Ask yourself this: if a DCSA assessor walked in tomorrow and said "show me where your CUI lives," what would you say?

If your honest answer involves more than one breath — or includes phrases like "well, it depends" or "let me check with the contracts team" — you have a problem.

Not a catastrophic one. Not one that means you're negligent or careless. But a real, practical problem that's costing you time, creating audit risk, and making your operations harder than they need to be.

Here's where your CUI actually is right now.

The Six Places

1. Outlook

Your email is probably your biggest CUI repository, and it's completely unsearchable at scale. Contract modifications, technical data packages, proprietary specs from your prime, DFARS-covered drawings — all of it landing in inboxes across your team. Some people file it. Some don't. Some people left the company two years ago and their mailbox got archived somewhere.

When a CO sends you a sensitive document over email, that's CUI the moment it hits your server. You know that. But do you know where all of it is?

2. SharePoint

You set up SharePoint with good intentions. There's a folder structure somewhere — by contract, maybe, or by year. But folder structures degrade. People create their own subfolders. Documents get saved in two places "just in case." The CUI that was filed correctly in 2023 is in a completely different location than the CUI filed in 2025 because someone reorganized the drive.

SharePoint has permissions. It has version control. It's theoretically the right place for this. In practice, it's a maze.

3. Shared Network Drives

The file server that's been running since 2017. The one IT "migrated" most of the data from, except they didn't migrate the Q2 2021 folder because nobody knew what was in it. The one where people still save files because SharePoint is slower. The one where CUI exists alongside HR files, old proposals, and a folder called "MISC - OLD" that nobody has opened in three years.

4. Costpoint Exports

Every time your controller runs a report, exports project data, or pulls labor actuals, that spreadsheet goes somewhere. Sometimes it goes to a shared drive. Sometimes it goes to a personal desktop. Sometimes it gets emailed to a PM who saves it to their laptop.

Costpoint data isn't always CUI — but sometimes it is. And once it's exported, you've lost track of it.

5. Personal Laptops

You know this is happening. Someone worked from home on a deliverable, saved it to their local desktop instead of SharePoint because the VPN was slow, and forgot to upload it. Or they emailed it to themselves. Or they're using their personal laptop for work travel because their work laptop has a cracked screen and IT hasn't fixed it.

This is the one that keeps assessors up at night. And it's the one that's hardest to control.

6. The USB Drive in the Drawer

Maybe it's not a USB drive. Maybe it's an old hard drive from a decommissioned laptop. Maybe it's a burned CD from 2019 (yes, still). The point is: somewhere in your organization, there is a physical storage device with CUI on it that is not in your inventory, not encrypted, and not accounted for.

If you say this doesn't apply to you, I'd ask you to check with your longest-tenured employee.

Why This Matters Beyond the Audit

NIST SP 800-171 control 3.1.3 requires you to control the flow of CUI in accordance with approved authorizations. That's not just about locking down who can access it — it's about knowing where it goes.

When an assessor asks you to demonstrate compliance with 3.1.3, the right answer is a documented data flow. "We receive CUI via email and SharePoint, it's stored in these specific locations with these specific access controls, and it's disposed of using this process." That's a passing answer.

"It's kind of everywhere, but we have encryption enabled on most machines" is not.

Beyond the assessment, though, there's a more immediate problem: you can't find your own data.

The Real Cost: Time

Here's a scenario that happens in defense shops every week.

A contracting officer emails your PM asking for the material certifications from the Q3 test run on Contract 1234. Your PM doesn't have them — she wasn't on the project in Q3. She emails the previous PM. He's not sure which revision was the final one but thinks it's in SharePoint. She checks SharePoint. Finds three files with similar names and different dates. Emails them all to the CO, who comes back and says none of those are the right revision.

Forty-five minutes later, your contracts administrator finds the right file in an email thread from August. It was never uploaded to SharePoint.

That's a real cost. That's time your PM spent not doing PM work. That's a contracting officer who now has a less favorable impression of your shop's organization. That's a miss.

And it's entirely avoidable.

The Problem Isn't Technology. It's Organization.

Here's what I want to be clear about: you don't need another system.

You don't need to rip out SharePoint and buy a new document management platform. You don't need to rebuild your folder structure from scratch. You don't need to hire a records manager.

What you need is something that connects the systems you already have — that indexes your Outlook, your SharePoint, your file server, your Costpoint exports — and lets you find anything with a simple question.

"Where are the material certs for Contract 1234 Q3?"

Ten seconds. Not forty-five minutes.

That's what an AI assistant does when it's built for this use case. Not a general-purpose chatbot — something that's been set up to know your organization, your contracts, your data sources, and your CUI handling procedures.

What You Should Be Able to Say

When that assessor walks in and asks where your CUI lives, you should be able to say: "Our CUI is indexed and searchable across these five systems. I can show you exactly what's in each one."

When a CO asks for a document from eight months ago, your team should find it in under a minute.

When you're doing your annual review of your SSP, you should be able to verify your data flows without spending a week interviewing your staff.

This is achievable. It doesn't require a massive IT investment. It requires something that does the organizational work your team doesn't have time to do.

Tentacle Ops ingests and indexes your data from all sources — Outlook, SharePoint, shared drives, Costpoint exports. You ask it a question in plain English. It finds the answer across everything. One question, one answer.

GovCloud deployed. CMMC-aware. $1,000/month, fully managed.

You shouldn't have to check four systems to find one document.

Tentacle Ops is a managed AI assistant for small defense contractors. GovCloud deployed, CMMC-ready, $1,000-1,500/month. Learn more at tentacleops.ai.