Controlled Unclassified Information
What is CUI?
CUI is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.
CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.
Why is it important?
Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting lethality of our warfighters.
How is CUI management changing?
In May 2018, the Under Secretary of Defense for Intelligence and Security designated DCSA as the administrator of the DoD CUI Program for contractually established CUI requirements for contractors in classified contracts.
DCSA’s objective is to create scalable department-wide prioritization and assignment schemas, common assessment standards, reciprocity across services and contracts, a common CUI data repository, and trainings.
What is the current status of the DCSA CUI Oversight Mission?
- DCSA is in the process of establishing a team to manage CUI responsibilities.
- The Critical Technology Protection (CTP) Enterprise Security Operations (ESO) Office is the lead office with respect to the DCSA CUI Oversight Mission and Industry
- At this time DCSA is not conducting any oversight of CUI associated with classified contracts/cleared contractors.
- DCSA will continue to keep both Government and Industry informed on any implementation of CUI oversight responsibilities before implementation occurs.
Are there any established CUI Timelines?
There are no timelines to provide at this time. DCSA is currently in the process of evaluating our responsibilities outlined in DoDI 5200.48, "Controlled Unclassified Information."
What current policy documents address CUI oversight?
Are there CUI courses created for Industry?
- Yes, the Center for Development of Security Excellence (CDSE) has developed an eLearning course titled “DoD Mandatory Controlled Unclassified Information (CUI) Training For Contractors” (IF141.06.FY21.CTR).
- At the request of the Government Contracting Activity for contracts with CUI requirements, the course is mandatory training for all DoD and Industry personnel with access to CUI. The course provides information on the eleven training requirements for accessing, marking, safeguarding, decontrolling and destroying CUI along with the procedures for identifying and reporting security incidents.
- CDSE also has a CUI Toolkit available at https://www.cdse.edu/toolkits/cui/current.html. The Toolkit includes training, policy documents, resources, and an FAQ video.
What can Industry do now?
- Review existing contracts and engage with Government customers to determine which, if any, CUI requirements are applicable to current contracts.
- Review CUI resources and training available on the CDSE website.
- Review the DoD CUI Registry at https://www.dodcui.mil to become familiar with CUI organizational index groupings and CUI categories.
What is the Cyber Maturity Model Certification?
- In November 2020, the DoD Rule implementing the requirements for the Cyber Maturity Model Certification (CMMC) went into effect. CMMC is a third-party certification of non-Federal Information Systems and addresses implementation of DFARS 7012 and NIST 800-171. The CMMC effort is being managed by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD (A&S)).
- The A&S website has additional information and is located at: https://www.acq.osd.mil/cmmc/index.html.
- Any questions on CMMC should be directed to OUSD (A&S), which has contact information on its website.
This page will be routinely updated with news and information related to DCSA’s CUI oversight responsibilities.