This guide covers the operational basics of CUI handling. Your specific contract flow-downs (DFARS 252.204-7012, NIST SP 800-171, CMMC Level 2) may impose additional requirements. Read the contract language.
What CUI is
Controlled Unclassified Information is information that isn’t classified but still requires safeguarding. For industrial suppliers, it typically arrives as drawings, specifications, technical reports, or inspection data from prime contractors or direct DoD customers. The actual definition and markings come from 32 CFR Part 2002 and the National Archives CUI Registry.
For most Houston industrial shops, CUI shows up in one of four places:
- Technical drawings and specifications (CAD files, PDFs) received from a prime
- Inspection reports, NDT results, material certs tied to a DoD program
- Supplier-to-supplier communication referencing the above
- ITAR-controlled export data (which is separately regulated but overlaps)
Marking and identification
- Documents received from a prime should arrive marked with a banner at the top: "CUI" followed by category markings (e.g., CUI//SP-PROPIN)
- Your team needs to maintain those markings when forwarding, printing, or saving
- If you're uncertain whether a document is CUI, treat it as CUI until the sender confirms otherwise
- Train the people who receive it (shop foremen, project managers, estimators) to recognize the marking
Storage
- Store CUI only in systems covered by your CMMC / NIST 800-171 boundary
- Encrypt at rest using FIPS-validated cryptography
- Access limited to people with a genuine need-to-know, not all project staff by default
- Do NOT store CUI in consumer cloud storage (personal Dropbox, consumer OneDrive, Gmail attachments)
- Paper copies: locked storage with access log
Transmission
- Email: end-to-end encryption required — not just TLS-in-transit. Microsoft Purview Message Encryption, Zix / OpenText, or equivalent
- File sharing: CMMC-compliant cloud (GCC High, AWS GovCloud, or purpose-built DoD-facing services) or encrypted-link transfer
- Never send CUI through SMS, personal email, or consumer messaging apps
- Verify that the recipient is authorized to receive the CUI before sending it
- Audit log of what was sent, to whom, and when
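As an added example (not part of this guide, and not any vendor's product), the following Python check parses the banner marking described under "Marking and identification" and refuses a transmission when the document is marked and the channel is not one of the approved ones. The regex for the banner grammar and the channel names are assumptions made for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Banner grammar as used in this example (assumption, modelled on the 32 CFR 2002
# marking style): "CUI" or "CONTROLLED", optional "//" category list separated
# by "/", optional "//" limited-dissemination controls separated by "/".
BANNER_RE = re.compile(
    r"^\s*(?P<control>CUI|CONTROLLED)"
    r"(?://(?P<cats>[A-Z0-9\-]+(?:/[A-Z0-9\-]+)*))?"
    r"(?://(?P<dissem>[A-Z0-9 ,\-]+(?:/[A-Z0-9 ,\-]+)*))?\s*$"
)

# Hypothetical channel identifiers for the services the guide names as acceptable.
APPROVED_CHANNELS = {"purview_encrypted_mail", "gcc_high_sharepoint", "aws_govcloud_s3"}

@dataclass
class CuiBanner:
    control: str
    categories: list[str] = field(default_factory=list)
    specified: list[str] = field(default_factory=list)   # "SP-" prefixed categories
    dissemination: list[str] = field(default_factory=list)

def parse_banner(document_text: str) -> CuiBanner | None:
    """Parse the banner on the first non-blank line; None if it is not a CUI banner."""
    for line in document_text.splitlines():
        if not line.strip():
            continue
        m = BANNER_RE.match(line.upper())
        if not m:
            return None
        cats = m.group("cats").split("/") if m.group("cats") else []
        dissem = [d.strip() for d in m.group("dissem").split("/")] if m.group("dissem") else []
        return CuiBanner(control=m.group("control"), categories=cats,
                         specified=[c for c in cats if c.startswith("SP-")],
                         dissemination=dissem)
    return None

def check_transmission(document_text: str, channel: str) -> tuple[bool, str]:
    """Allow the send only if the document is unmarked or the channel is approved.

    Only marked documents are gated here; the guide's rule for unmarked material
    you are unsure about (treat it as CUI) still needs a human decision.
    """
    banner = parse_banner(document_text)
    if banner is None:
        return True, "no CUI banner found"
    if channel in APPROVED_CHANNELS:
        return True, f"{banner.control} marked; {channel} is an approved channel"
    cats = "/".join(banner.categories) or "uncategorized"
    return False, f"blocked: {banner.control}//{cats} may not leave via {channel}"
```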
Processing on workstations
- Workstations accessing CUI must meet NIST 800-171 controls — not every shop floor PC qualifies
- USB drives prohibited for CUI transfer unless specifically approved, encrypted, and audited
- Print with care — paper copies have the same protection requirements and a decommissioning lifecycle (shredding + log)
- No CUI on personal / BYOD devices
Shop-floor realities
- Enclave the CUI-handling environment (dedicated workstations, dedicated network segment, dedicated M365 / storage tenant) — this is the single biggest cost saver
- Train the shop supervisors and project managers — they're the ones handling the marked documents day to day
- Physical security on the CUI enclave: locked area, access control, camera coverage
- A mobile device management policy that keeps personal phones out of the CUI zone during work
When a CUI spill happens
- A "spill" is CUI landing somewhere it shouldn't — personal email, unsecured share, printer on the wrong floor
- Incident-response plan must cover spills explicitly: containment, investigation, notification to the originating prime, documentation
- Don't delete the evidence before investigating — you'll need to know what happened and report accurately
- Spills trigger a notification obligation under DFARS 252.204-7012 if the incident affects CUI tied to a DoD contract
Disposal
- Paper: cross-cut shredding, with the destruction logged
- Digital: cryptographic erasure or physical destruction for end-of-life drives, with a documented chain of custody for decommissioned drives — logged
- Retention periods: per contract flow-down; typically retain as long as the contract relationship exists, plus any specified period
