CUI: The Hot Potato of Government Data

Controlled Unclassified Information (CUI) is the lifeblood of the Defense Industrial Base. It’s the sensitive data that keeps our country safe, and it’s also a massive compliance headache. One of the biggest questions that comes up is: who is actually responsible for this stuff?

Is it the government agency that created it? The prime contractor who received it? The subcontractor who is using it to build a critical component? The answer, unfortunately, is “all of the above.” CUI is like a hot potato, and everyone in the supply chain has a responsibility to handle it correctly.

The Chain of Custody

Here’s how it generally works: the government agency that creates the CUI is responsible for designating and marking it as such. But the moment that data enters your environment, you’re on the hook for protecting it.

If you’re a prime contractor, that means you have to flow down all the CUI protection requirements to your subcontractors. And if you’re a subcontractor, you have to implement the same level of security as the prime, even if you didn’t create the data yourself.

Here’s what you need to do:

   Protect it: You must safeguard CUI in accordance with NIST SP 800-171.

   Train your people: Everyone who touches CUI needs to know the rules.

   Control access: Don’t let anyone see CUI who doesn’t have a need to know.

   Mark it: If you create new documents that contain CUI, you have to mark them appropriately.

   Report it: If you think CUI has been compromised, you have 72 hours to report it to the DoD.

Don’t Assume – Verify

You can’t just assume that the CUI you receive is properly marked. You have to do your own due diligence. And if you create new CUI in the course of your work, you’re responsible for identifying it, marking it, and protecting it.

It’s a lot to keep track of, but it’s a critical part of being a responsible steward of sensitive government data.

Let Capital Cyber help you with CMMC Compliance