Controlled Unclassified Information: What DoD Contractors MUST Know About CUI – Part 1


According to the Department of Defense, Controlled Unclassified Information (also referred to as CUI) is any unclassified information or other data that meets the standards for both security and distribution controls that is applicable to statute and government-wide policies under Executive Order 13556. Previously, this type of information was commonly referred to as Sensitive But Unclassified material, otherwise known as SBU.

What is Controlled Unclassified Information?

The type of data that falls under the umbrella of CUI includes, but is not limited to:

  • Anything labeled "For Official Use Only."

  • Anything still labeled "Sensitive But Unclassified."

  • Anything referred to as "Limited Official Use."

  • All Department of Defense Unclassified Controlled Nuclear Information.

  • Any and all information contained in Department of Defense technical documents and related materials.

  • Anything defined as "Sensitive Information" by the Computer Security Act of 1987.

Controlled Unclassified Information and Security

Thankfully, the Department of Defense has laid out a clear set of cybersecurity recommendations that all government contractors must adhere to in order to properly protect both Sensitive But Unclassified and Controlled Unclassified Information at all times. Called DFARS NIST 800-171, all contractors that interact with CUI in any way had to meet these minimum security standards by December 31, 2017 or they ran the risk of losing their contracts.


These minimum requirements are broken down into fourteen core areas, including but not limited to ones like:

  • Access Control Media

  • Awareness and Training

  • Identification and Authentication

  • Incident Response

  • Risk Assessment

  • Security Assessment

  • System and Communications Protection

  • And More

One of the most important of these topics is undoubtedly system and communications protection - particularly in this age of ubiquitous smartphones and other mobile devices. Many people make the mistake of assuming that "secure communications" simply refers to "secure email." This is only one small part of a much larger story.

Because the mobile phones that we commonly rely on every day also leverage powerful messaging and voice calling technologies, those avenues need to be protected as well. Failure to do so can ultimately lead to the accidental (or even intentional) leakage of CUI, which will ultimately lead to the loss of government contracts altogether.

The RokaCom Approach to CUI

Make no mistake: if your organization does business with the Department of Defense and your employees are using their mobile phones to discuss Controlled Unclassified Information, you need to go above and beyond the call of duty in terms of guaranteeing the absolute highest level of secure mobile communications at all times. This, in essence, is what RokaCom was designed to help you do.

RokaCom is a secure, enterprise-grade communication solution that allows users to ONLY speak to people in their address book in a highly controlled and protected way. With end-to-end encryption for both text-based messaging and voice calling, it's by far one of the most efficient ways for organizations to secure their communications channels in compliance with DFARS NIST 800-171 and other regulations. It was built to be the best solution available for government contractors to not only secure communications within their organization, but also external communications with their vendors as well.

The RokaCom Benefits

If you'd like to find out more information about the major benefits that RokaCom brings to the table, please visit our official website. You're also encouraged to view Part 2 in this two part series of Controlled Unclassified Information, where we'll dive even further into the topic to bring you all of the essential elements that you need to be aware of.

About Patrick Stump

The CEO and founder of Roka Com, Patrick has been a key player in both offensive cyber intrusion and security operations with multiple branches and agencies of the United States Government (USG), the military, and commercial industry.

Connect with Patrick on LinkedIn