CDI is Covered Defense Information. CDI means unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and Government-wide policies, and is— (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Please note the following:
The Department of Defense (DoD) on October 4, 2016, issued a rule finalizing cyber reporting regulations applicable to DoD contractors and subcontractors set forth in 32 CFR Part 236. The rule finalizes an interim rule DoD issued on October 2, 2015 and addresses cyber incident reporting obligations for DoD prime contractors and subcontractors.
Notably, the final rule clarifies the by now well-known definition of the term ‘covered defense information’ (“CDI”). This same term is used in DFARS 252.204-7012. This DFARS clause defines CDI to include four different categories: (1) covered technical information (“CTI”); (2) operations security; (3) export-controlled information; and (4) any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.
Given the similarities of this final category to the definition of controlled unclassified information (“CUI”) promulgated in connection with the National Archives and Records Administration’s (NARA) rule, we have understood this latter category to include CUI identified by NARA pursuant to its efforts under EO 13556. The DoD’s new final rule provides support for this understanding because it narrows the definition of CDI to only two categories: (1) CTI and (2) CUI. This modification accordingly appears to make clear that the “catch-all” category of CDI contained in DFARS 252.204-7012 was intended to align with NARA’s CUI efforts.
As such, consider the following:
- NIST 800-171 refers to “Controlled Unclassified Information”, but was dated before the new rules were put in place.
- “Unclassified Controlled Technical Information” was the original term in DFARS 252.204-7012 (pre-NIST 800-171 pronouncement).
- Covered Defense Information is a new term that encompasses all of the above, as well as new types of information; CDI is therefore the core definition and concept to grasp.
So, what then is CDI?
- Unclassified information provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or
- Unclassified information, which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Thus, it is:
- Controlled technical information (Military)
- Export controlled information (commodities, tech, software, etc.)
- Critical information (DoD Directive, OPSEC, etc.)
- ‘Catch All’ (privacy or proprietary business information)
- Research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
Need to Implement a DoD CUI Program? Talk to Arlington
DoD contractors - and other contractors providing services to federal agencies - need to have in place established policies, procedures, and processes regarding CUI that’s resident within their information systems. What federal contractors need is a CUI Program. Arlington can help, as we offer the following CUI services and solutions:
- CUI Scoping & Gap Assessments
- CUI Policy Development
- CUI Identification
- CUI Contractual Language Review
- CUI Marking (Digital)
- CUI Marking (Physical)