UCTI CUI CDI Overview
DFARS NIST SP 800-171 – UCTI vs. CUI vs. CDI
Defense contractors having to comply with DFARS 800-171 often find themselves struggling to interpret the actual meaning and applicability of Unclassified Controlled Technical Information (U/CTI), Controlled Unclassified Information (CUI), and Covered Defense Information (CDI). It can be challenging, no question about it, especially when the FAR pronouncements and the Department of Defense (DoD) themselves have not provided clear guidance on this matter. Flank, a leading provider of DFARS 800-171 services and solutions, offers the following interpretation and guidance for U/CTI, CUI, and CDI. Visit us at flank.org to learn more about our services.
Unclassified Controlled Technical Information (U/CTI)
“Controlled technical information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F (per http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm) using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents.
The term does not include information that is lawfully publicly available without restrictions. “Technical information” means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data-Non-Commercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
Controlled Unclassified Information (CUI)
CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. More specifically, CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include classified information.
Covered Defense Information (CDI)
CDI means unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and Government-wide policies, and is— (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Please note the following:
The Department of Defense (DoD) on October 4, 2016, issued a rule finalizing cyber reporting regulations applicable to DoD contractors and subcontractors set forth in 32 CFR Part 236. The rule finalizes an interim rule DoD issued on October 2, 2015 and addresses cyber incident reporting obligations for DoD prime contractors and subcontractors.
Notably, the final rule clarifies the by now well-known definition of the term ‘covered defense information’ (“CDI”). This same term is used in DFARS 252.204-7012. This DFARS clause defines CDI to include four different categories: (1) controlled technical information (“CTI”); (2) operations security; (3) export controlled information; and (4) any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.
Given the similarities of this final category to the definition of controlled unclassified information (“CUI”) promulgated in connection with the National Archives and Records Administration’s (NARA) rule, we have understood this latter category to include CUI identified by NARA pursuant to its efforts under EO 13556. The DoD’s new final rule provides support for this understanding because it narrows the definition of CDI to only two categories: (1) CTI and (2) CUI. This modification accordingly appears to make clear that the “catch-all” category of CDI contained in DFARS 252.204-7012 was intended to align with NARA’s CUI efforts.
As such, consider the following:
- NIST 800-171 refers to “Controlled Unclassified Information”, but was dated before the new rules were put in place.
- “Unclassified Controlled Technical Information” was the original term in DFARS 252.204-7012 (pre-NIST 800-171 pronouncement).
- Covered Defense Information is a new term that encompasses all of the above, as well as new types of information; thus CDI is the core definition and concept to grasp.
So, what then is CDI?
- Unclassified information provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or
- Unclassified information which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Thus, it is:
- Controlled technical information (Military)
- Export controlled information (commodities, tech, software, etc.)
- Critical information (DoD Directive, OPSEC, etc.)
- ‘Catch All’ (privacy or proprietary business information)
- Research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
DFARS 800-171 Toolkit Available for Download
Becoming compliant with DFARS 800-171 can be an incredibly challenging process, but thanks to our industry-leading DFARS 800-171 Compliance All-in-One Toolkit, you’ve got all the tools, templates, and other supporting documentation for helping ensure rapid compliance with the DFARS provisions. Available for instant download, you’ll receive professionally developed NIST SP 800-171 specific policies, procedures, forms, checklists, templates, scoping & readiness documents, and more that map directly to both the Basic and Derived Security Controls.
Available for instant download, the DFARS Compliance 800-171 All-in-One Toolkit comes complete with the following 8 sections:
- NIST SP 800-171 Policy Packet
- NIST SP 800-53 Information Security Policies and Procedures Packet
- DFARS System Security Plan (SSP) Templates
- DFARS Scoping & Readiness Assessment Toolkit
- DFARS Project Management Template
- DoD Cyber Incident Response and Reporting Program (CIRRP)
- Third-Party Due-Diligence & Vendor Management Program
- Risk Assessment Program