Controlled Unclassified Information
What is CUI?
CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies.
CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.
Why is it important?
Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is the one of the most significant risks to national security, directly affecting lethality of our warfighters. There are over 1 million contracts in the NISP alone with DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting for the protection of DoD CUI” and over 3 million with CUI in the cleared industrial base overall.
How is CUI management changing?
In May 2018, the designated senior agency official for CUI – the Under Secretary of Defense for Intelligence – designated DCSA with DoD enterprise management of CUI. A senior action officer working group was formed in November 2018, including:
- DoD CIO
- OSD Acquisitions and Sustainment (A&S)
- OSD Research and Engineering (R&E)
- Missile Defense Agency (MDA)
- Defense Contract Management Agency (DCMA)
- Information Security Oversight Office (ISOO)
The objective is to create scalable department-wide prioritization and assignment schemas, common assessment standards, reciprocity across services and contracts, a common CUI data repository, and trainings.