CUI

RESOURCES

NEW eResilience article on cyber assurance for prime contractor bidding teams

A new Contract Management magazine article from eResilience discusses supply chain cyber compliance risk and explores issues and strategies that prime contractors should be aware of when sharing CUI with suppliers and subcontractors. This article appeared in the August 2024 issue of Contract Management magazine, published by the National Contract Management Association. Used with permission. Link | Download

NEW Briefing: Appropriate Use of CUI in the DoD

The DoD Office of the Undersecretary of Defense for Intelligence and Security (I&S) released a set of briefing slides providing information on DoD implementation of the CUI program. Link | Download

NEW DoD issues Class Deviation on Cybersecurity Standards for Covered Contractor Information Systems

The DoD has issued a Class Deviation to modify the DFARS 252.204-7012 clause so that it requires CUI-handling contractors to implement specifically NIST SP 800-171 Revision 2 instead of "the version of NIST SP 800-171 in effect at the time the solicitation is issued". This means the CMMC program will continue to use 171 R2 as the underlying standard for compliance even after 171 R3 becomes final. The class deviation is effective immediately and will remain in effect indefinitely, until rescinded. Link | Download

DoD CUI Awareness and Marking Brief

The DoD has cleared a briefing from November 2020 on CUI Awareness and Marking for public release. These slides provide good information about how CUI is identified and marked. Link | Download

Limited Dissemination Control (LDC) Markings: Quick Reference Guide

The DoD has released a list of the new Limited Dissemination Control (LDC) Markings and descriptions of what each marking means. Link | Download

NIST SP 800-172 “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171”

NIST 800-172 prescribes enhanced security requirements designed to further protect Controlled Unclassified Information (CUI) from advanced persistent threats by protecting the confidentiality, integrity, and availability of that information on nonfederal information systems associated with critical programs or high value assets.  This publication does not replace NIST SP 800-171, but creates additional security requirements that will need to be implemented for selected systems. Link | Download

DRAFT – NIST SP 800-172 (Formerly known as “171B”)

Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171 (Final public draft). Link | Download

Supplier Performance Risk System for NIST SP 800-171 DoD Assessment

The DoD has updated its Supplier Performance Risk System (SPRS), which will now store results from DoD NIST 800-171 Basic, Medium, and High assessments. The SPRS will be accessible by DoD components for the purpose of assessing contractor cybersecurity readiness levels. Link | Download

Update: NIST SP 800-171 DoD Assessment Methodology Version 1.2.1

The DoD has released an update of its NIST SP 800-171 Assessment Methodology, introducing the ability for the DIBCAC to perform remote "virtual" assessments at the Medium and High Confidence level due to the COVID-19 pandemic. Basic assessments will still be self-reported by contractors, and the subtractive, weighted scoring system is still in place. Link | Download

DoD Instruction 5200.48 Controlled Unclassified Information (CUI) (March 6, 2020)

This new DoD Instruction document establishes an official DoD CUI registry and associated DoD-wide policies, responsibilities, and procedures for CUI. Link | Download

NIST SP 800-171 Revision 2/Final, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (February 21, 2020)

This is the final release of NIST SP 800-171 Rev. 2, which supersedes the previous SP 800-171 Rev. 1. Revision 2 includes minor editorial changes but does not change the basic or derived security requirements. Link | Download

Updated DoD Instruction 8582.01 (December 9, 2019)

The newly updated DoD Instruction 8582.01 replaces the previous version issued June 6th, 2012. This instruction comes from the office of the Chief Information Officer of the Department of Defense and establishes policies, assigns responsibilities, and provides directions for managing security on all non-DoD systems that store or process any non-public DoD information, including CUI. Link | Download

National Archives Controlled Unclassified Information (CUI) Registry – CUI Categories List

The CUI registry helps you understand what type of information is considered sensitive. There are many types and categories of CUI, and the registry provides descriptions as well as information and resources about marking and dissemination controls. Link