Tips for Identifying CDI
DFARS 7012(a) defines CDI as unclassified controlled technical information or other Controlled Unclassified Information (CUI) that requires safeguarding or dissemination controls. This means you have to understand both Unclassified Controlled Technical Information (UCTI) and CUI.
Controlled Unclassified Information, or CUI, is defined by the National Archives as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” See the National Archives CUI Registry for more information about what is and is not CUI.
DFARS 7012(a) defines controlled technical information as technical information with military or space application that is subject to controls – assuming that it isn’t already lawfully publicly available without restrictions. The DFARS 7012 clause also says controlled technical information meets the criteria for distribution statements B through F in DoD Instruction 5230.24.
DoD Instruction 5230.24 provides the policies and rules for marking and managing technical documents to denote the extent to which they are available for secondary distribution, release, and dissemination without additional approvals or authorizations. It also establishes a standard framework and markings for managing, sharing, safeguarding, and disseminating technical documents in accordance with policy and law.
You might be creating CDI yourself. The DFARS 7012 clause says CDI can be “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
The government’s contracting officer has the responsibility for determining what data is and isn’t CDI.