There's an idea tempting every defense contractor as they learn more about CMMC: maybe I don't actually have any controlled unclassified information (CUI). It's an attractive narrative. After all, contracting officers and prime contractors are supposed to identify CUI in awards. So, maybe you've never received any CUI in the first place and the hullabaloo surrounding DFARS 252.204-7012 and CMMC doesn't apply to you?
As part of implementing CMMC, I've gone through the process of identifying CUI with a number of organizations and stakeholders. For me, the easiest way to tackle the challenge is to focus on two common categories of CUI with established definitions and existing markings: Controlled Technical Information (CUI//SP-CTI) and Export Controlled Information (CUI//SP-EXPT).
Controlled Technical Information
Until the Department of Defense fully implements its CUI program (which includes updated marking conventions for controlled technical information), we're limited to using the definition of CTI and its legacy markings in order to identify it when it's received from third parties. According to the CUI Registry, Controlled Technical Information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
CTI follows existing marking instructions preceding the NARA CUI program:
Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with Department of Defense Instruction 5230.24, "Distribution Statements on Technical Documents." (Distribution Statement A is approved for public release and is not CTI.)
Here's the shortlist of Distribution Statement templates used by DoD:
I commonly see Distribution Statements B through F on the cover pages of documents and on technical drawings (in a bordered box populated with controlling office information, or in detail sections near other specifications).
Export Controlled Information
I've had several conversations where someone tells me they don't receive or handle CUI, and in the same breath will explain, "but we do handle ITAR."
There's no easy way to say this: export controlled information is CUI. According to the CUI Registry description for export controlled information, this includes (links added):
dual use items; items identified in export administration regulations [EAR], international traffic in arms regulations [ITAR] and the munitions list [USML]; license applications; and sensitive nuclear technology information.
Here's an example of an Export Control Warning Label:
I regularly see these markings on engineering drawings, as well as in section-marked contract data requirements lists (CDRLs) found in contract awards with detailed statements of work.
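Both of the handles above (legacy Distribution Statements B through F for CTI, and export control warning language or the newer CUI//SP-CTI and CUI//SP-EXPT banners for either category) are plain text that survives extraction from PDFs and drawing title blocks, so a first-pass inventory can be automated. The scanner below is an added example for this post, not the author's tooling or any vendor's product. The sample documents are constructed for the demonstration, and the patterns cover only the phrases named in this post: treat a hit as a prompt for human review, and a miss as "no marking found," not as proof that the document is free of CUI.

```python
"""First-pass CUI marking scanner (added example; sample text is constructed).

Looks for the markings discussed in the post:
  - Legacy CTI marking: DISTRIBUTION STATEMENT B through F (DoDI 5230.24).
    Statement A is public release and is reported but NOT counted as CUI.
  - NARA-style banners such as CUI//SP-CTI or CUI//SP-CTI/SP-EXPT.
  - Export control warning language (Arms Export Control Act, EAR, ITAR).
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    category: str  # "CTI", "EXPT", or "PUBLIC" (Statement A, not CUI)
    evidence: str  # matched text, so a reviewer can confirm the hit


# Distribution statement letter on a cover page or drawing title block.
DISTRIBUTION_STATEMENT = re.compile(r"DISTRIBUTION\s+STATEMENT\s+([A-F])\b", re.IGNORECASE)

# A CUI banner may name several categories: CUI//SP-CTI/SP-EXPT.
CUI_BANNER = re.compile(r"\bCUI//[A-Z/\-]+")
BANNER_CATEGORY = re.compile(r"SP-(CTI|EXPT)")

# Phrases found in export control warning labels. "EAR" by itself is an
# ordinary English word, so the regulation's full name is used instead;
# ITAR is matched case-sensitively for the same reason.
EXPORT_CONTROL = re.compile(
    r"Arms Export Control Act"
    r"|Export Administration Regulations"
    r"|International Traffic in Arms Regulations"
    r"|\bITAR\b"
    r"|(?i:export[- ]controlled)"
)


def classify(text: str) -> list[Finding]:
    """Return every marking found in one document's extracted text."""
    findings: list[Finding] = []
    for m in DISTRIBUTION_STATEMENT.finditer(text):
        letter = m.group(1).upper()
        findings.append(Finding("PUBLIC" if letter == "A" else "CTI", m.group(0)))
    for m in CUI_BANNER.finditer(text):
        for cat in BANNER_CATEGORY.findall(m.group(0)):
            findings.append(Finding(cat, m.group(0)))
    for m in EXPORT_CONTROL.finditer(text):
        findings.append(Finding("EXPT", m.group(0)))
    return findings


def cui_categories(text: str) -> set[str]:
    """CUI categories a document is marked for; empty set if none found."""
    return {f.category for f in classify(text)} - {"PUBLIC"}


def scan(documents: dict[str, str]) -> dict[str, set[str]]:
    """Map each document name to the CUI categories found in its text."""
    return {name: cui_categories(text) for name, text in documents.items()}


# Constructed samples standing in for text extracted from real documents.
SAMPLES = {
    "drawing_title_block.txt": (
        "SHEET 1 OF 3   REV C\n"
        "DISTRIBUTION STATEMENT D. Distribution authorized to the Department of "
        "Defense and U.S. DoD contractors only; Critical Technology; 12 Mar 2019. "
        "Other requests shall be referred to [controlling DoD office]."
    ),
    "cdrl_export_warning.txt": (
        "CDRL A003 - Interface Control Document\n"
        "WARNING - This document contains technical data whose export is "
        "restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, "
        "et seq.). Disseminate in accordance with provisions of DoD Directive 5230.25."
    ),
    "public_release_brochure.txt": (
        "DISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited."
    ),
    "new_style_banner.txt": (
        "CUI//SP-CTI/SP-EXPT\nControlled by: [program office]\nPOC: [name]"
    ),
}

if __name__ == "__main__":
    for name, cats in scan(SAMPLES).items():
        label = ", ".join(sorted(cats)) if cats else "no CUI markings found"
        print(f"{name}: {label}")
```

Run it against a directory of text extracted from your own contract files and drawings (pdftotext or similar) and review every hit by hand; the "PUBLIC" finding is kept so the report shows that a Statement A document was seen and deliberately excluded rather than missed.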
What About Other Kinds of CUI?
At the time of this writing, it's still rare to see anything from DoD agencies marked using guidance from the CUI Registry and its other categories. Domestic agencies are getting better at implementing their CUI programs, and so we're seeing adoption in areas of government where CMMC is quickly becoming a hot topic.
Moving Forward in the Face of Uncertainty
The combination of Controlled Technical Information (CUI//SP-CTI) and Export Controlled Information (CUI//SP-EXPT) represents a huge segment of CUI within the defense industrial base. Even if we don't have perfect clarity on every category in the federal CUI Registry or the DoD CUI Registry, we can still use these two categories to determine whether we have some CUI. Knowing that you have some CUI is just as important as identifying all of your CUI, because it establishes the following for defense contractors:
- The safeguarding and rapid reporting obligations of DFARS 252.204-7012 apply to your organization
- You should already have a system security plan detailing your implementation of NIST Special Publication 800-171 requirements
- You should be targeting CMMC level 3 for future implementations, due to the presence of CUI in your organization