TL;DR: CMMC’s active enforcement milestone has moved Controlled Unclassified Information responsibility from policy discussion to operational accountability, with contractors now expected to protect, mark, flow down, and report CUI under DFARS 252.204-7012, NIST SP 800-171, and CMMC Level 2 requirements, according to Exostar. The governance problem is no longer whether CUI exists, but whether identity, access, marking, and reporting controls are provable across the full lifecycle.
NHIMG editorial — based on content published by Exostar: CUI compliance and responsibility for protecting Controlled Unclassified Information
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Questions worth separating out
Q: What breaks when CUI marking is not preserved across shared documents and partner workflows?
A: When CUI markings are lost, downstream users may handle the information under the wrong assumptions, which creates both compliance and disclosure risk.
Q: Why do primes and subcontractors need explicit accountability for CUI handling?
A: Because responsibility does not disappear when the data is transferred.
Q: What do security teams get wrong about CUI compliance assessments?
A: They often treat CUI compliance as a paperwork exercise instead of a control-evidence problem.
Practitioner guidance
- Map CUI ownership by lifecycle stage Assign a named owner for designation, marking, safeguarding, sharing, and decontrol so every transfer has a accountable control point, not just a policy reference.
- Enforce derivative marking checks Verify that copied, exported, and transformed documents retain CUI markings in headers, footers, metadata, and email subject lines where applicable.
- Tie subcontractor access to contract scope Review every partner and managed-service identity that can read CUI, then remove access when the contract, task, or delivery window ends.
What's in the full article
Exostar's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on distinguishing CUI Basic from CUI Specified in defence contracting workflows.
- Practical marking examples for physical documents, electronic files, and derivative content.
- A walkthrough of Exostar's CMMC Ready Suite components for documentation, collaboration, and policy management.
- How the article recommends aligning CUI handling with DFARS, NIST SP 800-171, and CMMC Level 2 expectations.
👉 Read Exostar's guidance on CUI responsibility and CMMC compliance →
CUI compliance and lifecycle accountability: what teams need now?
Explore further
CUI compliance is an identity governance problem as much as a records problem. The article correctly frames shared responsibility across agencies, primes, and subcontractors, but the operational reality is that access control determines whether those responsibilities are enforceable. When CUI moves through collaboration platforms, federated access, and contractor ecosystems, governance must track which identities can see it, share it, and offboard from it. Practitioners should treat CUI handling as identity-bound evidence, not just documentation.
A question worth separating out:
Q: Which frameworks require organisations to protect CUI in practice?
A: In defence contracting, the practical baseline comes from DFARS 252.204-7012, NIST SP 800-171, CMMC Level 2, and the CUI requirements implemented through DoD policy. Together they demand safeguarding, marking, reporting, and evidence that those controls are operating consistently across the lifecycle.
👉 Read our full editorial: CUI responsibility under CMMC now demands clearer lifecycle control