
Understanding Your CUI Inventory: The First Step Toward CMMC 2.0 Readiness 

With the Cybersecurity Maturity Model Certification (CMMC) 2.0 Acquisition Final Rule now in effect, understanding how to protect Controlled Unclassified Information (CUI) has never been more critical for organizations across the Defense Industrial Base (DIB). CUI sits at the center of compliance for defense contractors—yet many organizations still struggle to identify where it exists and how it’s handled. So, what exactly is CUI, and why does it matter for companies doing business with the Department of Defense (DoD)? 

Defining CUI 

CUI refers to sensitive information that is not classified as secret or top secret but still requires protection from unauthorized disclosure under federal law, regulation, or government-wide policy. 

Examples of CUI include: 

  • Engineering drawings or technical data related to defense contracts 
  • Export-controlled information under ITAR or EAR 
  • Personally identifiable information (PII) related to DoD personnel 
  • Operational details about defense systems or facilities 

In short, CUI bridges the gap between public information and classified data; it’s sensitive, but not secret. 

Identifying CUI in Your Environment 

Do You Know Your CUI Inventory? 

Determining whether you handle Controlled Unclassified Information (CUI) isn’t always straightforward. While the DoD or contracting agency is responsible for marking documents containing CUI, in practice, contractors often generate, process, or store unmarked CUI within their environments. 

It’s important to distinguish between Federal Contract Information (FCI) and CUI: 

  • FCI refers to information provided by or generated for the government under contract that is not intended for public release. Protecting FCI is the focus of CMMC Level 1. 
  • CUI, by contrast, is sensitive information requiring safeguarding or dissemination controls under laws, regulations, or government-wide policy. Handling CUI brings an organization under CMMC Level 2 requirements, aligning with NIST SP 800-171. 

Not all CUI is the same. The National Archives and Records Administration (NARA) maintains a CUI Registry that lists dozens of CUI categories, ranging from export control and critical infrastructure to privacy, legal, and proprietary business information. 

Because of this diversity, the first step toward CMMC readiness is conducting a CUI data discovery and classification exercise. This involves identifying where CUI is stored, processed, and transmitted across your environment; the result is your CUI inventory. Maintaining a current inventory not only supports compliance but also ensures consistent protection of sensitive data across your systems and supply chain. 

Preparing for CMMC: The Role of a Readiness or Gap Assessment 

Once you’ve identified the presence of CUI in your systems, the next step is understanding how ready your organization is for a CMMC 2.0 assessment. A CMMC readiness or gap assessment evaluates your current cybersecurity posture against the NIST SP 800-171 requirements for CMMC Level 2, providing a clear path toward certification. 

As part of this process, Tevora helps organizations identify, categorize, and properly label CUI across their environment, ensuring sensitive data is accurately classified and consistently protected. This foundational step not only supports compliance but also strengthens overall data governance and risk management practices. 

A readiness assessment provides: 

  • A detailed control-by-control analysis to see how your policies and technical safeguards align with CMMC expectations. 
  • Identification of gaps: missing, incomplete, or non-implemented controls that could block certification. 
  • A prioritized remediation roadmap that guides what to fix first, balancing compliance urgency with operational feasibility. 

This process not only clarifies your current state but also reduces the risk of surprises during the formal CMMC assessment. By proactively identifying where your controls—and your CUI protections—fall short, your organization can close security gaps, strengthen its defenses, and move toward CMMC 2.0 compliance with confidence. 

Stay Up to Date: CMMC 2.0 Key Dates and Milestones 

  • Nov 10, 2025: DFARS CMMC Acquisition Final Rule takes effect — Phase 1 begins. CMMC requirements start appearing in DoD solicitations and awards. Level 1 and eligible Level 2 contractors may complete self-assessments. 
  • Nov 10, 2026: Phase 2 begins. Third-party (C3PAO) Level 2 assessments become required for applicable contracts handling Controlled Unclassified Information (CUI). 
  • Nov 10, 2027: Phase 3 begins. Level 2 third-party certification becomes mandatory for all applicable contracts, and Level 3 DoD-led (DIBCAC) assessments are introduced for critical national security programs. 

We Can Help 

Tevora is an accredited Cybersecurity Inspector for NIST 800-171 services and a Registered Practitioner Organization. We can help you plan for and attain CMMC certification through our expert CMMC consulting. 

If you have questions about CMMC 2.0 or would like help preparing your organization to comply with the new CMMC framework, just give us a call at (833) 292-1609 or email us at [email protected]. 

Tevora Resources 

Learn more at https://www.tevora.com/what-we-do/compliance/cmmc/ for the latest CMMC-specific resources.