CUI, or Controlled Unclassified Information, is a data designation used by the Department of Defense to refer to non-classified information that is nevertheless sensitive and requires adherence to certain security practices when handling it.
To repeat, CUI is not classified information (and does not require as stringent security protocols). It is also not corporate intellectual property (unless that IP was created for the military). CUI is government-created or government-owned information.
The importance of CUI for defense contractors from a security perspective is that if you are working on a contract that requires handling CUI, the Department of Defense has become much more focused on protecting CUI in the DIB (Defense Industrial Base) over the last several years.
In new CMMC (Cybersecurity Maturity Model Certification) standards, handling of CUI will require at least a CMMC Level 3 certification.
Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is the one of the most significant risks to national security, directly affecting lethality of our warfighters. There are over 1 million contracts in the NISP alone with DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting for the protection of DoD CUI” and over 3 million with CUI in the cleared industrial base overall.