Analysts are often asked to decide, on a case-by-case basis, what level of system and network configuration a particular system that handles CUI requires.
Controlled Unclassified Information, commonly referred to as CUI, sits at the centre of one of the most significant cybersecurity compliance requirements affecting organisations that work with the United States federal government.
As the volume of sensitive but unclassified federal data handled by private contractors, research institutions, and state agencies has grown, so too has the regulatory framework governing how that data must be protected.
Understanding what level of system and network configuration is required for CUI is essential for any organisation seeking to maintain federal contracts or avoid serious compliance penalties.
What Is CUI?
CUI is information that the federal government creates or possesses, or that an entity creates or possesses on the government’s behalf, that requires safeguarding in accordance with applicable law, regulation, or government-wide policy.
CUI is not classified, but it is sensitive.
Examples include personally identifiable information, federal tax returns, law enforcement records, export-controlled technical data, and procurement-sensitive documentation.
The CUI programme was formally established by Executive Order 13556 in 2010, which directed the National Archives and Records Administration to oversee a unified framework for managing sensitive unclassified information across the executive branch.
The Governing Standard: NIST SP 800-171
The primary standard governing the protection of CUI in non-federal systems is the National Institute of Standards and Technology Special Publication 800-171, formally titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
Revision 2 of this publication defines 110 security requirements across 14 control families, and it forms the basis of the Cybersecurity Maturity Model Certification (CMMC) programme that the Department of Defense uses to evaluate contractor compliance. Revision 3, published in May 2024, reorganises the catalogue into 97 requirements across 17 families, but the CMMC assessment baseline still references Revision 2, so the counts and requirement numbers in this article follow Revision 2.
The 14 control families address areas including access control, incident response, configuration management, system and communications protection, and risk assessment.
Required System and Network Configuration for CUI
For organisations handling CUI, system and network configuration requirements are extensive, specific, and non-negotiable.
The configuration standards required fall predominantly under two of NIST SP 800-171's control families, Configuration Management (3.4) and System and Communications Protection (3.13), with the remote-access and multi-factor authentication requirements coming from Access Control (3.1) and Identification and Authentication (3.5).
Baseline Configuration
Organisations must establish, document, and maintain baseline configurations of their information technology systems.
A baseline configuration is essentially a documented starting point for the system’s security settings, against which all future changes are measured.
This baseline must include network topology information, software installed, hardware in use, and all configuration settings relevant to security.
Any deviation from the baseline must go through a formal change management process.
Systems must be configured to provide only essential capabilities, a principle known as least functionality.
This means disabling or uninstalling all unnecessary services, software components, ports, protocols, and system functions that are not required for operational purposes.
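The baseline and least-functionality requirements above are only useful if something actually compares a host against the documented baseline. The following is an added example, not code from NIST or from this article: it parses `ss -tlnp` output, compares listeners, installed packages and kernel settings with a baseline, and tags each deviation with the NIST SP 800-171 Rev 2 requirement it falls under. The baseline layout, the snapshot layout, the hypothetical host and every data value are constructed for illustration; in practice the snapshot would be collected on the host and the baseline would come from the system security plan.

```python
"""Baseline drift and least-functionality check for a CUI host.

Added example (not from NIST SP 800-171 or from this article). The baseline
layout, the snapshot layout and every data value below are constructed for
illustration; in practice the snapshot would be collected on the host from
`ss -tlnp`, the package manager and `sysctl -a`, and the baseline would come
from the system security plan.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    requirement: str  # NIST SP 800-171 Rev 2 requirement the deviation maps to
    kind: str
    detail: str


# Constructed baseline for a hypothetical host "cui-app-01": only the
# essential listeners, packages and kernel settings documented in the SSP.
BASELINE = {
    "listening": {"tcp/443", "tcp/22"},
    "packages": {"nginx": "1.24.0", "openssh-server": "9.6p1"},
    "sysctl": {"net.ipv4.ip_forward": "0", "kernel.kptr_restrict": "2"},
}

# Constructed `ss -tlnp` output as observed on the same host.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=640,fd=3))
LISTEN  0       50      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=990,fd=4))
LISTEN  0       4096    127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=701,fd=7))
"""

# Constructed package and sysctl snapshots from the same host.
OBSERVED_PACKAGES = {"nginx": "1.24.0", "openssh-server": "9.6p1", "vsftpd": "3.0.5"}
OBSERVED_SYSCTL = {"net.ipv4.ip_forward": "1", "kernel.kptr_restrict": "2"}

# One `ss -tlnp` LISTEN line: state, queues, local addr:port, peer, process.
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_ss_listeners(text: str) -> dict[str, str]:
    """Map 'tcp/<port>' to the owning process name from `ss -tlnp` output."""
    listeners: dict[str, str] = {}
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:
            listeners[f"tcp/{m.group(2)}"] = m.group(3)
    return listeners


def check_against_baseline(baseline: dict, listeners: dict[str, str],
                           packages: dict[str, str], sysctl: dict[str, str]) -> list[Finding]:
    """Compare an observed snapshot with the documented baseline."""
    findings: list[Finding] = []
    allowed = set(baseline["listening"])
    # 3.4.6 least functionality: anything listening that the SSP did not authorise.
    for sock, proc in sorted(listeners.items()):
        if sock not in allowed:
            findings.append(Finding("3.4.6", "unauthorised-listener", f"{sock} ({proc}) is not in the baseline"))
    # 3.4.1 baseline integrity: an essential service that has stopped listening.
    for sock in sorted(allowed - set(listeners)):
        findings.append(Finding("3.4.1", "missing-listener", f"{sock} is in the baseline but not listening"))
    # 3.4.1 / 3.4.3: inventory drift in installed software.
    for pkg, want in sorted(baseline["packages"].items()):
        got = packages.get(pkg)
        if got is None:
            findings.append(Finding("3.4.1", "package-missing", f"{pkg} is absent"))
        elif got != want:
            findings.append(Finding("3.4.3", "package-drift", f"{pkg} {want} -> {got} without a recorded change"))
    for pkg in sorted(set(packages) - set(baseline["packages"])):
        findings.append(Finding("3.4.6", "unauthorised-package", f"{pkg} is installed but not in the baseline"))
    # 3.4.2 security configuration settings.
    for key, want in sorted(baseline["sysctl"].items()):
        got = sysctl.get(key)
        if got != want:
            findings.append(Finding("3.4.2", "setting-drift", f"{key}={got!r}, baseline requires {want!r}"))
    return findings


def audit() -> list[Finding]:
    """Run the check over the constructed snapshot."""
    return check_against_baseline(BASELINE, parse_ss_listeners(SS_OUTPUT),
                                  OBSERVED_PACKAGES, OBSERVED_SYSCTL)


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.requirement}] {f.kind}: {f.detail}")
```

On the constructed snapshot the check reports four deviations: an FTP daemon and a print spooler listening that the baseline never authorised, the FTP package itself, and IP forwarding switched on. The loopback-only CUPS listener is flagged on purpose: least functionality is about what is installed and running, not only about what is reachable from the network. Output like this is the evidence an assessor asks for against 3.4.1, 3.4.2 and 3.4.6, and each finding should feed the change-management process rather than be fixed silently.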
Network Configuration and Protection
CUI systems must implement subnetworks, commonly called subnets, for publicly accessible system components, physically or logically separated from the internal network, so that the segment handling sensitive data is kept apart from any externally facing components.
This architectural requirement is intended to limit the pathways through which an adversary could move from a public-facing system into the internal environment.
Organisations must monitor and control communications at the external boundary of the system and at key internal boundaries using boundary protection devices such as firewalls, intrusion detection systems, and proxies.
Remote access sessions must be monitored and controlled, routed through managed access control points, and protected with cryptography; multi-factor authentication is required for local and network access to privileged accounts and for network access to non-privileged accounts on systems that handle CUI.
Wherever cryptography is used to protect the confidentiality of CUI, including CUI in transit, it must be FIPS-validated: the cryptographic module must hold a FIPS 140-2 or FIPS 140-3 certificate issued under NIST's Cryptographic Module Validation Program. A product that merely uses FIPS-approved algorithms such as AES, without a validated module, does not satisfy the requirement, and assessors check the certificate, not the algorithm list.
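The subnet and boundary-protection requirements are easiest to verify as properties of the rule set rather than by reading rules one at a time. The following is an added example, not code from NIST or from this article: it models a firewall policy as a small first-match allow/deny list and checks that a public-facing host, a DMZ host and a remote-access host can reach the CUI enclave only on the paths the system security plan documents. It goes slightly beyond the text by also requiring an explicit final deny-all, which is NIST SP 800-171 Rev 2 requirement 3.13.6 (deny by default, allow by exception). The zones, addresses, rule sets, probe ports and the list of documented exceptions are all constructed for illustration, and the rule model is not the syntax of any particular firewall.

```python
"""Boundary-policy check for a CUI enclave: deny by default, separate the
public-facing subnet, and allow into the enclave only by documented exception.

Added example (not from NIST SP 800-171 or from this article). The zones,
addresses, rule sets and the list of documented exceptions are all
constructed for illustration; the rule model is a deliberately small
first-match allow/deny list, not the syntax of any particular firewall.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zones (RFC 5737 / RFC 1918 ranges, hypothetical layout).
DMZ_NET = "203.0.113.0/24"   # publicly accessible components (3.13.5)
CUI_NET = "10.20.0.0/16"     # internal enclave that stores and processes CUI
VPN_NET = "10.99.0.0/24"     # hypothetical MFA-gated remote-access concentrator
ANY = "0.0.0.0/0"

# Paths into the enclave that the system security plan documents as exceptions.
ALLOWED_INTO_CUI = {(DMZ_NET, 8443), (VPN_NET, 443), (VPN_NET, 22)}

# Representative probe points: one host per zone and a set of common ports.
PROBES = (("internet", "198.51.100.7", None), ("dmz", "203.0.113.10", DMZ_NET),
          ("vpn", "10.99.0.5", VPN_NET))
CUI_HOST = "10.20.5.10"
PROBE_PORTS = (22, 80, 443, 445, 1433, 3389, 8443)


@dataclass(frozen=True)
class Rule:
    src: str            # source CIDR
    dst: str            # destination CIDR
    dport: int | None   # destination TCP port, None = any
    action: str         # "allow" or "deny"

    def matches(self, src_ip, dst_ip, dport: int) -> bool:
        return (src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst)
                and self.dport in (None, dport))


DENY_ALL = Rule(ANY, ANY, None, "deny")


def decide(rules: list[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation; a packet no rule matches is implicitly denied."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def find_violations(rules: list[Rule]) -> list[str]:
    """Report every probe that reaches the enclave outside the documented exceptions."""
    violations: list[str] = []
    # 3.13.6: rely on an explicit final deny, never on the implicit one.
    if not rules or rules[-1] != DENY_ALL:
        violations.append("3.13.6: rule set does not end with an explicit deny-all")
    for label, host, src_net in PROBES:
        req = "3.1.12" if label == "vpn" else "3.13.5"
        for port in PROBE_PORTS:
            if decide(rules, host, CUI_HOST, port) == "allow" and (src_net, port) not in ALLOWED_INTO_CUI:
                violations.append(f"{req}: {label} can reach the CUI enclave on tcp/{port}")
    return violations


# Weak rule set: a "temporary" RDP exception for a vendor, an any-port VPN
# rule, and no explicit final deny.
WEAK_RULES = [
    Rule(ANY, DMZ_NET, 443, "allow"),
    Rule(DMZ_NET, CUI_NET, 8443, "allow"),
    Rule(ANY, CUI_NET, 3389, "allow"),
    Rule(VPN_NET, CUI_NET, None, "allow"),
]

# Hardened rule set: the same business paths, nothing else, deny by default.
HARDENED_RULES = [
    Rule(ANY, DMZ_NET, 443, "allow"),
    Rule(DMZ_NET, CUI_NET, 8443, "allow"),
    Rule(VPN_NET, CUI_NET, 443, "allow"),
    Rule(VPN_NET, CUI_NET, 22, "allow"),
    DENY_ALL,
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {find_violations(rules) or ['no violations']}")
```

The weak rule set fails eight times: the missing final deny, the RDP exception reachable from the Internet and from the DMZ, and five ports the any-port VPN rule exposes beyond the two documented remote-access paths. The hardened set passes with the same business traffic. Probing representative hosts and ports is a sampling check, not a proof; it is still worth running on every change because the typical failure is exactly the "temporary" exception that never got removed.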
The CMMC Context
| Requirement Area | NIST SP 800-171 Rev 2 Requirement | CMMC Level |
|---|---|---|
| Baseline system configuration | 3.4.1 | Level 2 |
| Least functionality enforcement | 3.4.6 | Level 2 |
| Boundary protection and subnets for public components | 3.13.1, 3.13.5 | Level 1 and above |
| Multi-factor authentication | 3.5.3 | Level 2 |
| Encryption of CUI in transit (FIPS-validated) | 3.13.8, 3.13.11 | Level 2 |
| Security configuration settings | 3.4.2 | Level 2 |
| Monitoring and audit logging | 3.3.1 | Level 2 |
| Incident response capability | 3.6.1 | Level 2 |
Under the CMMC framework, organisations handling CUI are generally required to achieve CMMC Level 2.
Level 2 encompasses all 110 security requirements from NIST SP 800-171 Revision 2; the contract specifies whether a self-assessment suffices or whether a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) is required, with the C3PAO route applying to most contracts involving sensitive defence information.
Key Figures and Programme Overview
| Element | Detail |
|---|---|
| Governing Executive Order | EO 13556 (2010) |
| Primary technical standard | NIST SP 800-171 |
| Number of security requirements | 110 |
| Number of control families | 14 |
| Required CMMC level for CUI | Level 2 (most defence contractors) |
| Assessment type | C3PAO certification assessment, or self-assessment where the contract allows |
| Encryption requirement | FIPS-validated cryptography (FIPS 140-2 or 140-3 module with a CMVP certificate) |
| MFA requirement | Yes: local and network access to privileged accounts, network access to non-privileged accounts (3.5.3) |
Practical Implications for Organisations
Compliance with CUI configuration requirements is not a one-time project.
It demands ongoing configuration management, regular security assessments, staff training, a documented system security plan that describes how each of the 110 requirements is met, and a plan of action and milestones for any requirement not yet met.
Organisations that fail to meet these standards risk losing federal contracts, facing civil penalties, or, where compliance has been knowingly misrepresented, liability under the False Claims Act, which the Department of Justice has pursued through its Civil Cyber-Fraud Initiative.
The Department of Defense has made clear that an unverified self-attestation of compliance, which was previously acceptable for many contractors, is no longer sufficient for most contracts involving CUI: CMMC Level 2 requires either an affirmed self-assessment scored against the full requirement set or, for most such contracts, a C3PAO certification assessment.
The requirements for system and network configuration under CUI are demanding by design, because the information they are meant to protect is sensitive by definition.
Organisations that treat compliance as a strategic priority rather than an administrative burden are better positioned to maintain federal business and to protect themselves and their government clients from data exposure events that can carry severe operational and reputational consequences.
