TL/DR summary:

If you are a DoD contractor and are concerned about identifying unmarked or improperly marked CUI in your environment, be on the lookout for information containing, or which you are instructed to mark with, DoD distribution statements. If the information contains distribution statements B-F, DoDI 5230.24 makes that information Controlled Technical Information, a form of CUI.

This article walks through the obligations for designating and marking CTI, and how to easily identify CTI in contractor systems. For more information about the CUI program and CUI, please see the National Archives and Records Administration (“NARA”) CUI website, as well as the books CUI Fundamentals and CUI Informed.

CUI Background

The United States government creates and handles a LOT of information. That information spans a wide sensitivity spectrum.

At the most sensitive end of this spectrum lies “classified” information. Classified information is information that has an impact on national security. This includes troop movements, the names of informants or operatives, and other highly sensitive information. Classified information is “classified” according to three broad categories: confidential, secret, and top secret information. Each of these categories is increasingly “sensitive” and has tighter controls on the dissemination of the corresponding information.

At the other end of that spectrum is public information. This is information which can be freely shared with anyone. This includes, for example, information on public-facing government websites.

FCI vs CUI

The government also creates, or asks others to create on its behalf, a host of other information that falls in between classified and public information. This unclassified but nonpublic information also has its own degrees of sensitivity, including “uncontrolled unclassified information” (which, for government contractors, is also referred to as “Federal Contract Information” or FCI), and Controlled Unclassified Information, or CUI. There are even two sensitivity levels for CUI, CUI Basic and CUI Specified.

In short, information is CUI Basic when a law, regulation, or government-wide policy (“LRGWP”) requires or permits federal agencies to impose safeguarding controls on that information, or if those agencies can limit the dissemination of that information. Information becomes CUI Specified if the corresponding LRGWP includes specifics as to how the information is to be safeguarded or specifies the dissemination controls that must be applied. If the information is not CUI Basic or CUI Specified, then it is “uncontrolled, unclassified information.”

The CUI Program

The CUI program was created in 2008 in response to the September 11, 2001 terrorist attacks against the United States. Although the CUI program was created nearly a decade and a half ago, the better part of the first decade was spent crafting 32 CFR 2002, the government-wide regulation that defines the CUI program.

It has taken federal agencies quite some time to develop their own, agency-specific implementations of the CUI program. The United States Department of Defense (“DoD”) is a leader in these efforts, publishing one of the first agency-specific CUI programs. In fact, ensuring that CUI is properly protected in DoD contractors’ systems is one of the main motivations for DoD’s Cybersecurity Maturity Model Certification (“CMMC”) program.

Government Contractors and CUI

As DoD contractors are becoming increasingly aware of the CMMC and CUI programs, they are starting to ask: “do we have CUI in our environment?” To properly answer that question, we need to start by understanding whose responsibility it is to designate information as CUI, and when information should be marked as CUI.

Designating and Marking CUI

As discussed above, to be CUI, the information must be information the government creates or possesses, and there must be a LRGWP that says the information can or must be safeguarded or that its dissemination must be controlled. According to the National Archives and Records Administration (“NARA”) CUI Registry, the definitive source for LRGWPs, over 400 LRGWPs can be the basis for designating information CUI. That’s a daunting list, especially for government contractors who may not have the requisite legal training or background to properly interpret the LRGWPs.

Thankfully, at least for government contractors, the CUI program makes “designating” information as CUI (i.e., deciding whether a LRGWP applies to that information) the government’s responsibility. Designation, along with proper marking of CUI designated information, is supposed to occur before an agency employee “disseminates” (i.e., shares) that information to anyone, including other agency personnel or contractors.

Contractors and CUI

Similarly, the agency is supposed to perform the designation analysis whenever the government asks a contractor to create information. The government must also tell contractors how to properly mark the information they create.

This means that, if DoD is asking a contractor to create CUI, DoD must tell the contractor:

  • that the information has been designated as CUI;
  • how to identify the CUI when it is created; and
  • how to mark that information when it is created, including the appropriate “designation indicator”.

That usually occurs as part of the contract with the government, such as in a Security Classification Guide (“SCG”) or a contract attachment or addendum.

Legacy Information

Furthermore, DoD is required to reexamine information that contains “legacy” markings, like For Official Use Only (“FOUO”) or Sensitive but Unclassified (“SBU”) to determine whether the information should be designated as CUI. Both 32 CFR 2002, which defines the CUI program, and DoD’s own implementation of the CUI program (which you can find described in DoDI 5200.48) make it clear that information with legacy markings does NOT automatically become CUI; an authorized individual at DoD (or whichever agency “owns” the information; NOT a government contractor) must make that determination.

Identifying CUI in Contractor Systems

All that being said, as you can imagine, with over 4 million civilian and military members, it is taking DoD some time to train everyone on CUI and the CUI program. This has led some DoD personnel to not properly identify information that should be marked as CUI before it is disseminated to contractors. Other DoD personnel are still confused about the relationship between legacy information and CUI.

This, in turn, is making contractors, including prime contractors and their subcontractors, nervous because they want to do the right thing. They want to properly handle CUI in their environment, but the contractors don’t know how to properly identify unmarked CUI that might be in their environment.

Thankfully, DoD’s CUI program makes this at least a little easier. Of the 400+ CUI-creating LRGWPs, most DoD contractors are only likely to handle a few. And the majority will only ever handle or create one specific type of CUI: Controlled Technical Information (“CTI”). CTI is technical information with military or space applications created or possessed by or on behalf of DoD.

Under DoD Instruction (“DoDI”) 5230.24, which defines how DoD personnel are to identify and mark CTI, program managers of DoD technical programs (i.e., programs creating and handling CTI) are required to identify CTI and mark it, or cause it to be marked, with distribution statements. Under DoDI 5230.24, if information is marked with distribution statements B-F, that information is CUI. Although DoDI 5230.24 was recently updated, these core marking requirements were in the prior version as well.

Look for Distribution Statements B-F

This means that contractors who are looking to identify potentially unmarked CUI in their environments, including information with legacy markings like SBU and FOUO, should look for distribution statements B-F. If the information contains those distribution statements, or if the contract with DoD requires/required the contractor to add those distribution statements to information created by the contractor, then that information is CUI. The contractor should handle it as though it is CTI (including protecting it as required in DFARS 252.204-7012), even though it is not conspicuously marked as CUI.
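As an added example (not part of the article), a small Python triage scanner that applies the rule above to document text: it flags distribution statements B-F as content to treat as CTI, routes legacy FOUO/SBU markings to DoD for a determination, and leaves Statement A and unmarked text alone. The marking layouts and sample documents are assumptions; the scanner cannot see a contract clause that required a statement to be added, so contract review is still needed for contractor-created information.

```python
import re

# Assumed layout of DoD distribution statements: "DISTRIBUTION STATEMENT <A-F>".
DIST_STMT_RE = re.compile(r"\bDISTRIBUTION\s+STATEMENT\s+([A-F])\b", re.IGNORECASE)
# Legacy markings that DoD (not the contractor) must re-examine before they become CUI.
LEGACY_RE = re.compile(
    r"\b(FOUO|FOR OFFICIAL USE ONLY|SBU|SENSITIVE BUT UNCLASSIFIED)\b", re.IGNORECASE)
# A conspicuous CUI banner means the document is already marked; nothing to infer.
CUI_MARK_RE = re.compile(r"\bCUI\b")
CONTROLLED = set("BCDEF")  # statements that make the content CTI under DoDI 5230.24


def assess(text):
    """Return (verdict, detail) for the text of one document."""
    stmts = sorted({m.group(1).upper() for m in DIST_STMT_RE.finditer(text)})
    legacy = sorted({m.group(1).upper() for m in LEGACY_RE.finditer(text)})
    hits = [s for s in stmts if s in CONTROLLED]
    if CUI_MARK_RE.search(text):
        return "marked-cui", "already carries a CUI marking; handle as marked"
    if hits:
        # Protect as CTI (DFARS 252.204-7012) but do not add CUI markings until
        # DoD supplies the marking and designation indicator.
        return "treat-as-cti", "distribution statement(s) %s present" % ",".join(hits)
    if legacy:
        return "refer-to-dod", "legacy marking(s) %s; DoD must decide" % ",".join(legacy)
    if stmts:  # only Statement A was found
        return "public-release", "distribution statement A only"
    return "unmarked", "no distribution or legacy markings found"


def scan_documents(docs):
    """docs: {name: text}. Returns {name: (verdict, detail)}."""
    return {name: assess(text) for name, text in docs.items()}


# Constructed sample documents (not real DoD records).
SAMPLE_DOCS = {
    "drawing.txt": "DISTRIBUTION STATEMENT D. Distribution authorized to the Department "
                   "of Defense and U.S. DoD contractors only; critical technology. "
                   "Other requests shall be referred to (controlling DoD office).",
    "memo.txt": "FOR OFFICIAL USE ONLY\nMeeting notes from the design review.",
    "brochure.txt": "Distribution Statement A. Approved for public release; "
                    "distribution is unlimited.",
    "newsletter.txt": "Company picnic is Friday.",
}

if __name__ == "__main__":
    for name, (verdict, detail) in scan_documents(SAMPLE_DOCS).items():
        print("%-16s %-14s %s" % (name, verdict, detail))
```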

Cautionary Note

However, we’ll end with a word of caution: while the contractor should assume the information is CTI (and, by extension, CUI) and should protect it accordingly, the contractor should NOT mark the information as CUI until DoD provides the appropriate marking information, including the designation indicator. The contractor should ask the contracting officer, sponsor, COTR, or other authorized DoD personnel associated with that information, or the contract under which it was created, for the appropriate marking and designation indicators.