors and consultants guide you through federal readiness and keep the platform up-to-date on the latest changes to federal compliance requirements.
  • In-platform training: Deliver in-platform, proprietary employee training that meets federal requirements including insider threat, information spillage, anti-counterfeit training, and role-based training such as secure coding.

Learn more about why Secureframe is the leader in federal compliance by scheduling a demo with a compliance expert.

FAQs

What is a CUI policy?

A CUI policy is a formal document that outlines how your organization identifies, handles, stores, shares, and protects Controlled Unclassified Information (CUI). It defines the internal procedures and responsibilities needed to comply with federal requirements like NIST SP 800-171 and DFARS 252.204-7012.

Which instruction sets the policy for CUI?

The government-wide CUI Program is governed by 32 CFR Part 2002, which implements Executive Order 13556 and outlines how CUI must be marked, safeguarded, and decontrolled.

For Department of Defense contractors and personnel, the key DoD-specific instruction is DoDI 5200.48. It supplements the CUI Program with additional requirements specific to handling CUI in the DoD environment, including marking guidance, dissemination restrictions, and responsibilities for defense contractors.

What are examples of CUI?

Examples of CUI include:

  • Export-controlled technical data
  • Law enforcement sensitive records
  • Critical infrastructure information
  • Sensitive financial or tax records
  • Unclassified nuclear facility details
  • Health records governed by federal law (in a federal context)

You can find the full list of CUI categories in the CUI Registry.

How to determine if something is CUI?

To determine if information qualifies as CUI, check whether it falls under a category listed in the CUI Registry and is subject to safeguarding or dissemination controls under federal law, regulation, or government-wide policy. You should also review contract language and consult your agency or contracting officer when in doubt.

What are the rules for storing CUI?

CUI must be stored using security controls defined in NIST SP 800-171, including access restrictions, encryption (e.g., FIPS-validated), and physical safeguards. Storage rules vary depending on the type of CUI and whether it's in digital or physical form. For CUI Specified, additional requirements may apply based on the governing law or agency guidance.