CUI Compliance


“CUI” replaces and standardizes previously used government labels such as Sensitive But Unclassified (SBU), For Official Use Only (FOUO), Law Enforcement Sensitive (LES), etc. The specific definition can be found at the National Archives and Records Administration (NARA): CUI is information the U.S. Government creates or possesses, or that an entity creates or possesses for or on behalf of the U.S. Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.


Executive Order 13556 “Controlled Unclassified Information” established the CUI program, which is a system that standardizes and simplifies the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. The program emphasizes the openness and uniformity of government-wide practices. Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view. In short – this is the US Government-wide approach to creating a uniform program on handling sensitive government information. The protection of CUI while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. — NIST Special Publication 800-171


In 2015 and 2016, the US Government implemented significant policy changes that affect how DoD Government contractors protect their own internal networks and compete for DoD contracts. The US Government response resulted in a change to the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. The National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP800-171) was published in June 2015 and was made a rule under the DFARS in May 2016. The Defense Federal Acquisition Regulation Supplement (DFARS) mandates CUI (NIST SP800-171) security and reporting compliance for ALL federal contractors (Primes and Subcontractors).

Zofia Consulting assists all companies, large and small, in-house IT or cloud-based, in achieving compliance.


DFARS mandates compliance, and the requirements are to be included in government contracts carrying the full force and effect of law.

Non-compliance can form a negative basis for bid protests and government reconsideration of awards.

Failure to comply with the regulation as stated in the contract may result in debarment, suspension, and ineligibility for future government contracts.


Zofia Consulting has trained and certified CISSP, CPP and NIST experts on staff to assist organizations with translating NIST SP800-171. Our compliance professionals can assist with system categorization, understanding security controls, identifying and employing mitigation strategies, implementing any new systems, training your team and ensuring you have the correct artifacts to demonstrate compliance to government contracts officers.  As former U.S. Government auditors and certifying authorities, Zofia Consulting works closely with your team to see you successfully through the compliance process.

Our process is straightforward and begins with an overall compliance assessment. The Zofia Team will work with you to evaluate your organization's current policies and procedures against the NIST SP800-171 control standards. This assessment will identify control families that are met, partially met, and not met by current practices. The process toward full compliance includes:

  • Determine overall capabilities against the NIST SP800-171

  • Assess gaps in achieving compliance

  • Document a Plan of Action and Milestones (POAM)

  • Develop and Implement mitigation strategies

  • Test system with remediation(s) in place

  • Fully employ remediated system and document performance

  • Enhance training and awareness to keep staff informed of requirements

  • Document all in a Systems Security Plan

  • Ensure artifacts/evidence of compliance are available and documented for each control

  • Ensure compliance with reporting guidance for reporting incidents

  • Ensure reporting capabilities are compliant with the DFARS.

We understand many smaller organizations do not need a full suite of services for CUI compliance and instead just need support in a few areas. Other companies might have worked to achieve compliance on their own, but need an advisor to “just make sure.” Most of our clients need help crafting the artifacts of compliance. Zofia will work with you to determine your level of service need, from simple coaching, leveraging our “Virtual CISO” program, all the way up to full implementation support. We tailor services to each client's specific need to keep costs under control.

Our experts will also work with you to understand the cost burden to your organization to achieve compliance and help identify ways to offset costs through solid market assessments, analysis of alternative strategies, and identifying allowable compliance costs for your contracts officers.

If you need assistance with understanding the CUI mandate, assessing your status, or reaching compliance, please contact us for an initial consultation. We are here to help you and have the team standing by to get you compliant quickly.



  • Information Security Management System (ISMS)

  • ISO 27000 SERIES, NIST SP800-53 FISMA, NIST SP800-171 CUI Compliance

  • Cybersecurity Framework (RMF or other)

  • Business Continuity Management System (BCMS)

  • Federal Continuity Directives (FCD) 1 & 2

  • Incident Reporting and Response

  • CUI Strategy Development and Implementation