What is Controlled Unclassified Information

By Rita Lanouette

The Department of Defense (DoD) currently conducts business with more than 350,000  contractors. Some are large companies like Raytheon, which employs over 160,000  employees, while others are small family-owned businesses. These contractors, regardless of size, the products they produce, or the services they provide have something in common. To continue doing business with the government, they must understand how to manage and protect Controlled Unclassified Information (CUI) for both current and upcoming contracts.  

CUI is information that is created or owned by, or on behalf of, the government. It includes personally identifiable information (PII), technical information, designs, specifications, analyses, source code, test results, information on particular parts or materials such as orders, details on a system's vulnerabilities, export-controlled information, and much more.  

In November 2010, President Obama signed Executive Order 13556, which outlines the categories of unclassified information that need to be safeguarded due to risk and vulnerability. This order is the legal basis that established the framework for the protection of CUI within the government and throughout the defense industrial base. The CUI program was put in place to provide a standardized procedure for dealing with unclassified information that does not meet the requirements for classification under Executive Order 13526 but still needs to be protected because of a law, rule, or government-wide policy. That protection involves safeguarding CUI while it is being stored or handled and provides controls for how the information is disseminated.  

It has been demonstrated that the national security of the United States is directly impacted when CUI is lost or improperly safeguarded. Over 22 million people, including government employees and contractors who had undergone background checks as well as their family and friends, were impacted by the significant CUI incidents at the Office of Personnel Management (OPM) in 2014 and 2015 that targeted U.S. government security clearance records. The data collected included personally identifiable information (PII) including names, Social Security numbers, addresses, dates of birth, and the fingerprints of 5.6 million individuals. To mitigate this and to inform and protect those impacted, the government spent more than 350 million dollars. At the time, Michael Hayden, the former director of the CIA, described the information leak as a  serious counterintelligence threat that might easily endure 40 years, or until the affected federal employees start to retire. 

Defense Federal Acquisition Regulation Supplement (DFARS) 22.204-7012, a DoD cybersecurity regulation, requires all DoD contractors and subcontractors to adhere to certain security requirements related to ensuring adequate security and timely incident reporting when CUI is involved. For DoD contractors, the risk is the potential for information security flaws or breaches in their computer networks, which could allow adversaries to obtain protected information. Companies must be able to identify any 

CUI that has entered their networks, regardless of whether it was marked as such when they received it, in order to prevent that possibility.  

Signs You May Have CUI Requirements 

The answers to the following queries will help identify whether the information being handled as part of a government contract is CUI.  

Does your defense project include technical or export-controlled information with a  military or space application? 

Do you have marked legacy information such as For Official Use Only (FOUO), Sensitive but Unclassified (SBU), or Unclassified Controlled Technical Information  (UCTI)? 

Has the customer provided documents marked CUI?  

Has the customer discussed CUI requirements with you? 

Has the customer submitted a Procuring Contracting Officer Letter (PCOL) that contains CUI direction? 

Answer yes to any of the above, and you should check your contract and other contractual documents for specific CUI requirements.  

Check for CUI Requirements 

Consider the following questions when checking your contractual documents for CUI  requirements:

• Do the Contract Clauses include DFARS 252.204-7012, 252.227-7013, 252.239-7010 or NIST SP 800-171?  
• Does the Contract or DD Form 254 specify compliance with DoDI 5200.48? Does the Contract DD Form 254 Blocks 10j, 11l, or 13 identify CUI requirements? Does the program’s Security Classification Guide (SCG) identify legacy-controlled unclassified or CUI elements? 
• Do other Contract documents specify CUI (e.g., Request for Proposal (RFP), Request for Quote (RFQ).  

Answer yes to any of the above, and you have CUI requirements. However, it’s important to note that many of the Federal Acquisition Regulation (FAR) and DFARS clauses are considered boilerplate and as such are included in most DoD contracts—because they have universal applicability because they represent a set of conditional statements. In the case of DFARS 252.204-7012, it must be flowed down to all vendors, but its requirements are only applicable if CUI is delivered, shared, or produced under the contract, or in performance of the contract.  

Contact your Contracts Officer, if you believe your contract or project includes CUI, but CUI requirements are not found in contractual documents. Requesting an updated DD Form 254 is recommended in this situation. You should also contact your Contracts Officer if CUI requirements are unclear or if you are struggling to comply with them.  

Contractors and subcontractors should be aware the government has broad suspension and debarment powers. Failure to comply with CUI requirements may result in a contract breach, termination for default or convenience, and a subpar Contractor Performance Assessment Reporting System (CPARS) performance rating, which may have an impact on decisions about future contract awards. If a cyberattack or data breach happens as a result of non-compliance, there may also be liquidated damages of up to $5,000 per impacted person. 

The DoD Mandatory CUI Training course offered by the Agency’s Center for Development of Security Excellence (DCSE) satisfies the minimum CUI training requirements for the industry when they are imposed by Government Contracting Activity (GCA) for contracts with CUI requirements. The Defense Counterintelligence and Security Agency (DCSA) CUI Resources list provides a helpful summary of DoD websites where you can find additional information, tools, and resources related to CUI.

Are you interested in a government career or within the private sector leading your company’s business dealings with the government? The University of Dayton School of Law's Government Contracting program offers a unique opportunity to transition to these exciting careers. With convenient evening classes that are 100% online, the Government Contracting program provides students with sought-after expertise in legal subjects necessary to thrive in all contracting and acquisition roles. Earn your degree in as little as one year.