Cybersecurity Public Speaker & Thought Leader; Author of Several Cyber/Infosec Books; CMMC CCP, CCA, PI; General Counsel; Electrical & Computer Engineer; Systems Admin./Dev.; Educator; Expert Witness; Company Co-founder
If you are following along on the CUI program home game, you know that the CUI program was created to apply a consistent set of requirements across the entire Executive Branch of the federal government, requirements that define what sensitive, unclassified information is and how that information should be safeguarded and disseminated. These requirements are defined in 32 CFR 2002, which was published in 2016.

When the United States Department of Defense first created DoDI 5200.48 back in 2016 (DoDI 5200.48 defines DoD's implementation of the CUI program), 32 CFR 2002 was pretty new and, understandably, the early version of 5200.48 had some inconsistencies. DoD released an updated version of DoDI 5200.48 about a year and a half ago, and it addressed some of those inconsistencies. DoD recently released an updated policy memo which makes some additional changes to 5200.48:

https://lnkd.in/gmsySBBq

Those changes have, unfortunately, created a bit of added confusion about when CUI can be disseminated to authorized holders, especially when: a) the disseminator is a government contractor; and b) the authorized holders are not US persons. The CMMC Information Institute put together the flowchart, below, to help walk government contractors through when CUI can be disseminated to someone who is not a US person (or, really, anytime). Hopefully it is helpful!
#UPDATE: Final version available from the CMMC Information Institute website (https://lnkd.in/eSN5NEdU) and in the comments below.

The United States Department of Defense recently published a memo that updates its Controlled Unclassified Information ("CUI") program, as reflected in DoDI 5200.48, to be more consistent with certain aspects of 32 CFR 2002. As you may know, 32 CFR 2002 is the authorizing legislation that created the CUI program and applies to the entire Executive Branch, so removing some of the inconsistencies is a great step toward the agency-agnostic approach envisioned for the CUI program!

More specifically, the memo (link below) removes DoDI 5200.48's requirement for review of CUI before it can be released by a federal agency to a foreign entity. DoDI 5200.48 now (properly) only requires review when the CUI is subject to export controls or to a limited dissemination control like NOFORN. The memo can be found here:

https://lnkd.in/gbUfrcCX

The memo has created a bit of a stir in the government contractor space. Some are interpreting it as applying to government contractors, and that is not the case. The memo applies to the release of CUI by DoD, as an agency of the federal government, to a foreign entity (which has a specific definition in 32 CFR 2002). The unfortunate side-effect of the memo is that it seems to have created much more confusion about how and when CUI can be disclosed to non-US persons. The CMMC Information Institute has prepared the flowchart, below, to help people with this analysis. A higher resolution version will be available on our website tomorrow. Thank you to all those who weighed in on early drafts! We hope it is helpful!
Would you please DM me the latest copy? I can't seem to download or save the latest.
Now we just need to get primes to properly mark CUI and FCI for subs. I've lost count of how many times I've had to go to primes and ask if a document is CUI, and they say yes, but all it has is the company letterhead.
James, I am a bit confused by this diagram. Non-US entities and individuals have access to export-controlled CUI (ITAR) data all the time. This chart says that they cannot. They just need the appropriate license from DDTC. Am I missing something?
I know Mary had a little lamb... when did she get an upgrade?? 😅
Thank you James Goepel
Thanks for posting
For those who may not see it in the original post, there is an updated version here: