On March 1, 2012, the Under Secretary of Defense for Intelligence released the new DoD Information Security Manual, DoDM 5200.01, Volumes 1-4. This new four volume manual supersedes its predecessor single volume manual, DoD Manual 5200.1-R. Of special note to government contractors is Volume 4 of the series, “DoD Information Security Program: Controlled Unclassified Information (CUI).” The new CUI Manual outlines and implements Executive Order 13556, “Controlled Unclassified Information.” The intent of the CUI Manual is to provide an open and uniform program for managing information that has not been given a classified designation but still requires some level of safeguarding or dissemination controls.
The practical application of the CUI Manual to government contractors is that any information marked as: (1) a trade secret or (2) as confidential commercial or financial information should now be designated as CUI by the government agencies they work with. This is because the CUI Manual states that any information protected by the Freedom of Information Act (FOIA) exemptions (such as Exemption 4 which protects trade secrets and confidential commercial or financial information) or information protected by the Privacy Act of 1974, be marked as For Official Use Only (FOUO), and protected as CUI. Since government contractors also routinely handle CUI, they will begin to see new clauses in their pertinent contract documents (e.g. contract clauses, statement of work, or DD Form 254), regarding additional control measures for information they receive or handle from the government. These non-disclosure of information clauses will prohibit the release of unclassified information to the public without the approval of the contracting authority and will also have to be flowed down by prime’s to all of their respective subcontractors. An example of this non-disclosure type clauses is the recently revised DFARS clause at 252.204-7000 “Disclosure of Information.”
The CUI Manual does not provide any greater legal protections to contractors trade secret information but it does ensure uniform handling and protection measures of such information throughout different government agencies. Contractors are advised to continue to mark their proprietary and trade secret information and ensure that any such information given to the government is now handled as CUI. Any CUI that comes under contractor control must be handled according to the new Manual and contractors must ensure that access to CUI is only given to those persons who have been determined to have a valid need for such access in connection with the accomplishment of a lawful and authorized government purpose. If unauthorized disclosures of CUI occur, a formal security inquiry is not required, however, appropriate management actions will be taken including disciplinary actions, sanctions and in the case of some information (i.e. Privacy Act or export-controlled technical data) civil or criminal charges.