The CUI Dilemma

Companies supporting the defense market are scrambling to understand exactly how to classify and protect jajalger2018.orgrmation. Walk this use to your company? This blog will aid you price the adhering to the peak four usual questions around unclassified government data in a commercial that infrastructure.

You are watching: When two pieces of cui or other

What is CUI/CDI/CTI Data?Why to be I forced to safeguard CUI/CDI/CTI together a defense contractor?Do I have CUI/CDI/CTI data in my IT System?How execute I safeguard CUI/CDI/CTI data?

TheBase Requirements

The march 6, 2020 relax of DoDInstruction5200.48 ControlledUnclassifiedjajalger2018.orgrmation(CUI) consists of the adhering to requirements because that DoD home builders in section 5.3.

a. Whenever DoD gives jajalger2018.orgrmation to contractors, that must determine whether any kind of of the details is CUI via the contracting vehicle, in whole or part, and mark together documents, material, or media in accordance v this issuance.

b. Whenever the DoD gives CUI to, or CUI is created by, non-DoD entities, security measures and dissemination controls, consisting of those command by relevant law, regulation, or government-wide policy, will be articulated in the contract, grant, or other legal agreement, together appropriate.

c. DoD contracts must require builders to screen CUI for aggregation and compilation based on the potential to create classified details pursuant come security category guidance addressing the build-up of unclassified data or jajalger2018.orgrmation. DoD contracts shall require home builders to report the potential group of aggregated or compiled CUI come a DoD representative.

d. DoD personnel and also contractors, pursuant to mandatory DoD contract provisions, will certainly submit unclassified DoD details for review and approval for release in accordance through the conventional DoD ingredient processes and also DoDI 5230.09.

e. Every CUI records need to follow the approved mandatory disposition authorities at any time the DoD offers CUI to, or CUI is generated by, non-DoD reality in accordance with section 1220-1236 of location 36, CFR, ar 3301a of title 44, U.S.C., and also this issuance.

Understanding the definitions and best methods will aid you build a baseline of knowledge to develop a plan and properly safeguard unclassified federal government data in your details systems.

What is CUI, CDI and also CTI Data?

Controlled Unclassified jajalger2018.orgrmation (CUI) and Covered Defense jajalger2018.orgrmation (CDI) are relatively new markings, but similar markings have actually a long history within the government. CUI is one umbrella hatchet that incorporates all CDI and Controlled Technical jajalger2018.orgrmation (CTI). These 3 markings are given to unclassified contents that have to be protected in a very specific manner both within and outside a federal government jajalger2018.orgrmation system. In the past, the federal government used many different markings to identify this type of jajalger2018.orgrmation. You may have seen or offered some of this in the past: Unclassified managed Technical details (UCTI), Sensitive but Unclassified (SBU), For official Use only (FOUO), regulation Enforcement perceptible (LES), etc. These are currently all rolling up right into the category of CUI content. Clear together mud…. Right? No one said this was easy….

CUI as a category encompasses both CTI and also CDI. CTI is identified as technical jajalger2018.orgrmation with a army or room application that is significant with a circulation statement in accordance through DoDI 5230.24 (Distribution explanation on technological Documents). In general, the regulating Department the Defense (DoD) office is responsible for determining if details is CTI and also properly noting it before contractor access to the jajalger2018.orgrmation. However, if a contractor creates unclassified CTI in the power of a contract, the contractor have to work through the contracting officer to ensure that the ideal forms space completed, declaration of job-related are in place and also distribution statements space assigned to each piece of content. This content need to be defended at the same level as various other CDI and also CUI content; it just has actually special marking and tracking requirements.

The CUI regimen was originally developed for every Executive Branch Agencies. Believe it or not, this regime is significantly simplified. Before the existing CUI regimen every company used a different collection of markings, details classifications, and also rules for exactly how to manage and also control the jajalger2018.orgrmation. In general, CUI is jajalger2018.orgrmation significant or figured out in a government contract or listed to a government contractor by the DoD in link with a contract; however, it can likewise be contents that is occurred by the contractor during the power of a contract. This contents is significant or figured out by the DoD as requiring safeguarding or certain dissemination controls.


I recommend that you review and also learn the brand-new CUI noting program to ensure data is appropriately identified. Acquire started by checking out the federal government marking guidance.

There space hundreds of different sets of regulations, laws, and also U.S. Code that specifies exactly how each of the CUI specified jajalger2018.orgrmation varieties must be controlled. The best means to determine what the demands are for any type of specific type is to walk to the CUI Registry and search for the contents you room interested in. The complete list of CUI categories can be uncovered in the CUI Registry. There are 24 category of content and also 83 sub categories of content! Each classification is identified as one of two people CUI simple or CUI Specified.


CUI Basic includes the baseline handling and dissemination controls as figured out in the Final dominion issued by NARA (the national Archives and Records Administration) ~ above November 14, 2016. The Federal Systems Modernization plot (FISMA) requires that CUI an easy be safeguarded at the FISMA middle level and also can be significant as either CUI or Controlled.

See more: How To Draw A Jordan Sign - How To Draw Jordan, Jumpman Logo

CUI Specified is a subset of CUI wherein the authorizing law, policy, or regulation puts more restrictive controls on the handling and also control the the CUI mentioned content. The underlying authority maintains the taking care of controls top top CUI stated content and also ONLY a designating company may use the limited dissemination controls to CUI content. This can not be done by an agency that was no the original designating authority. Much more importantly, agencies cannot boost CUI Basic’s affect level above moderate exterior to their company without an commitment with the external company or contractor organization operating an system on their behalf.

The adhering to is a rapid reference list of usual categories the CUI specified subsets: