June 16, 2024



What are the Challenges of DoD CUI Identification?

DOD releases New Controlled Unclassified Information Instruction

In the U.S., the contractors and subcontractors that are part of the DoD's Defense Industrial Base (DIB) make up the DoD supply chain. Each member is entrusted with protecting specific types of confidential information it handles as part of its work with the DoD. In the context of CMMC cybersecurity, Controlled Unclassified Information (CUI) is the term used for this sensitive data.

Many DoD suppliers have agreements that require them to safeguard specific DoD-related CUI (DFARS 252.204-7012). However, many are unsure what precisely defines DoD CUI. The great majority of queries from such vendors concern DoD CUI identification, such as “what is CUI?” and “what data am I expected to protect?”

This issue is worsened as the Department of Defense has failed to appropriately identify and label CUI for its contractors and vendors, as required by DoDI 5200.48. Furthermore, remarks like “simply treat all data as CUI” and “guard all CUI the same” have been made in the past by DoD and other authorities.

However, these statements often mislead DoD vendors.

It’s a common misconception that all contract details and information should be considered CUI. The National Archives and Records Administration (NARA) has indexed only limited types of data as CUI. The DFARS clause requires the protection of only that information which is specifically labeled as controlled defense information.

Vendors who first identify the elements of DoD CUI are better at saving money and resources on the protection of sensitive data. By determining the components of DoD CUI, you can direct your resources to appropriate tasks such as CMMC compliance and cybersecurity implementation, operation, and maintenance.

To properly scope a cybersecurity program for the impending Cybersecurity Maturity Model Certification (CMMC), an organization needs to know what data it must safeguard.

However, many DoD contractors have to rely on their own means to identify DoD CUI in the workplace. Detecting and identifying CUI is a difficult task.

Things to Consider when Identifying DoD Controlled Unclassified Information

Data related to COTS products is not considered CUI or sensitive data.

The safeguarding standards of DFARS 7012 do not apply to information about solely commercial off-the-shelf (COTS) goods. If your company’s products are genuinely COTS, you need not worry about CUI protection.

To detect DoD CUI in your company, check whether your agreements contain the DFARS 252.204-7012 clause. If the provision isn’t present, you should look for other relevant requirements to implement NIST SP 800-171 and/or safeguard CUI.

If your company does not meet any of these criteria, it does not handle CUI and will not be entrusted with it in the future. As a result, the data your company saves, processes, and sends are not CUI.

ITAR and other export-controlled information is frequently linked to DoD operations, projects, and contracts. If your organization handles such data, you may well be handling CUI. You must safeguard the data in accordance with the DFARS 7012 clause.

If your organization receives, stores, or processes controlled unclassified information from the DoD or DoD prime contractors, it must take measures to protect that CUI.