What is CDI (Covered Defense Information)?
Covered Defense Information (CDI) refers to unclassified information that requires protection because of its relevance to military operations and defense-related activities. CDI is a subset of Controlled Unclassified Information (CUI) tied to defense contracts and activities. It includes data such as technical drawings, software code, and specifications whose compromise could indirectly harm national security.
CDI is governed by the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. The clause mandates safeguarding CDI and reporting cyber incidents. Contractors handling CDI must comply with strict security controls to protect this sensitive category of information.
DFARS Clause 252.204-7012: The Backbone of CDI Security
DFARS Clause 252.204-7012, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” is a critical regulation for contractors working with the Department of Defense (DoD). This clause is required in all contracts except those solely for acquiring Commercial Off-The-Shelf (COTS) items. It also must be included in subcontracts where performance will involve CDI or operationally critical support.
According to DFARS Clause 252.204-7012, CDI includes unclassified Controlled Technical Information (CTI) or other information as described in the CUI Registry. The DoD must either mark or identify this information in the contract and provide it, or it must be collected, developed, received, transmitted, used, or stored by the contractor during contract performance.
Operationally critical support refers to supplies or services deemed essential by the government for airlift, sealift, intermodal transportation services, or logistical support vital to the mobilization, deployment, or sustainment of the Armed Forces during contingency operations.
CDI Security Measures: What Contractors Need to Know
CDI protection is a legal obligation for defense contractors and subcontractors. DFARS Clause 252.204-7012 requires implementing security measures outlined in NIST SP 800-171, “Protecting CUI in Nonfederal Information Systems and Organizations.” This standard sets forth security controls that contractors must implement to safeguard CDI, including:
- Access Control: Limiting access to CDI to authorized personnel.
- Encryption: Protecting CDI during transmission and storage using strong encryption methods.
- Incident Response: Establishing procedures for detecting, reporting, and responding to CDI security incidents.
- Auditing and Accountability: Maintaining logs of activities involving CDI to ensure accountability and detect potential breaches.
- Physical Security: Restricting and monitoring physical access to CDI.
CDI Violation: Consequences and Reporting Requirements
A CDI violation occurs when Covered Defense Information is accessed, disclosed, or used without authorization. Violations can result from cyberattacks, insider threats, or insufficient security practices. The consequences of a CDI violation are severe, including the loss of sensitive information, national security risks, contract termination, legal action, and reputational damage.
Contractors and subcontractors must report cyber incidents that affect CDI or their ability to perform operationally critical support. Reports must be submitted to the DoD via the Defense Industrial Base Network (DIBNet) using an Incident Collection Form (ICF). If malicious software is discovered in connection with a reported incident, it must be submitted to the DoD Cyber Crime Center (DC3).
In cases where the DoD elects to conduct a damage assessment, the Contracting Officer will request media and damage assessment information from the contractor to evaluate the impact of the breach.
Safeguarding Covered Defense Information: Roles and Responsibilities
The DoD requiring activity identifies and marks CDI, following procedures outlined in DoDM 5200.01 Vol 4, “DoD Information Security Program: Controlled Unclassified Information (CUI).” The requiring activity determines the appropriate markings and documents CDI requirements in the Statement of Work (SOW), specifying how contractors must mark CDI developed during contract performance.
DFARS clause 252.204-7012 applies to subcontractors when their performance involves operationally critical support or CDI. The prime contractor is responsible for ensuring subcontractors comply with the clause, and if a subcontractor refuses, CDI should not be handled by that subcontractor.
CUI vs CDI: Understanding the Difference
CDI is often confused with CUI, but they are distinct. CDI is specifically tied to defense contracts and requires protection under DFARS Clause 252.204-7012. In contrast, CUI is a broader category that includes any unclassified information requiring safeguarding or dissemination controls under federal regulations. CUI can encompass various data types, including Personally Identifiable Information (PII) and proprietary business information.
For defense contractors, understanding the difference between CDI and CUI is crucial for compliance and protecting sensitive information. Proper classification and protection of both CDI and CUI are essential for safeguarding national security.
Final Word
Covered Defense Information (CDI) is a critical aspect of the U.S. defense sector’s information security. Contractors and subcontractors handling CDI must comply with DFARS Clause 252.204-7012 and NIST SP 800-171. By implementing robust security measures and adhering to regulatory requirements, organizations can protect CDI, avoid violations, and contribute to national security.
Understanding the nuances between CDI and CUI and the responsibilities outlined in defense contracts is vital for maintaining compliance and safeguarding sensitive information.