What Governs the DoD CUI Program

Explore what DoD instruction implements the DoD CUI program and its importance for data protection.


---

The DoD CUI program doesn't have a single governing document. It has a governance chain: a federal executive order that established the program, a NARA regulation that defined the rules, a DoD instruction that implemented those rules within the department, DFARS clauses that made them contractual obligations, and NIST standards that defined the technical security controls. Understanding where each layer fits helps you know which documents govern which decisions.

Here's the chain, from the top down.

Layer 1: Executive Order 13556

Executive Order 13556, signed in November 2010, is the foundation. Before it, federal agencies each had their own system for managing sensitive-but-unclassified information. The Department of Defense called it "For Official Use Only" (FOUO). Other agencies used "Sensitive But Unclassified," "Law Enforcement Sensitive," "Sensitive Homeland Security Information," and dozens of other labels. None of these were standardized. Markings varied, handling requirements varied, and information shared between agencies created confusion about what protections applied.

EO 13556 directed the National Archives and Records Administration (NARA) to establish a single, government-wide program for managing Controlled Unclassified Information. NARA was designated as the executive agent, and the Information Security Oversight Office (ISOO) — housed within NARA — was given authority to develop policy and oversee implementation.

The EO established two key principles that flow through every layer below it:

  1. CUI markings and handling requirements must be standardized across the federal government. An agency can't invent its own category.
  2. Only information that falls within a statute, regulation, or government-wide policy can be designated as CUI. CUI designation isn't discretionary — information either meets the legal standard or it doesn't.

Layer 2: 32 CFR Part 2002 — The NARA Rule

NARA published the implementing regulation for EO 13556 as 32 CFR Part 2002, which took effect in September 2016. This regulation is the primary authority for how CUI is managed across all federal agencies and their contractors.

32 CFR Part 2002 defines:

  • The categories and subcategories of CUI, maintained in the NARA CUI Registry at archives.gov/cui
  • The marking standards for CUI — what the header banner must say, how to indicate specific category and subcategory when required
  • The handling requirements by CUI type — general CUI vs. CUI Specified (categories with additional restrictions defined by the underlying authority)
  • Who can designate information as CUI — only authorized holders acting within their organizational authority
  • The principles for decontrolling CUI when the protection requirement ends

The NARA CUI Registry is the authoritative list of every CUI category. If information doesn't appear in the Registry, it cannot be designated as CUI. The Registry is organized by category (e.g., "Defense," "Export Control," "Legal") and subcategory (e.g., "Naval Nuclear Propulsion Information," "Export Controlled Research"). Each entry includes the underlying legal authority and basic handling requirements.

This matters for contractors: you don't determine what is CUI based on how sensitive it feels. You determine it by matching the information to a category in the NARA CUI Registry and verifying that your contract or the originating agency has actually designated it as CUI.

Layer 3: DoD Instruction 5200.48 — DoD-Specific Implementation

The DoD implemented 32 CFR Part 2002 through DoD Instruction 5200.48, published in March 2020. DoDI 5200.48 translates the government-wide NARA rule into DoD-specific policies and procedures. It establishes:

  • The DoD's CUI categories and how they map to NARA Registry categories
  • Specific marking requirements for DoD CUI, including the requirement to include the DoD component's CUI Senior Agency Official contact information on some documents
  • Destruction requirements for CUI — methods acceptable for different CUI categories
  • Training requirements for DoD personnel who create or handle CUI
  • Incident reporting procedures for potential CUI compromise

DoDI 5200.48 is written for DoD personnel — the uniformed and civilian employees of the Department. It describes internal DoD obligations, not contractor obligations directly. However, it's the document your contracting officers use to implement CUI requirements in contracts, and it defines the DoD's expectations for how CUI should be handled by anyone in the supply chain.

One specific contractor-relevant provision: DoDI 5200.48 establishes an 8-hour reporting window for CUI incidents involving information that may affect national security. Contractors are generally governed by the 72-hour cyber incident reporting requirement in DFARS 252.204-7012, but when the incident involves CUI that could affect national security interests, faster reporting may be expected. Know this when you write your incident response procedures.

Layer 4: DFARS 252.204-7012 — The Contractual Obligation

The NARA rule and the DoD instruction govern government agencies. They create obligations for contractors through the contract. DFARS clause 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — is the mechanism.

When this clause appears in your contract, you are legally obligated to:

  1. Implement NIST SP 800-171 security requirements on all systems that process, store, or transmit covered defense information. The clause cites NIST 800-171 Rev 2 as the baseline standard.
  2. Report cyber incidents to the DoD within 72 hours of discovery. The report goes to the DoD Cyber Crime Center (DC3) via the DIBNet portal. "Cyber incident" means a breach or potential breach that affects covered defense information or systems.
  3. Submit your SPRS score. Your self-assessed NIST 800-171 score must be reported in the Supplier Performance Risk System (SPRS). This score is visible to contracting officers evaluating your readiness.
  4. Preserve forensic evidence. If a cyber incident occurs, you must preserve images of compromised systems and related artifacts for at least 90 days, available for DoD review.
  5. Flow down to subcontractors. Any subcontractor who will process, store, or transmit covered defense information under your prime contract must receive the same clause requirements. This is your responsibility as prime — not the government's.

The clause applies when two conditions are met: (1) the contract includes DFARS 252.204-7012, and (2) covered defense information will flow through the contract. Covered defense information includes CUI designated as such in the contract, as well as information that meets the definition of CDI under the clause even if not formally marked.

Layer 5: NIST SP 800-171 — The Technical Standard

The specific security requirements that DFARS 252.204-7012 mandates are defined in NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." As of early 2026, CMMC Level 2 assessments are based on Rev 2 (110 requirements across 14 families).

NIST 800-171 is not a DoD document — it's published by the National Institute of Standards and Technology, a bureau of the Department of Commerce. DFARS 252.204-7012 adopts it by reference, making it contractually binding on DoD contractors. NIST updates the standard independently of the DoD; when NIST publishes a new revision (as it did with Rev 3 in May 2024), the DoD must separately update the DFARS clause or the CMMC rule to adopt the new revision.

The practical implication: When you see that NIST has published a new revision of 800-171, don't assume it immediately applies to your contracts. Your contract references a specific version, and your CMMC assessment evaluates against the version in 32 CFR Part 170. Until the DoD formally updates those references, Rev 2 governs.

The CUI Marking Obligation: Where the Governance Chain Meets Daily Work

All of this governance chain produces a concrete daily obligation: CUI you create or handle must be marked correctly. This is NIST 800-171 control MP.L2-3.8.4 (marking media containing CUI) and the marking requirements in DoDI 5200.48 and 32 CFR Part 2002.

The marking standard:

  • Documents must include a CUI banner at the top and bottom of each page
  • The banner must say "CUI" at minimum; many DoD programs require the specific category designation (e.g., "CUI//SP-CTI" for Controlled Technical Information with Specified handling)
  • Digital files must be marked when transmitted — email subject lines, document file names, and metadata should reflect CUI designation
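One way to turn the marking rules above into a repeatable check before documents leave your environment (for example, as a pre-send gate or a periodic scan of a shared drive). This is an added example, not code from the article or from any DoD or NARA publication. The banner grammar it accepts is an assumption for illustration: "CUI", optionally followed by "//"-separated designators, with an "SP-" prefix taken to mean a CUI Specified category as in the page's "CUI//SP-CTI" example. The file-name rule and the sample documents are constructed; the authoritative marking rules are those in 32 CFR Part 2002, DoDI 5200.48 and the NARA CUI Registry.

```python
"""Check that a document carries CUI banner markings (added example, assumed grammar)."""
import re
from typing import List, Optional

# Assumed banner grammar: "CUI" alone, or "CUI//DESIGNATOR//DESIGNATOR..."
BANNER_RE = re.compile(r"^CUI(?://(?P<cats>[A-Z0-9-]+(?://[A-Z0-9-]+)*))?$")

# Assumed file-name rule: a standalone "CUI" token must appear somewhere in the name.
FILENAME_RE = re.compile(r"(?<![A-Za-z])CUI(?![A-Za-z])")


def parse_banner(line: str) -> Optional[dict]:
    """Return the banner's components, or None if the line is not a CUI banner."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    cats = m.group("cats").split("//") if m.group("cats") else []
    return {
        "categories": cats,
        # Any "SP-" designator means the document carries CUI Specified
        # handling, which the underlying authority restricts further.
        "specified": any(c.startswith("SP-") for c in cats),
    }


def check_page(page_text: str, page_no: int) -> List[str]:
    """Require a valid CUI banner as the first and last non-blank line of a page."""
    lines = [ln for ln in page_text.splitlines() if ln.strip()]
    if not lines:
        return [f"page {page_no}: empty page has no banner"]
    findings = []
    top, bottom = parse_banner(lines[0]), parse_banner(lines[-1])
    if top is None:
        findings.append(f"page {page_no}: missing or malformed top banner: {lines[0]!r}")
    if bottom is None:
        findings.append(f"page {page_no}: missing or malformed bottom banner: {lines[-1]!r}")
    if top is not None and bottom is not None and top != bottom:
        findings.append(f"page {page_no}: top and bottom banners disagree")
    return findings


def check_document(filename: str, pages: List[str]) -> List[str]:
    """Check the file name and every page; an empty list means no findings."""
    findings = []
    if not FILENAME_RE.search(filename):
        findings.append(f"file name {filename!r} does not reflect CUI designation")
    for i, page in enumerate(pages, start=1):
        findings.extend(check_page(page, i))
    return findings


# Constructed sample documents: a list of page strings per document.
GOOD_DOC = [
    "CUI//SP-CTI\n\nSection 1: drawing notes\n\nCUI//SP-CTI",
    "CUI//SP-CTI\nSection 2: tolerances\nCUI//SP-CTI",
]
BAD_DOC = [
    "CUI\nSection 1: drawing notes\n",      # bottom banner missing
    "FOUO\nSection 2: tolerances\nCUI",     # legacy FOUO label, not a CUI banner
]

if __name__ == "__main__":
    for name, doc in (("CUI_drawing_notes.pdf", GOOD_DOC), ("drawing_notes.pdf", BAD_DOC)):
        print(name, check_document(name, doc) or "no findings")
```

The check deliberately treats a legacy "FOUO" label as a missing banner rather than a near miss: EO 13556 retired agency-specific labels, so a document still carrying one has not been marked under the current program and should be routed back to whoever designated the information.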

The common mistake: Contractors assume they don't need to verify CUI categories because their contracting officer tells them what's CUI. This is partially correct — the government designates information as CUI, and you handle what they designate. But when you create new documents that contain technical data, specifications, or export-controlled research, you may be the one who needs to apply the marking. DoDI 5200.48 and your contract may authorize you to designate CUI you generate. If you're generating technical documents and not applying CUI markings, check your contract and the NARA Registry.

What Your Assessor Expects

CMMC assessors don't audit governance chains directly, but they expect you to understand what governs your program. During interviews, expect questions about:

  • Why DFARS 252.204-7012 appears in your contracts and what it requires
  • What sources you use to determine which information is CUI (correct answer: the NARA CUI Registry and the designation in your contracts)
  • How you handle CUI received from the government vs. CUI you generate internally
  • How marking obligations flow to subcontractors

More practically, your System Security Plan should document the legal and regulatory basis for your CUI protection requirements. The SSP should cite the applicable DFARS clauses, reference NIST 800-171 as the control standard, and reference the relevant CUI categories from the NARA Registry.

Assessors also examine whether your program is built on the actual governance requirements or on an approximation. An organization that says "we follow CMMC" without being able to trace CMMC back to the DFARS clause in their contract and the regulatory chain above it tends to have a compliance-on-paper program. The governance chain isn't just background — it's the answer to "why do we do this?" and your team should be able to answer that.