This sure sounds like an easy question, but, given the Federal government’s involvement, it isn’t.

HINT: If you want to skip the long-winded answer, go to “What is Controlled Unclassified Information (CUI)?”

Step 1: Define Covered Defense Information (CDI)

The answer begins with DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Paragraph (a) has two key definitions we need to highlight:

“Controlled Technical Information (CTI)” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
“Covered Defense Information (CDI)” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

So, does the DFARS clause ever define CUI? No. Nor does it clearly define the relationship between CDI and CTI.

Step 2: Define CUI

To get the official definition of CUI, we need to go to https://www.archives.gov/cui/about, which states:

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

That really didn’t help.

Step 3: Understand NARA’s CUI categories

The second definition points us to the National Archives & Records Administration (NARA) at http://www.archives.gov/cui/registry/category-list.html to figure out this mess. If you go there, you will see a list of categories and sub-categories like:

  • Critical Infrastructure
  • Defense
    • Controlled Technical Information
    • DoD Critical Infrastructure Security Information
    • Naval Nuclear Propulsion Information
    • Unclassified Controlled Nuclear Information – Defense
  • Export Control
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • North Atlantic Treaty Organization (NATO)
  • Nuclear
  • Patent
  • Privacy
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax
  • Transportation

What matters to us is the definition for CTI:

“Controlled Technical Information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with Department of Defense Instruction 5230.24, “Distribution Statements of Technical Documents.” The term does not include information that is lawfully publicly available without restrictions. “Technical Information” means technical data or computer software, as those terms are defined in Defense Federal Acquisition Regulation Supplement clause 252.227-7013, “Rights in Technical Data – Noncommercial Items” (48 CFR 252.227-7013). Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.”

The italicized part is what really matters.

Step 4: Bring it all together

In shorthand, CDI is the CUI Category of Defense CTI.

We find it best to bring all of this together in the form of a question:

Since 2015, has your organization ever “Collected, developed, received, transmitted, used, or stored” any “technical information” such as “research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code” “in support of the performance of” a DoD “contract”?

If you can answer yes to this question, then your organization handled CUI, CDI, or CTI.
