DFARS CDI Registry & Explanation
What is DFARS CDI?
The Defense Federal Acquisition Regulation Supplement (DFARS) safeguarding rules and clauses provide for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information. DFARS imposes a set of “basic” security controls for contractor information systems upon which this information resides. These security controls must be implemented at both the contractor and subcontractor levels, based on the information security standards in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, titled “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” The most common DFARS safeguarding rule and clauses for which a defense contractor will be expected to demonstrate compliance are as follows:
- DFARS 252.204.7008 – Compliance with Safeguarding Covered Defense Information Controls
- DFARS 252.204.7009 – Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
- DFARS 252.204.7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
Is there a definitive source that defines Covered Defense Information (CDI)? Is this the CDI Registry?
Yes, the National Archives website provides the complete CDI Registry, which clarifies and further describes the complete scope of Covered Defense Information.
What is included in the definition of Covered Defense Information (CDI)? Does this include Controlled Unclassified Information (CUI)?
Covered Defense Information is unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:
1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
What is "Operationally Critical Support"?
Operationally Critical Support is defined as “Supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.” The contract will include notification of when the contractor will provide operationally critical support. The DoD identifies three types of operationally critical support. Examples include but are not limited to the following:
- (i) Operationally critical support for mobilization, which is addressed under (ii) and (iii).
- (ii) Operationally critical support for distribution includes but is not limited to:
  - a. Airlift, sealift, aeromedical, and intermodal transportation services and their associated material handling and ground handling labor or stevedore services.
  - b. U.S. railroad, truck, barge, ferry, and bus services provided by passenger and freight carriers and their associated material handling and ground handling labor services.
  - c. Third party logistics (3PL) services provided by non‐equipment owned brokers and freight‐forwarders.
  - d. Transportation Protection Services for arms, ammunition, and explosives (AA&E) and courier materiel.
  - e. Transportation and packaging of hazardous material.
  - f. Information technology systems and network providers essential to the command, control operation, and security of contingency transportation mission functions delineated in “a” through “e”.
- (iii) Operationally critical support for sustainment includes but is not limited to:
  - a. Local acquisition of Liquid Logistics (water, fuel‐all types); Cl I, Fresh Fruits and Vegetables; Local meat/bread products, and bottled gases (e.g., helium, oxygen, acetylene).
  - b. Supply chain for rare earth metals.
  - c. Procurement and Product Support for critical weapons systems identified by the requiring activity, such as the F‐22 and F‐35.
  - d. The prime contractors and subcontractors for critical weapons systems in development and sustainment that are fielded to the AOR.
  - e. Contractor Logistics (maintenance and supply) Support. Examples include Unmanned Aerial Systems maintenance, (aviation) training command maintenance support, or performance based logistics/performance based arrangements.
  - f. Depot‐level maintenance for critical items, particularly in Public‐Private Partnerships.
  - g. Information technology systems and network providers essential to the command, control operation, and security of contingency supply and maintenance mission functions delineated in “a” through “f”.
What is Unclassified Controlled Technical Information (CTI)?
Controlled technical information is defined as technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.