CUI Identification & Handling Guide — What Counts as CUI and How to Protect It
## Most contractors aren't certain what CUI actually is. That's a compliance problem before you even start.Controlled Unclassified Information is at the center of every CMMC requirement — but if you can't accurately identify CUI in your environment, your entire compliance program is built on a shaky foundation. This guide covers identification, marking, and handling so your team knows exactly what needs protecting and how.---### What's inside:CUI Defined in Plain EnglishWhat CUI is, what it isn't, and the difference between CUI and classified information.Common CUI Categories in the DIBThe seven most common CUI types defense contractors encounter: Controlled Technical Information (CTI), ITAR/EAR, Privacy/PII, Legal, Financial, Intelligence, and Nuclear/Critical Infrastructure.The 4-Question CUI Identification TestA decision framework your team can apply to any document, email, or file to determine if it qualifies as CUI.CUI Marking RequirementsExactly how to mark CUI documents, emails, files, folders, slide decks, and printed materials — with format examples for each.CUI Handling Rules by ActivityEight common workplace situations with specific handling rules:Emailing CUI · Cloud storage · Remote work · Printing · Verbal discussions · Media transfer · Disposal · Sharing with subcontractors---### Who this is for:Any DIB contractor employee who creates, receives, stores, or transmits information under a DoD contract — especially anyone in engineering, program management, contracts, or IT.
Get it → saguarocompliance.gumroad.com