The United States Department of Defense recently published a memo that updates their Controlled Unclassified Information (“CUI”) program, as reflected in DODI 5200.48, to be more consistent with certain aspects of 32 CFR 2002. As you may recall, 32 CFR 2002 is the authorizing legislation that created the CUI program and applies to the entire Executive Branch, so removing some of the inconsistencies is a great step toward the agency-agnostic approach envisioned for the CUI program!

More specifically, the memo removes from DODI 5200.48 the requirement that all CUI be reviewed by appropriate DoD personnel before it can be released by a federal agency to a foreign entity. DoDI 5200.48 now (properly) only requires review when the CUI is subject to export controls or a limited dissemination control like NOFORN.

The memo has created a bit of a stir in the government contractor space. Some are interpreting it as applying to government contractors, but that is not the case unless the memo or DODI 5200.48 are incorporated into the contract. Instead, the memo applies to the release of CUI by DoD, as an agency of the federal government, to a foreign entity (which has a specific definition in 32 CFR 2002.04(y)).

The unfortunate side-effect of the memo is that it seems to have created much more confusion about how and when CUI can be disclosed to non-US persons. We have therefore prepared flowchart to help people with the analysis of when CUI can be disclosed by a government contractor to someone else, including foreign entities and individuals. A high resolution PDF version is available for download.

Several people collaborated on the creation of the flowchart, and their feedback has been invaluable. Thank you!

Leave a Reply