
Safeguarding CUI and Data Rights

This episode uncovers how organizations in the defense sector can identify, handle, and protect Controlled Unclassified Information (CUI), Covered Defense Information (CDI), and Controlled Technical Information (CTI). We examine contract requirements, marking guidance, and the latest resources to help contractors navigate CMMC compliance and data rights management.

This show was created with Jellypod, the AI Podcast Studio.


Chapter 1

Understanding CUI, CDI, and CTI

Eric Marquette

Welcome back to CMMC Unlocked, everyone. Today, we’re diving into the world of Controlled Unclassified Information—CUI—and its close cousins, CDI and CTI. I’m Eric Marquette, joined by Ruby Sturt and Paul Netopski. Paul, you want to kick us off with the basics? What are these acronyms all about?

Paul Netopski

Absolutely, Eric. So, Controlled Unclassified Information, or CUI, is information that the government creates or possesses—or that a contractor creates or possesses for the government—that requires safeguarding or dissemination controls, but doesn’t meet the threshold for classification. Covered Defense Information, or CDI, is a subset of CUI, specifically called out in DFARS 252.204-7012. And then there’s Controlled Technical Information, CTI, which is technical information with military or space application that’s subject to access and dissemination controls. These categories matter because if you’re a defense contractor, you’re required to protect them under federal law and your contract terms.

Ruby Sturt

And just to add, it’s not always obvious what’s what, right? I mean, I’ve seen teams get tripped up thinking anything sensitive is CUI, but it’s got to be tied to a law, regulation, or government-wide policy. Paul, didn’t you have a contractor once who mixed up CUI and CDI?

Paul Netopski

Yeah, that’s right. They assumed all technical data was CUI, but missed that only information specifically identified in the contract or by law needed those protections. It led to a lot of confusion—and, honestly, some unnecessary controls. It’s critical to understand the definitions and check your contract language carefully.

Chapter 2

The NARA CUI Registry and Contract Implications

Eric Marquette

So, let’s talk about the NARA CUI Registry. Not every category in the registry applies to every organization, right?

Paul Netopski

Exactly. The NARA CUI Registry is a government-wide list of CUI categories, but only those categories that are referenced in your contract or the applicable law actually apply to you. Just because something’s in the registry doesn’t mean you have to protect it unless your contract or a codified rule says so.

Ruby Sturt

And that’s where it gets tricky, because sometimes contracts aren’t super clear. Like, you might get a document with no markings, or the contract just says “protect sensitive info.” What do you do then?

Paul Netopski

If the contract’s unclear, the best move is to ask your contracting officer for clarification. You can also check the CUI Registry for the specific category and look for the codified requirement. But don’t just guess—if you’re not sure, get guidance. It’s better to ask than to over- or under-protect information.

Chapter 3

Scoping and Boundary Setting for Sensitive Data

Eric Marquette

Alright, so once you know what you’re dealing with, you’ve got to figure out where that data lives. Scoping and boundary setting—Paul, why is this so important?

Paul Netopski

It’s essential because you need to define the technology, people, and physical locations that will process, store, or transmit CDI or CUI. If you can segment those systems or teams, you limit your exposure and make compliance much more manageable. Data flow diagrams are a great tool for this—they help you visualize how information moves through your organization.

Ruby Sturt

I love a good whiteboard session for this. I worked with a small manufacturer once, and we literally mapped out every way data came in and out—email, USB drives, even the printer in the corner. It was a bit chaotic, but seeing it all laid out made it so much easier to spot where controls were needed.

Eric Marquette

And it’s not just about IT, right? Physical documents, people carrying USBs, even someone jotting notes in a notebook—all of that can be in scope if it touches CUI or CDI.

Chapter 4

CUI/CTI Determination Workflow

Paul Netopski

Let’s walk through how you actually determine if something is CUI or CTI. First, are you engaged in a DoD contract? If yes, check if the information is marked or identified as CUI in the contract, task order, or delivery order. If not, is it listed in the CUI Registry and does it fall under a referenced law or regulation? And finally, did you collect, develop, or use it in support of the contract?

Ruby Sturt

I remember helping a team untangle this once. We made a checklist—contract engagement, markings, registry references, and so on. It was a bit of a slog, but by the end, everyone was clear on what needed protection and what didn’t. Sometimes just having a step-by-step process makes all the difference.

Eric Marquette

And if you’re ever in doubt, again, reach out to your contracting officer or your organization’s information protection team. They’re there to help you get it right.

Chapter 5

Marking, Handling, and Safeguarding CUI

Eric Marquette

Let’s get into marking and safeguarding. There are specific guidelines for how CUI, CDI, and CTI should be marked, right?

Paul Netopski

Yes. The CUI Marking Handbook lays out the requirements. You need to use the word “CONTROLLED” or “CUI” as a control marking, and for CUI Specified, you add the category, like “CUI//SP-CTI.” Limited dissemination controls are also marked with double slashes. And it’s not just about documents—emails, media, and even physical files need proper markings.

Ruby Sturt

Training is huge here. I’ve seen so many marking errors—like people forgetting to mark attachments, or using the wrong category. It’s easy to slip up if you’re not used to the process, but those mistakes can really hurt you in an audit.

Paul Netopski

Exactly. Consistent training and spot checks are key. And remember, if you aggregate enough CUI, it could become classified, so always be on the lookout for that risk.

Chapter 6

Policy Updates and Legislative Changes

Eric Marquette

Now, let’s talk about policy updates. The 2023 NDAA Section 874 and DoDI 5200.48 have brought some changes, especially around marking and training. The DoD is now requiring program classification guides and protection plans to include CUI marking guidance at their next update, and there’s a push for more consistent training and feedback loops.

Ruby Sturt

But the rollout hasn’t always been smooth, has it? I mean, I’ve heard from folks who are still waiting for clear instructions, or who get conflicting guidance from different sources. Communication is a real challenge with these policy shifts.

Paul Netopski

That’s true. The guidance is evolving, and timelines for compliance can be tight. Organizations need to stay plugged in to updates and make sure their teams are trained on the latest requirements. If you’re not sure, check the DoD CUI Program site or reach out to your contracting officer.

Chapter 7

Business Processes and Technical Controls

Paul Netopski

Let’s shift to business processes and technical controls. Everything needs to align with NIST SP 800-171. That means integrating cybersecurity into your daily workflows—not just IT, but HR, procurement, and even facilities. Technical controls are important, but so are policies, procedures, and training.

Ruby Sturt

Yeah, and it’s a balancing act, isn’t it? You want strong security, but you don’t want to grind productivity to a halt. I always tell teams to look for ways to automate controls where possible, and to make security part of the routine, not an extra chore.

Eric Marquette

And don’t forget to document everything. If it’s not written down, it didn’t happen—at least as far as an assessor is concerned.

Chapter 8

Data Rights and Lifecycle Management

Eric Marquette

Let’s talk data rights. There’s been a lot of focus lately on managing data rights events and using proper markings to reduce lifecycle costs. The August 2023 “Reducing Life Cycle Costs with Proper Data Right Markings” webinar had some great takeaways—like, if you get the markings right up front, you avoid a lot of headaches down the road.

Paul Netopski

Absolutely. Proper data rights management isn’t just about compliance—it can save you money and prevent disputes. Make sure you know what rights you’re granting or retaining, and mark your deliverables accordingly. That clarity helps everyone, from the engineers to the legal team.

Ruby Sturt

And if you’re not sure what applies, those DAU “Let’s Talk Data Rights” webinars are a goldmine. They cover everything from software rights to reverse engineering. Worth checking out if you haven’t already.

Chapter 9

Cybersecurity Resources and Training

Paul Netopski

There are a ton of resources out there for defense contractors. The DIB Cybersecurity Program offers free services, like vulnerability scanning and threat intelligence. CISA has training, tabletop exercises, and even a catalog of free cybersecurity services. And for small businesses, the N-CODE pilot is a real game-changer—it provides a secure cloud environment to help meet CUI requirements at little or no cost.

Ruby Sturt

Don’t forget the DAU events and training—webinars, workshops, even hands-on cyber ranges. And there are programs like SCORE and the NIST Small Business Cybersecurity Corner for more general support. There’s really no excuse not to get trained up these days.

Eric Marquette

And if you’re just starting out, the Blue Cyber Education Series is a great entry point. They’ve made cybersecurity approachable for small businesses and academic teams alike.

Chapter 10

Support, Contacts, and Next Steps

Eric Marquette

Alright, as we wrap up, let’s talk about where to get help. If you need expert support, DAU’s Mission Assistance program can connect you with specialists. For incident reporting, you’ve got the DoD Cyber Crime Center and the DIB CS Program—hotlines and email contacts are all available online. And don’t forget CISA’s 24/7 reporting line for cyber issues.

Paul Netopski

And for ongoing improvement, leverage government and industry initiatives—APEX Accelerators, MEP Centers, and the National Cybersecurity Alliance all offer resources. I’d be curious to hear from our listeners—what resources have you found most helpful in your compliance journey? There’s a lot out there, and sharing what works can help the whole community.

Ruby Sturt

Yeah, and if you’re feeling overwhelmed, you’re not alone. Reach out, ask questions, and use the support that’s available. Compliance is a team sport, and there’s always someone who’s been through it before.

Eric Marquette

That’s a great note to end on. Thanks for joining us on CMMC Unlocked. We’ll be back soon with more insights and practical tips. Paul, Ruby, always a pleasure.

Paul Netopski

Thanks, Eric. Thanks, Ruby. Looking forward to next time.

Ruby Sturt

Cheers, both of you. And thanks to everyone listening—catch you next episode!