Do I have CUI? Distribution Statement Deepdive
Explore the complexities of CUI and distribution statements in DoD contracts, and learn how to navigate DFARS and CMMC requirements with expert insights from Ryan Bonner.
This blog is adapted from the Sum IT Up podcast.
In this week's podcast:
In this episode of the Sum IT Up podcast, Summit 7's Jacob Horne and Ryan Bonner, CEO of DEFCERT, explore the complexities of Controlled Unclassified Information (CUI) and Department of Defense (DoD) distribution statements. The discussion emphasizes the challenges contractors face in identifying CUI, the value of reverse-engineering the government's decisions to designate data as CUI, and how understanding CUI better than their customers helps contractors manage compliance obligations, minimize scope, and reduce costs. Ryan highlights updates to the DoD's CUI registry, the role of distribution statements, and the legal implications of controlled technical information (CTI), providing practical advice for contractors navigating the cybersecurity landscape.
Key Takeaways:
1. "Do I Have CUI?"
- Identifying CUI is a key challenge for contractors. DFARS clause 252.204-7012 is included in essentially all DoD solicitations and contracts (those solely for COTS items excepted), so in practice the contractor must work out for itself whether the information it handles is CUI. Misreading this clause, in either direction, can lead to costly compliance efforts.
2. Updates to DoD's CUI Registry:
- Ryan Bonner discusses recent changes to the DoD's CUI registry, including the addition of legal authorities to CUI categories, such as the U.S. Munitions List (ITAR) and the Commerce Control List (EAR), which affect how technical data is designated as CUI.
3. Controlled Technical Information (CTI):
- CTI is a DoD CUI category that overlaps heavily with export-controlled data: technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination, and that typically carries a DoD distribution statement. The conversation touches on how certain technical information (e.g., blueprints) is also subject to stringent export laws, such as ITAR, and how export-control violations have led to hefty penalties for companies like RTX.
4. Are Distribution Statements CUI?
- Not all documents with DoD distribution statements are automatically CUI. Distribution Statement A marks material approved for public release, which by definition is not CUI; Statements B through F restrict dissemination, but whether the document is CUI still depends on whether a lawful CUI authority (for example, the CTI definition or export-control law) actually applies to its content. Contractors must analyze each case rather than assume the two sets of markings line up.
5. Why Not Treat Everything as CUI?
- Treating all information as CUI is inefficient and costly. Reverse-engineering the authorities behind CUI categories helps contractors avoid protecting non-CUI as if it were CUI, which would needlessly expand the scope of their cybersecurity program and increase costs.
6. Reverse Engineering CUI Authorities:
- Contractors should use legal authorities in the DoD’s CUI registry to determine if data is CUI. Understanding these rules enables contractors to push back on customers when the CUI designation is incorrect.
7. Soft Skills in Managing CUI Classification:
- Ryan stresses the importance of soft skills in negotiating CUI classifications with customers. Social capital and strategic communication can help avoid unnecessary conflict and compliance burdens.
8. Practical Application of CUI Knowledge:
- The episode concludes with practical advice on how contractors can implement these strategies, emphasizing that a thorough understanding of CUI categories and distribution statements can reduce risks and save costs.
Episode Links:
- Ryan CS2 Denver: How To Know If You Have CUI - Ryan Bo...
- RTX Charging Letter: jacob-evan-horne_whoopsie-daisy-62b-defens...
- DoD CUI Registry: https://www.dodcui.mil/
- NARA CUI Registry: https://www.archives.gov/cui/registry...
Sum IT Up Podcast
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.