On March 6, 2020, the Under Secretary of Defense for Intelligence and Security (USD(I&S)) signed DoDI 5200.48, "Controlled Unclassified Information (CUI)", the Department of Defense's instruction for managing Controlled Unclassified Information. Its purpose is to establish a standardized approach for DoD Components and contractors to handling, processing, safeguarding, and destroying CUI, replacing the inconsistent handling practices that preceded it and promoting uniform CUI protection across the defense ecosystem.
The instruction applies to defense agencies, military departments, and private contractors doing business with the DoD. Organizations must handle CUI securely and in accordance with policy, with particular attention to environments exposed to insider threats and cybersecurity risks.
Applicability and Responsibility under DoDI 5200.48
DoDI 5200.48 applies to all components of the Department of Defense, including the military services, defense agencies, DoD field activities, and applicable contractors. It covers all arrangements, agreements, contracts, and other transaction authority actions involving CUI.
The Under Secretary of Defense for Intelligence and Security (USD(I&S)) establishes CUI policy and oversees the DoD Information Security Program. DoD Component Heads are responsible for implementing the policy across their respective organizations. Authorized holders of CUI, including DoD personnel and third parties, are accountable for day-to-day compliance, especially around access, safeguarding, and destruction.
DoDI 5200.48 Requirements
Section 3 of DoDI 5200.48 details the programmatic responsibilities and requirements that govern proper management, safeguarding, and dissemination of Controlled Unclassified Information. Key elements of the program include:
- Establishing CUI Programs: Under Section 3.1.a, the DoD follows 32 CFR Part 2002, which designates NARA (the National Archives and Records Administration) as the CUI Executive Agent, with its Information Security Oversight Office implementing and overseeing the government-wide CUI program.
- Legacy Requirements: Section 3.2 states that legacy DoD information does not need to be re-marked, but it must be reviewed for CUI when it is incorporated into new documents.
- Handling Requirements: Section 3.3 promotes information sharing while ensuring the necessary safeguards are in place. It sets out the responsibilities of originators and authorized holders of CUI, including the decontrolling of CUI.
- Marking Requirements: Section 3.4 states that CUI must be marked in accordance with NARA's CUI Marking Handbook and DoD guidance, using standardized banners and headers.
- General Requirements: Section 3.5 requires each DoD Component to appoint a Component Senior Agency Official (CSAO) to oversee management and implementation of CUI. The CUI procedures in Section 3.6 require the responsible DoD Component head to submit an annual report covering CUI implementation, training statistics, incident management, costs, and inspection activities. Section 3.7 lays down the preliminary requirements for implementing, marking, and managing the CUI program.
- Original Classification Authority: Section 3.8 outlines the responsibilities of the DoD Original Classification Authority (OCA). While OCAs primarily apply to classified information, the directive clarifies responsibilities when classified and CUI coexist, ensuring proper differentiation and handling of each.
- Disclosure & Release: Section 3.9 sets the requirements for the authorized release or disclosure of CUI, whether to foreign entities, other government agencies, or the public. All releases must comply with applicable laws, DoD policy, and dissemination controls.
The last of the general requirements, Section 3.10, covers the system and network security requirements for CUI.
These programmatic instructions establish a standardized approach for protecting CUI across its lifecycle, from creation and use to eventual destruction, and help maintain the confidentiality and integrity of sensitive unclassified information.
CUI Dissemination, Decontrolling, and Destruction
Section 4 of DoDI 5200.48 outlines how CUI is to be disseminated, decontrolled, and ultimately destroyed to prevent data leaks or unauthorized access. These measures safeguard CUI throughout its lifecycle.
General Dissemination Requirements for CUI (Sections 4.1 & 4.2)
As per section 4.1, the dissemination of CUI is limited to authorized individuals with a lawful government purpose. Contractors and partners may access CUI only when contractually permitted and when it aligns with DoD mission objectives.
Legacy Distribution Statements (Section 4.3)
Legacy CUI documents, especially those involving export-controlled information, included distribution statements as per DoDI 5230.24. These statements helped clarify how the DoD and its contractors share the responsibility to protect the CUI.
Decontrolling of CUI (Section 4.4)
Decontrolling is the process of removing CUI status. As stated in Section 4.4.a, CUI may be decontrolled when it no longer requires protection. Decontrol may occur automatically (for example, when a control expires), through an agency decision, or in response to legal or regulatory changes. Decontrol must also be documented to ensure audit readiness.
Destruction of CUI (Section 4.5)
Section 4.5.a mandates that when CUI, whether electronic data or paper records, is no longer needed, it must be destroyed so as to render it unreadable, indecipherable, and irrecoverable. Acceptable destruction methods must comply with NIST SP 800-88 Revision 1, which defines sanitization techniques for digital media and for hard-copy records, and which also expects every sanitization to be verified and documented.
For electronic media, one of the following NIST SP 800-88 sanitization categories applies, chosen according to the media type and whether the media will be reused or leave the organization's control:
- Clear: Applies logical techniques through the device's normal read/write interface, typically a single overwrite pass with a fixed pattern (or a factory reset where overwrite is not supported), to defeat simple, non-invasive recovery. Clear cannot reach areas the host cannot address, such as remapped sectors or an SSD's over-provisioned flash.
- Purge: Applies physical or logical techniques that make recovery infeasible even with laboratory methods, such as firmware-level commands (ATA Secure Erase, SANITIZE), Cryptographic Erase (sanitizing the encryption key of self-encrypting media), or degaussing for magnetic media.
- Destroy: Physically destroys the media so that it cannot be reused and recovery is infeasible, using shredding, disintegration, pulverization, or incineration.
DoD contractors and agencies should ideally use certified data erasure software such as BitRaser that follows the NIST SP 800-88 media sanitization guidelines and generates a digitally signed certificate of destruction for audits and compliance. Improper CUI destruction is a significant breach vector. BitRaser supports multiple erasure standards, including the legacy DoD 5220.22-M multi-pass pattern (NIST SP 800-88 itself accepts a single fixed-pattern pass for Clear), integrates compliance reporting, and, where Clear or Purge is acceptable for the media, removes the need for physical destruction, which also serves sustainability goals. By automating and verifying erasure, BitRaser addresses one of the most critical and most underestimated stages of the CUI lifecycle.
Conclusion
DoDI 5200.48 is the governing guidance for the secure handling and destruction of Controlled Unclassified Information within the Department of Defense and its contractors. Neglecting destruction in the data lifecycle can jeopardize compliance and lead to severe breaches. Book a demo with BitRaser today to explore how our data erasure solution can help you permanently and verifiably destroy CUI in line with DoDI 5200.48 and NIST SP 800-88.