How do I know what CUI Data I have to determine the CMMC level to attain?

Cyber Security

This question has haunted most if not all Defense Contractors, big and small. Make no mistake, understanding your responsibilities when it comes to Controlled Defense Information (CDI), Controlled Technical Information (CTI), or Controlled Unclassified Information (CUI) is vital in a DoD contracting environment. Whether you’re a defense prime contractor or a subcontractor, knowing if your project involves CDI, CTI, or CUI determines how you handle, mark, and protect the sensitive information you’re working with. Specific standards—like NIST 800-171, DFARS 7012, and CMMC—guide these efforts and are crucial for maintaining national security and contract integrity.

To determine if you’re handling CDI/CTI/CUI, start by reviewing your contract’s documentation. The requirements and criteria for these categories of information are often detailed in the Contract Data Requirements List (CDRL), a critical component for DoD contracts specifying what data must be delivered, how, and when. Hand-in-hand with the CDRL is the Subcontractor Data Requirements List (SDRL), intended for subcontractors. Both documents should clearly state whether your contractual duties involve CDI, CTI, or CUI. Look for specific references to security requirements, marking instructions, and any mention of DFARS or DoDI clauses that might apply to your work.

Once you’ve identified that you’re dealing with CDI, CTI, or CUI, it’s crucial to adhere to the prescribed marking and handling requirements. These are not just suggestions but mandatory protocols that safeguard sensitive information. According to DoDI 5230.24, distribution statements used to mark CDI/CTI/CUI range from B through F, each indicating a different level of dissemination control. DFARS 252.204-7012 sets the requirements for safeguarding covered defense information, which includes cyber security measures and incident reporting guidelines. It’s not only about marking information correctly but also ensuring that it is stored, transmitted, and destroyed according to stringent standards to prevent unauthorized access.

Engaging with your Contracting Officer (CO) can provide the customized guidance and clarification needed to navigate the complexities of CDI, CTI, and CUI responsibilities. Contacting the CO is a step that should not be underestimated, as they offer authoritative answers and direction on how to meet contractual obligations while maintaining compliance. The CO can help demystify requirements, assist in interpreting the CDRL and SDRL, and ensure that proper protocols are in place for handling sensitive information. Their involvement is essential in cases where the contract documents may not provide clear guidance or when unique situations arise that aren’t explicitly covered in the standard regulations.

Additionally, familiarize yourself with the Controlled Unclassified Information (CUI) | National Archives i.e, the CUI Registry ( They have a wealth of information and training for everyone. This registry is the official government-wide online repository for Federal-level guidance regarding CUI policy and practice. It includes information on categories, markings, and controls related to Controlled Unclassified Information. For more detailed guidance or specific queries, the registry recommends consulting your agency’s CUI implementing policies and program management.

In conclusion, the prudent handling of CDI, CTI, and CUI is a fundamental aspect of defense contracting. By understanding how to identify these types of information, strictly following marking and handling requirements, and maintaining open communication with Contracting Officers for guidance, contractors can ensure they are fulfilling their obligations and protecting sensitive data. It is a shared responsibility that upholds the integrity of national security. Contractors who navigate these waters successfully demonstrate their commitment to compliance and their role in safeguarding the nation’s defense information.