Controlled Unclassified Information
What is CUI?
CUI is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.
CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.
Why is it important?
Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting lethality of our warfighters.
How is CUI management changing?
In May 2018, the Under Secretary of Defense for Intelligence and Security designated DCSA as the administrator of the DoD CUI Program for contractually established CUI requirements for contractors in classified contracts.
DCSA’s objective is to create scalable department-wide prioritization and assignment schemas, common assessment standards, reciprocity across services and contracts, a common CUI data repository, and trainings.
What is the current status of DCSA CUI Oversight Mission?
- DCSA is in the process of establishing a team to manage CUI responsibilities.
- The Critical Technology Protection (CTP) Enterprise Security Operations (ESO) Office is the lead office with respect to the DCSA CUI Oversight Mission and Industry
- At this time DCSA is not conducting any oversight of CUI associated with classified contracts/cleared contractors.
- DCSA will continue to keep both Government and Industry informed on any implementation of CUI oversight responsibilities before implementation occurs.
Are there any established CUI Timelines?
There are no timelines to provide at this time. DCSA is currently in the process of evaluating our responsibilities outlined in DoDI 5200.48, "Controlled Unclassified Information."
What current policy documents address CUI oversight?
Which training is required for industry?
- Training is required when requested by the Government Contracting Activity for contracts with CUI requirements.
- Per CUI Notice 2016-01: Implementation Guidance for the Controlled Unclassified Information Program (September 14, 2016), at a minimum, training must:
  - Convey individual responsibilities related to protecting CUI;
  - Identify the categories or subcategories routinely handled by agency personnel and any special handling requirements (i.e., for CUI Specified);
  - Describe the CUI Registry, its purpose, structure, and location (i.e., http://www.archives.gov/cui/);
  - Describe the differences between CUI Basic and CUI Specified;
  - Identify the offices or organizations with oversight responsibility for the CUI Program;
  - Address CUI marking requirements, as described by agency policy;
  - Address the required physical safeguards and methods for protecting CUI, as described by agency policy;
  - Address the destruction requirements and methods, as described by agency policy;
  - Address the incident reporting procedures, as described by agency policy;
  - Address the methods and practices for properly sharing or disseminating CUI within the agency and with external entities inside and outside the Executive branch; and
  - Address the methods and practices for properly decontrolling CUI, as described by agency policy.
- Industry organizations may develop their own CUI training, so long as the training includes these eleven requirements.
Are there CUI courses created for Industry?
- Yes, the Center for Development of Security Excellence (CDSE) has developed an eLearning course titled “DoD Controlled Unclassified Information (CUI) Training For Contractors” (IF141.06.FY21.CTR).
- The course fulfills CUI training requirements for industry when it is required by Government Contracting Activities for contracts with CUI requirements.
- CDSE also has a CUI Toolkit available at https://www.cdse.edu/toolkits/cui/current.html. The Toolkit includes training, policy documents, resources, and an FAQ video.
What can Industry do now?
- Review existing contracts and engage with Government customers to determine which, if any, CUI requirements are applicable to current contracts.
- Review CUI resources and training available on the CDSE website.
- Review the DoD CUI Registry at https://www.dodcui.mil to become familiar with CUI organizational index groupings and CUI categories.
What is the Cyber Maturity Model Certification?
- In November 2020, the DoD Rule implementing the requirements for the Cyber Maturity Model Certification (CMMC) went into effect. CMMC is a third-party certification of non-Federal Information Systems and addresses implementation of DFARS 7012 and NIST 800-171. The CMMC effort is being managed by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD (A&S)).
- The A&S website has additional information and is located at: https://www.acq.osd.mil/cmmc/index.html.
- Any questions on CMMC should be directed to OUSD (A&S), which has contact information on its website.
This page will be routinely updated with news and information related to DCSA’s CUI oversight responsibilities.