Over the course of the past two years, the University of Virginia has worked to create a computer system and network that would be compliant with the NIST 800-171 standards for Controlled Unclassified Information (CUI). From a starting point of a high-level committee, through an inventory of current systems and networks and a process of establishing both what was required for compliance and how we met that control, we strove to meet compliance without creating a new, separate, compute system for researchers. This spring, with the help of an outside consultant, we completed our first Systems Security Plan (SSP) and Plan of Action and Milestones (POAM) for a DOD grant for our so-called Ivy-CUI compliant system. This talk will review the highlights of march to CUI compliance and look at some topics on the CUI horizon.