The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

DFARS 252.204-7012 Scoping Guide

CDI vs CUI: Covered Defense Information vs Controlled Unclassified Information

By The Defense Compliance Report Editorial Team— an independent trade publication on CMMC 2.0 and DIB compliance.

Last reviewed: · Last verified:

Educational research and reporting. Not legal, contractual, or compliance advice.

CDI vs CUI is not a choice between two security levels. Controlled Unclassified Information (CUI) is the government-wide category for information that a law, regulation, or Government-wide policy requires be safeguarded. Covered Defense Information (CDI) is the DFARS 252.204-7012 contract term for Controlled Technical Information — or other CUI Registry information — that also carries a specific connection to your DoD contract. In practice, CDI is qualifying CUI sitting inside a DoD contract relationship. Not every item of CUI is CDI on every contract, and the presence of the 7012 clause alone does not convert every file you touch into CDI.

That last sentence is where the money is.

The distinction sounds academic right up until you price it. The two-part definition buried in the clause is what identifies which information can pull a system into covered-system analysis in the first place. Get it wrong in one direction and you leave controlled information sitting on systems that were never hardened. Get it wrong in the other and you drag email, ERP, the shop floor, and your backups into an expensive environment your contract never asked for.

We read the current clause text, the CUI rule, and the CMMC program rule side by side to write this, and we link every regulatory claim to the authority it comes from so you can check our work. Below: the actual two-part test, a 15-scenario matrix showing how it resolves against real files, and the evidence you need before you spend a dollar.

One honest warning first, and we would rather lead with it than bury it. We cannot classify your specific file for you. Nobody can from the outside. We will show you exactly why — and exactly what to do instead.

CDI vs CUI at a glance

CDI vs CUI at-a-glance comparison
QuestionCUICDI
What is it?The government-wide category for controlled unclassified informationA contract term defined in DFARS 252.204-7012
Where does the authority come from?A law, regulation, or Government-wide policy supplies the control basis. NARA, through ISOO, administers the executive-branch CUI Program and approves the categories listed in the CUI RegistryThe Department of Defense, through the DFARS clause
Core testAn approved CUI Registry category, plus an authority requiring or permitting controlsQualifying CUI or Controlled Technical Information, plus a DoD contract-performance connection
Can it exist outside a DoD contract?Yes — across the executive branchNot as a 7012 term
Is it a separate sensitivity level?NoNo
Is it a separate CMMC level?NoNo
Where do you look first?The CUI Registry category and its authorityYour contract, its clauses, and how the information is actually used
The most common errorCalling every confidential business file “CUI”Calling every file under a 7012 contract “CDI”

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every regulatory and contractual claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they commit significant compliance budget.


CDI vs CUI: what is the difference?

CUI is the government-wide category for unclassified information that an approved authority requires or permits the Government to protect. CDI is the DFARS 252.204-7012 term for Controlled Technical Information, or other CUI Registry information, that also satisfies the clause’s DoD contract-performance test. The two overlap heavily, but they are not interchangeable labels, and they come from two different rulemakers.

The cleanest way to hold it in your head: CUI tells you what kind of information you have. CDI tells you when that information has landed inside a DoD contract relationship.

One is a category. The other is a relationship — and the obligations attach when DFARS 252.204-7012, or a valid flow-down of it, is actually in your contract.

CUI, in plain English

Controlled Unclassified Information is defined at 32 CFR 2002.4(h) as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Three things in that definition do real work, and most explainers skip all three.

First, there has to be an authority.Not a feeling. A law, a regulation, or a Government-wide policy. “This seems sensitive” is not a CUI designation. The rule describes three ways an authority can operate: it can require or permit controls without specifying them (CUI Basic), it can require or permit controls and spell them out (CUI Specified), or it can specify only some of them (CUI Specified, with CUI Basic controls filling the gaps).

Second, only approved categories count. Under 32 CFR 2002.4(k), CUI categories and subcategories are those the CUI Executive Agent has approved and listed in the NARA CUI Registry. The Registry is the authoritative list, and it identifies the basis for controls and the approved markings.

Third, your own private information is carved out. The definition expressly excludes classified information, and it excludes information a non-executive branch entity possesses and maintains in its own systems that did not come from — and was not created or possessed by or for — an executive branch agency. Your pricing strategy, your HR files, and your unrelated trade secrets are not CUI just because you are a defense contractor.

The program traces to Executive Order 13556, issued November 4, 2010, which designated the National Archives and Records Administration as Executive Agent; NARA delegated the role to the Information Security Oversight Office. The implementing rule at 32 CFR Part 2002 was published at 81 FR 63336 on September 14, 2016.

Note what CUI is not: it is not a DoD program. It runs across the executive branch.

CDI, in plain English

Covered Defense Information is defined inside DFARS 252.204-7012 itself. It is a contract term, and it is built in two parts.

Part one — the information must qualify. It must be unclassified Controlled Technical Information, or other information described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.

Part two — it must have a contract nexus. And it must be either:

  1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Read branch (2) again, slowly. That is the branch most contractors miss. CDI is not limited to files DoD hands you. Information your own engineers develop in performance of the contract can be CDI. Information you receive from a prime can be CDI. Information you merely store in support of performance can be CDI.

“DoD never sent it to us” is not a defense. It is not even a complete answer.

The full comparison

REGULATION-STATED. Every cell below reflects the cited authority. The arrangement is ours; the content is not.

Full comparison of FCI, CUI, CDI, and CTI across key dimensions
DimensionFCICUICDICTI
Full nameFederal Contract InformationControlled Unclassified InformationCovered Defense InformationControlled Technical Information
Defining authorityFAR CouncilNARA / ISOO administer the program under EO 13556; the control basis comes from law, regulation, or Government-wide policyDepartment of DefenseDoD — a CUI Registry category, also defined in the 7012 clause
Primary sourceFAR 52.204-2132 CFR 2002.4(h); EO 13556; CUI RegistryDFARS 252.204-7012(a)DFARS 252.204-7012(a); CUI Registry, Defense grouping
Is it a CUI Registry category?No — separate designationIt is the umbrellaNo — CDI is a contract term, not a Registry categoryYes
Security standard15 basic safeguarding requirementsNIST SP 800-171 Rev. 2 in the DoD context — 110 requirements across 14 families“Adequate security” — NIST SP 800-171 per the clauseNIST SP 800-171 Rev. 2, as CUI
Relationship to CMMC levelThe information basis for Level 1 when the solicitation, contract, or valid flow-down requires Level 1 (Self)May support Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC), depending on the CMMC Status stated in the applicable instrumentNo separate CMMC level. Where a contract requires Level 2, that level uses the 110 NIST SP 800-171 Rev. 2 requirements — but CDI status does not choose your level or assessment typeNo automatic level. CTI is a CUI category; the required CMMC Status comes from the solicitation, contract, or valid flow-down
Can exist outside DoD contracting?Federal-wideYesNoAs a category, yes; as CDI, no
Classic mistakeAssuming all FCI is CUICalling anything confidential “CUI”Assuming the clause makes everything CDIAssuming every drawing is CTI

[PRIMARY SOURCES: FAR 52.204-21; 32 CFR 2002.4; DFARS 252.204-7012; 32 CFR 170.5; 32 CFR 170.14]

One clarification worth pinning down, because it trips up even experienced compliance leads: CTI is a CUI Registry category. CDI is not.Controlled Technical Information appears in the Registry under the Defense organizational grouping. Covered Defense Information does not appear there at all — it lives in the DFARS as a defined contract term. If someone tells you to “look up the CDI category in the CUI Registry,” they are describing something that does not exist.


What is CTI, and how does it relate to CDI and CUI?

Controlled Technical Information is an approved CUI category covering technical information with military or space application that is subject to access or dissemination controls. CTI sits at the center of the CDI definition, but CTI becomes CDI only when the DFARS 252.204-7012 contract-nexus test is also satisfied. A drawing is not CTI simply because it looks technical.

The clause defines CTI as technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination — information that would meet the criteria for distribution statements B through F under DoD Instruction 5230.24. It expressly excludes information that is lawfully publicly available without restrictions. [PRIMARY SOURCE: DFARS 252.204-7012(a)]

“Technical information” is itself defined by reference to DFARS 252.227-7013, and the clause gives examples worth reading closely if you run a shop floor: research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses, and computer software executable code and source code.

Process sheets. Source code. Associated lists. That list is broader than most manufacturers assume.

So the chain runs: CTI is one category of CUI. CDI is qualifying CUI — very often CTI — with a DoD contract nexus. CDI is not a category at all.


Is CDI a subset of CUI, or are the terms interchangeable?

Operationally, CDI is a contract-specific subset of qualifying CUI: the 7012 definition is built from Controlled Technical Information or other CUI Registry information, so information that is CDI is also CUI. The reverse does not hold. CUI can exist with no connection to any DoD contract, and the same item of CUI can be CDI on one contract and not on another.

So: all CDI is CUI. Not all CUI is CDI.

Why “interchangeable” is wrong

Treating the terms as synonyms erases four things that decide your scope:

Why “subset” needs a qualifier

CDI is not a permanent sticker that attaches to information forever. It is the clause’s description of qualifying information in relation to a specific DoD contract. The same drawing can be CDI on the contract it supports and simply CUI in a context with no DoD contract nexus.

Think of CDI less as a category and more as a relationship.

DoD was asked to merge the two terms. It didn’t.

Worth knowing when a consultant tells you the terms have been unified. When DoD finalized the DFARS acquisition rule implementing CMMC — published September 10, 2025, effective November 10, 2025 — respondents asked the Department to streamline the CUI definition to match CDI, or to eliminate the CDI term. DoD responded that changing the codified CUI definition fell outside the scope of that rulemaking. [PRIMARY SOURCE: Federal Register, DFARS Case 2019-D041 final rule]

The 2025 rule did not merge the definitions. The current CUI and CDI authorities continue to define them separately. Anyone telling you otherwise is describing a change that did not happen.


The honest limit of this page — and what to do about it

Here is the part most compliance content will not tell you.

We cannot conclusively determine your file’s CDI status from a filename, a screenshot, or a one-sentence description.Neither can an outside adviser who has not reviewed the controlling authority, the file’s origin and use, the applicable contract or flow-down, its official release status, and the systems that touch it. Anyone who gives you a conclusive answer without reviewing that evidence is guessing — and guessing on your behalf is exactly the risk you are trying to eliminate.

We think that is the wrong question anyway.

The useful question is not “what does this file look like?” It is “which evidence satisfies each part of the regulatory and contractual test — and which piece am I missing?” That question you can answer. Today. Without a consultant, and without exposing a single sensitive document.


How do you determine whether information is CDI?

Run three separate checks in order: confirm the information qualifies as CUI or Controlled Technical Information, confirm the DoD contract-performance nexus described in DFARS 252.204-7012, then determine whether the clause is actually in your contract and which systems and subcontractors its obligations reach. Collapsing these three into a single yes-or-no question is the most common and most expensive scoping error.

REGULATION-STATED: the CUI definition at 32 CFR 2002.4 and the CDI definition at DFARS 252.204-7012(a).
DCR EDITORIAL APPLICATION: the three-gate CDI Contract-Nexus Grid below. It is our framework for organizing evidence — not a Government test, not a score, and not a compliance determination.

Gate 1 — Does the information qualify as CUI or CTI?

Gate 1 failure means the analysis stops. Information that does not qualify as CUI cannot be CDI, no matter which clauses appear in your contract.

There is a real risk on this side of the ledger that nobody warns contractors about. Under 32 CFR 2002.4(ee), misuse of CUI expressly includes designating or marking information as CUI when it does not qualify as CUI. Over-marking is not a safe default. It is its own category of error.

Gate 2 — Is there a DoD contract-performance nexus?

Gate 2 is where “we made it ourselves” stops being an argument.

Gate 3 — Which contractual and system obligations attach?

Qualifying CUI or CTI + DoD contract-performance nexus = CDI under DFARS 252.204-7012.

CDI touching a contractor system + an applicable 7012 clause or flow-down = covered-system and clause-obligation analysis.

A necessary caveat: this framework organizes evidence. It does not designate CUI, interpret your contract, or replace written direction from the originating authority, your prime, the Contracting Officer, a CMMC Registered Practitioner, or a qualified federal-contracts attorney. And identifying CDI is not the same as defining a CMMC assessment boundary — that is a separate determination under 32 CFR 170.19, covered further down this page.

The evidence to gather — and keep

A defensible scope record should include the following. Pull these, date them, and file them together:

That last line matters more than it looks. An undocumented scope decision is indistinguishable from no scope decision when someone asks you to defend it two years later.


Which real files are CUI, CDI, both, or neither?

File type alone cannot resolve the CDI vs CUI question. The same drawing, email, spreadsheet, process sheet, or purchase order can land in different buckets depending on its CUI category and authority, its official release status, its connection to a specific DoD contract, and how the company actually uses it. The matrix below applies the DFARS 252.204-7012 two-part test to fifteen representative contractor fact patterns.

DCR EDITORIAL APPLICATION.These are our applications of the cited definitions to representative fact patterns, not official designations. The Basis column maps each row to its controlling authority. We use “Likely,” “Not automatically,” and “Fact-dependent” deliberately. A page that answers every one of these with a confident yes or no is selling you certainty it does not have.

The Defense Compliance Report CDI–CUI Contract-Nexus Scenario Matrix — Version 1.1, July 2026

15-scenario CDI vs CUI analysis matrix applying the DFARS 252.204-7012 two-part test
#ScenarioCUI?CDI under 7012?WhyFirst evidence to checkBasis
1DoD or a prime provides a drawing marked CUI//CTI for use on your subcontractYesLikely yesCTI is a CUI Registry category, and it is provided for contract performanceMarking, distribution statement, contract or flow-down, originating office7012(a); CUI Registry
2Your engineer creates a process sheet by copying dimensions and tolerances from a controlled drawingFact-dependent — often yes if controlled content carries overLikely, if used in performance"Re-use" means incorporating, restating, or paraphrasing information from its originally designated form into a newly created documentSource drawing, what was copied, category authority, contract instructions32 CFR 2002.4(pp); 7012(a)(2)
37012 is in the contract, but the file is your unrestricted public product catalogNo, on those factsNoClause presence does not manufacture the information qualification in Gate 1Whether the catalog is genuinely public and unrestricted7012(a); 32 CFR 2002.4(h)
4A non-public purchase order with delivery dates and no controlled technical contentLikely FCI, not CUINot automaticallyNon-public contract information can be FCI without meeting a CUI category and authorityFAR and DFARS clauses, attachments, non-public statusFAR 52.204-21; 32 CFR 2002.4(h)
5Internal HR records, pricing strategy, or trade secrets unrelated to Government workNoNoThe CUI definition excludes information a non-executive branch entity possesses in its own systems that did not come from or for an agencyOrigin, purpose, whether controlled content is mixed in32 CFR 2002.4(h)
6Civilian-agency CUI held for an unrelated civilian contractYesNot for the unrelated DoD contractCUI is executive-branch-wide; CDI requires the DoD contract-performance nexusOriginating agency, the governing agreement, category, whether it touches DoD work32 CFR 2002.4(h); 7012(a)
7Civilian-agency CUI received and then used to perform a DoD contractYesPotentiallyThe definition reaches "other information as described in the CUI Registry" used in support of DoD contract performancePermission to reuse, category authority, DoD contract terms7012(a)(2)
8Technical data officially released by the originating agency without restrictionsNo, after valid public releaseNoThe CTI definition excludes information lawfully publicly available without restrictionsThe official release record, its scope, the exact version released7012(a); 32 CFR 2002.4(ll)
9A file marked CUI turns up on an unofficial public website after a leakPotentially still yesPotentially, if the nexus remainsPublic release occurs through the designating agency's official public release processesThe designating agency's official release or decontrol record32 CFR 2002.4(ll)
10A technical document bears Distribution Statement D but no visible CUI bannerStrong signal; needs reconciliationPotentiallyThe CTI definition ties to distribution statement B–F criteria, but the CUI designation comes from the designating authorityControlling DoD office, the statement itself, category, contract language7012(a); DoDI 5230.24
11You are a sub, you receive qualifying CUI, and the prime flows down 7012YesLikely yesFlow-down is required where subcontract performance will involve CDIThe flow-down, the information package, whether the information retains its CDI identity7012(m)(1)
12You generate a technical drawing for a DoD deliverable, but no CUI category, control, or authority can be identifiedNot automaticallyNot automaticallyMilitary relevance or contractual creation alone does not complete the Gate 1 testData-rights clauses, distribution controls, the SOW, written Government direction32 CFR 2002.4(h); 7012(a)
13aAn email carries a controlled drawing as an attachment, inline extract, preview, or pasted contentYes, for the controlled contentLikely, if the drawing is CDIThe mail workflow now processes and transmits the controlled informationMail routing, journaling, local downloads, mobile sync, backups7012(a); 32 CFR 170.19
13bAn email carries only a clean link to an authorized repositoryThe linked content is; the message may not beFact-dependentA link does not automatically place the linked file into the mail platform's processing pathMessage body, link previews, caches, endpoint downloads, identity services, security tooling32 CFR 170.19
14An ERP record holds a contract number, delivery date, and invoice metadataLikely FCI, not automatically CUINot automaticallyContract context alone does not establish an approved CUI categoryData fields, attachments, notes, integrations32 CFR 2002.4(h); FAR 52.204-21
15A shared drive mixes ordinary contract files with CTI drawingsMixedYes, for the qualifying contentA single repository can process and store both FCI and CDIInventory, permissions, inherited shares, backups, sync clients7012(a); 32 CFR 170.19

Methodology note.Rows marked “Likely” or “Fact-dependent” are marked that way because a defensible answer requires the actual contract, the category authority, the originating office, and in several cases written clarification. We would rather give you an honest “it depends, and here is exactly what it depends on” than a clean answer that falls apart under scrutiny.

Version log. v1.1 (July 2026) split former row 13 into 13a and 13b to separate attachments from repository links, and added the Basis column. v1.0 (July 2026) initial publication. We revise this matrix whenever a controlling source changes and note what moved and why.

Notice how many rows turn on evidence you already have — the contract, the marking, the flow-down, the data flow. That is the good news buried in this table. Most of the work is retrieval, not investigation.


Can unmarked information still be CDI or CUI?

A missing CUI banner is not proof that information is uncontrolled. It is equally unsafe to assume every unmarked file connected to a DoD contract is CUI. Reconcile the category and authority, the origin, the contract use, any distribution controls, and written instructions — then request clarification in writing when those signals conflict.

What a valid marking tells you

A proper marking is evidence that an authorized holder designated the information as CUI and made recipients aware of its status. It may identify the category or subcategory, whether the information is CUI Specified, any limited dissemination controls, and the originating or controlling office. [PRIMARY SOURCE: 32 CFR 2002.4(t)]

Markings are useful. Conflicting markings, authority, or provenance still require reconciliation.

What a missing marking does not tell you

A missing marking does not establish that no CUI category applies, that the content has been officially released, that a derivative file you created is uncontrolled, that your prime’s flow-down is irrelevant, or that you may transmit the information freely.

Markings are applied by people. People miss things. A gap in marking is a question to resolve, not an answer.

Why “assume everything unmarked is CUI” is also wrong

Over-designation carries its own consequences, and this is the part almost nobody tells small suppliers. As noted above, 32 CFR 2002.4(ee) defines misuse of CUI to include marking information as CUI when it does not qualify. Beyond the rule, the practical cost is real: every file you wrongly designate can expand the proposed boundary to the systems, backups, users, and security services that process, store, transmit, or protect it. Both errors are expensive. Only one of them gets talked about.

Contractor-created and derivative files

Creating a file during contract performance does not, by itself, make it CUI. But if the new file restates, incorporates, or paraphrases controlled content from a designated source, the analysis changes — that is exactly the activity 32 CFR 2002.4(pp) defines as re-use.

Your process sheet built from a controlled drawing is the textbook case. So is the CAM program derived from controlled geometry, the inspection report quoting controlled tolerances, and the quote package that pastes in a controlled specification. Keep the relationship between the source and the derivative documented. Then ask for handling instructions in writing.

“I found it on Google” is not a decontrol test

Under 32 CFR 2002.4(ll), public release occurs when the agency that originally designated the information makes it available to the public through that agency’s official public release processes. Disseminating CUI to non-executive branch entities as authorized does not constitute public release. Releasing information under the Privacy Act or in response to a FOIA request does not automatically constitute public release either.

An unofficial posting on a forum, a supplier portal, or a search result is not an official public release. Treat it as a question for the designating agency, not as permission.

The clarification request — copy this

Most contractors know they should ask. Fewer know what to ask for. Send something close to this:

Subject: CDI/CUI status and handling clarification — [contract or deliverable reference]

We are confirming the information-protection requirements and system scope for this effort. Please identify whether the referenced information is CUI and, if so: the applicable CUI Registry category, the controlling authority, the required marking and dissemination instructions, and whether the information is Covered Defense Information under DFARS 252.204-7012 for this contract. Please also confirm whether contractor-generated or derivative records that incorporate this information should carry the same handling requirements.

We are asking in order to avoid both under-protection and unnecessary over-scoping.

That last line does more work than it appears to. It signals to a prime or Contracting Officer that you are trying to get it right, not trying to get out of something.

One safety note: do not attach the disputed file to an ordinary clarification email unless you already know the approved handling channel. The question is safe to send. The file may not be.


Does CDI automatically mean CMMC Level 2 or a C3PAO assessment?

No on both counts. CDI has no standalone CMMC level. The required CMMC Status is selected for the procurement by the DoD Program Manager or requiring activity and stated in the applicable solicitation, contract, or valid flow-down — and Level 2 itself splits into a self-assessment path and a third-party path.

On the level. Handling CDI means you are handling CUI, and CUI is the information basis for Level 2 or, when expressly designated, Level 3. But the instrument decides. A contract can involve CUI and state Level 2 (Self). Another can state Level 2 (C3PAO). The information type narrows the possibilities; it does not pick one. [PRIMARY SOURCE: 32 CFR 170.5(b)]

On the assessment type. The possible statuses are Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC). Level 2 self-assessment and Level 2 certification assessment are different obligations with different evidence burdens and different costs. Level 3 sits on top of a Final Level 2 (C3PAO) status for the same assessment scope and adds 24 enhanced security requirements selected from NIST SP 800-172, assessed by DCMA DIBCAC. [PRIMARY SOURCES: 32 CFR 170.4; 32 CFR 170.14(c)(4); 32 CFR 170.19(d)]

And right now, the third-party path is paused. During the current suspension, Level 1 (Self) and Level 2 (Self) are the assessment types available for designation. So a provider telling you today that CDI means you must book a C3PAO is skipping several steps.

If you need the full comparison of the two Level 2 paths, that is its own decision: CMMC self-assessment vs C3PAO assessment. For the level structure itself, see our CMMC levels guide.


Does CMMC apply to CDI or CUI?

The CMMC Program rule at 32 CFR Part 170 is written around FCI and CUI, while DFARS 252.204-7012 separately imposes obligations for covered defense information. The rule is explicit that CMMC does not replace those obligations: 32 CFR 170.5(e) states the CMMC Program does not alter any separately applicable requirements to protect FCI or CUI, including requirements for covered defense information under 48 CFR 252.204-7012.

That citation is the whole answer, and it is worth reading twice if you have been told that achieving a CMMC status retires your 7012 duties. It does not.

Two regimes, running in parallel

CMMC speaks in terms of FCI and CUI. It provides a means of verifying implementation of the security requirements in FAR 52.204-21, NIST SP 800-171 Rev. 2, and selected requirements from NIST SP 800-172.

DFARS 7012 speaks in terms of CDI. It defines a covered contractor information system as an unclassified information system owned, or operated by or for, a contractor that processes, stores, or transmits covered defense information — and it attaches safeguarding, cloud, incident-reporting, media-preservation, and flow-down obligations to that system.

For CUI at CMMC Level 2, both currently point to the same standard: NIST SP 800-171 Revision 2, 110 requirements across 14 families. Different vocabulary, different mechanisms, different triggers. One verifies; the other obligates.

Which NIST revision actually applies — a detail worth knowing

The standard 7012 clause text requires the version of NIST SP 800-171 in effect at the time the solicitation is issued. Read literally today, that phrasing points toward Revision 3. It does not, and here is why.

On May 2, 2024, DoD issued Class Deviation 2024-O0013, directing contracting officers to use a deviation version of 252.204-7012 requiring compliance with NIST SP 800-171 Revision 2 instead of the version in effect at solicitation. Revision 1 of that deviation, dated May 22, 2024, revised and superseded the original with administrative updates.

CMMC Level 2 remains based on Revision 2, and for solicitations and contracts using the class deviation, 7012 does too. Your actual contract and any applicable deviation remain controlling — read the instrument.

If a provider presents Revision 3 as the currently controlling CMMC or deviation-7012 baseline, ask for the authority. Forward-looking Revision 3 preparation is a legitimate planning exercise. Representing Revision 3 as today’s contractual baseline is a different thing.

Where the program stands, as of July 2026

What the suspension does not decide

The suspension does not determine whether a particular file is CUI or CDI. It does not officially release or decontrol anything. It does not remove 7012 from an existing contract. It does not amend the CDI definition. And it does not convert a data-classification question into a CMMC-level question.


How do DFARS 7019, 7020, 7021, and SPRS fit in?

DFARS 252.204-7012 safeguards CDI and carries the cloud, incident-reporting, and flow-down duties. The adjacent clauses handle assessment and eligibility: 7019 addresses current-assessment eligibility, 7020 authorizes Government NIST SP 800-171 assessments and SPRS score posting, and 7021 requires the contract-specified CMMC Status and annual affirmations in SPRS. Which numbers appear in your contract depends on whether it uses the Revolutionary FAR Overhaul class deviation.

DFARS adjacent clauses: 7012, 7019, 7020, 7021
ClauseWhat it does
252.204-7012Safeguarding of CDI. NIST SP 800-171 implementation, FedRAMP Moderate-equivalent cloud requirement, cyber incident reporting, media preservation, subcontract flow-down
252.204-7019Notice and current-assessment eligibility mechanism tied to the NIST SP 800-171 DoD Assessment Methodology
252.204-7020Authorizes Basic, Medium, and High NIST SP 800-171 DoD Assessments and provides for summary-level scores to be posted in SPRS
252.204-7021Requires the CMMC Status specified in the contract, the applicable CMMC unique identifiers, and annual affirmation in SPRS

[PRIMARY SOURCES: DFARS 252.204-7012; 252.204-7020; 252.204-7021]

The codified DFARS still contains 252.204-7019, 252.204-7020, and 252.204-7021. Separately, for a solicitation or contract using the applicable Revolutionary FAR Overhaul class deviation effective February 1, 2026, deviation Part 240 language and clauses may appear instead, and FAR 52.204-21 may appear as FAR 52.240-93. Both numbering schemes are circulating because the change came through class deviations rather than rulemaking. The operative solicitation, contract, and incorporated deviation control. Our SPRS score and posting guide walks the assessment and posting mechanics in detail.


What changes when information qualifies as CDI?

When CDI is processed, stored, or transmitted on a contractor-owned or contractor-operated system, that system meets the DFARS 252.204-7012 definition of a covered contractor information system. Where the clause applies, that classification drives the security baseline, the cloud requirement, and subcontract flow-down immediately — and it sets up conditional incident-reporting and media-preservation duties that trigger when a qualifying cyber incident is discovered.

REGULATION-STATED. Each row maps to its clause paragraph.

DFARS 252.204-7012 obligations that attach when CDI is identified
ObligationWhat the clause requiresWhen it appliesSource
Adequate securityImplement NIST SP 800-171 on covered contractor information systems not operated on behalf of the GovernmentOn application of the clause7012(b)(2)(i)
Which NIST revisionRevision 2, under Class Deviation 2024-O0013Where the deviation is usedClass Deviation 2024-O0013, Rev. 1
Variance requestsSubmit requests to vary from a NIST SP 800-171 requirement in writing to the Contracting Officer, for DoD CIO considerationAs needed7012(b)(2)(ii)(B)
External cloudIf a cloud service stores, processes, or transmits CDI, require and ensure it meets security requirements equivalent to the FedRAMP Moderate baselineWhenever an external CSP is in the CDI path7012(b)(2)(ii)(D)
Incident reporting"Rapidly report" means within 72 hours of discovery, at dibnet.dod.milTriggered by discovery of a cyber incident affecting a covered contractor information system, the CDI residing there, or designated operationally critical support7012(a), (c)
Reporting credentialA DoD-approved medium assurance certificate is required to submit the reportNeeded before you can report7012(c)(3)
Media preservationPreserve and protect images of affected systems and relevant monitoring/packet capture data for at least 90 days from submission of the incident reportTriggered after an incident report is submitted7012(e)
Malicious softwareSubmit isolated malicious software to the DoD Cyber Crime Center (DC3), not to the Contracting OfficerOn discovery and isolation in a reported incident7012(d)
Flow-downInclude the clause without alteration, except to identify the parties, in subcontracts for operationally critical support or where subcontract performance will involve CDIOn application of the clause7012(m)(1)
Flow-down judgmentThe prime must determine whether information required for subcontractor performance retains its identity as CDI, and consult the Contracting Officer if necessaryBefore flowing information down7012(m)(1)

The medium assurance certificate. The clause requires one to submit a report. Obtain the credential before an incident, not during one. Discovering the requirement at hour 60 of a 72-hour clock is a bad afternoon.

“Retains its identity.”That phrase in the flow-down paragraph is doing real work. When a prime hands a sub a subset of information, someone has to decide whether the piece the sub receives is still CDI. That determination sits with the prime — and if you are the sub receiving an unexplained “you need Level 2,” that is precisely the determination you are entitled to ask about.

The case that shows why this is not a vocabulary exercise

On May 1, 2025, the Department of Justice announced that Raytheon Company, RTX Corporation, and Nightwing Group agreed to pay $8.4 million to resolve False Claims Act allegations relating to non-compliance with cybersecurity requirements in federal contracts.

The details are the instructive part. The United States alleged that Raytheon and its then-subsidiary failed to implement required cybersecurity controls on an internal development system used to perform unclassified work on certain DoD contracts — specifically, that they failed to develop and implement a system security plan and failed to ensure the system complied with DFARS 252.204-7012 and FAR 52.204-21. The settlement resolved allegations that the noncompliant internal system was used to develop, use, or store covered defense information and federal contract information during performance on 29 DoD contracts and subcontracts, involving conduct between 2015 and 2021. The case originated as a qui tam suit brought by a former director of engineering, who received approximately $1.5 million of the settlement. [PRIMARY SOURCE: DOJ settlement release, Raytheon and Nightwing]

These were allegations. The settlement resolved them without any determination of liability, and we are not suggesting the amount is typical of anything.

Read the operative language once more: develop, use, or store. That is branch (2) of the CDI definition, almost verbatim. The exposure did not come from a file DoD sent over. It came from an internal system the company used in performance.

If you have ever thought “our dev environment isn’t really in scope,” that is the sentence to sit with.

The honest negative — both directions cost money

Under-scope, and uncontrolled systems, cloud services, or lower-tier suppliers end up handling information your contract requires you to protect. Under the current posture, that surfaces through self-assessment and annual affirmation, select Government-led or DIBCAC assessment activity, audits and investigations, contract disputes, whistleblower allegations, or False Claims Act enforcement — not only through a failed C3PAO assessment.

Over-scope, and you migrate ordinary business workflows, FCI-only systems, and unrelated corporate data into an expensive environment the contract never required. Per 32 CFR 2002.4(ee), over-marking is itself a form of CUI misuse. The three-gate analysis exists to keep you off both rocks.


Does every system connected to a CUI repository enter scope?

No. Identifying CDI or CUI is not the same as defining a CMMC assessment boundary. Under 32 CFR 170.19, a Level 2 assessment scope is built by categorizing assets — CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets — each with different documentation and assessment treatment. Connectivity alone does not place a system in scope.

The CMMC Assessment Scope is the set of all assets in your environment that will be assessed against CMMC security requirements, and it must be specified before an assessment. Out-of-Scope Assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from systems that do, or are inherently unable to do so — with the important exception that assets providing security protection for a CUI asset are not out of scope.

For the full asset-category treatment and how to document each one, see our CMMC scoping guide.


What edge cases cause the most CDI vs CUI mistakes?

The hardest cases are rarely clearly marked files. They are mixed-origin repositories, contractor-generated derivatives, information that appeared publicly without official release, poorly documented flow-downs, and information tied to a different contract. Each resolves the same way: identify the controlling evidence, identify who owns the answer, and retrieve the next document.

DCR EDITORIAL APPLICATION. Routing judgments derived from the verified definitions above.

Edge cases: conflicting signals, controlling evidence, and who answers
Conflicting signalControlling evidenceWho must answerNext document to retrieve
CUI came from another federal agencyWhether and how it connects to this DoD contract's performanceOriginating agency; your Contracting OfficerThe governing agreement and the DoD SOW
Information is tied to a different DoD contractContract-by-contract provenanceYour contracts functionThe other contract and its data-handling terms
You created the technical information yourselfWhether it was created for or on behalf of the Government, or incorporates controlled source materialControlling DoD office; primeSource-document trail and data-rights clauses
It is publicly available somewhereOfficial public release through the designating agency's processDesignating agencyThe official release record
Distribution statement, no CUI bannerThe CTI criteria and the designating authority's marking directionControlling DoD officeWritten marking clarification
Mixed repository — shared drives, mail archives, ERP attachments, PLM, quality, ticketing, backups, endpoint caches, mobile sync, security toolingWhich assets process, store, transmit, or protect the contentYour IT and security ownersAsset inventory, permissions map, data-flow diagram
Prime says 'you need Level 2,' nothing elseThe CMMC Status stated in the applicable instrumentPrime contracts or security representativeThe solicitation, contract, modification, or subcontract language
CUI Basic vs CUI SpecifiedWhether the authorizing law or policy specifies controlsCUI Registry entry and the designating agencyThe Registry category page and its authority
Export Controlled content is involvedExport-control obligations run alongside, not inside, CMMCExport-control counsel; empowered officialITAR/EAR jurisdiction and classification determination

“You need Level 2” from a primeis a requirement notice, and you should take it seriously. It becomes the governing CMMC requirement when it is stated in the applicable solicitation, contract, modification, subcontract, or other valid flow-down. Ask the prime for the exact required CMMC Status — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC) — the information expected to flow down, the clause or subcontract language, and any known CUI category or handling direction. Ask them to document the “retains its identity” determination or consult the Contracting Officer as 252.204-7012 contemplates.

Export controldeserves its own analysis. Export Controlled is a CUI Registry category, and export-control requirements and CMMC are related but not identical. Foreign-person access restrictions do not collapse into a generic “CMMC compliant” claim. If ITAR or EAR is in your picture, bring counsel.


Who should confirm your CDI or CUI scope before you act?

The originating authority and the contract control the designation and the obligations. Ambiguous cases should be resolved in writing through the Contracting Officer or your prime. Your contracts, security, engineering, IT, and legal personnel each contribute evidence — but no vendor opinion substitutes for the controlling authority.

Who owns each scope-confirmation question
QuestionWho owns the answerType of authority
Which CUI category and authority apply?The originating or designating agency, or the controlling DoD officeFormal regulatory
What does my contract require?The Contracting Officer, contracts counsel, or a qualified federal-contracts attorneyContractual
What is my prime flowing down, and does the information retain its CDI identity?The prime's contracts or security representative — in writingContractual
Which of my systems touch the information?Your internal IT, security, and data ownersInternal operational
What is my CMMC assessment scope?You propose it and document it under 32 CFR 170.19Internal, assessor-reviewed
How do I remediate the environment?An RPO (Registered Provider Organization) or RP, a CMMC-focused MSP or MSSP, or an implementation specialistDCR provider-category recommendation
Which CMMC Status is required?The solicitation or contract, as determined by the Program Manager or requiring activityFormal regulatory
Is my evidence and documentation defensible?Internal readiness team, often supported by a GRC platformInternal operational
Am I ready for a formal assessment?Internal readiness first — then a C3PAO (Certified Third-Party Assessment Organization) at the appropriate stageDCR provider-category recommendation
Is a legal interpretation defensible?A qualified federal-contracts attorneyLegal

Keep readiness and assessment separated — and know why

This is codified, not just good practice. 32 CFR 170.8(b)(17) sets the Accreditation Body’s conflict-of-interest, professional conduct, and ethics policies, and C3PAOs must comply with them under 32 CFR 170.9(b)(2), along with achieving and maintaining ISO/IEC 17020:2012(E) compliance. Those policies bar an ecosystem member from participating in a Level 2 certification assessment for an organization it served as a CMMC consultant within the previous three years.

Keep implementation and formal assessment providers independent as a conservative procurement practice, even where the codified prohibition would not strictly bite. Verify current 32 CFR Part 170 requirements before engaging any assessment organization.

Before you request a single quote

Bring this packet:

That last bullet is not a gap in your packet. It is the part a competent provider will thank you for, because it tells them exactly where to focus. Bring this and you will get quotes built on evidence instead of assumptions.


What we actually verified for this guide

This guide was built by reading the controlling regulatory text directly rather than summarizing secondary coverage. The principal authorities are DFARS 252.204-7012 on Acquisition.gov, the CUI definitions at 32 CFR 2002.4 on eCFR, the CMMC Program rule at 32 CFR Part 170, the current Department of War CMMC program materials, the NARA CUI Registry, DoD class deviations, and the Department of Justice enforcement release cited below.

Primary sources verified for this guide
SourceWhat it supportsVersion or statusVerified
DFARS 252.204-7012 (Acquisition.gov)CDI, CTI, technical information, and covered contractor information system definitions; adequate security; cloud; incident reporting; media preservation; flow-downMAY 2024 clause textJuly 2026
32 CFR 2002.4 (eCFR)CUI definition; CUI Basic and Specified; public release; re-use; misuse; designating CUI; CUI RegistryCurrentJuly 2026
EO 13556 and 32 CFR Part 2002CUI Program origin; NARA as Executive AgentEO of Nov. 4, 2010; rule at 81 FR 63336, Sept. 14, 2016July 2026
NARA CUI RegistryApproved CUI categories, including Controlled Technical Information under the Defense groupingCurrentJuly 2026
32 CFR 170.5 (eCFR)CMMC does not alter separately applicable FCI, CUI, or 7012 CDI requirements; Program Manager selects CMMC StatusCurrentJuly 2026
32 CFR 170.4, 170.14, 170.19 (eCFR)15 / 110 / 24 requirement counts; Level 2 identical to NIST SP 800-171 R2; assessment scope and asset categoriesCurrentJuly 2026
32 CFR 170.8 and 170.9 (eCFR)Conflict-of-interest, conduct, and ethics policies applicable to C3PAOsCurrentJuly 2026
DoD Class Deviation 2024-O0013 and Revision 17012 compliance runs to NIST SP 800-171 Revision 2Issued May 2, 2024; Revision 1 dated May 22, 2024July 2026
FAR 52.204-21 (Acquisition.gov)FCI definition; 15 basic safeguarding requirementsNov 2021 clause textJuly 2026
DFARS 252.204-7019, -7020, -7021 (Acquisition.gov)Assessment eligibility, Government assessments and SPRS posting, CMMC Status and annual affirmationCodified DFARS; deviation alternatives may applyJuly 2026
Department of War announcement and CMMC program materialsJuly 13, 2026 suspension of Phase II; Phase III and IV held; 60-day review; Phase I remainsAnnounced July 13, 2026July 2026
DFARS final rule preamble (Federal Register, Sept. 10, 2025)DoD did not merge or eliminate the CUI/CDI definitions in that rulemakingFinal rule, effective Nov. 10, 2025July 2026
U.S. Department of Justice releaseRaytheon, RTX, and Nightwing $8.4M FCA settlement; allegations onlyAnnounced May 1, 2025July 2026

How this page was produced.The Defense Compliance Report Editorial Team read the current DFARS 252.204-7012 clause text and the CUI definitions at 32 CFR 2002.4 in full, side by side, and cross-checked the CMMC Program rule’s treatment of separately applicable requirements, scoping, and requirement counts. The CDI Contract-Nexus Grid and the scenario matrix are our editorial synthesis of those sources and are labeled as such throughout. We did not classify any reader’s data, review any private contract, and we do not represent this framework as Government guidance.

Independence. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of War or Department of Defense, DCMA DIBCAC, NIST, NARA, or any U.S. government agency. See our editorial methodology and corrections policy.


CDI vs CUI: frequently asked questions

What does CDI stand for?
CDI stands for Covered Defense Information. It is defined in DFARS 252.204-7012 as unclassified Controlled Technical Information, or other information described in the CUI Registry requiring safeguarding or dissemination controls, that is either provided to the contractor by or on behalf of DoD in support of contract performance, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of performance. It is not “Controlled Defense Information,” a common misreading.
Is CDI the same as CUI?
No. CUI is the government-wide category created under Executive Order 13556 and implemented at 32 CFR Part 2002. CDI is a Department of Defense contract term defined inside DFARS 252.204-7012. They overlap substantially, but they come from different authorities and are triggered differently.
Is CDI a subset of CUI?
Operationally, yes. The 7012 definition is built from Controlled Technical Information or other CUI Registry information, so information that qualifies as CDI is also CUI. The important qualifier is that CDI is not itself a CUI Registry category — it is a contractual term that depends on a DoD contract-performance nexus.
Is all CUI also CDI?
No. CUI is an executive-branch-wide program and can exist outside DoD and outside defense contracting entirely. The same item of CUI can be CDI on one DoD contract and not CDI in another context, because the contract-performance nexus is part of the definition.
Does DFARS 252.204-7012 mean every file in my contract is CDI?
No. The clause definition still requires the information itself to qualify — an approved CUI Registry category or Controlled Technical Information, with an authority requiring controls. A publicly available, unrestricted product catalog does not become CDI because a clause appears elsewhere in your contract.
Can information my own company created be CDI?
Yes, potentially. The definition expressly reaches information collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance. It must still satisfy the information-qualification test, but “we made it ourselves” does not remove it from consideration.
Can unmarked information still be CUI or CDI?
Potentially. A missing marking is not proof that information is uncontrolled, and it is not proof that it is controlled either. Reconcile the category authority, the origin, the contract use, and any written instructions, then request clarification in writing when the signals conflict.
Does a distribution statement make a document CUI?
Not by itself. The Controlled Technical Information definition ties to the criteria for distribution statements B through F under DoD Instruction 5230.24, so a distribution statement is meaningful evidence for technical information. The CUI designation itself comes from the designating authority, so a document with a distribution statement and no CUI banner is a reconciliation question.
Does finding CUI online mean it has been decontrolled?
Not necessarily. Under 32 CFR 2002.4(ll), public release occurs when the agency that originally designated the information makes it available through that agency’s official public release processes. Unofficial postings, authorized dissemination to specific recipients, and FOIA or Privacy Act disclosures do not automatically constitute public release.
Does CMMC apply to CDI or to CUI?
The CMMC Program rule is written around FCI and CUI. DFARS 252.204-7012 separately governs CDI, and 32 CFR 170.5(e) states expressly that the CMMC Program does not alter separately applicable requirements, including those for covered defense information under 252.204-7012. Both can apply to the same contractor at the same time.
Does handling CDI automatically put me at CMMC Level 2?
No. CDI has no standalone CMMC level. Handling CUI is the information basis for Level 2 or, when designated, Level 3 — but the required CMMC Status is selected for the procurement by the DoD Program Manager or requiring activity and stated in the applicable solicitation, contract, or valid flow-down.
Which NIST SP 800-171 revision applies to CDI right now?
Revision 2. Although the standard 7012 clause text references the version in effect when the solicitation is issued, DoD Class Deviation 2024-O0013, issued May 2, 2024 and revised May 22, 2024, directs compliance with NIST SP 800-171 Revision 2. CMMC Level 2 is also codified against Revision 2 — 110 security requirements across 14 control families.
Does every system connected to my CUI repository enter CMMC scope?
No. Under 32 CFR 170.19, Level 2 assessment scope is built by categorizing assets as CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, or Out-of-Scope Assets. Assets that are physically or logically separated from systems that process, store, or transmit CUI can be out of scope — though assets that provide security protection for a CUI asset are not.
Is FCI a type of CUI?
No. Federal Contract Information is a separate designation defined in FAR 52.204-21: non-public information provided by or generated for the Government under a contract to develop or deliver a product or service, excluding information the Government makes public and simple transactional information such as payment processing. FCI carries 15 basic safeguarding requirements and is the information basis for CMMC Level 1. For the full FCI vs CUI comparison, see our FCI vs CUI explained guide.
Did the July 2026 CMMC Phase II suspension remove my DFARS 7012 obligations?
No. The July 13, 2026 suspension paused the transition to Phase II third-party assessment requirements and held later milestones in abeyance pending a 60-day review. It did not alter the substantive obligation to protect FCI and CUI, and it did not change DFARS 252.204-7012. Phase I self-assessment requirements remain in force.
Who has authority to decide whether information is CUI?
An authorized holder may designate CUI consistently with 32 CFR Part 2002 and the CUI Registry, and the designating agency controls the official designation and decontrol framework. When the evidence in front of you conflicts, seek written clarification through the contract chain rather than recording an internal judgment call nowhere.

What should you do next if you are still unsure?

If you take one thing from this page, make it this: CDI vs CUI is not a question about what your files look like. It is a question about what your evidence shows.

So work the evidence, in this order:

  1. Pull the contract and every modification, and find whether 252.204-7012 is actually there.
  2. Identify the CUI category and its authority. Not “it seems sensitive.” The Registry entry.
  3. Trace the information — how it entered or was created, where it rests, who touches it.
  4. Map the systems and subcontractors, then categorize assets under 32 CFR 170.19.
  5. Ask, in writing, for anything you cannot resolve. Use the template above.
  6. Write down the decision and the date.

Do that, and the next expensive CMMC decision stops being a guess. You will know what you have, what your contract requires, and which of the open questions is actually blocking you. Then, and only then, go find help — and go find the right kind of help.


Related reading


Disclosure. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

This page is educational research, not legal, contractual, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The applicable solicitation, contract, or valid flow-down states your required CMMC Status, and your CUI handling drives your scope — a checklist does not.