The US Department of Defense recently published a decision tree for determining when information is Controlled Unclassified Information (“CUI”). A copy of that decision tree appears below.
While that decision tree is useful for DoD representatives as they analyze information to determine whether it is CUI, we do not feel that the decision tree will be useful to most contractors. For example, it presumes that the person evaluating the information is already familiar with all of the laws, regulations, and government-wide policies that underlie the government's CUI regulations. For most government contractors we've met, and even many lawyers specializing in government contracting, that simply isn't a realistic starting point. We have modified DoD's decision tree to be more contractor-friendly.
We also regularly hear from small contractors that their prime/mid-tier contractors are asking for information that the prime should not be requesting. This includes copies of their System Security Plans ("SSPs"), Plans of Action and Milestones ("POA&Ms"), their NIST SP 800-171 self-assessment results (as opposed to their self-assessment scores), and much more. Those prime contractors are asking for this information even from subcontractors who are not handling CUI. As a reminder, DFARS clause 252.204-7012, and by extension clauses 252.204-7019 and 252.204-7020, only apply to organizations handling (i.e., creating, receiving, storing, processing, transmitting, etc.) CUI. We have included below a decision tree for determining when certain DFARS clauses, including -7012, -7019, -7020, and -7021, will apply.
A graphical copy of the decision tree appears below, and it can be downloaded in PDF form via the link below as well.