Who Controls CUI: The Authority Chain

Learn who can control CUI and the steps for effective management in defense contracting.

---

# Who Controls CUI: The Authority Chain

Contractors often ask: "Who told me I have to protect this information?" The short answer is your contract. The longer answer involves a chain of authority that goes all the way up to a presidential executive order, passes through a federal oversight office most contractors have never heard of, and flows down through DoD policy and acquisition regulations before it reaches your inbox.

Understanding that chain matters practically. It tells you which agency's CUI designations are authoritative, why some information is CUI and other similar-looking information isn't, and what happens when you get conflicting guidance from your contracting officer, your prime, and the CUI Registry. It also explains why your CMMC requirements look the way they do.

## Executive Order 13556: The Foundation

The CUI program started with Executive Order 13556, signed in November 2010. Before EO 13556, federal agencies each ran their own unclassified-but-sensitive information programs under different names: For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive But Unclassified (SBU), and dozens more. The result was inconsistency — information designated "FOUO" by one agency might not be treated the same way by another, and contractors working across agencies had to manage a patchwork of different labels and handling rules.

EO 13556 standardized all of this into a single Controlled Unclassified Information program, applicable government-wide. It established one authority structure, one registry of categories, and one set of handling rules. The Executive Order gave authority to manage this program to a single office.

## ISOO: The Executive Agent

The Information Security Oversight Office (ISOO) at the National Archives and Records Administration (NARA) is the executive agent for the CUI program. ISOO's responsibilities include:

  • Writing and updating the federal CUI regulations (32 CFR Part 2002)
  • Managing the CUI Registry (the authoritative list of all CUI categories)
  • Issuing guidance to federal agencies on CUI implementation
  • Overseeing agency compliance with the CUI program
  • Adjudicating disputes about whether something qualifies as CUI

ISOO doesn't directly interact with contractors. Its reach is through regulations and agency policies. If you've ever wondered whether a piece of information is actually CUI and which category it falls under, the CUI Registry at archives.gov/cui is ISOO's answer to that question. It's the authoritative source — not your contracting officer's interpretation, not your prime's policy, not a generic description you found online.

The Registry lists every CUI category (there are roughly 100), the specific laws or regulations that make the information CUI, handling requirements, and whether the category requires basic or specified protection. "Basic" CUI has uniform handling requirements. "Specified" CUI (marked CUI//SP-[category]) has additional requirements imposed by the underlying law or regulation.

## 32 CFR Part 2002: The Implementing Regulation

ISOO published 32 CFR Part 2002 in 2016 as the implementing regulation for EO 13556. This is the federal rule that defines:

  • What CUI is (and isn't)
  • Who can designate information as CUI (only federal agencies — not contractors)
  • How CUI must be marked
  • What "safeguarding" and "dissemination controls" mean
  • Incident reporting requirements when CUI is compromised

32 CFR Part 2002 is the legal backbone of the entire CUI system. When your contract requires you to protect CUI, the contract is ultimately enforcing this regulation. When your CMMC program requires specific controls, those controls exist to satisfy this regulation's safeguarding requirements.

One important principle in 32 CFR Part 2002: only authorized federal agencies can designate information as CUI. Contractors cannot create CUI — they receive it from the government or generate it on behalf of the government under a contract that specifies the CUI nature of the deliverable. This means if you're unsure whether information you've created is CUI, the answer comes from your contract and from the agency you're working with, not from your own judgment.

## DoD's Implementation: DoDI 5200.48

The Department of Defense published DoD Instruction 5200.48 as its CUI implementation policy. DoDI 5200.48 translates the government-wide 32 CFR Part 2002 into DoD-specific procedures:

  • DoD-specific CUI categories and subcategories (Controlled Technical Information, Export Controlled, Naval Nuclear Propulsion Information, etc.)
  • Procedures for DoD components and contractors working with DoD CUI
  • Integration with existing DoD classification and marking guidance
  • The role of the DoD CUI Program Office

For contractors, DoDI 5200.48 is particularly relevant because it defines the types of information most commonly encountered in defense contracts. Controlled Technical Information (CTI) is one of the largest CUI categories in the DoD space — it includes technical data and computer software with military or space application where DoD has release or disclosure authority. If your contract involves engineering drawings, specifications, test data, or software for DoD systems, you're almost certainly working with CTI.

## The Contract Flow: DFARS and FAR

The CUI authority chain reaches contractors through two acquisition regulations:

DFARS 252.204-7012 (Defense Federal Acquisition Regulation Supplement) — the primary clause for DoD contractors. It requires contractors to:

  • Implement NIST SP 800-171 to protect CUI
  • Report cyber incidents affecting CUI to the DoD within 72 hours
  • Preserve and submit CUI artifacts after an incident
  • Flow down equivalent requirements to subcontractors who handle CUI

If this clause is in your contract, you have legally binding obligations under the CUI program, regardless of whether your organization has formally acknowledged it. The clause has been required in relevant DoD contracts since 2017.

FAR 52.204-21 (Federal Acquisition Regulation) — the broader government-wide basic safeguarding clause. It requires implementation of the 15 basic safeguarding requirements from NIST SP 800-171 for systems handling Federal Contract Information. This is the Level 1 baseline.

The FAR CUI Rule (48 CFR, published 2024, phased implementation) extends CUI requirements to civilian agency contractors beyond DoD. Once fully in effect, contractors working with any federal agency's CUI will face requirements similar to DFARS 252.204-7012.

Decision point: If your contract includes DFARS 252.204-7012, you're in the DoD CUI system with Level 2 obligations. If your contract only includes FAR 52.204-21, you're at Level 1 with basic safeguarding obligations. If you're a subcontractor, look at your prime's subcontract for the equivalent flow-down clause.

## The Prime-to-Sub Flow

Prime contractors are responsible for flowing CUI protection requirements down to subcontractors who handle CUI. The prime can't give a sub a CUI document and then say compliance is someone else's problem — the prime has a contractual obligation to include appropriate clauses in subcontracts.

In practice, this means:

  • Primes must identify which subcontractors receive CUI
  • Subcontracts must include clauses equivalent to DFARS 252.204-7012 (or the applicable flow-down requirement)
  • Primes should verify their subs have adequate protection — some primes audit their subs, review SPRS scores, or require evidence of CMMC certification before sharing CUI
  • If a sub has a CUI incident, the reporting obligation flows back to the prime, who then reports to DoD

As a sub, you can't escape the CUI requirements by saying your prime "handles the compliance." Once CUI is in your hands, you're responsible for protecting it per the requirements in your subcontract.

## Why the Authority Chain Matters to You Practically

Designation disputes: If your contracting officer marks something as CUI and you're not sure it qualifies, the CUI Registry is the arbiter. Not every piece of information in a DoD contract is CUI — many contractors over-protect because they're uncertain. Check the Registry category definitions. If the information doesn't fit a listed category, it may not be CUI.

Handling conflicts: If your prime gives you CUI handling guidance that conflicts with what's in the Registry or 32 CFR Part 2002, the regulation takes precedence. Your prime cannot create handling requirements more lax than the regulation — they can make them stricter, but not looser.

Determining your scope: CUI designations originate from the government. If you're not sure what in your environment is CUI, the answer starts with your contract's data requirements list and any CUI designation notices from the contracting agency. A document isn't CUI because it seems sensitive — it's CUI because an authorized federal agency designated it as CUI in a specific category.

Incident reporting: The 72-hour reporting requirement in DFARS 252.204-7012 runs to the DoD via the DIBNET portal. The authority for this requirement is 32 CFR Part 2002 and DoDI 5200.48. Knowing this chain means knowing where to report and why the timeline is mandatory, not advisory.

## Common Mistakes

Treating the prime's word as final. Primes sometimes give incorrect guidance about what is or isn't CUI, or about handling requirements. The prime is downstream in the authority chain — they're implementing the government's requirements, not setting them. When in doubt, consult the CUI Registry and the relevant regulation directly.

Assuming all government information is CUI. Not everything from DoD is CUI. Publicly releasable contract requirements, administrative correspondence, and information already in the public domain don't become CUI because they appear on a government contract. Correctly scoping CUI reduces your compliance burden and prevents over-application of handling requirements to information that doesn't warrant them.

Missing the FOUO transition. FOUO (For Official Use Only) is no longer a valid designation. Legacy documents marked FOUO should be reviewed and re-marked as the appropriate CUI category (or determined not to be CUI). If you're still using FOUO in your organization's marking procedures, that's a gap.
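One way to find the gap described above, and to separate basic from specified markings as defined earlier (CUI vs. CUI//SP-[category]), is a small banner-marking scanner. This is an added example, not code from the original article; the legacy labels and the two CUI banner forms come from the text, while treating a trailing "//..." segment as dissemination controls and the sample banners are assumptions made here.

```python
import re

# Legacy pre-EO 13556 labels named in the text; none is a valid designation today.
LEGACY_LABELS = {"FOUO", "FOR OFFICIAL USE ONLY", "LES", "SBU"}

# Banner forms stated in the text: "CUI" for basic, "CUI//SP-<category>" for specified.
# Parsing an optional trailing "//..." segment as dissemination controls is an assumption.
CUI_BANNER = re.compile(
    r"^CUI(?://SP-(?P<cat>[A-Z0-9]+))?(?://(?P<dissem>[A-Z0-9/]+))?$"
)


def classify_marking(banner: str) -> dict:
    """Classify one banner line as legacy, basic, specified, or unrecognized."""
    token = banner.strip().upper()
    if token in LEGACY_LABELS:
        return {"status": "legacy", "category": None, "dissem": None}
    m = CUI_BANNER.match(token)
    if not m:
        return {"status": "unrecognized", "category": None, "dissem": None}
    cat = m.group("cat")
    return {
        "status": "specified" if cat else "basic",
        "category": cat,
        "dissem": m.group("dissem"),
    }


def scan_document(text: str) -> dict:
    """Classify every non-empty line and count legacy markings that need re-marking."""
    results = [classify_marking(line) for line in text.splitlines() if line.strip()]
    legacy = sum(1 for r in results if r["status"] == "legacy")
    return {"results": results, "legacy_count": legacy}


# Constructed sample banners for illustration (not taken from any real document).
SAMPLE = """CUI
CUI//SP-CTI
FOUO
CUI//SP-CTI//NOFORN
Approved for public release"""

if __name__ == "__main__":
    report = scan_document(SAMPLE)
    for r in report["results"]:
        print(r)
    print("legacy markings to re-mark:", report["legacy_count"])
```

Run it over the banner lines extracted from a document set; any non-zero legacy count is a marking-procedure gap to close before an assessment.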

Ignoring subcontractor obligations. If your prime's audit finds you passing CUI to subs without appropriate flow-down clauses, that's your problem, not your sub's. Build CUI handling verification into your subcontract management process before your C3PAO assessment — the assessor will ask about subcontractor CUI handling.

## What Your Assessor Expects

CMMC assessors evaluate the MP.L2-3.8.4 (marking media) and CA.L2-3.12.4 (SSP) controls with awareness of the CUI authority chain. They expect you to be able to explain:

  • Which CUI categories appear in your environment and why
  • How you determined your in-scope assets based on CUI data flows
  • How you received CUI (from which agency, under which contract)
  • How your handling procedures align with the specific requirements for each CUI category in your environment

"We protect everything the same way" sounds defensive — it may be correct, but the assessor wants to see that you understand the authority chain, not just that you applied a blanket policy.

---

For CUI category definitions and handling requirements, the CUI Registry at archives.gov/cui is the authoritative reference. Bookmark it. When in doubt about whether something is CUI or how to handle a specific category, that's your first stop — not your prime contractor and not a consultant's summary.