Controlled Unclassified Information (CUI): A Primer
Managing, protecting, and using Controlled Unclassified Information (CUI) continues to present both new and current DoD contractors with a myriad of challenges. DFARS 252.204-7012 states that contractors need to provide “adequate security” and comply with NIST 800-171 r2 requirements. The end results are stated but there is no recipe or step by step process provided.
In late 2020, DoD published two DFARS rules (252.204-7019 and 252.204-7020) that require all contractors and all subcontractors/suppliers complete the DoD Basic Assessment and upload specific results to the SPRS portal. In the near future, companies interested in doing business with DoD will be required to prepare for and pass a CMMC assessment to be eligible for DoD awards and subcontracts.
Cybersecurity is a focus of these initiatives and requirements. In many ways, CUI has become synonymous with cybersecurity. Nevertheless but of equal importance is other non-cyber related security requirements which must be understood and undertaken by those handling CUI to protect this sensitive information.
While CUI is to an extent a key focus, businesses should be aware that in addition to CUI the federal government also generates and expects contractors to safeguard Federal Contract Information (FCI). For more information on FCI see wispro.org/fci.
The following information about additional proper handling and securing requirements for CUI comes from the Department of Defense DoDI 5200.48: Controlled Unclassified Information, which can be found by clicking here.
Specific requirements for DoD contractors can be found at the bottom of this page. DoD requirements represent best practices, so following these guidelines will help ensure you are meeting general CUI requirements.
Is all CUI is defense related?
No. CUI exists across the federal government. The National Archives and Records Administration has been designated as the Executive Agent to implement Executive Order 13556 of November 4, 2010 and oversee agency actions to ensure compliance with this order. The Implementing Directive 22 CFR 2002 and the complete list of CUI categories that apply to the federal government are located at https://www.archives.gov/cui.
Overall, there are two broad subcategories of CUI. They are CUI Basic and CUI Specified.
CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI.
CUI Specified is the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls apply to those aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance.
DoD information identified as Controlled Technical Information (CTI) is governed by 48 CFR 252.204-7012 ( AKA DFARS). The controls required are Specified, and it is to have a Banner Marking of CUI//SP-CTI.
Specific requirements for DoD contractors can be found at the bottom of this primer.
What is CUI?
Controlled Unclassified Information (CUI) is “information associated with a law, regulation, or government-wide policy and identified as needing safeguarding. Safeguarding CUI requires access control, handling, marking, dissemination, and other protective measures.” These and other protective measures apply beyond cybersecurity since information in any form – printed, audio, film or other medium must also be protected. Please click here to see the DoD CUI Registry for applicable categories. (DoDI 5200.48 3.6)
Who designates information as CUI?
Designation of material as CUI occurs when an authorized holder, consistent with 32 CFR Part 2002 and the CUI Registry, determines that a specific item of information falls into a CUI category or subcategory. The authorized holder who designates the CUI must make recipients aware of the information’s CUI status in accordance with 32 CFR Part 2002.
At minimum, CUI markings for unclassified DoD documents will include the acronym “CUI” in the banner and footer of the document.
Does CUI include information lawfully and publicly available without restrictions?
No. This kind of information is not considered CUI. (DoDI 5200.8 3.7.a)
Can information be designated as CUI to protect its release under FOIA requests or other similar programs?
No. See DoDI 5200.48 1.2 c.
Who can access to CUI?
Unlike classified information, an individual or organization generally does not need to demonstrate a need-to-know to access CUI unless required by law, regulation, or government-wide policy. However, an individual or organization must have a lawful governmental purpose for such access. DoDI 5200.48 states:
- “No Individual may have access to CUI information unless it is determined he or she has an authorized, lawful, government purpose.”
- “The person with authorized possession, knowledge, or control of CUI will determine whether an individual has an authorized, lawful government purpose to access designated CUI.”
- “CUI information may be disseminated within the DoD Components and between DoD Component officials and DoD contractors, consultants, and grantees to conduct official business for the DoD, provided dissemination is consistent with controls imposed by a
distribution statement or limited dissemination controls.”(LDC) (DoDI 5200.48 3.1.d )
How will a recipient know that a document/email contains CUI?
At minimum, CUI markings for unclassified DoD documents will include the acronym “CUI” in the banner and footer of the document. (DoDI 5200.48 3.4.a.) – additional information see paragraph 3.4 Marking Requirements DoD 5200.48 and CUI Marking guide at www.archives.gov/cui)
What sorts of handling requirements for CUI are necessary?
Non-DoD information systems processing, storing, or transmitting CUI will provide adequate security, and the appropriate requirements must be incorporated into all contacts, grants, and other legal agreements with non-DoD entities in accordance with DoDI 8582.01. The NIST SP 800-171 governs and protects CUI on non-Federal IS when applied by contract. (DoDI 5200.48 3.10.c)
DoDI 5200.48 additionally states that the following measures must be implemented. Note that these security requirements emphasize that non-cyber related precautions are among the actions that must be taken to secure CUI:
- “During working hours, steps will be taken to minimize the risk of access by unauthorized personnel, such as not reading, discussing, or leaving CUI information unattended where unauthorized personnel are present. After working hours, CUI information will be stored in unlocked containers, desks, or cabinets if the government or government-contract building provides security for continuous monitoring of access. If building security is not provided, the information will be stored in locked desks, file cabinets, bookcases, locked rooms, or similarly secured areas. The concept of a controlled environment means there is sufficient internal security measures in place to prevent or detect unauthorized access to CUI. For DoD, an open storage environment meets these requirements.” (DoDI 5200.48 4.1.e)
What requirements govern the dissemination of CUI?
Regarding dissemination, DoDI 5200.48 states that “CUI access should be encouraged and permitted to the extent the access or dissemination:
- Complies with the law, regulation, or government-wide policy identifying the information;
- furthers a lawful government purpose;
- is not restricted by an authorized LDC established by the CUI EA;
- is not otherwise prohibited by any other law, regulation, or government-wide policy.” (DoDI 5200.48 4.2.a)
Additionally, DoDI 5200.48 states that “export-controlled CUI transfers to foreign persons must be in accordance with the Arms Export Control Act, International Traffic in Arms Regulations, Export Control Reform Act, Export Administration Regulations, and DoDI 2040.02. In accordance with DoDDs 5230.11 and 5230.20, a positive foreign disclosure decision must be made before CUI is released to a foreign entity.” (DoDI 5200.48 3.4.d.3.a.)
Prior to being decontrolled or released to the public, CUI documents and materials will be formally reviewed in accordance with DoDI 5230.09. (DoDI 5200.48 4.4.a)
If I need to destroy CUI, are there requirements I need to meet?
Yes: “Guidance for destroying CUI documents and materials is provided in this issuance, the CUI Registry, and ISOO Notice 2019-03. CUI documents and materials will be formally reviewed in accordance with Paragraphs 4.5.a. and 4.5.b. before approved disposition authorities are applied, including destruction. Media containing CUI must include decontrolling indicators. See: CUI Notice 2019-02: Destroying Controlled Unclassified Information (CUI) in Paper Form (archives.gov) and specifically paragraph 6 under the heading – Single-step paper destruction standard also review paragraph 7 for a list of currently authorized shredders.” (DoDI 5200.48 4.5)
What are the CUI requirements for DoD specific contractors?
This paragraph highlights requirements for DoD contractors according to Section 5.3, DoD 5200.48.
- Whenever DoD provides information to contractors, it must identify whether any of the information is CUI via the contracting vehicle, in whole or part, and mark such documents, material, or media in accordance with this issuance.
- Whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities, protective measures and dissemination controls, including those directed by relevant law, regulation, or government-wide policy, will be articulated in the contract, grant, or other legal agreement, as appropriate.
- DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified information pursuant to security classification guidance addressing the accumulation of unclassified data or information. DoD contracts shall require contractors to report the potential classification of aggregated or compiled CUI to a DoD representative.
- DoD personnel and contractors, pursuant to mandatory DoD contract provisions, will submit unclassified DoD information for review and approval for release in accordance with the standard DoD Component processes and DoDI 5230.09.
- All CUI records must follow the approved mandatory disposition authorities whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities in accordance with Section 1220-1236 of Title 36, CFR, Section 3301a of Title 44, U.S.C., and this issuance. (DoDI 5200.48 5.3)
What is the are the training requirements regarding CUI for DoD Contractors?
Per DoDI 5200.48, “In accordance with this issuance, every individual at every level, including DoD civilian and military personnel as well as contractors providing support to the DoD pursuant to contractual requirements, will comply with the requirements in Paragraph 3.6.f of this issuance for initial and annual refresher CUI training.” (DoDI 5200.48 3.6.b.)
The “Initial and Annual Refresher Training” training can be accessed at https://securityhub.usalearning.gov/index.html.
In addition to the above training, WPI has compiled a list of other trainings related to CUI and cybersecurity issues. Click here for access.
List of resources and references:
- DoDI 5200.48 – https://dodcui.mil
- DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting – https://www.acquisition.gov/dfars/part-252-solicitation-provisions-and-contract-clauses#DFARS-252.204-7012
- FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems – https://www.acquisition.gov/far/part-52#FAR_52_204_21
- National Archives – CUI – https://www.archives.gov/cui
- International Traffic in Arms Regulations (ITAR) – https://www.pmddtc.state.gov/ddtc_public
- Joint Certification Program (JCP) – https://www.dla.mil/HQ/LogisticsOperations/Services/JCP/
- DOD Directive 5230.25 Withholding of Unclassified Technical Data from Public Disclosure
- DOD Instruction 5230.24 Distribution Statements on Technical Documents
For additional information on this topic, please contact Marc Violante at firstname.lastname@example.org or 414-270-3600.
Last updated August 2021