CUI stands for Controlled Unclassified Information, which is any type of data that requires safeguarding consistent with applicable laws, regulations, and government-wide policies.
NIST 800-171 outlines security controls and details how organizations should safeguard CUI. These controls cover things like access control, incident response, and risk assessment. DFARS clause 252.204-7012 mandates that DoD contractors who handle CUI must implement the security controls outlined in NIST 800-171. This ensures a standardized approach to protecting sensitive information throughout the defense supply chain.
See also: DFARS Compliance Checklist