A CUI Conundrum: What to Do With Improperly Marked CUIs
In the world of Federal government contracting, clarity is king. Contracts, regulations, and security manuals are designed to create a clear set of rules. But what happens when a contractor receives information from the government that isn’t marked as Controlled Unclassified Information (CUI) but clearly seems to fit the definition as described by the National Archives CUI Registry? This scenario creates a significant dilemma: protect the data and potentially incur costs outside the contract’s scope, or follow the contract to the letter and risk a security incident with potential national security impacts?
This isn’t just a theoretical debate. How a contractor responds has serious implications for contract compliance, cybersecurity, and national security. There are two competing schools of thought on this issue, with a time-tested legal doctrine—the Christian Doctrine—offering a third, powerful perspective.
Alternative 1: The “Inherent Nature” Approach
This recommendation posits that the obligation to protect certain information comes directly from the law and associated regulations themselves, not from a specific contract. Proponents argue that if information meets the definition of a category protected by a law or regulation covered by the CUI program, the contractor must protect it as CUI, regardless of government markings.
The Justification: This approach’s foundation lies in regulations that exist independently of any government contract. For example, the International Traffic in Arms Regulations (ITAR), found in 22 CFR Parts 120-130, and the Export Administration Regulations (EAR) in 15 CFR Chapter VII, Subchapter C, impose direct legal obligations on any entity handling export-controlled items or data. These export control categories are now under the CUI umbrella. Therefore, information that qualifies as ITAR or EAR data is CUI by its very nature. ITAR and EAR are not the only regulations outside the CUI program that bear on what material is CUI. Executive Order 13556, which established the CUI program, was designed to standardize the handling of information that various laws already required to be protected. The law, in this view, creates the primary obligation, and the contract merely acknowledges it either explicitly or implicitly.
Alternative 2: The “Contract Is King” Argument
This recommendation asserts that a contractor’s responsibility is dictated solely by the government through the contract. If the information isn’t identified as CUI in the contract’s instructions, it should not be treated as CUI, especially if it’s generated by the contractor and never delivered to the government.
The Justification: This perspective is strongly supported by key defense regulations. The Department of Defense Instruction (DoDI) 5200.48 places the onus on the government to identify and mark CUI it provides to contractors. Even more compelling is the language in DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This crucial clause requires contractors to implement the security controls of NIST SP 800-171 Rev. 2 (and now revision 3) to protect “Covered Defense Information” (CDI). The clause explicitly defines CDI as information that the contract marks or otherwise identifies as needing protection. From this perspective, the contract acts as the sole trigger for the contractor’s safeguarding obligations. If it isn’t identified in the contract, it isn’t CDI, and the stringent safeguarding requirements of DFARS -7012 do not apply.
A Third Way: Applying the Christian Doctrine
We have a conflict between the direct mandate of law and the explicit text of a contract. This is where a landmark legal principle, the Christian Doctrine, becomes incredibly relevant.
Stemming from the 1963 case G. L. Christian and Associates v. United States, the doctrine holds that certain federal procurement clauses are so critical to public policy that they are considered part of a federal contract by operation of law, even if they have been mistakenly omitted.
The Justification: The argument for applying this doctrine to unmarked CUI is compelling. The entire CUI framework, codified in federal regulations like 32 CFR Part 2002, exists to protect sensitive information vital to national security. This is undeniably a matter of “significant and deeply ingrained public policy” per the Christian Doctrine. If the government provides a contractor with data that is clearly CUI (for example, technical drawings of a military vehicle) but fails to include the proper CUI clauses or markings in the contract, the Christian Doctrine suggests the contractor’s obligation to protect that data remains. The government’s administrative error doesn’t negate the underlying public policy of protecting the information. The safeguarding requirements flowing from DFARS 252.204-7012 and FAR 52.204-21 are not just contractual terms; they are instruments of national security policy that arguably cannot be waived by accidental omission.
The Recommended Path Forward
Navigating these competing arguments requires a practical, risk-based approach. While the “Contract is King” argument holds textual water, ignoring the inherent nature of sensitive data is a gamble no responsible contractor should take.
Here’s a prudent course of action:
Identify and Inquire: If you receive or generate information that walks and talks like CUI, don’t ignore it. The first and most critical step is to notify your Contracting Officer (CO) or Contracting Officer’s Representative (COR) in writing. State your concern clearly: “This data appears to meet the definition of CUI//[Specify Category], but was not marked as such in the contract. Please provide guidance.”
Safeguard in the Interim: While you await a formal response from the government, the safest course of action is to protect the information as if it were CUI. Apply the necessary security controls. The risk of over-protecting data is minimal (slight administrative overhead), while the risk of under-protecting it is massive (security breaches, potential ITAR violations, loss of government trust, debarment from government contracting).
Document Everything: Keep a meticulous record of all communications with the government regarding the data in question. If the CO directs you not to treat the information as CUI, you have a documented instruction that can shield you from liability.
Ultimately, the Christian Doctrine provides a powerful legal backstop, suggesting that the duty to protect sensitive information is a fundamental public policy that transcends contractual oversights. For contractors on the front lines, the best strategy is clear: when in doubt, protect and ask. This approach fulfills your role as a trusted partner in defending national security interests, protecting both your organization and the information you’ve been entrusted with.