Protected Information in Practice

Federal contracts protect more than CUI. Identifying the category of information you hold is the step that drives nearly every downstream cybersecurity obligation.

More Than CUI

Controlled Unclassified Information gets most of the attention, but it is only one of several categories of information that federal contracts protect — and the legal obligations differ by category. Getting the category right is the single most consequential step in scoping your cybersecurity duties, because the category determines which safeguards, markings, flow-downs, and reporting rules apply.

Categories a government contractor may hold include:

  • Federal Contract Information (FCI) — non-public information provided or generated under a contract; triggers the FAR 52.204-21 baseline.
  • Controlled Unclassified Information (CUI) — information the government requires to be safeguarded under law, regulation, or government-wide policy, organized by the NARA CUI Registry (32 CFR Part 2002) and protected on nonfederal systems under NIST SP 800-171.
  • Covered Defense Information / Controlled Technical Information — the DoD-specific categories tied to DFARS 252.204-7012.
  • Export-controlled technical data — subject to the ITAR and EAR in addition to contract cybersecurity terms.
  • Source selection information and PII/PHI — each with its own handling and disclosure rules.

Why Categorization Drives Everything

A useful way to think about protected information is as a lifecycle: identify → mark → handle → share and flow down → store → report → retain or destroy. A failure at any stage — mislabeling, over-restricting, or letting a subcontractor see what it should not — can create contract-performance, eligibility, or enforcement consequences. This is fundamentally an information-discipline problem: protection is correct categorization and controlled dissemination, not locking everything down or marking everything "CUI."

Common Pitfalls

  • Over-marking. Treating ordinary business information as CUI creates handling burdens and can break legitimate performance and collaboration.
  • Under-identifying. Failing to recognize CUI or export-controlled data means the required safeguards never get applied.
  • Flow-down gaps. Obligations that should pass to subcontractors are often missed, leaving primes exposed.

A Note on the Standard

For DoD contractors, NIST SP 800-171 is the CUI safeguarding standard. Revision 3 was finalized in 2024 and DoD published organization-defined parameters in 2025, but Revision 2 remains the operative standard under DFARS 252.204-7012 until DoD formally adopts Revision 3. Track this if you are building toward an assessment.

Source Notes

Primary and official sources behind this page include FAR 52.204-21; 32 CFR Part 2002 and the NARA CUI Registry; NIST SP 800-171; DFARS 252.204-7012; and the ITAR/EAR for export-controlled technical data. Regulatory status is summarized as of the review date below and can change. This page is educational analysis, not legal advice.