Broadly speaking, the U.S. Government defines Controlled Unclassified Information (CUI) as any information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.
But how does this broad definition apply to Department of Defense (DoD) Contractors? More specifically, what is CUI with regards to the Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171? This short article will answer these questions for DoD Contractors.
CUI That Concerns DoD Contractors
As described in the CUI registry, CUI that pertains specifically to the DoD is known as Covered Defense Information. Covered Defense Information includes:
- Controlled Technical Information and;
- Contractor Attributional/Proprietary Information
Controlled Technical Information
According to section 252.204-7012 of DFARS Documentation, Controlled Technical Information means technical information with military or space application.
Examples of technical information include: research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
Contractor Attributional/Proprietary Information
The second type of Covered Defense Information is Contractor Attributional/Proprietary Information. According to 252.204-7012, this information identifies the contractor, whether directly or indirectly, by the grouping of information that can be traced back to the contractor (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
DFARS Policy 204.7302 states that Covered Defense Information is to be protected and monitored on the DoD Contractor’s information system(s), as well as the Department of Defense’s systems. Contractors are also required to rapidly report cyber incidents (actual or potentially compromised information) within 72 hours to the Department of Defense here.
More Guidance on CUI and How to Protect It
If you are a DoD Contractor and have any questions about CUI and how to protect it, feel free to give us a call at: (866) 583-6946. Our DFARS Compliance specialists are happy to assist you in navigating the challenges of DFARS, and help you implement the security controls detailed in NIST SP 800-171.