Controlled Technical Information (CTI) is really at the heart of what DoD wants/needs to have protected as a part of many ongoing DoD Cybersecurity efforts, including CMMC. But what really is CTI? The DoD FAQ has an explanation.
Q26: What is Controlled Technical Information (CTI)?
A26: Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
The definition of CTI here is robust, but the second sentence probably requires some translation. This is saying that CTI, when marked with distribution statements B, C, D, E, or F from 5230.24, is CUI. This is corroborated by NARA’s CUI categories definitions, of which CTI is one, which has the same stipulation derived from the same source. The exception to this, distribution statement A, is the marking for technical information explicitly cleared for public dissemination.
Distribution Statement A. Approved for public release: distribution is unlimited.
If it is cleared for the public, and thus not truly controlled, then it is, inherently, not CUI. The following Q&A says this more clearly.
Q27: If a Contract document (i.e., DD Form 1423-1) mandates the use of a Distribution Statement (B-F) on a contractor generated document for submission to the government but does not use the term CUI, should the contractor understand the document to be CUI and protect/control accordingly? Is it correct to say that any document with a Distribution Statement B-F is CUI?
A27: CUI, as defined by 32 CFR 2002, CUI, is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. Because Distribution Statements B-F as set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents, are in fact ‘dissemination controls’, this information is – by definition – CUI.
The crux of both this question and the last is simple. All CTI marked with the B-F distribution statements are CUI by their very nature as Controlled Technical Information, should be treated as such, and marked with both CUI and CTI distribution statements.
As always the DoD FAQ we use here is the DoD Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76 and PGI Subpart 239.76. It can be found here in its entirety and is recommended reading for all DIB cybersecurity professionals. It was most recently updated in June of 2024, and is published by the DoD CIO.
Comments