Controlled Unclassified Information
What is CUI?
CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies.
CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.
Why is it important?
Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is the one of the most significant risks to national security, directly affecting lethality of our warfighters.
How is CUI management changing?
In March 2020, DoD Instruction 5200.48 directed DCSA with eight responsibilities related to CUI. During the first half of 2021, DCSA developed an implementation plan to execute these responsibilities and will be utilizing a phased approach to operationalize its CUI responsibilities beginning October 1, 2021.
What is the current status of DCSA CUI Oversight Mission?
- DCSA is not currently conducting any oversight of CUI associated with classified contracts/cleared contractors at this time and during Phase 1, DCSA will not assess contractor compliance with contractually established CUI system requirements in DoD classified contracts associated with the National Industrial Security Program.
- DCSA will instead focus on preparing and executing program administration activities, which includes developing processes and procedures, engaging with Government and Industry stakeholders, and producing tools, training, and resources to support Industry’s development, management, and sustainment of CUI programs within their contractor facilities.
- The Critical Technology Protection (CTP) Enterprise Security Operations (ESO) Office is the lead office in respect to the DCSA CUI Oversight Mission and Industry.
- DCSA will continue to keep both Government and Industry informed as program implementation matures.
What current policy documents address CUI oversight?
- The Center for Development of Security Excellence (CDSE) has developed an eLearning course titled “DoD Mandatory Controlled Unclassified Information (CUI) Training FY21 (IF141.06.FY21)
- The course fulfills CUI training requirements for industry when it is required
by Government Contracting Activities for contracts with CUI requirements.
- CDSE also has a CUI Toolkit available at https://www.cdse.edu/toolkits/cui/current.html. The Toolkit includes training, policy documents, resources, and an FAQ video.
- Training is required when requested by the Government Contracting Activity for contracts with CUI requirements.
- Per CUI Notice 2016-01: Implementation Guidance for the Controlled Unclassified Information Program (September 14, 2016), at a minimum, training must:
- Convey individual responsibilities related to protecting CUI;
- Identify the categories or subcategories routinely handled by agency personnel and any special handling requirements (i.e., for CUI Specified);
- Describe the CUI Registry, its purpose, structure, and location (i.e., http://www.archives.gov/cui/);
- Describe the differences between CUI Basic and CUI Specified;
- Identify the offices or organizations with oversight responsibility for the CUI Program;
- Address CUI marking requirements, as described by agency policy;
- Address the required physical safeguards and methods for protecting CUI, as described by agency policy;
- Address the destruction requirements and methods, as described by agency policy;
- Address the incident reporting procedures, as described by agency policy;
- Address the methods and practices for properly sharing or disseminating CUI within the agency and with external entities inside and outside the Executive branch; and
- Address the methods and practices for properly decontrolling CUI, as described by agency policy.
- Industry organizations may develop their own CUI training, so long as the training includes these eleven requirements.
What can Industry do now?
- Review the DoD CUI Registry at https://www.dodcui.mil to become familiar with CUI organizational index groupings and CUI categories.
- Continue to review existing contracts and engage with Government customers to determine which, if any, CUI requirements are applicable to current contracts.
- Discuss the results of these engagements with your DCSA Industrial Security Representative.
- Review CUI resources and training available on the CDSE website.
What is the Cyber Maturity Model Certification?
- In November 2020, the DoD Rule implementing the requirements for the Cyber Maturity Model Certification or CMMC, which is third party certification of non-Federal Information Systems and addresses implementation of DFARS 7012 and NIST 800-171, went into effect. The CMMC effort is being managed by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD (A&S)).
- The A&S website has additional information and is located at: https://www.acq.osd.mil/cmmc/index.html.
- Any questions on CMMC should be directed to OUSD (A&S) who has contact information on their website.
This page will be routinely updated with news and information related to DCSA’s CUI oversight responsibilities.