DOD Releases New Controlled Unclassified Information Instruction

The recently released DOD Instruction 5200.48 establishes policies, responsibilities, and procedures for controlled unclassified information (CUI), as well as a DOD CUI repository.  It is intended to respond to challenges in sharing CUI and address inconsistent definition and marking requirements. 

CUI requires an organization or individual to have a “lawful governmental purpose” for access which, is a lower standard than the “need-to-know” required for classified access.  NIST SP800-171 outlines standard security requirements for CUI, however, some CUI may require additional protection based on impact to national security. The security requirements for non-DOD systems storing, processing or transmitting CUI will be incorporated into all contracts and will follow 8582.01. DOD contracts must also require contractors to monitor CUI for the potential of aggregated CUI that generates classified information.   DOD CUI is further organized into indexes such as defense, privacy, or proprietary.  The officially maintained list of Indexes and Categories is stored in the DOD CUI Registry on the follow DOD Intelink website, which requires a government common access card (CAC) to access.

Under DODI 5200.48, the Under Secretary of Defense for Policy is responsible for policies and procedures relating to disclosing CUI to foreign governments, NATO, and other agreements, as well as requirements for CUI to be identified in international agreements, arrangements, and contracts that have licensing export controls to foreign partners. 

The Under Secretary of Defense for Acquisition and Sustainment is responsible for maintaining processes, policies and procedures, in accordance with DFARS, to protect DOD CUI related to contracting and agreements.  The USD(A&S) is also responsible for supporting the implementation of CUI requirements into Federal Acquisition Regulations relating to defense contractors.

Under Secretary of Defense for Research and Engineering is responsible for establishing processes, policies, and procedures that protect CUI for grants and cooperative R&D arrangements. The DOD CIO integrates and oversees CUI metadata tagging standards and oversees Defense Industrial Base Cybersecurity Activities.

Legacy CUI documents in DOD control or stored on access-controlled websites or databases do not need to be re-marked.  However new documents derived from legacy documents should reflect the new marking standard and any documents shared outside the DOD should be remarked before distribution. “CUI” replaces legacy markings in the header, footer, and portion markings. While “CUI” does not need to be preceded by an unclassified marking such as “U” in “U//FOUO”, any portions or subparagraphs should be properly marked “U” or “CUI” in a mixed document.  Also, “CUI” can still be combined with other subcategory and distribution markings such as “NOFORN” and “REL TO” as necessary.

Topics: Cybersecurity, Industrial Security, Government Policy