Tips for Identifying CDI

Does your organization handle CDI? These easy tips can help you understand what CDI is and how data is classified as CDI.

Where is CDI really defined?

DFARS 7012(a) defines CDI as unclassified controlled technical information or other Controlled Unclassified Information (CUI) that requires safeguarding or dissemination controls. This means you have to understand both Unclassified Controlled Technical Information (UCTI) and CUI.

What is Controlled Unclassified Information (CUI) and where is it defined?

Controlled Unclassified Information, or CUI, is defined by the National Archives as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” See the National Archives CUI Registry for more information about what is and is not CUI.

What is controlled technical information and where is it defined?

DFARS 7012(a) defines controlled technical information as technical information with military or space application that is subject to controls – assuming that it isn’t already lawfully publicly available without restrictions. The DFARS 7012 clause also says controlled technical information meets the criteria for distribution statements B through F in DoD Instruction 5230.24.

What is DoD Instruction 5230.24 and what are distribution statements B through F?

DoD Instruction 5230.24 provides the policies and rules for marking and managing technical documents to denote the extent to which they are available for secondary distribution, release, and dissemination without additional approvals or authorizations. It also establishes a standard framework and markings for managing, sharing, safeguarding, and disseminating technical documents in accordance with policy and law.

Does CDI come from the government, or might I be creating it?

You might be creating it. The DFARS 7012 clause says CDI can be “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”

Who determines what is and isn’t CDI?

The government’s contracting officer has the responsibility for determining what data is and isn’t CDI.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
_gat_gtag_UA_136970874_1	1 minute	No description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-others	1 year	No description