The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause – ah, we all know it well. It’s the government contract language that requires the safeguarding of Controlled Unclassified Information (CUI).
As we also know well, mandating required action is one thing; knowing exactly what to do is another. Unsurprisingly, this has caused no lack of confusion among government contractors.
Many factors have played into the controversies surrounding the federal government’s contracting requirements for data categorization. The leading issue seems to be that most contractor program managers and contracting officers fail to label data correctly, thereby failing to meet the “standards and basic requirements” of the Defense Federal Acquisition Regulation Supplement (DFARS) as established in Safeguarding Covered Defense Information (DFARS 252.204-7012).
Several of these requirements mandated by the DFARS begin with a fundamental understanding of terms and definitions. Of particular interest are the following, as outlined in “Paragraph (a) Definitions” in the above link:
Controlled Technical Information (CTI)
Controlled Technical Information is defined as technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure or dissemination. Note, this does not apply to information that is lawfully publicly available without restriction. If CTI is so distributed or disseminated, it requires the use of Distribution Statements B through F as set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. In many cases, DoD contracts simply reference CTI generically, i.e., with little or no specification of what it actually is.
Covered Defense Information (CDI)
Covered Defense Information is unclassified controlled technical information or other data as described in the Controlled Unclassified Information (CUI) Registry. CDI requires safeguarding or dissemination controls consistent with laws, regulations and government-wide policies. Further, CDI is that information which is:
Marked or otherwise identified in the contract, task order or delivery order, and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
Collected, developed, received, transmitted, used or stored by, or on behalf of, the contractor in support of the performance of the contract.
Technical information is data or computer software, as defined in DFARS 252.227-7013, Rights in Technical Data. This can include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies, analyses and related information; it can also include computer software executable code and source code.
Who is responsible for identifying and marking covered defense information?
The answer to this question can be found within the document Safeguarding Covered Defense Information – The Questions and Concerns: it lies with the entity identified by the DoD as the “requiring activity.” This terminology is completely unfamiliar to most people, but simply means the organization charged with meeting a mission and delivering requirements (complete definition from the DAU here) – in other words, the organization charged with meeting a mission, delivering the government’s requirements, and holding ultimate responsibility for your contract’s program. The DoD states:
The DoD requiring activity is responsible for identifying covered defense information (CDI) in accordance with DoD procedures for identification and protection of controlled unclassified information found in DoDM 5200.01 Vol 4, DoD Information Security Program: Controlled Unclassified Information (CUI). The requiring activity is also responsible for determining the appropriate marking for the CDI in accordance with the procedures for applying distribution statements on technical documents found in DoDM 5200.01 Vol 4 and DoDI 5230.24, Distribution Statements on Technical Documents. The requiring activity must document in the Statement of Work that CDI is required for performance of the contract and specify requirements for the contractor to mark the CDI developed in the performance of the contract.
The DoD followed this up in 2023 with Clarifying Guidance for Marking and Handling Controlled Technical Information in accordance with Department of Defense Instruction 5200.48, “Controlled Unclassified Information.” This document provided additional guidance for Controlled Technical Information (CTI) and Fundamental Research.
The Challenge
It would appear the DoD is referencing a great deal of information, defining it in the broadest possible terms, leaving plenty of room for interpretation, and laying the responsibility for managing that information with the contract holder. Practically speaking, that’s correct!
If you feel your organization has had trouble getting a handle on how to meet this challenge, you’re not alone. There are several practical steps you can take.
Begin by looking at the contract for terms like “CUI controls and protective measures requirements”; the requirements will be described within the “pertinent contract documents” that follow. These descriptions, in turn, may include contract clauses, statements of work, or DD Form 254, “Department of Defense Contract Security Classification Specification” (as outlined in DoDM 5200.01-v4, Enclosure 3, paragraph 1e).
If your contract includes Controlled Technical Information, all CTI must be marked with one of the Distribution Statements B through F as set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents.
The contract will also include DFARS 252.227-7013, Rights in Technical Data – Noncommercial Items (48 CFR 252.227-7013). The contract data security requirements can also be found in accompanying DD Form 254.
Grey Areas
The above may be fine for contracts clearly containing CTI. But what about contracts where CUI isn’t received from the government or produced by the contractor?
For example, your contract may have a DFARS Clause 252.204-7012, but include no documents specifically labeled “CUI,” “Controlled” or “CUI//SP-CTI.” Or, the contract may not include a DD254 specifying the data needing to be labeled. In this case:
Break down what is required in writing by the government; note all requirements which are both within the contract and from direct contact with the program manager. Find within DFARS Clause 252.227-7013 the DoD Distribution Statements of Technical Documents; this is where the government specifies all requirements for the contract’s deliverables.
You may still be coming up short in finding the CUI data categorization and labeling information. If so:
Determine if you make a commercial product for the government. If the product being manufactured, created, or developed for the government is already commercially available to the public, it is considered Commercial Off-The-Shelf (COTS). Conversely, if the product is something that must be modified in order to meet the requirements of the contract, then it is Controlled Unclassified Information (CUI) – the very reason the contract has DFARS Clause 252.204-7012.
But what if the product isn’t so easily defined? For example, a product could, in whole or in part, be “technically” available for any public entity, yet still require a degree of modification for the contract. Understanding FAR 2.101, Commercial Items will help you determine which pieces, parts or end-items are considered COTS. Take special note of Commercial Items (3) (ii), Minor Modifications. This paragraph specifically addresses what constitutes “minor modifications.” Essentially, modifications that “do not significantly alter the…function or essential physical characteristics…change the purpose of a process” are considered minor.
When It’s Still Not Clear
If, after having gone through all contract documents, you still find no specific CUI categorization requirements, ask yourself:
Based on the information within FAR 2.101, is the product my organization makes for the government publicly available for use?
Has my organization sold, leased, or licensed the product to the public?
If you answered “yes” to either question, odds are the product is a commercially available item, and therefore does not require the security protections outlined in FAR/DFARS. However, you may also be receiving documents referencing CUI items in the contract; or, you may be required by the contract to label deliverables as “CUI.” This is because the product you make is part of a larger program that itself is CUI.
Unfortunately, when passing contract information to you, the government and prime contractors use this strategy to ensure CUI data isn’t accidentally transmitted without protection. This also ensures that in the typical over-dissemination of information (i.e., information sent to more parties or in more detail than is absolutely required), such information is automatically considered “CUI.”
The Devil Really Is in the Details
Although all DoD and federal government requirements for contracts and the safeguarding of FCI/CUI have similar language, connecting the dots between each FAR, DFARS and DoD instruction is essential for understanding which data needs to be protected. Doing so will also allow your contracting manager or project manager to ask the correct questions of the prime contractor or government when inquiring about CUI data labeling and categorization.
If you have outstanding questions or concerns, you should reach out to the program manager DoD activity for your contract’s program. And for additional guidance, you can always contact us at Monarch ISC. We can help you understand your contract requirements.