The Challenge of DoD CUI Identification
Members of the US Department of Defense (DoD) Industrial Base (DIB)–the prime- and sub-contractors, suppliers, and vendors that comprise the DoD supply chain–are being tasked with safeguarding certain types of sensitive information we process as part of doing business with the DoD. This sensitive information is called Controlled Unclassified Information (CUI), and this blog provides guidance on DoD CUI Identification.
Many of us have a clause in our contracts–DFARS 252.204-7012–to protect certain DoD-related CUI (what DFARS 7012 calls “controlled defense information”). But what exactly constitutes DoD CUI is certainly not clear to many of us. The vast majority of questions we receive are related to DoD CUI Identification, e.g. “how do I know what is CUI?”, or “what information am I supposed to protect?”
This conundrum is exacerbated by the fact that the DoD has not been doing its part–as it is required to by DoDI 5200.48–to correctly identify and mark CUI for us. Even worse, DoD and other officials have made statements in the past such as “just treat all information as CUI”, or “protect all CUI the same”. But these statements are misleading for a couple of reasons:
- not all contract information is CUI, only specific and limited types of information as indexed by the National Archive and Records Administration (NARA), and
- this is very important: DFARS 7012 only mandates safeguards specifically for DoD CUI, aka “controlled defense information”. If we can identify the specific elements that are DoD CUI, we can narrow the scope of our protections and realize significant resource savings in the implementation, operation, and maintenance of our contractor cybersecurity programs.
To appropriately scope our cybersecurity programs to comply with DFARS 7012 and prepare for the looming Cybersecurity Maturity Model Certification (CMMC), we must know exactly what information we must protect.
Unfortunately, many of us are left on our own to identify DoD CUI in our environments. CUI discovery and identification is a serious challenge that we aim to simplify with this blog post. We describe a decision-based identification process, and provide a downloadable identification guide as a handy reference.
How to Identify DoD CUI
The image below shows a decision-based approach to DoD CUI Identification. Below the image we’ll describe the decision tree in more detail. You can also download the image (as a PDF with clickable links) to use as a desktop reference guide or hang as a poster.
Information about COTS products is exempt.
Information related to purely Commercial Off The Shelf (COTS) items is excluded from the safeguarding requirements prescribed by DFARS 7012. (For more information on why COTS is exempt, please see our explanation.) If your organization’s products are truly COTS, you’re off the hook and can stop here 🙂
If the contractual information your organization processes isn’t 100% related to COTS products, continue through the DoD CUI identification exercise below.
First decision: Do you have requirements to handle and protect CUI in a contract?
The first step in identifying DoD CUI in your organization is to determine if you have the DFARS 252.204-7012 clause in a Request For Information, Request For Proposal, DoD Contract, Subcontract, vendor representations and certifications (reps & certs), purchase order, etc. If that specific clause isn’t there, you’ll also want to look for other related requirements to implement NIST SP 800-171, and/or to protect CUI.
If you don’t have any of these requirements, your organization does not handle CUI, and cannot be tasked with handling CUI in the future. So the information your organization stores, processes, and transmits is not CUI. You’re off the hook and can stop here 🙂
If you do find the DFARS 7012 clause or other related language, move onto the next identification step.
Next decision: do you process ITAR or other export-controlled information?
Although ITAR and other export-controlled information is considered its own index of CUI, in many cases it is also associated with DoD activities, programs, and contracts. DoD-related export-controlled information is considered DoD CUI, so if your information is export-controlled, congratulations, your organization is probably handling CUI (“probably”; see below), and you must safeguard it in accordance with the DFARS 7012 clause.
Even if your organization doesn’t process, store, or transmit export-controlled information, you still have some identification steps to take. Move onto the next identification step.
Next decision: Do you receive information as part of the contract?
If you receive CUI from a DoD Prime contractor or directly from the DoD, they must mark the documents with “CUI” in the header and footer, and also with a DoD Distribution Statement B, C, D, E, or F. They are mandated to do so, and so if you don’t see those markings, the information is not CUI. If you do see the markings, congratulations, your organization is probably handling CUI (“probably”; see below), and you must safeguard it in accordance with the DFARS 7012 clause.
If you don’t receive information as part of the contract, move onto the next identification step.
Next decision: Do you generate information as part of the contract?
If you generate information as part of fulfilling your contract, see if your organization has received a Security Classification Guide (SCG) from the Prime contractor or the DoD. The DoD creates an SCG for various activities, programs, or types of information systems, and will provide the SCG to all entities that may generate information related to the activity. The SCG is simply a document that spells out specific criteria for determining what is DoD CUI.
If you have an SCG, check if the information your organization generates matches CUI criteria specified by the SCG. If it does, congratulations, your organization is probably handling CUI (“probably”; see below), and you must safeguard it in accordance with the DFARS 7012 clause.
Most likely, your organization has not received an SCG. The vast majority of us in the DIB have not. If your organization does not have an SCG, or if the information generated does not match the criteria specified by the SCG, you’re not quite done with the identification process. Move onto the next step.
Final decision: Does the generated information match CUI examples provided by NARA?
If you’ve gotten this far in the identification process, chances are you’re frustrated. The Prime or DoD has probably failed to provide you with enough explicit guidance on DoD CUI Identification for your environment. This is no surprise (see the SCG section above), but it actually doesn’t get you off the hook for the identification process. You see, Section 3.4(a) of the DoDI 5200.48 says:
And whether you know it or not, DFARS 7012 in a contract has designated your organization as an “authorized holder.” (See definition [d] here.) So you’re required to do some digging of your own to identify CUI you may generate.
There is good news and bad news: the good news is that the official CUI categories do help narrow down the identification process; the bad news is that there is still a lot of ambiguity.
Your job is to check out the NARA CUI categories of DoD CUI, and see if the information you generate matches any of the examples in each category. Those categories are:
- Controlled Technical Information
- Critical Infrastructure Security Information
- Naval Nuclear Propulsion Information
- Unclassified Controlled Nuclear Information – Defense
Controlled Technical Information (CTI) has several concrete examples, such as “software source code”–so if you develop software for a contract that has the DFARS 7012 clause in it, that source code is probably CUI (“probably”; see below). But there are several other examples of CTI that are more nebulous, such as “associated lists”, and these may require some additional interpretation. We can help with that.
Luckily the other three categories are a little more specific with their examples. For instance, Critical Infrastructure Security Information provides “information regarding the securing and safeguarding of explosives” as an example.
Either way, if the information your organization generates does not match any example from any of these four categories of DoD-related CUI, you’re off the hook.
If the information you generate does match an example of one of the four categories of DoD-related CUI, congratulations, your organization is probably handling CUI (“probably”; see below), and you must safeguard it in accordance with the DFARS 7012 clause.
Ok, why are we "probably" handling CUI, and what do we do now?
So you think your DoD CUI Identification exercise has turned up CUI in your environment. Before you go re-architecting your network to implement the DFARS-7012-required safeguards, we strongly recommend you start a dialogue with your Prime contractor and/or the DoD Program Management Office to confirm your identification. This will also allow the DoD to create or adjust the appropriate SCG to reflect the CUI associated with the activity/contract.
Once the Prime/DoD has confirmed that information is CUI, your organization will be required to safeguard and handle CUI in accordance with your established organizational policies and procedures. (Don’t have any established policies and procedures? Give us a shout, we can help with that.) You’ll also be required to mark the CUI-laden documents in accordance with the DoD CUI Marking Instructions. We covered general CUI marking previously, but the DoD has a unique approach to CUI marking, so we’ll revisit that topic in a blog soon.
Until then, good hunting!