Supplying to Defense: your obligations for CUI security

If you or your organisation sit anywhere in the US DoD supply chain, you will need to comply with mandatory rules for managing sensitive but Unclassified information. This is because Defense industrial base organisations need to be certified to at least CMMC Level 1 by January 1, 2026 — and certification is not possible without control of your CUI.

Under the new CMMC 2.0 regime, if a business fails to achieve CMMC certification, it will not be permitted to bid on defense contracts. Failing to maintain a certification can also result in the loss of government contracts, breach of contract lawsuits, potential violations of the federal False Claims Act, and banishment from future contracts.

Do I need to formally manage CUI?

Every organisation and individual, from the official corporate members of the US Defense Industrial Base (such as Dell, Palo Alto, Slack, and ServiceNow) right through to individual contractors (and subcontractors), in the US and overseas, needs to comply with policies around protecting Controlled Unclassified Information (or CUI).

CUI can exist in any Federal Government Agency, but Defense has some specific controls. The DoD notes that “unlike with classified national security information, DoD personnel at all levels of responsibility and across all mission areas receive, handle, create, and disseminate CUI”.

CUI as a concept has been around since the Obama era, but it became policy for Defense in March 2020 under DoD Instruction 5200.48, “Controlled Unclassified Information”. The policy covers CUI identification, sharing, marking, safeguarding, storage, dissemination, destruction, and records management.

What actually is CUI?

CUI is defined as “Government created or owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure”.

This is because anyone providing services to the US Government is creating, capturing, transmitting, and/or storing records that belong to the Government. Even when you are the custodian, if you created it on behalf of the Government, you are not the owner.

How do we know what ‘must be safeguarded’? It’s a broad definition, because the categories are broad. Essentially, if something is:

  • Sensitive
  • Valuable
  • Useful to an adversary
  • Required to be protected under a certain law

…it is considered controlled information (even if it’s not national-security-classified). The DoD provides the example of “information developed during the course of a contract, grant, or other legal agreement (e.g., draft documents, reports, or briefings and deliverables)”, which is something every Defense Industry supplier holds.

What do we need to do with our CUI?

If you have Controlled Unclassified Information, you need to:

  • Label it. All CUI documents need to say ‘CUI’ or ‘CONTROLLED’ in the header/footer, and identify the owning Agency. Note, you don’t have to relabel old documents that had legacy confidentiality markings if they stay in the DoD network, but as soon as you take them out, you have to re-mark them as CUI.
  • Protect it. Any nonfederal systems storing CUI must meet the standards in the NIST SP 800-171.
  • Govern it. Non-DoD information systems processing, storing, or transmitting CUI must have these security commitments incorporated into all contracts, grants, and other legal agreements in accordance with DoDI 8582.01.
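As an added example (not part of the original article and not Castlepoint's own code), the marking rules above expressed as a small audit routine: a CUI banner (‘CUI’ or ‘CONTROLLED’) must be present in the header or footer and the owning agency identified, and a document carrying a legacy marking is acceptable only while it stays inside the DoD network. The `location` field, the `Controlled by:` line format and the use of FOUO as the legacy marking are assumptions made for the constructed samples.

```python
import re

# Banner words the article requires in the header/footer (case-sensitive on purpose,
# so a "Controlled by:" line alone does not count as the banner).
CUI_BANNER = re.compile(r"\b(CUI|CONTROLLED)\b")
# Assumption: the owning agency is written as a "Controlled by:" line.
AGENCY_LINE = re.compile(r"Controlled by:\s*\S")
# Assumption: FOUO stands in for whatever legacy confidentiality markings
# your own estate carries; extend the pattern to match them.
LEGACY_MARKING = re.compile(r"\b(FOUO|FOR OFFICIAL USE ONLY)\b", re.IGNORECASE)
DOD_NETWORK = "dod-network"  # assumed location label for copies still inside DoD systems

# Constructed sample records: header/footer text plus where the copy currently lives.
SAMPLE_DOCS = [
    {"name": "deliverable-report.docx", "location": "contractor-fileshare",
     "header": "CUI // Controlled by: Department of Defense", "footer": "CUI"},
    {"name": "briefing.pptx", "location": "contractor-fileshare",
     "header": "CUI", "footer": ""},
    {"name": "old-brief.pptx", "location": DOD_NETWORK,
     "header": "FOR OFFICIAL USE ONLY", "footer": "FOUO"},
    {"name": "old-brief-copy.pptx", "location": "contractor-fileshare",
     "header": "FOR OFFICIAL USE ONLY", "footer": "FOUO"},
    {"name": "draft-notes.txt", "location": "contractor-fileshare",
     "header": "", "footer": ""},
]


def check_marking(doc):
    """Return a list of marking findings for one document (empty list = compliant)."""
    text = f"{doc['header']}\n{doc['footer']}"
    findings = []
    if CUI_BANNER.search(text):
        # Banner is there; the article also requires the owning agency to be named.
        if not AGENCY_LINE.search(text):
            findings.append("CUI banner present but owning agency not identified")
    elif LEGACY_MARKING.search(text):
        # Legacy markings are tolerated only while the copy stays inside the DoD network.
        if doc["location"] != DOD_NETWORK:
            findings.append("legacy marking on a copy outside the DoD network: re-mark as CUI")
    else:
        # Unmarked: the authorized holder must decide at creation whether it is CUI.
        findings.append("unmarked: holder must confirm whether it falls into a CUI category")
    return findings


def audit(docs):
    """Map each document name to its findings so results can be reviewed or alerted on."""
    return {doc["name"]: check_marking(doc) for doc in docs}
```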

But before you do any of that, you have to identify it:

“The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly.”

How will this be possible?

You’re obligated to identify every piece of CUI you create or capture, at the point it originates. This means that every person in your company has to know the 20 categories (and 125 subcategories) of CUI and in what circumstances to apply them. They then need to mark their records, and add metadata, so that they can be found again and properly protected and governed.

But relying on individuals to know, and to follow, complex regulatory obligations is a key compliance risk, and also affects productivity and ease of use.

Instead, you can use Castlepoint to automatically identify content — including emails, database entries, webpages, and chats, not just documents — that contains CUI content. And you can search across every system in your enterprise for that CUI, from a single pane of glass, without the need for any metadata tagging. This helps prevent breaches.

You can also use Castlepoint to be alerted any time potential CUI is created, moved, or disseminated outside approved, secure NIST-certified systems. This helps detect breaches.

And most importantly, you can use Castlepoint to demonstrate your CUI control, and meet your CMMC certification requirements.

Castlepoint can be rolled out in hours, and won’t have any impact on your users, source systems, or data. Contact us to find out how to get started.