By Dr. Jeff Baldwin & George Perezdiaz
As defense contractors move CUI out of IT assets and digital systems to reduce technical control investments, one critical question remains:
What about CUI that exists in physical form?
Compliance with NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is not optional. Whether CUI is digital or hardcopy, the responsibility to protect it remains, and it will likely be enforced through CMMC Level 2 assessments.
This blog recaps key takeaways from our CMMC Day 2025 presentation, where we tackled the often-overlooked but essential topic of safeguarding hardcopy CUI.
Security Requirements Apply to All Information Systems
CMMC security requirements are designed to protect Information Systems, and that definition is not limited to digital assets. Hardcopy CUI, paper documents, and other tangible assets fall within it and must be protected accordingly. Safeguarding CUI doesn’t end at the printer; paper records carry the same protection requirements as digital ones.
Central Questions We Must Ask
- If every future DoD contract includes the DFARS 252.204-7021 clause, will that effectively require every member of the Defense Industrial Base to have an authorized Information System in place?
- Should a Covered Contractor Information System (CCIS) that only handles non-digital CUI or FCI be eligible for CMMC certification?
Key Definitions
To fully understand the scope of obligations, we must align on terminology:
- Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- Information Resources: Information and the related resources used to manage it, such as personnel, equipment, funds, and information technology.
- Information: Any communication or representation of knowledge, in any medium or form, including textual, numerical, graphic, or physical.
- Assets: Items of value, both tangible (e.g., printed CUI, hardware, facilities) and intangible (e.g., personnel, data, information).
These definitions, drawn from DFARS 252.204-7012, the NIST Glossary, and 32 CFR Part 170, make it clear: paper is not exempt from being considered part of the information system.
The Operating Environment: More Than Your Network
Security obligations don’t stop at your enclave or network perimeter. If your facility includes paper-based CUI, it’s still part of your system and must align with CMMC Level 2 requirements.
1. Environment of Operation
Definition:
The Environment of Operation refers to the physical and organizational context in which CUI is processed, stored, or transmitted. For hardcopy CUI, this includes offices, secure rooms, storage areas, and any location where authorized personnel interact with CUI.
Key Considerations:
- Non-digital does not mean non-assessable.
- Printing, storing, annotating, or transferring CUI physically still constitutes handling within an Information System.
- Printers, shredders, filing cabinets, and safes must be considered part of your system boundary.
- These environments must align with NIST 800-171 security requirements, including Physical Protection (PE), Access Control (AC), Media Protection (MP), and Risk Assessment (RA).
Implication:
Even if you’ve eliminated CUI from your networks, your operational environment is still in scope for CMMC Level 2 if it involves hardcopy CUI.
2. Operating Environment
Definition:
The Operating Environment includes the technical, physical, and procedural conditions in which systems—digital or physical—are deployed.
Key Elements:
- Facilities where CUI is accessed, processed, or discussed
- People with physical or logical access to CUI
- Physical security mechanisms like badge access, surveillance, or lockable containers
Insight: Work-from-home environments were specifically highlighted as unsuitable for hardcopy CUI unless they are configured with strict physical controls. A location that lacks adequate access control, monitoring, or enforcement of handling procedures cannot be deemed compliant.
Implication: Organizations must tightly define and control where CUI is handled.
3. Controlled Environment
Definition:
A Controlled Environment refers to a secure, access-restricted space where CUI is physically protected.
Requirements Include:
- Access limited to individuals with demonstrated need-to-know
- Physical safeguards such as locks, badging systems, or escorted entry
- Use of Controlled Access Areas (CAAs), secured file rooms, or CUI-designated storage units
Key Takeaway: Securing a cabinet isn’t enough if the room itself is unsecured. The entire environment—room, access controls, and supporting processes—must be evaluated holistically.
Scoping: Applying the Right Lens
A proper scoping process for CMMC certification must include all assets involved in the handling of CUI:
- Tangible Assets: Paper files, printers, cabinets, shredders
- People: Authorized personnel accessing or protecting CUI
- Facilities: Physical locations and secure zones
- Technologies: Surveillance systems, badge readers, access controls
Even if your digital systems are out of scope, physical media and the environments in which they’re used remain firmly in-scope.
Applicable Security Controls
Some controls are obvious—others are easy to overlook—but all applicable controls, whether technical or not, must be addressed.
Obvious Controls:
- PE.L2 (Physical Protection) – Doors, locks, visitor logs
- AC.L2 (Access Control) – Defined access to physical assets
Frequently Overlooked:
- AT.L2 (Awareness & Training) – Ensuring staff know how to properly handle, label, and destroy paper CUI
- PS.L2 (Personnel Security) – Screening and managing individuals with access
- MP.L2 (Media Protection) – Policies for storage and disposal of paper materials
- CA.L2 (Security Assessment) – Ongoing evaluation of the controls in place
- RA.L2 (Risk Assessment) – Identifying and mitigating risks to hardcopy CUI
Final Thoughts
CMMC isn’t just about digital maturity; it’s about protecting the confidentiality of CUI in all forms, including paper. As C3PAOs begin conducting Level 2 certification assessments in 2025 and beyond, defense contractors must recognize that hardcopy CUI carries the same obligations as digital CUI.
Want help scoping or securing your physical environment? Book a demo with Cuick Trac—we’re here to simplify the entire process.