What is CUI, FCI, ITAR, JCP, CDI, and CTI?
Information is at the center of every federal contract. Managing the flow of information generated by and related to contract performance should be a priority for each awardee. Contractors should review all information to determine if it is publicly releasable or if it is governed by one of the other information programs. Non-public information should be clearly identified and marked to ensure proper handling, usage, storage, transmission, and destruction. Most importantly, contractors need to be aware of what is necessary to be compliant with each specific type of information.
Contractors should review contract flow-down clause requirements to ensure that information conveyed to suppliers and/or subcontractors is handled in accordance with program requirements. Additionally, companies should confirm whether the information can be shared electronically and, if it can, what is required to do so. Another key step is determining a recipient’s eligibility to receive the specific type (category) of information.
There are many types of information, but Controlled Unclassified Information (CUI) is the category that has vaulted to the forefront of awareness among DOD contractors. The term can probably be heard in any communication related to doing business with DOD, and it has also heightened general awareness of the need for effective cybersecurity. However, while CUI may currently be the most prominent category, there are several other types (categories) of information, such as FCI, ITAR, JCP, CDI, and CTI, that require one or more of the following:
- Contract flow-down requirements
- Control/compliance plans
- Data Custodian
- Eligibility to access requirements
- Formal registration
- Initial and annual training
- Use of specified encryption standards for transmission
- Validation of subcontractor/supplier regulatory compliance
For additional information or assistance on these topics, please contact Marc Violante on WPI’s staff at MarcV@wispro.org or at 414-270-3600.
Controlled Unclassified Information (CUI)
- Government-created or -owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure.
- An overarching term representing many different categories, each authorized by one or more laws, regulations, or Government-wide policies.
- Information requiring specific security measures indexed under one system across the Federal Government.
DOD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified information pursuant to security classification guidance addressing the accumulation of unclassified data or information. DOD contracts shall require contractors to report the potential classification of aggregated or compiled CUI to a DOD representative.
See: DODI 5200.48 5.3 c
Federal Contract Information (FCI)
Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
See: FAR 52.204-21 Definitions
International Traffic in Arms Regulations (ITAR)
The International Traffic in Arms Regulations (“ITAR,” 22 CFR 120-130) implement the Arms Export Control Act (AECA). The AECA requires all manufacturers, exporters, temporary importers, and brokers of defense articles (including technical data) as defined on the United States Munitions List (ITAR part 121), and furnishers of defense services, to register with the Directorate of Defense Trade Controls (DDTC) as described in ITAR part 122 (part 129 for brokers). Registration is primarily a means to provide the U.S. Government with necessary information on who is involved in certain ITAR-controlled activities and does not confer any export or temporary import rights or privileges. Registration is generally a precondition for the issuance of any license or other approval and for the use of certain exemptions.
Per ITAR §122.1, any person who engages in the United States in the business of either manufacturing or exporting or temporarily importing defense articles or furnishing defense services is required to register with DDTC. Manufacturers who do not engage in exporting must nevertheless register.
Please review and thoroughly understand all definitions, especially the definition of Exporting as it applies to ITAR.
Additionally, review and understand entries on the United States Munitions List (ITAR part 121).
For additional information see: https://www.pmddtc.state.gov
Joint Certification Program (JCP)
The JCP was established in 1985 to allow United States (U.S.)/Canadian contractors to apply for access to Department of Defense/Department of National Defence (DOD/DND) unclassified export controlled technical data/critical technology on an equally favorable basis in accordance with DODI 5320.25 “Withholding of Unclassified Technical Data and Technology from Public Disclosure”, and Canadian Technical Data Control Regulations.
Access to designated information requires formal registration via DD Form 2345, completion of mandatory training, designation of a Data Custodian, and additional steps required for computer access to designated information.
For forms and additional information see: https://www.dla.mil/HQ/LogisticsOperations/Services/JCP/
Covered Defense Information (CDI)
Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DOD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
See: DFARS 252.204-7012 Definitions
Controlled Technical Information (CTI)
Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DOD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
See: DFARS 252.204-7012 Definitions