Working as a contractor for the federal government means complying with a wide range of rules. Some of these are large, obvious, and well-enforced, like the security frameworks we so often discuss here on the Ignyte blog. Others are small rules, scattered throughout disparate memos and resources, and it can sometimes be easy to forget them – or not even know them at all.
And, of course, it doesn’t help matters that these rules can change from time to time.
One such recent change – or rather, clarification – is the matter of sharing CUI. Let’s talk about the latest changes to CUI sharing, what they mean now, and what they may mean in the future.
Refresher: What is CUI?
When working with the federal government, you have to obey a variety of information security rules. While a significant portion of these rules relate to cybersecurity, others focus on access control and the accessibility of information.
To help make these rules more manageable, information is categorized into specific types, each with its own level of control.
The highest levels of control are put on classified information, which is information considered to be Top Secret, Secret, or simply Confidential. The higher the level of classification, the more restricted access to the information is, and the more an individual or entity must demonstrate a legitimate need to obtain the information.
This isn’t as cloak-and-dagger as it often sounds. A common example is that all military pilots generally require Secret clearance, because many of the documents used as part of military exercises and military aviation are classified as Secret. Simply having Secret clearance doesn’t mean said pilots can access all Secret documents, though; they can only access those necessary for their jobs.
All of this is above the usual pay grade of what we discuss here on this blog. Control of truly classified information goes beyond the frameworks we cover, such as FedRAMP and CMMC. What we’re typically more concerned with is CUI, or controlled unclassified information.
CUI is information that is sensitive enough to warrant protection, but not so sensitive that it deserves to be classified. It encapsulates everything from the personally identifiable information of government employees, all the way to information about naval nuclear propulsion, bank secrecy, and the identity of whistleblowers. The government maintains a comprehensive list of the sorts of information that are controlled but unclassified, which you can browse through here.
CUI comes in two forms: Basic and Specified. Basic is general CUI, while Specified often has additional rules on top of the Basic CUI rules, such as specifics from the Department of Defense for naval nuclear propulsion information.
Finally, below even CUI is uncontrolled information. Basic public information and other completely non-sensitive information doesn’t need to be controlled at all. This is the basis of how scaling security and impact levels work, and how contractors can get away with LI-SaaS security when they don’t handle CUI for the government at all.
You can read a much deeper dive into what CUI is, what Basic and Specified mean, and how it can all impact you in our Practical Guide to Understanding CUI Regulations.
In General, Can CUI Be Shared?
The answer to this question is a qualified yes.
A government agency needs to share CUI with a contractor in order for that contractor to be able to function. The whole point of frameworks like CMMC is to establish security for that sharing of CUI, in a way that maintains its safety and security and prevents it from being leaked or shared with entities that don’t have authorization to have that information.
CUI can be shared with partners, agencies, and Congress, but if you want to share it with a foreign entity, you may not be able to. Some countries as a whole are flagged such that CUI and other forms of controlled information are not shareable with them, and others have export controls in place.
As things stood until recently, sharing with a foreign entity was possible as long as the CUI was not marked as NOFORN (No Foreign Dissemination), was not controlled via some other form of export control, and the foreign entity was not in a country that cannot be given CUI at all. In order to share, however, the DoD would need to obtain specific permission from the originator of the CUI to share it with the foreign entity.
CUI can be restricted according to a variety of dissemination controls. These controls include:
- NOFORN – No Foreign Dissemination at all.
- FED ONLY – The information can only be shared with federal employees.
- FEDCON – The information can only be shared with federal employees and contractors.
- NOCON – The information cannot be shared with contractors.
- DL ONLY – The information comes with a specific list of people, contractors, and entities that can share it.
- RELIDO – Releasable by information disclosure only.
- REL TO – The information can only be shared with a specific list of nationals.
- DISPLAY ONLY – The information can be viewed by foreign recipients, but copies of it cannot be made.
You can read more about all of these here.
Recent Changes to CUI Sharing
Now that we’ve established the baseline, let’s talk about the recent DoD memo from February 15, 2024. This memo, titled Change to Policy on Sharing Controlled Unclassified Information with Foreign Entities, is exactly that. If you want to read the full memo, you can find it here.
This memo is a change to a policy, but it also highlights an important thing to know. The rules for information sharing vary depending on who you are and your role in the overall ecosystem. As a federal contractor, whether or not you have CMMC certification determines whether or not CUI can be shared with you. However, whether or not you can share that information onwards can depend on other factors. The DoD and other federal agencies can choose to share CUI with more flexibility and freedom than contractors.
The memo addresses a particular conflict in the rules regarding CUI.
Prior to this memo, DoD personnel were able to share CUI with foreign entities so long as the information was not expressly marked as not releasable to foreign nationals. However, in order to share that information, the DoD employee in question would need to obtain a positive foreign disclosure decision made by the authority that controls the information in question to allow it to be released to a foreign entity at all.
Since the overall purpose of the CUI program is to facilitate sharing and collaboration and to streamline the sharing of nonessential information (while allowing for the protection of more strictly controlled information), this requirement was at odds with that purpose. The additional roadblock simply made it harder for DoD personnel to share CUI in the manner necessary to do their jobs and collaborate with foreign entities.
The meat of the memo is the acknowledgment of this conflict and a change. Here’s what it says:
“In keeping with the purpose of the CUI program and the NDS, the memorandum eliminates the requirement in Paragraph 3.7(b)(4) of reference (c) that a positive foreign disclosure decision must be made before CUI is released to a foreign entity. All other requirements related to the foreign dissemination of CUI, including limits on CUI marked as not releasable to foreign nationals by the originator and the requirement for DoD Components to establish processes and procedures for approving the sharing of CUI with foreign entities, remain in effect.”
To clarify a couple of the terms in that paragraph, reference (c) is DoD Instruction 5200.48, “Controlled Unclassified Information (CUI),” March 6, 2020. Paragraph 3.7(b)(4) reads:
“CUI designated information may be disseminated to a foreign recipient in order to conduct official business for the DoD, provided the dissemination has been approved by a disclosure authority in accordance with Paragraph 3.4.c. and the CUI is appropriately marked as releasable to the intended foreign recipient.”
You can read the whole of DoD Instruction 5200.48 here, if you wish, though since it sets out rules that govern the Department of Defense rather than its contractors, most of you won’t need to know it in detail.
The Limitations of the DoD Memo
There are two very significant limitations to this memo. Seeing as all it does is strike one small rule from a much larger overall framework of rules, it may not seem like these limitations are critical, but they are, especially for our user base.
The first limitation is that this does not supersede ITAR or Export Control regulations. In fact, any specific controls on CUI, ranging from NOFORN designation to ITAR classification to CUI Specified designations with additional rules, will still apply and generally prevent the information from being shared with foreign nationals or entities.
This is nothing new; we just wanted to make sure it was crystal clear that removing one restrictive limit on sharing CUI does not suddenly make widespread sharing of CUI without restriction possible or allowable. There are still controls in place, and there are still strict penalties for sharing information that should not be shared.
The second and more important of the two limitations is that this is explicitly a DoD-internal memo. That means it applies to the Department of Defense and its employees, and not to contractors. Government contractors looking to share CUI still need to behave as before; this memo changes nothing for them, or for us.
Will More Changes to CUI Sharing Come Soon?
For the moment, we’re in a holding pattern. As it currently stands, it’s business as usual for contractors; we have to play by the rules of documents such as DFARS 252.204-7012 governing the way we can share, access, and use CUI and related information.
We at Ignyte expect that the government will, in the near future, review this memorandum and the related rules and will issue similar changes for contractors. When the goal is to reduce barriers to sharing information that facilitates collaboration without jeopardizing security in some way, it makes sense to extend it beyond the walls of the DoD and to the network of government contractors that collaborate with foreign nationals and entities.
As things stand right now, there’s no additional guidance for contractors. We anticipate changes, but we aren’t the government and aren’t inside sources, so we can’t say with certainty whether or not those changes will be forthcoming, what they will contain, or when they will be released. All we can do is anticipate them.
How can you navigate this situation? If you’re a DoD employee, you can breathe a slight sigh of relief as one additional piece of paperwork and administrative burden is taken off your plate. If you’re a non-DoD government employee or a contractor working with the federal government, it’s business as usual, and no changes should be made yet.
We will, of course, share updates as we know them. If the government chooses to allow more freedom of collaboration using standard CUI for contractors, we’ll be more than happy to help share the good news. If it doesn’t happen, then so it goes.
As always, remember that other specifications and rules, ranging from NOFORN designation to rules on certain CUI Specified information types to ITAR and Export Control rules, will all still be in effect. If and when this change trickles down to contractors, it won’t be an immense and significant change, just a small adjustment to the administration and the permission slips we’ve had to gather for so long.
As a 3PAO and service provider working all throughout government contracting, we’re excited about this change as a way to streamline and facilitate operations for many of our clients. If you would like to discuss the repercussions of the potential change and see if there’s anything you should do to prepare for it, feel free to reach out.
Of course, you are still required to comply with all of the usual security measures and frameworks for protecting and securing your CUI. Whether you’re looking into ITAR, CMMC, FedRAMP, or any of the many other frameworks, we can help. We have a deep well of experience across the board, and we can lend advice and show you how the Ignyte Platform can speed up and streamline the process of applying for – and achieving – certification. Simply reach out or request a demo of our platform today, and we can get the ball rolling.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to the defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.