What Are CUI and CDI? (And Why Should You Care?)

Dec 20, 2017 | Cyber Security, IT News

With the year-end deadline rapidly approaching for meeting updated federal cybersecurity standards, it’s important to know what’s involved.

What we’re talking about is safeguarding Controlled Unclassified Information (CUI). This type of information regularly moves through or resides on the internal networks or information systems of most federal contractors. Simply put, the government wants to strengthen security to keep that information secure.

What Exactly Is CUI?

What Are CUI and CDI? (And Why Should You Care?)To fully safeguard this information, you need to understand what qualifies as CUI. In short, this is sensitive government information that needs protecting, but isn’t actually classified.

The National Archives and Records Administration provides a lengthy definition of what constitutes CUI. The government terminology boils down to this: CUI is a broad category of information the government creates or possesses — or that an entity creates or possesses on behalf of the government, which includes federal contractors — that needs to be safeguarded.

The National Archives oversees efforts to establish consistent practices and procedures for safeguarding, disseminating, controlling and marking CUI across executive branch departments and agencies. It’s an effort to implement a single standard for handling the sensitive information, rather than the patchwork of programs that previously existed at hundreds of different federal jurisdictions.

“The CUI Program establishes one government-wide system for unclassified information requiring safeguarding and disseminating controls,” said Archivist of the United States David S. Ferriero.

What About CDI?

You also may come across the term CDI. That’s because the Department of Defense (DoD) has its own coordinating rules for cybersecurity, and it uses the term Covered Defense Information (CDI).

DoD uses the term CDI almost interchangeably with CUI. In its final rule on the matter, DoD confirmed this. They stated the definitions they use are intended to be consistent with those of the National Archives’ definition of what constitutes CUI.

If you’re confused about what all these definitions mean, we can help you find answers about how your business could be impacted. Our support staff will help you understand whether the information you work with meets these federal definitions.

What Are CUI and CDI? (And Why Should You Care?)Why Should You Be Worried About This?

If you handle this type of government information, you need to comply with the regulations outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

The deadline for implementing these updated cybersecurity systems is Dec. 31, so there’s no time to waste. We understand the importance of network security and data protection, and we’ll help you protect the federal information you need for your business’ critical operations.

Contact us with your questions, so we can help you maintain the government contacts your business needs to succeed.

Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Let V2 Systems take care of your IT while you take care of business.

More From V2 Systems

Why Security Awareness Training Fails and How to Fix It

Security awareness training often fails because it is too generic, too infrequent, or too disconnected from how employees actually work. This blog explains why annual training alone is not enough and how small businesses and government contractors can build a more practical, ongoing approach to cybersecurity awareness.

Cybersecurity Fatigue Is Real: How to Keep Employees Engaged Without Burnout

Employees play a critical role in cybersecurity, but constant warnings, training reminders, password prompts, and security alerts can lead to fatigue. This blog explains how small businesses and government contractors can keep employees engaged with cybersecurity without overwhelming them.

How Government Contractors Can Stay Secure During Disruptions and Staffing Gaps

Disruptions are unavoidable, but security gaps do not have to be. For government contractors, staffing shortages, PTO, turnover, shutdowns, and contract transitions can create real cybersecurity and compliance risk. This blog explains how GovCons can maintain security, protect sensitive data, and keep operations moving when key people are unavailable.

Backups Alone Are Not Enough: What True Recovery Looks Like in 2026

Backups are a critical part of business resilience, but they are not the same as recovery. In 2026, small businesses and government contractors need validated backups, tested recovery procedures, clear response plans, and secure restoration processes to keep operations moving when ransomware, outages, or system failures occur.

Downtime Is a Cybersecurity Problem, Not Just an IT Problem

Downtime can affect payroll, customer service, compliance, productivity, revenue, and reputation. For small businesses and government contractors, outages are no longer just technical issues. This blog explains why downtime should be treated as a cybersecurity and business resilience problem, and how organizations can better prepare for disruptions.

Free
Small Business Cybersecurity Checklist

cybersecurity checklist graphic