Controlled Unclassified Information


What is CUI?

CUI is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies.

CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.

Why is it important?

Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting the lethality of our warfighters.

How is CUI management changing?

In March 2020, DoD Instruction 5200.48 directed DCSA with eight responsibilities related to CUI. During the first half of 2021, DCSA developed an implementation plan to execute these responsibilities and will be utilizing a phased approach to operationalize its CUI responsibilities beginning October 1, 2021. 

What is the current status of the DCSA CUI Oversight Mission?

• DCSA is not currently conducting any oversight of CUI associated with classified contracts/cleared contractors, and during Phase 1, DCSA will not assess contractor compliance with contractually established CUI system requirements in DoD classified contracts associated with the National Industrial Security Program.
• DCSA will instead focus on preparing and executing program administration activities, which include developing processes and procedures, engaging with Government and Industry stakeholders, and producing tools, training, and resources to support Industry’s development, management, and sustainment of CUI programs within their contractor facilities.
• The DCSA CUI Program Office is managed by the Enterprise Security Operations office within the Critical Technology Protection mission area at DCSA.
• DCSA will continue to keep both Government and Industry informed as program implementation matures.


CUI Implementation: Phase 1

On October 1, DCSA began operationalizing its eight CUI responsibilities using a phased approach and will be in initial operating capability throughout the duration of Fiscal Year 2022 (FY22). This first phase will begin with the standup of a centralized program administration office (hereafter referred to as the DCSA CUI Program Office), which will begin executing several administrative functions, including developing processes and procedures, engaging with Government and Industry stakeholders, and producing tools, training, and resources to support Industry’s development, management, and sustainment of CUI programs within their contractor facilities.

DCSA will also develop unauthorized disclosure and threat notification processes in accordance with two of its eight responsibilities. As processes are developed, information will be provided to Government and Industry partners on how to report both unauthorized disclosures of, and threats to, CUI. Effective October 1, 2021, and until formalized processes are in place, Government and Industry partners should notify, via encrypted email, the DCSA CUI Program Office mailbox at dcsa.quantico.ctp.mbx.eso-cui@mail.mil of any instances involving unauthorized disclosures of, or threats to, CUI.

DCSA will not assess contractor compliance with contractually established CUI system requirements in DoD classified contracts associated with the National Industrial Security Program during Phase 1. Instead, the DCSA CUI Program Office will develop and disseminate a number of tools and resources to support industry’s self-management and attestation of CUI programs resident at their locations.

As resources are finalized and approved for release, they will be posted to this page.

What can Industry do now?

Review and become familiar with the two CUI registry resources that provide government approved CUI categories and organizational index groupings:

• Continue to review existing contracts and engage with Government customers to determine which, if any, CUI requirements are applicable to current contracts.
• Discuss the results of these engagements with your DCSA Industrial Security Representative.
• Complete CUI training when required by Government customers.
• Review CUI resources available on this page and training available on the CDSE website.


Review the DCSA CUI Quick Start Guide for Industry for more information (21-10-18 CUI QUICK START GUIDE FINAL.pdf (dcsa.mil)) and monitor this page for new resources.


DCSA Program Office tools and resources identified to assist with the development of a successful CUI program for DOD and Industry

Training for Industry is required when requested by the Government Contracting Activity (GCA) for contracts with CUI requirements. Industry may take the CUI training developed by the Center for Development of Security Excellence (CDSE) or create custom training.

If creating custom training, Industry must include the minimum requirements found in CUI Notice 2016-01: Implementation Guidance for the Controlled Unclassified Information Program (September 14, 2016) which includes the following:

  • Convey individual responsibilities related to protecting CUI.
  • Identify the categories or subcategories routinely handled by agency personnel and any special handling requirements (i.e., for CUI Specified).
  • Describe the CUI Registry, its purpose, structure, and location (i.e., http://www.archives.gov/cui/).
  • Describe the differences between CUI Basic and CUI Specified.
  • Identify the offices or organizations with oversight responsibility for the CUI Program.
  • Address CUI marking requirements, as described by agency policy.
  • Address the required physical safeguards and methods for protecting CUI, as described by agency policy.
  • Address the destruction requirements and methods, as described by agency policy.
  • Address the incident reporting procedures, as described by agency policy.
  • Address the methods and practices for properly sharing or disseminating CUI within the agency and with external entities inside and outside the Executive branch.
  • Address the methods and practices for properly decontrolling CUI, as described by agency policy.

If developing custom CUI training, DCSA provides the following additional resources:

Note that if using custom training, Industry should ensure that it is acceptable with the GCA.

The CDSE eLearning course titled “DoD Mandatory Controlled Unclassified Information (CUI) Training (IF141.06)” fulfills training requirements. It is accessed at DOD Mandatory Controlled Unclassified Information (CUI) Training IF141.06 (cdse.edu).

CDSE also provides a CUI Toolkit available at https://www.cdse.edu/training/toolkits/. The Toolkit includes training, policy documents, resources, and an FAQ video.

CUI Resources for Industry

Please note that several of the above resources refer to a “CUI Manager.” The term refers to the individual or group responsible for company CUI compliance. This is typically the Facility Security Officer or Security Manager. There is no federal requirement to formally designate such an individual or use the title “CUI Manager.”

The above tools are optional resources that include best practices.

The Cybersecurity Maturity Model Certification (CMMC) program is the Department’s program to assist Industry in meeting the adequate security requirements of 32 CFR 2002.4 and DFARS 252.204-7012 through the implementation of National Institute of Standards and Technology (NIST) SP 800-171.

In September 2020, the DOD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.

In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments on the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.

DOD announced “CMMC 2.0” in November 2021, providing an updated program structure and requirements designed to achieve the primary goals of the internal review including:

  • Safeguard sensitive information to enable and protect the warfighter
  • Dynamically enhance DIB cybersecurity to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards

This announcement marked the completion of an internal program assessment led by senior leaders across the Department. These updates enhance CMMC by:

  • Reducing costs, particularly for small businesses
  • Increasing trust in the CMMC assessment ecosystem
  • Clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards

CMMC 2.0 was designed to meet these goals, which also contribute toward enhancing the cybersecurity of the defense industrial base (DIB).

A key change in CMMC 2.0 is the streamlining of compliance levels from five to three and alignment with NIST cybersecurity standards. Key aspects of each level are:

  • CMMC Level 1 is foundational, based on 17 practices, and requires an annual self-assessment.
  • CMMC Level 2 is based on the 110 security controls of NIST SP 800-171 and requires triennial third-party assessments for critical national security information and annual self-assessments for select programs.
  • CMMC Level 3 is based on 110+ security controls of NIST SP 800-172 and requires triennial government-led assessments.

The Department does not intend to approve the inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.

Industry is strongly encouraged to review this CMMC update at the following website: https://www.acq.osd.mil/cmmc/.

Questions?

This page is routinely updated with news and information related to DCSA’s CUI oversight responsibilities. The DCSA CUI Program Office is dedicated to providing up-to-date information, tools, and resources to support Industry's implementation of CUI programs. Your comments, suggestions, and feedback are welcome at: dcsa.quantico.ctp.mbx.eso-cui@mail.mil