New DoD CUI Registry

In March 2020, DoD Instruction 5200.48 established a separate DoD CUI Registry, designed to mirror the National CUI Registry but provide “…additional information on the relationships to the DoD by aligning each Index and Category to DoD issuances.”  How can contractors use this CUI registry? A good starting point is to explore the following sections: Electronic Funds Transfer (EFT), Contract Use, the Procurement/Acquisition category, and the Proprietary Business Information category. These are types of information that nearly every DoD contractor is likely to process.

You will notice that the CUI Registry labels CUI as either ‘Basic’ or ‘Specified’, depending on whether the safeguarding requirements are the same as other types of CUI, or if there is specific, unique guidance. In both cases, the CUI Registry includes a link to the law, regulation, or policy that the security or dissemination controls are derived from. The CUI registry also provides clear guidance on how to correctly mark the CUI.

It was once very difficult to determine what could be considered CUI, but the DoD’s CUI Registry provides a way to understand the various types of sensitive information that your company might process. Armed with that knowledge, you can then begin the hard work of applying the cybersecurity safeguards (namely those listed in NIST SP 800-171 and CMMC ) needed to protect this data from unauthorized disclosure. A sense of urgency is critical: the Defense Federal Acquisition Regulation Supplement (DFARS) that governs all business agreements between the DoD and private sector is being strengthened with new contractor cybersecurity requirements which will eventually be mandatory across the board. If you’re still not sure where to begin, consider our cybersecurity compliance virtual workshops.