New DoDI 5200.48 on CUI -- Impact on Int'l Acquisition
While Bill addressed his blog to Defense Acquisition Workforce members in general -- and life cycle logisticians and product support managers in particular -- I would like to highlight several key aspects that will affect the DoD International Acquisition and Security Cooperation communities, our allies and friends, and U.S. and foreign industry. This long-awaited (and lengthy) DoDI establishes comprehensive policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD.
The largest immediate impact will be how we (and DoD contractors) mark DoD CUI documents from this point onward. Newly created CUI documents will have to be marked using the new CUI markings specified in DoDI 5200.48. Most legacy CUI documents won't need to be re-marked or redacted while under DoD control. However -- and this is a big however -- any such legacy documents or new derivative documents will have to be marked with the new CUI markings if the information still "qualifies as CUI and the document is being shared outside DoD" (para 3.2.a.). Table 1 contains a few "DoD CUI Registry Category Examples" and Table 2 contains "Dissemination Control and Distribution Statement Markings" that replace all of the legacy "Distribution Statement" markings for Critical Technical Information in DoDI 5230.24 except for export control markings (para 4.3.b.). The entire set of Federal and DoD CUI Registry Categories can be accessed via Intelink if you have a valid CAC card. Fair warning -- there are a lot of categories!
The gory details of what DoD personnel will have to accomplish with respect to marking and protecting both CUI hard copy and digital CUI resident on Information Technology (IT) systems are contained in Section 3 (Programmatics), pages 12-26. Requirements for Dissemination, Decontrolling, and Destruction of CUI are contained in Section 4, pages 27-30. Industry responsibilities are covered in Section 5, Application of DoD Industry, pages 30-32, and Defense Federal Acquisition Regulation Supplement (DFARS) Sections 252.204-7008 and 252.204-7012 through contractual arrangements.
International Acquisition & Exportability (IA&E) Impacts
DoD IA&E workforce members have long been aware of CUI since there is so much of it in our programs, and since DoD's international transactions with allied and friendly nation government and industry personnel have always required careful marking and handling of U.S. and foreign CUI. All of our International Cooperative Program (ICP) international agreements contain a CUI Article/Section, and most of them require development of a Program/Project Security Instruction (PSI) based on guidance from the NATO-sponsored Multinational Industrial Security Working Group (MISWG) that initially issued recommendations regarding Classified Military Information (CMI) and CUI protection from the 1990s onward. The DoD Security Cooperation (SC) community has also emphasized the need for CMI and CUI protection in the Security Assistance Management Manual (SAMM) for Foreign Military Sales (FMS) and other types of SC transactions.
For many years, the Distribution Statements in DoDI 5230.24 for DoD acquisition program/technical info -- when coupled with DoD Component International Program Organization (IPO) guidance on how to obtain authorization for foreign disclosure of CUI (when justified) and applying adaptations of "REL TO" markings adopted by DoD and many of its allies/friends post 9/11 -- have gotten the job done. However, with the advent of DoDI 5200.48, DoD CUI policies and procedures have changed significantly and we'll all have to begin learning and following the "new rules."
DoD documents marked "FOUO" (or variations thereof) have been a harder problem to solve in the past, primarily because the FOUO marking was applied so broadly and vaguely, and because it was often a significant challenge to figure out who the Office of Primary Responsibility (OPR) actually was for such documents. Blended documents with CUI from multiple DoD organizations posed an even greater challenge, even when senior DoD officials supported foreign release. In many situations, the process for releasing CMI documents proved to be much easier than releasing CUI since classified documents have always been subject to standardized classification, OPR, and declassification marking requirements. The new DoDI 5200.48 -- once the DoD workforce learns how to categorize DoD CUI documents and mark them properly -- should help quite a bit in this area.
I predict that the U.S. Government's and DoD's transition from the old way of marking and handling CUI -- a combination of "FOUO, SBU, US Only" and other similar markings plus DoDI 5230.24 Distribution Statements -- to a much more complex and robust CUI marking and handling regime will be lengthy and difficult. However, as one of my old security mentors used to say about CUI, "we should mark it clearly so everyone understands what it is, and why it should be protected, or be prepared to lose it." The new DoDI 5200.48 provides everyone in government and industry the opportunity to achieve this outcome.
Until next time, Prof K