8/15/2018 10:33 AM
Protecting Covered Defense Information and Why It is Important
This article is meant to introduce readers to some critical aspects of
CUI. This year the federal government has been ramping up its efforts
to ensure that information security procedures are implemented
effectively and in a timely manner in the interest of national
security. CUI is included in that information but is often
overlooked. After reading this article, you should be familiar with
the terms and entities that will help kickstart your research efforts
on this topic.
Table 1: Definitions
Controlled Unclassified Information (CUI): Information that doesn't
require a clearance to view but is not publicly available.
Covered Defense Information (CDI): Describes CUI that "requires
safeguarding or dissemination controls," as required by law, and
is provided to or handled by the contractor on behalf of the
Executive Agent: The head of a federal component that has been
assigned specific responsibilities, functions and authorities to
provide defined levels of support for federal activities.
On November 9, 2010, the President signed Executive Order 13556, which
designated the National Archives and Records Administration (NARA) as
the Executive Agent for the management of Controlled Unclassified
Information (CUI). Unlike classified information, CUI does not require
a clearance to handle; however, it is sensitive enough to impact
government operations if made public.
Covered Defense Information (CDI) is the term for the subset of CUI
that relates to the DoD. It is defined as marked information provided
by the DoD that requires safeguarding or dissemination controls
(DFARS 252.204-7012(a)). CDI is usually distributed in support of
specific contracts and other operations, and, like other types of
CUI, does not include information that is publicly available. CDI can
be further divided into four subcategories: covered technical
information (CTI), operations security, export-controlled
information, and any other marked information that needs
safeguarding.
The important thing to know about CDI is that since it is given to the
contractor by the DoD, it is the responsibility of the contractor to
ensure the security and integrity of the provided CDI. Cyber
incidents that involve CDI require an incident collection form (ICF)
to be filed in accordance with DFARS 252.204-7012.
Covered Technical Information (CTI) is technical information with
military or space application that requires controls on access, use,
reproduction, and other handling of the information (DFARS).
DFARS further defines technical information to include, but not be
limited to:
Engineering research and data
Engineering drawings and associated lists
Studies and analyses and related information
Computer software executable code and source code
CTI doesn't require a clearance to view, but it is not publicly
available, and it is considered a subcategory of Covered Defense
Information (CDI), since CTI focuses on information specific to
military operations, as opposed to general DoD information.
NIST Special Publication (SP) 800-171 was published to provide
guidelines to contractors and agencies for securing CUI. The policies
implemented by NARA as part of the CUI program are presented in the
publication in a simplified, compiled and succinct format. It is an
excellent starting point that will give you the foundation of
understanding needed to successfully implement CUI controls. The
document can be found on the NIST website (see the references below).
We highly recommend giving this document a look-through.
In SP 800-171, NIST states: "The protection of Controlled
Unclassified Information (CUI) while residing in nonfederal
information systems and organizations is of paramount importance to
federal agencies and can directly impact the ability of the federal
government to successfully carry out its designated missions and
business operations." (p. iii)
At this point, you may be saying, “Okay Google, why is CUI of
‘paramount importance’ to the government’s missions?”
Like any defensive line, the best way to get in is through the weakest
link. The weakest links here are small businesses. "According to a
report from Verizon, 71 percent of cyberattacks occurred in
businesses with fewer than 100 employees in 2012," says the
Washington Press. There are numerous programs out there that
encourage federal agencies to work with small businesses, such as the
8(a) program and the Small Business Administration, but there had not
been much emphasis on securing these businesses prior to Executive
Order 13556. Additionally, federal entities are no longer authorized
to work with new or existing contractors who do not comply with NIST
SP 800-171.
To wrap everything up, the President issued an Executive Order in 2010
that called for the tightening up of CUI-related security controls.
This order mandated the CUI program and established NARA as the
Executive Agent for it. We have now reached the point where the
changes required of the order are relevant to federal contractors.
Without compliance with these policies, no contractor will be able to
work with the government in any capacity when CUI is involved, which
is almost always the case. The DoD has subsets of CUI (CDI and CTI)
that need to be understood as well. These subsets are subject to the
same regulations as CUI but are further regulated in some cases. NIST
SP 800-171 is an excellent resource for learning what policies are,
how they’re being enforced and how they should be implemented.
We know this is a lot to take in, but not to worry. Vigilant
Technologies offers free IT assessments that will let you know your
level of compliance with EO 13556. To get started fill out our brief
assessment form and we’ll get back to you with details on how we
can help you ensure you’re ready to work with the government.
References
National Institute of Standards and Technology. (2016, December).
Protecting Controlled Unclassified Information in Nonfederal Systems
and Organizations. Retrieved from NIST:
Defense Information - The Basics. (n.d.). Retrieved from Department
of Defense Office of Small Business Programs Web site:
Washington. (2017, March 8). Small Business Cybersecurity:
Coordinating Federal Resources. Retrieved from House Small Business
Committee:
Wolfowitz, P. (2003, November 21). DoD Directive 5101.1, September 3,
2002; Incorporating Change 1, May 9, 2003; Certified Current as of
November 21, 2003. Retrieved from Office of the Under Secretary of
Defense for Acquisition, Technology and Logistics. This directive,
issued by the DoD, gives a good explanation of an Executive Agent and
its responsibilities.