Understanding Covered Defense Information in Defense Contracting

This episode guides listeners through key aspects of Covered Defense Information (CDI), from core definitions and marking requirements to contract data rights and procurement compliance. Hosts Eric, Paul, and Roz break down regulations, risks, and real-world examples to help users, product owners, and procurement staff safeguard sensitive information effectively.

This show was created with Jellypod, the AI Podcast Studio.


Chapter 1

Covered Defense Information Fundamentals

Paul Netopski

Welcome back, everyone, to CMMC Unlocked! I'm Paul Netopski, joined as always by Roz the Rulemaker. Hope you brought your acronym bingo card today, because we're diving into CDI, CUI, FCI, CTI—seriously, Roz, there's almost more acronym stew here than security controls, right?

Roz the Rulemaker

Absolutely, Paul. It's no wonder people get overwhelmed. So let’s just demystify these, quickly. FCI—Federal Contract Information. Think “routine but not public” contract info, based on FAR 52.204-21. CDI—Covered Defense Information—comes directly from DFARS 252.204-7012. That's information, unclassified but controlled, that needs safeguarding as required by law or contract. CUI stands for Controlled Unclassified Information, a broader bucket under 32 CFR 2002. And CTI is Controlled Technical Information—DoD's flavor, cited in their instructions and regulatory clauses. ITAR, EAR, those are export control lanes, but we'll stay on the defense contract side for now.

Paul Netopski

Exactly. All these map into this big compliance mosaic, but they funnel into CMMC requirements, which are built on NIST Special Publication 800-171. Now, why do we obsess over these? Because—at CMMC Level 2 and up, your organization is on the hook to prove it protects CUI and CDI in line with those 110 controls from NIST 800-171. Otherwise? You’ll never get that DoD contract, period.

Roz the Rulemaker

And not all data that looks technical or sensitive is CUI, right? So, Paul, I know you’ve seen some wild misclassifications in the field.

Paul Netopski

Oh, definitely. One CMMC Level 2 assessment comes to mind—small manufacturer, plenty of technical drawings, specs, test reports. One engineer flagged everything with a "CUI" watermark—every. single. page. Even their lunch order forms were getting tagged! In reality, some of those drawings weren't actual contract deliverables or didn't meet the legal definition. That kind of over-marking caused a real bottleneck in contract reviews and confusion about how to handle the documents. We had to circle back with the contracting officer and disentangle what was truly CUI per the contract requirements. It was a teachable moment that literally slowed down their submission and risked non-compliance. So—classification isn’t a guessing game. You have to tie it back to contract language and regulatory definitions.

Roz the Rulemaker

Contract ramifications, for sure. That’s a good segue to how those markings and data rights get applied. But before we get into that, if you’ve got policies, trainings, or stories from the trenches—stick with us, because we’re breaking those down as we go.

Chapter 2

Markings, Identification, and Data Rights

Roz the Rulemaker

So, when we talk about identifying and marking CUI or CDI, DoD regulations aren’t subtle. The document header or footer needs to be labeled “CUI”—not “CONTROLLED”—specifically in DoD environments. And you have to include a designation block stating who controls it, which office, applicable CUI category, any dissemination controls, and the POC. Sometimes this also requires a distribution statement, like “Statement D” or “Statement E” from DoD 5200.48 and 5230.24. All these specifics are how you make sure the downstream users know how to treat the information.

Paul Netopski

And Roz, on data rights, that's where contract negotiations get tricky. So, under federal contracts, you’re likely to see unlimited rights, government purpose rights, limited rights, restricted rights, and then sometimes SBIR or commercial data licenses as well. If something’s developed fully at government expense, it's usually “unlimited rights”—the government can use and share it freely. But if it’s developed at private or mixed expense, then you see “limited” or “restricted.” Commercial computer software has its own licensing. And let's not forget—the exact language should match what’s asserted in your contract response or NDA. Get it wrong, and you could be giving away way more than intended…or causing a compliance gap.

Roz the Rulemaker

What about improperly marked material? Let’s say a prime contractor gets information labeled “CUI” with no designation block—what’s the practical step for an employee, Paul?

Paul Netopski

Great question. First up—don’t panic, don’t distribute it further. Notify the sender and request a corrected document per proper protocol. If needed, escalate to your contracting officer or legal team. Sometimes past audits have uncovered stuff marked “FOUO” or “SBU,” which isn’t CUI; that should be correctly remarked before sharing externally. I actually saw an audit finding once where a team failed to update legacy markings, and it triggered a corrective action—they had to recall and redistribute a pile of documents. That’s a small error with big implications.

Roz the Rulemaker

Yeah, corrective actions eat up time and resources, and can mess with deliverables. So, proper identification and communication cannot be an afterthought—otherwise you set off a compliance domino effect.

Chapter 3

Procurement, Compliance, and Penalties

Roz the Rulemaker

Now, when you step into procurement—contracts, subcontracts, all that legalese—you’re inside the FAR and DFARS universe. Before you even accept a contract or PO, you need to review all the required clauses. Which data rights apply? What CUI or CDI handling obligations do you have—for both prime and suppliers? Many flow-downs aren’t straightforward, especially for subs. And don’t assume all your T&Cs match just because the prime handed them over.

Paul Netopski

Right, and if you’re on the supplier side, don’t just accept boilerplate. Negotiate, request clarifications, and validate whether clauses like DFARS 252.204-7012 or FAR 52.204-21 even apply—it depends on the deliverables, not just contract buzzwords. And remember—if you can’t comply, or the terms were added after your quote, you may have room to say no or ask for revised pricing.

Roz the Rulemaker

The risks for compliance failures are real. DOJ’s Civil Cyber-Fraud Initiative and the False Claims Act penalties are massive. Look at the recent L3 Technologies settlement—$62 million. Even unintentional errors or ‘reckless disregard’ for the rules can bring fines, investigations, and whistleblower actions. We're talking treble damages, plus statutory penalties per claim. So, procurement teams need to ask sharp questions: Is there a valid contract number? What’s the information exchange—FCI, CDI, CUI, ECI? What’s the chain of precedence—T&Cs, SOW, DD254? If the answers are murky, red flag it. Don’t move forward until it’s crystal clear.

Paul Netopski

And don't forget, sometimes suppliers have negotiation power—especially if they’re the sole source. But often, you may just want to walk away from burdensome or unclear flow-downs that were never disclosed up front. Better that than stumbling into a compliance trap that costs you more in penalties than the contract was worth.

Chapter 4

Training and Continuous Improvement

Paul Netopski

Even the tightest contracts and controls fall apart if your frontline team doesn’t know what they’re handling. That’s why training is so critical—everyone who interacts with CDI or CUI needs to understand not just the rules, but how they work in real life. What gets marked? How to spot legacy markings? And what to do when in doubt? Don’t just tick a “read the policy” checkbox—build recurring learning into your schedule, with mandatory acknowledgments, scenario walkthroughs…even signatures for accountability.

Roz the Rulemaker

It’s also not a “set it and forget it” job. Regular audits and self-assessments are key—spotting misclassifications and marking errors before the government or a third-party assessor does. And you need a feedback loop with contracting officers and suppliers. Sometimes guidance shifts, or audits bring new risks to light. Those communications ensure your policies, trainings, and even templates evolve as regulations and contract language do.

Paul Netopski

Exactly. Continuous improvement isn’t a buzzword—it's self-defense. If your team can spot a CUI marking miss, or flag an ambiguous contract clause before it hits external review, you’re well ahead of the penalty curve. Plus, that creates a culture where everyone feels responsible for compliance, not just a check-the-box mentality.

Chapter 5

Implementing Technical and Organizational Safeguards

Roz the Rulemaker

Let’s talk safeguards. It’s not just about labeling files—real protection means solid access controls. Role-based permissions, least privilege, and multi-factor authentication—those are your core defenses for ensuring only authorized users ever touch CDI.

Paul Netopski

Absolutely. And secure storage is just as vital. Encrypted file shares, restricted document vaults, secure cloud setups—however you do it, CDI and CUI need to be protected in transit and at rest. Don't dump it in a public folder or leave it on an unprotected device. Storage is only as secure as your weakest link.

Roz the Rulemaker

And if there’s a breach, or even suspected mishandling? You need an incident response procedure specifically for CDI events. So, who do you report to? How do you contain the risk, notify the right parties, and mitigate the exposure? These aren’t just cyber incidents—they can trigger contractual obligations and even legal reporting under CMMC rules.

Paul Netopski

Exactly. If you’ve embedded these response plans in operations, you’re not scrambling when something goes sideways. Instead, you follow a clean, practiced process and document what you did—to the letter. Not just for the audit trail, but for your own peace of mind.

Chapter 6

Engaging Stakeholders and Enhancing Security Culture

Roz the Rulemaker

No process or technical safeguard matters if your people aren’t bought in. That’s why stakeholder engagement isn’t a formality. You need comms campaigns, regular training for anyone touching CDI, and checkpoints to reinforce responsibilities. When in doubt, over-communicate.

Paul Netopski

And don’t overlook the value of certification programs, either. If your staff works with CDI, make ongoing CUI, data rights, and compliance training part of their job requirements—refresh it regularly, not just at onboarding. Make it part of performance reviews. Tie it to internal recognition if you can—that helps with retention and accountability.

Roz the Rulemaker

I like to see leadership set the tone—making CDI protection a part of town hall messages and policy rollouts. The more you embed it in company culture, the less it feels like a bureaucratic hassle and more like business as usual—or frankly, just smart risk management.

Paul Netopski

And attracting top contract talent, too. High compliance standards can actually be a competitive edge, if you communicate that story to your staff and stakeholders effectively.

Chapter 7

Auditing and Monitoring for CDI Compliance

Roz the Rulemaker

Finally, all this only works if you actually monitor what’s going on. Routine CDI audits—scheduled and unscheduled—let you find mistakes, improper markings, or unauthorized access before they snowball. Don’t just wait for the annual assessment or CMMC review to discover problems.

Paul Netopski

And please, use automated monitoring tools wherever possible. Track access logs, monitor data movement and storage. Those automated alerts are often your best early warning for unauthorized access or anomalous actions. Otherwise, you’ll always be one step behind.

Roz the Rulemaker

And when you do find something—don’t sweep it under the rug. Create a formal review process for every audit finding. Address it, adapt your policy or training, document the fix, and close the feedback loop. That’s how organizations mature—by learning from their actual environment, not just what the textbook or regulation says.

Paul Netopski

That wraps up another intense round of CMMC Unlocked. Thanks for sticking with us as we dove deep into the world of CDI. Roz, always a pleasure decoding federal alphabet soup with you.

Roz the Rulemaker

Same here, Paul. And thanks to all our listeners. Don’t forget—if you’ve got questions, send them our way. Next episode, we’ll dig further into real-world compliance scenarios and maybe unpack some recent case studies. Until then, keep those markings crisp and your compliance tighter.

Paul Netopski

Stay vigilant out there, everyone. See you next time.

Roz the Rulemaker

Take care, all. Goodbye!