Understanding CUI Compliance for Defense Contractors
CUI (Controlled Unclassified Information) compliance for defense contractors remains one of the most misunderstood and underestimated challenges in the defense industrial base (DIB). Most organizations know they need to protect CUI, but far fewer understand what qualifies as CUI, how it flows through a supply chain, or where to begin implementing NIST 800-171.
In this episode of the IntelliGRC podcast, we sit down with Ryan Bonner of DEFCERT to tackle these questions head-on. Ryan is one of the most respected voices in the CMMC and CUI space, and his approach to CUI compliance for defense contractors is rooted in years of hands-on experience that predates the CMMC program itself.
Whether you are a defense contractor figuring out where to start, an Original Equipment Manufacturer (OEM) managing supplier relationships, or an MSP supporting clients through certification, this conversation delivers practical guidance you can put to work immediately.
The Proprietary Paradox: Why Data Ownership Changes Everything
One of the most important concepts Ryan introduces is what DEFCERT calls the “proprietary paradox.” In short, the same file or document may or may not qualify as CUI depending on who owns it.
This distinction matters because it directly affects how organizations handle supply chain flow-downs. CUI is information that the government creates or possesses, or that a non-federal organization creates or possesses for or on behalf of the government, and that a law, regulation, or government-wide policy requires to be safeguarded; data you develop and own outright does not meet that definition. In 2020, the Information Security Oversight Office (ISOO) clarified that proprietary data you create and own is not CUI, even if it remains subject to other laws and regulations such as export controls. As a result, OEMs who design and manufacture their own products may be able to share proprietary technical data with suppliers without triggering CUI requirements downstream.
For defense contractors navigating CUI compliance, this concept alone can reshape how you think about scoping your CMMC implementation and protecting your supply chain.
Why Selling Commercial Off-The-Shelf (COTS) Products Does Not Make You CUI-Free
Many contractors assume that because their end product is commercial off-the-shelf, CUI does not apply to them. However, Ryan explains why that assumption is dangerous.
Even if you sell something as common as a refrigerator to the Department of Defense, you still need to interact with a technical data package to quote, specify, and deliver that item. That technical data package may contain CUI. Therefore, the commercial nature of your product does not exempt you from handling controlled information during the fulfillment process.
This is a critical point for any defense contractor assessing their CUI compliance posture. Ryan recommends that every organization maintain at least one environment capable of receiving customer documents and managing the risk that those documents contain CUI.
Why Redaction Is a Failed Strategy
Some organizations attempt to strip CUI from customer documents before sharing information with suppliers. Ryan calls this approach a “failed enterprise.”
The likelihood of perfectly removing all controlled information from a document every single time as a repeatable business process is near zero. Instead, Ryan recommends a different approach. First, isolate inbound customer documents in as few storage locations as possible. Then, identify the specific CUI category on the document. Finally, evaluate whether the information you actually need from that document is regulated under the laws tied to that CUI category.
By building what Ryan calls a “data allow list,” organizations can extract unregulated information with confidence. Over time, this creates a strategic foundation that preserves supply chains without over-regulating them.
Where to Start Implementing NIST 800-171
If you have unanswered questions about CUI but still need to move forward, Ryan’s guidance is clear. Start with your initial point of receipt for customer documents and information.
That environment, wherever you first receive documents from a customer, will never be a wasted investment. Regardless of how your CUI picture evolves, you will always need to protect that entry point. This advice applies to defense contractors at every tier of the supply chain and is especially relevant for organizations still working through their CUI compliance strategy.
Handling Unmarked but Sensitive Documents
What should you do when you receive documents with distribution statements and export control warnings but no CUI markings? According to Ryan, these documents are your “canary in the coal mine.”
He recommends using them as an opportunity to build a NIST 800-171-compliant environment now, before CUI markings inevitably arrive. On a long enough timeline, customers are far more likely to overmark than undermark. So rather than waiting for perfect clarity, defense contractors should begin applying protections to documents that are already regulated by the laws referenced in the CUI Registry.
This proactive approach positions you for success when formal CUI markings do appear, rather than scrambling to catch up.
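One practical way to act on this advice at the point of receipt is to scan every inbound document for the markings discussed above and route anything carrying a CUI banner, a restricted distribution statement, or an export-control warning into the NIST 800-171 environment. The Python below is an added example written for this page, not tooling from DEFCERT or IntelliGRC. The marking patterns are simplified from the CUI banner syntax (category and dissemination segments after "CUI//") and from DoD distribution statements A through F, and are assumptions to tune per customer; the sample documents are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Added triage example. The patterns below are assumptions: they catch common
# marking formats for routing purposes and are not a CUI determination.

# Banner line such as "CUI", "CUI//SP-CTI", "CUI//SP-CTI/EXPT//NOFORN" or legacy
# "CONTROLLED". Group 1 = category segment, group 2 = dissemination segment.
_CUI_BANNER = re.compile(
    r"^\s*(?:CUI|CONTROLLED)"
    r"(?://((?:[A-Z][A-Z0-9\-]*)(?:/[A-Z][A-Z0-9\-]*)*))?"
    r"(?://([A-Z ,\-]+))?\s*$",
    re.MULTILINE,
)
# DoD distribution statements. Statement A is "approved for public release", so
# only B through F are treated as restricted for routing.
_DIST_STMT = re.compile(r"DISTRIBUTION\s+(?:STATEMENT\s+)?([A-F])\b", re.IGNORECASE)
# Export-control boilerplate keywords (assumed list; extend per customer).
_EXPORT_WARN = re.compile(
    r"EXPORT[\s\-]CONTROL(?:LED)?|ARMS EXPORT CONTROL ACT"
    r"|EXPORT ADMINISTRATION REGULATIONS|\bITAR\b",
    re.IGNORECASE,
)


@dataclass
class Triage:
    name: str
    cui_banner: bool = False
    cui_categories: list[str] = field(default_factory=list)
    dissemination: str | None = None
    distribution_statement: str | None = None
    export_warning: bool = False

    @property
    def disposition(self) -> str:
        """Routing decision for the document at the point of receipt.

        'cui'    : carries a CUI banner; stays in the NIST 800-171 environment.
        'canary' : no CUI banner, but a restricted distribution statement or an
                   export-control warning; treat as regulated now.
        'review' : no recognised marking; still received in the protected
                   environment and needs a human determination (undermarking happens).
        """
        if self.cui_banner:
            return "cui"
        if self.export_warning or self.distribution_statement in ("B", "C", "D", "E", "F"):
            return "canary"
        return "review"


def triage_document(name: str, text: str) -> Triage:
    """Scan one document's text for markings and classify it for routing."""
    result = Triage(name=name)
    for m in _CUI_BANNER.finditer(text):
        result.cui_banner = True
        if m.group(1):
            result.cui_categories.extend(c for c in m.group(1).split("/") if c)
        if m.group(2):
            result.dissemination = m.group(2).strip()
    result.cui_categories = sorted(set(result.cui_categories))
    m = _DIST_STMT.search(text)
    if m:
        result.distribution_statement = m.group(1).upper()
    result.export_warning = bool(_EXPORT_WARN.search(text))
    return result


def triage_inbox(docs: dict[str, str]) -> dict[str, str]:
    """Map each inbound document name to its disposition."""
    return {name: triage_document(name, text).disposition for name, text in docs.items()}


# Constructed sample documents, not real customer data.
SAMPLE_DOCS = {
    "tdp_bracket.txt": (
        "CUI//SP-CTI//NOFORN\n"
        "Technical data package, mounting bracket\n"
        "Material: 6061-T6 aluminum, see drawing sheet 3\n"
        "CUI//SP-CTI//NOFORN\n"
    ),
    "icd_connector.txt": (
        "Interface control document, rev C\n"
        "DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government "
        "agencies and their contractors.\n"
        "WARNING - This document contains technical data whose export is "
        "restricted by the Arms Export Control Act.\n"
    ),
    "rfq_refrigerator.txt": (
        "Request for quote: 20 cu ft commercial refrigerator, FOB destination.\n"
        "DISTRIBUTION STATEMENT A. Approved for public release.\n"
    ),
    "cover_letter.txt": "Please find the attached quote package.\n",
}

if __name__ == "__main__":
    for doc_name, body in SAMPLE_DOCS.items():
        t = triage_document(doc_name, body)
        print(f"{doc_name:22} {t.disposition:7} categories={t.cui_categories} "
              f"distribution={t.distribution_statement} export={t.export_warning}")
```

The scanner finds markings, not CUI: a "review" result means no marking was recognised, not that the document is clear, which is why every result stays in the receipt environment and the human determination against the CUI category's underlying law (the "data allow list" step described earlier) happens afterwards. The "canary" bucket is the one the section above is about, and it is deliberately routed the same way as marked CUI.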
Consolidation Is Coming to the Defense Industrial Base
Ryan draws a direct parallel between what is happening in the defense industrial base today and what happened in healthcare after HIPAA enforcement reached small medical practices.
When significant regulation arrives in an industry that is not natively strong in that area, the result is almost always consolidation. Many small defense contractors face a capital-intensive compliance requirement on top of an already capital-intensive business model. Organizations that cannot absorb the cost may see revenue drop sharply — sometimes without even understanding why the customer stopped calling.
For defense contractors focused on CUI compliance and long-term viability, the takeaway is urgent: start now, even if your CUI picture is not fully resolved. The organizations that invest early will survive and thrive. Those that wait risk being quietly removed from vendor lists.
The Hot Hand Fallacy and CMMC Waivers
Will some contracts receive waivers from CMMC requirements? Probably. However, Ryan uses the basketball concept of the “hot hand fallacy” to explain why planning around being the exception is a dangerous bet.
Just because one contract received special treatment does not mean the next one will. These are disconnected events. Meanwhile, most small businesses do not have more than 30 days of payroll in reserve. Missing an entire contract cycle because you assumed you would not need certification is a risk most organizations simply cannot afford.
On a long enough timeline, CMMC certification is not a competitive edge — it is table stakes. It is the entry fee for doing business in the defense industrial base.
Phase Two Bottlenecks: Significant Changes and Reassessments
Looking ahead, Ryan identifies reassessments triggered by significant changes as one of the biggest bottlenecks the industry needs to address. Currently, a significant change could require a full reassessment of all requirements, even if only a portion of the environment was affected.
Ryan proposes ideas like evidence escrow and targeted reassessments to reduce disruption. He also points to FedRAMP’s recent shift from significant change requests to significant change notifications as a model worth exploring. Whatever the solution, the industry needs a mechanism that allows defense contractors to manage change without grinding operations to a halt.
Why Open Knowledge Sharing Matters
Ryan closes with a message for consultants, practitioners, and thought leaders in the CMMC space: share more than you think you should, with no strings attached.
When the industry gatekeeps information, it becomes easy for unqualified providers to blend in. However, when experts share openly and in detail, they widen the gap between those who can genuinely help and those who cannot. Defense contractors benefit directly from this transparency because it helps them identify who actually knows what they are doing.
About Ryan Bonner and DEFCERT
Ryan Bonner is the founder of DEFCERT, a compliance consulting firm that focuses almost exclusively on CMMC. DEFCERT specializes in CUI determinations, helping organizations identify when something may or may not qualify as CUI, with the goal of controlling scope, reducing cost, and preserving supply chains.
Connect with Ryan: info@defcert.com
Watch the Full Episode
Do not miss this deep dive into CUI compliance for defense contractors. Watch the full episode on this link.
