How to Identify CUI for CMMC Level 2

Most federal contractors fail CMMC Level 2 assessments not because they lack security controls — but because they never correctly identified their Controlled Unclassified Information (CUI) in the first place.

If your CUI scope is wrong, everything built on top of it is wrong. Your System Security Plan (SSP), your system boundary, your control implementations — all of it depends on correctly answering one foundational question: what is actually CUI in your environment?

This guide walks you through exactly how to answer that question using a legally defensible, assessor-ready framework.

The most common mistake: Marking everything as CUI "to be safe." Over-scoping inflates your assessment boundary, dramatically increases your compliance costs, and creates documentation chaos. Under-scoping is worse — an assessor will find unprotected CUI and it will derail your entire certification.

What Is CUI — The Legal Definition

CUI is information the federal government creates or possesses that requires safeguarding under law, regulation, or government-wide policy. The legal foundation is 32 CFR Part 2002 and the NARA CUI Registry, which defines every category of information that qualifies as CUI.

CUI is not just "sensitive" information. It is not whatever feels confidential. It is a specific legal designation tied to specific regulatory authorities. If you cannot point to the authority that makes a piece of information CUI, it probably isn't CUI.

Common CUI categories defense contractors encounter include:

CTI (Controlled Technical Information) — technical data with military or space application
ITAR (Export Controlled) — defense articles and services under the Arms Export Control Act
Proprietary Business Information — contractor bid and proposal information
Privacy (PII) — personally identifiable information under federal privacy laws
Law Enforcement Sensitive — information generated in law enforcement activities

The COPR Framework — Four Questions That Determine CUI

The COPR framework provides a repeatable, four-part determination test for every piece of information in your environment. All four conditions must be satisfied before information qualifies as CUI. If any condition fails, the information is not CUI.

Created

Was this data created by or for a federal agency? Or generated under a federal contract requiring CUI handling?

Owned

Does a federal agency have ownership or custodial interest in this information? Who controls the original?

Possessed

Are you currently holding this information on behalf of the government? Is it in your systems or custody?

Regulated

Is this information regulated by a specific authority listed in the NARA CUI Registry? Can you cite the law or regulation?

When an assessor asks "why did you include this in scope?" or "why did you exclude that?" — COPR gives you a documented, four-part answer grounded in 32 CFR Part 2002. That is the difference between a finding and a clear assessment.

Step-by-Step: How to Scope CUI in Your Environment

Step 1 — Start With Your Contracts

Pull every active DoD contract and subcontract. Look for DFARS clause 252.204-7012. If it is in your contract, you are required to protect CUI. The contract itself will often identify the categories of CUI you are handling — look for data types mentioned in the Statement of Work, CDRLs, and DD-254.

Step 2 — Inventory Your Data Flows

Map where information enters your environment, where it is stored, how it is processed, and where it exits. CUI can live in email, shared drives, engineering tools, ERP systems, collaboration platforms, and physical documents. Do not assume you know where everything is — conduct the inventory.

Step 3 — Apply the COPR Test to Each Data Type

For each category of information you handle, apply all four COPR questions. Document your determination. If information fails any COPR condition, remove it from scope. If it passes all four, identify the specific NARA CUI category it falls under and document the regulatory authority.

Step 4 — Define Your System Boundary

Your CUI boundary includes every system, user, location, and third party that touches CUI. This is your authorization boundary for CMMC purposes. Systems that never touch CUI are out of scope — but you must document why. Out-of-scope decisions require the same rigor as in-scope decisions.

Step 5 — Document Everything Assessor-Ready

Your CUI scoping documentation must survive external review. That means written determinations for every CUI category, system boundary diagrams, data flow documentation, and a CUI inventory tied to specific NARA Registry categories. Verbal explanations and institutional memory are not evidence.

Assessor reality check: C3PAO assessors are required to verify that your CUI scope is accurate. They will ask for documentation supporting every boundary decision. "We just marked everything" and "we weren't sure so we excluded it" are both assessment findings.

Common CUI Scoping Mistakes

Mistake 1: Scoping by feel instead of by regulation. "This seems sensitive" is not a CUI determination. CUI is defined by law. Use the NARA CUI Registry to verify every category.

Mistake 2: Inherited scope from a previous contractor. If you took over a contract, you inherited the obligation — not necessarily the correct scope. Conduct your own COPR analysis.

Mistake 3: Forgetting subcontractor flow-down. If you share CUI with a subcontractor, they are in scope. DFARS 252.204-7012 requires flow-down to all subcontractors handling CUI. Undocumented flow-down is an immediate finding.

Mistake 4: Not documenting out-of-scope decisions. Assessors will ask why certain systems are excluded. You need written documentation for exclusions, not just inclusions.

Mistake 5: Confusing CUI with classified information. CUI is not classified. It does not require a security clearance to handle. But it does require specific safeguarding and documentation under CMMC Level 2.

What Assessors Look For

During a CMMC Level 2 assessment, your CUI scoping documentation will be examined before a single NIST 800-171 control is evaluated. Assessors verify that:

You can identify which CUI categories you handle and cite the regulatory authority
Your system boundary accurately reflects where CUI exists
Your SSP CUI section is complete and defensible
Subcontractor flow-down obligations are documented
Out-of-scope decisions are justified in writing

An incorrect CUI boundary at the start of an assessment creates cascading problems. Controls you implemented may be evaluated against the wrong scope. Systems you excluded may be pulled back in. The assessment clock is running while you reconstruct documentation you should have had before walking in.

The Right Tool for CUI Scoping

CUI scoping is not a one-time task. It requires a structured methodology that produces assessor-ready documentation, handles every NARA Registry category systematically, and creates a defensible record of every determination you made.

The CUI Scoping & Identification Toolkit was built specifically for this problem. It includes the complete COPR decision framework, all 110 NIST SP 800-171 controls mapped to CUI categories, system boundary scoping worksheets, subcontractor flow-down templates, and a completed SSP CUI section example you can use as a reference.

Everything a federal contractor needs to correctly identify, scope, and document CUI — without a $300/hour consultant.