You Won't Believe What DOD Instruction Implements The DOD CUI Program—Here's The Shocking Truth

So You Need to Know Which DoD Instruction Runs the CUI Program

Here's a scene I've seen play out more times than I can count: someone in a government contracting office gets an email with a CUI marking they don't recognize. And they panic. So they Google. They end up in a rabbit hole of outdated memos and conflicting guidance. Sound familiar?

The short answer to the question is DoDI 5200.48, which is the Controlled Unclassified Information (CUI) Instruction. But knowing just the number isn't enough. You need to understand what it actually does, how it works, and — real talk — where most people trip up.

So let's break it down.

What Is DoDI 5200.48

DoDI 5200.48 is the Department of Defense instruction that implements the DoD CUI Program. It was issued on March 6, 2020, and it replaced a bunch of older, overlapping policies. Turns out, the DoD had been managing unclassified information under a patchwork of rules — FOUO, SBU, LES, and a dozen other acronyms that nobody could keep straight. This instruction was meant to unify all of that under one roof.

Here's what the instruction actually does:

  • It establishes policy and assigns responsibilities for managing CUI across the DoD
  • It aligns the DoD program with the National Archives and Records Administration's (NARA) overarching CUI framework
  • It replaces the old FOUO (For Official Use Only) system with standardized CUI markings
  • It applies to all DoD components, contractors, and anyone who handles DoD information

In practice, DoDI 5200.48 is the rulebook. If you're wondering whether something should be marked CUI, how to mark it, who can access it, or how to destroy it — this is where you look.

What It's Not

It's not the same as the NARA CUI rule (32 CFR Part 2002), which governs the executive branch CUI program. That rule is the foundation. DoDI 5200.48 is the DoD-specific implementation. Think of it like this: NARA sets the federal standard, and the DoD instruction adapts it for military and defense contexts.

Also worth knowing: DoDI 5200.48 doesn't cover classified information. That's a whole different beast, governed by Executive Order 13526 and a stack of other directives.

Why It Matters

Why should you care? Because if you handle DoD information — and that includes contractors, subcontractors, and anyone in the defense industrial base — you're legally required to follow this instruction.

Most people don't realize that CUI isn't optional. It's not like "hey, maybe we should mark this." It's mandatory. If you're generating or handling information that falls under a CUI category, you have to apply the markings. And if you don't? That can lead to compliance issues, contract penalties, or worse.

Here's what goes wrong when people ignore it:

  • Information gets over-protected (marked CUI when it shouldn't be), which slows down legitimate sharing
  • Information gets under-protected (not marked when it should be), which creates security risks
  • Contractors fail audits because their CUI handling procedures don't match what the instruction requires
  • People still use old markings like FOUO, which DoDI 5200.48 explicitly phases out

The cost of getting this wrong isn't just theoretical. I've seen companies lose contract awards because their CUI compliance was sloppy.

How It Works

Let me walk you through the key pieces of DoDI 5200.48 and what they actually mean in day-to-day work.

The CUI Registry

The instruction requires the DoD to maintain a CUI registry that lists all approved categories and subcategories. This isn't random. Every piece of CUI has to fit into a specific category. You can't just mark something CUI because it feels sensitive. It has to match a category defined by NARA or the DoD.

For example, "General Procurement and Acquisition Sensitive Information" is a category. "Law Enforcement Sensitive Information" is another. If your document doesn't fit any recognized category, it isn't CUI — no matter how sensitive you think it is.

Marking Requirements

This is where the rubber meets the road. DoDI 5200.48 lays out exactly how CUI must be marked.

  • The banner "CONTROLLED UNCLASSIFIED INFORMATION" at the top and bottom of each page
  • The specific category or categories in parentheses, like (PRVCY) for privacy information
  • A distribution statement if applicable
  • The CUI designation indicator at the bottom of the page

Honestly, this is the part most guides get wrong. They make it sound complicated when it's actually straightforward once you see an example. The instruction includes a marking guide in the appendices. Use it.

Handling and Safeguarding

The instruction specifies how CUI must be stored, transmitted, and destroyed. Some key points:

  • CUI must be stored in controlled environments where access is limited to people with a legitimate need
  • Email transmission of CUI requires encryption or a CUI-approved system
  • Physical CUI documents must be stored in locked containers when not in use
  • Destruction methods include shredding (cross-cut, not strip-cut), burning, or using approved destruction services

I know it sounds simple — but it's easy to miss the details. For instance, the instruction says CUI can be shared orally, but you need to ensure the conversation can't be overheard by unauthorized people. That means no discussing CUI in open cubicles or coffee shops.

Training and Awareness

DoDI 5200.48 requires annual CUI training for anyone who handles CUI. This includes military personnel, civilian employees, and contractors.

  • How to identify CUI
  • Proper marking and handling procedures
  • Reporting requirements for suspected CUI incidents

Real talk: most people skip through this training as fast as possible. Don't. I've seen too many incidents that could have been prevented with basic awareness.

Common Mistakes

After watching organizations implement CUI programs for years, here are the mistakes I see over and over.

Over-classifying information. Some people treat CUI like classified information and lock everything down. That's not how it works. CUI is meant to be shared — just with appropriate controls. If you're locking information that doesn't need to be locked, you're defeating the purpose.

Still using FOUO markings. DoDI 5200.48 explicitly says FOUO is obsolete. But I still see documents stamped "FOR OFFICIAL USE ONLY." That's a compliance gap. Update your templates.

Ignoring the difference between CUI and CUI/FEDCON. CUI/FEDCON is a subset that applies only to federal government information. Contractors sometimes miss this distinction and apply FEDCON markings when they shouldn't.

Assuming CUI rules don't apply to contractors. They do. If you're a contractor handling DoD information, you must comply with DoDI 5200.48. Your contract should specify this, but don't wait for a reminder.

Not destroying CUI properly. Throwing CUI documents in the regular trash is a violation. I've seen companies get hit with fines because their janitorial staff wasn't trained on proper destruction.

Practical Tips

What actually works? Here's what I've seen successful organizations do.

First, get a copy of the CUI registry and keep it handy. Bookmark the NARA CUI website. You'll reference it constantly.

Second, update your document templates. Every Word document, PDF, or email template that might contain CUI should have the correct banner markings built in. Make it hard to generate a document without proper markings.

Third, create a simple one-page cheat sheet for your team. People won't read a 50-page instruction. But they'll glance at a cheat sheet. Include the most common CUI categories they'll encounter, the marking format, and who to contact with questions.

Fourth, do a CUI inventory. Walk through your organization and identify every system, folder, and storage location that holds CUI. You can't protect what you don't know exists.

Fifth, train your team on what actually matters. Don't just play a video. Hold a short session where you show real examples from your own work. People learn better when they see something relevant.

FAQ

Does DoDI 5200.48 replace the NARA CUI rule?

No. It implements it. NARA's rule (32 CFR Part 2002) sets government-wide standards. DoDI 5200.48 adapts those standards for DoD-specific needs. You need to follow both.

Do contractors need to follow DoDI 5200.48?

Yes. The instruction applies to all contractors who handle DoD CUI. Your contract should include DFARS clauses that require compliance. If it doesn't, ask questions.

What's the difference between CUI and classified information?

Classified information involves national security — things like troop movements, weapons systems, intelligence sources. CUI is unclassified information that still needs some level of protection — like privacy data, procurement details, or export-controlled technical data. Different rules, different markings, different consequences.

How do I report a potential CUI incident?

The instruction requires you to report suspected incidents to your organization's security office or CUI program manager. They'll handle escalation. Don't sit on a potential breach.

Is FOUO still valid?

No. DoDI 5200.48 phases out FOUO markings. Any new information should use CUI markings. Legacy FOUO documents are being transitioned, but stop creating new ones.

Look, this stuff isn't exciting. But it matters. The DoD CUI program exists because unclassified information leaks were causing real damage — and the old system wasn't working. DoDI 5200.48 is the framework that fixes it. Learn it, follow it, and make it part of how your organization thinks about information security. You'll sleep better knowing you're not the one who caused the next breach.
