DoD CUI Categories to Protect for NIST and DFARS Compliance


Organizations seeking contracts with the Department of Defense (DoD) need to comply with the Defense Federal Acquisition Regulation Supplement (DFARS). These security rules inform the National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP 800-171), which exists primarily to protect controlled unclassified information (CUI). To secure lucrative DoD contracts, organizations need to protect all DoD CUI categories.


What Are the DoD CUI Categories Organizations Need to Protect?

The DoD defines all categories of CUI in its CUI Registry, available via spreadsheet or PDF. The registry breaks down into several organizational index groupings, each of which contains its own CUI Categories. There are three primary considerations for organizations orbiting the DoD:

  • The categories of CUI specific to the Defense Organizational Index Grouping
  • The various other categories of CUI defined across the entire DoD CUI Registry
  • The DoD’s guidance on marking requirements for CUI and other sensitive data

This guide will walk through the kinds of CUI that need to be marked and how to mark them.


DoD CUI Categories for the Defense Organizational Index Group

The most critical kinds of CUI to account for are those pertinent to Defense specifically:

Organizations seeking DoD contracts are most likely to come into contact with these forms of CUI, so it’s critical to understand their specific characteristics and any applicable regulations.


DoD CUI Categories Across Other Organizational Index Groups

There are several other categories of CUI your organization may come into contact with, albeit less likely. The remaining organizational index groups and their respective CUI categories are:

  • Critical Infrastructure – Ammonium Nitrate (CRITAN), Chemical-terrorism Vulnerability Info (CVI), Critical Energy Infrastructure Info (CEII), Emergency Management (EGMT), General Critical Infrastructure Info (CRIT), Information Systems Vulnerability Info (ISVI), Physical Security (PHYS), Protected Critical Infrastructure Info (PCII), SAFETY Act Info (SAFE), Toxic Substances (TSCA), and Water Assessments (WATER).
  • Export Control – Export Controlled (EXPT) and Export Controlled Research (EXPTR).
  • Financial – Bank Secrecy (FSEC), Budget (BUDG), Comptroller General (COMPT), Electronic Funds Transfers (XFER), Financial Supervision Info (FSI), General Financial Info (FNC), International Financial Institutions (FINT), Mergers (MERG), Net Worth (NETW), and Retirement (RTR).
  • Intelligence – Foreign Intelligence Surveillance Act (FISA), FISA Business Records (FISAB), General Intelligence (INTEL), Geodetic Product Info (GEO), Intelligence Financial Records (IFNC), Internal Data (ID), and Operations Security (OPSEC).
  • International Agreements – International Agreement Info (INTL).
  • Law Enforcement – Accident Investigation (AIV), Campaign Funds (FUND), Committed Persons (CMPRS), Communications (LCOMM), Controlled Substances (SUB), Criminal History Records Info (CHRI), DNA (LDNA), General Law Enforcement (LEI), Informant (INF), Investigation (INV), Juveniles (JUV), Law Enforcement Financial Records (LFNC), National Security Letter (LNSL), Pen Registers / Trap & Trace (TRACE), Reward (RWRD), Sex Crime Victim (SCV), Terrorist Screening (LSCRN), and Whistleblower Identity (WHSTL).
  • Legal – Administrative Proceedings (ADPO), Child Pornography (CHLD), Child Victims/ Witnesses (CVIC), Collective Bargaining (BARG), Federal Grand Jury (JURY), Legal Privileges (PRIVILEGE), Legislative Material (LMI), Presentence Reports (PRE), Prior Arrests (PRIOR), Protective Orders (LPROT), Victims (LVIC), and Witness Protection (WIT).
  • Natural and Cultural Resources – Archeological Resources (ARCHR) and Historic Properties (HISTP).
  • North Atlantic Treaty Organization – NATO Restricted and NATO Unclassified.
  • Nuclear – General Nuclear (NUC), Nuclear Recommendation Materials (RECCOM), Nuclear Security-Related Info (SRI, distinct from NNPI above), and Unclassified Controlled Nuclear Info – Defense (UCNI, distinct from DNCI above).
  • Patents – Patent Applications (APP), Inventions (INVENT), and Secrecy Orders (PSEC).
  • Privacy – Contract Use (CONTRACT), Death Records (DREC), General Privacy (PRVCY), Genetic Info (GENETIC), Health Info (HLTH), Inspector General Protected (PRIIG), Military Personnel Records (MIL), Personnel Records (PERS), and Student Records (STUD).
  • Procurement and Acquisition – General Procurement and Acquisition (PROCURE), Small Business Research and Technology (SBIZ), and Source Selection (SSEL).
  • Proprietary Business Information – Entity Registration Info (CONREG), General Proprietary Business Info (PROPIN), Ocean Common Carrier and Marine Terminal Operator Agreements (OCCMTO), Proprietary Manufacturers (MFC), and Proprietary Postal (POST).
  • Provisional – Operations Security Info (OPSEC), Personnel Security (PERSEC), Privacy Info, and Sensitive Personally Identifiable Information (PII).
  • Statistical – Statistical Info (STAT).
  • Tax – Federal Taxpayer Info (TAX), Tax Conventions (CONV), and Written Determinations (WDT).
  • Transportation – Railroad Safety Analysis Records (RAIL) and Sensitive Security Info (SSI).

If your organization processes any of these types of information, you should familiarize yourself with the particular legal codes applicable to them, indexed throughout the DoD CUI Registry.


DoD CUI Marking Examples and Unclassified Marking Guidance

Organizations that handle CUI should abide by the same practices used by the DoD to mark and identify CUI and certain other sensitive documents. The DoD CUI markings correspond to the abbreviations for all the DoD CUI categories above. Required marking practices are defined in a DoD guide, Controlled Unclassified Information Markings, from September of 2020.

The guide’s examples show how the marker “CUI” must appear at the top and bottom (header and footer) of every page in CUI files, and a designation indicator on the first page must include:

  • The DoD component name (unless it is already identified in letterhead)
  • The office responsible for the creation of the document or piece thereof
  • The specific categories of CUI contained within the document’s pages
  • Any applicable limited dissemination control (LDC) or distribution statement
  • The name and current contact information for the point of contact, to whom personnel must report any incidents

If documents are classified, other banner and footer designations may take the place of “CUI,” such as “SECRET” or a specific indicator of the stakeholders for whom the file is classified.
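The banner and designation-indicator requirements above are mechanical enough to check automatically, for instance as a pre-release or DLP step before a document leaves the enclave. The script below is an added example, not code from the DoD marking guide or from RSI Security: it treats a document as a list of page strings, requires the bare line "CUI" as the first and last line of every page, and parses the first page for the designation-indicator fields. The field labels ("Controlled by", "CUI Category", "Distribution/Dissemination Control", "POC"), the sample pages and the placeholder LDC value are assumptions made for the example; the category abbreviations it accepts are a subset of those listed on this page.

```python
"""Check CUI page banners and the first-page designation indicator.

Added example. Field labels, sample pages and the placeholder values are
assumptions, not the DoD guide's own layout; category codes come from the
list on this page.
"""
import re

# Subset of the CUI category abbreviations listed on this page.
KNOWN_CUI_CATEGORIES = {
    "CRITAN", "CVI", "CEII", "EGMT", "CRIT", "ISVI", "PHYS", "PCII", "SAFE", "TSCA",
    "WATER", "EXPT", "EXPTR", "INTL", "PROCURE", "SBIZ", "SSEL", "CONREG", "PROPIN",
    "OPSEC", "PERSEC", "PII", "STAT", "TAX", "CONV", "WDT", "RAIL", "SSI",
}

# Designation-indicator fields this checker requires (labels are assumed).
# "Controlled by" covers both the DoD component and the originating office; the
# component may instead appear in letterhead, so only one such line is enforced.
REQUIRED_FIELDS = ("Controlled by", "CUI Category",
                   "Distribution/Dissemination Control", "POC")

# A "Label: value" line; labels may contain spaces and a slash.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(\S.*?)\s*$", re.MULTILINE)


def check_banners(pages):
    """Report every page whose first or last line is not the bare banner 'CUI'."""
    findings = []
    for number, page in enumerate(pages, start=1):
        lines = [line.strip() for line in page.strip().splitlines()]
        if not lines or lines[0] != "CUI":
            findings.append(f"page {number}: missing 'CUI' header")
        if not lines or lines[-1] != "CUI":
            findings.append(f"page {number}: missing 'CUI' footer")
    return findings


def parse_designation_indicator(first_page):
    """Collect 'Label: value' lines from the first page; repeated labels keep all values."""
    fields = {}
    for match in FIELD_RE.finditer(first_page):
        fields.setdefault(match.group(1).strip(), []).append(match.group(2))
    return fields


def check_designation_indicator(first_page):
    """Report missing required fields and category codes not in the known set."""
    findings = []
    fields = parse_designation_indicator(first_page)
    for label in REQUIRED_FIELDS:
        if label not in fields:
            findings.append(f"designation indicator: missing '{label}'")
    for value in fields.get("CUI Category", []):
        for code in re.split(r"[,/\s]+", value):
            if code and code not in KNOWN_CUI_CATEGORIES:
                findings.append(f"designation indicator: unrecognized CUI category '{code}'")
    return findings


def check_document(pages):
    """Run every check; an empty result means the markings match the guidance."""
    if not pages:
        return ["document has no pages"]
    return check_banners(pages) + check_designation_indicator(pages[0])


# Constructed sample documents (not real CUI).
COMPLIANT_DOC = [
    """CUI
Controlled by: Hypothetical DoD Component
Controlled by: Example Program Office
CUI Category: EXPT, PROPIN
Distribution/Dissemination Control: Example LDC (placeholder)
POC: Example POC, poc@example.com
Body paragraph describing an export-controlled design.
CUI""",
    """CUI
Page two body text.
CUI""",
]

DEFICIENT_DOC = [
    """CUI
Controlled by: Example Program Office
CUI Category: EXPT, NOTACODE
Distribution/Dissemination Control: Example LDC (placeholder)
Body text without a POC line.
CUI""",
    """Page two is missing both banner lines.""",
]

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT_DOC), ("deficient", DEFICIENT_DOC)):
        print(name, check_document(doc) or "OK")
```

Run as-is, the compliant sample produces no findings, while the deficient one reports the missing banners on page two, the absent POC line and the unknown category code. In practice the known-category set would be loaded from the full DoD CUI Registry rather than hard-coded, and the LDC value would be validated against the registry's limited dissemination control list in the same way.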


Safeguard All CUI for DFARS, NIST, and CMMC Compliance

Companies that have already achieved DFARS and NIST compliance also need to prepare for Cybersecurity Maturity Model Certification (CMMC), which is currently being rolled out by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)). CMMC implementation comprises all of the NIST protections for CUI, along with several others.

To start mapping over controls and fully protect all DoD CUI categories, contact RSI Security today!
