Covered Defense Information (CDI)

Covered Defense Information (CDI) is the DFARS term for unclassified information that requires safeguarding or dissemination controls as specified in the contract, including Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), and other categories identified by the contracting activity. CDI is the specific trigger in DFARS 252.204-7012 that activates NIST SP 800-171 compliance requirements and flows down cybersecurity obligations to subcontractors.

What Is Covered Defense Information?

Covered Defense Information is defined in DFARS clause 252.204-7012 as unclassified controlled technical information or other information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and is either marked or otherwise identified in the contract, or provided to the contractor by or on behalf of DoD in support of the performance of the contract. CDI serves as the operative term in DFARS that determines whether a contractor must implement NIST SP 800-171 security requirements.

CDI, CUI, and CTI: How They Relate

CDI is the broadest DFARS-specific category. CUI (Controlled Unclassified Information) is the government-wide category established by Executive Order 13556 and administered by NARA. CTI (Controlled Technical Information) is a specific CUI subcategory covering military/space technical data. In practice, CDI often encompasses CUI and CTI when those information types appear in a DoD contract context. The key point for contractors is that if a contract includes DFARS 252.204-7012 and identifies CDI, the full set of NIST SP 800-171 requirements applies.

How CDI Is Identified in Contracts

CDI can be identified through contract markings that specify which deliverables or data contain controlled information, the DD Form 254 (Contract Security Classification Specification) when applicable, statements of work that reference CUI categories or handling requirements, and contractor guidance documents provided by the contracting officer. Contractors should proactively ask contracting officers to clarify which information qualifies as CDI when the contract language is ambiguous, as this determination directly affects the scope of their cybersecurity obligations.

CDI and CMMC Compliance

The presence of CDI in a contract is what drives the requirement for CMMC Level 2 certification. Contracts that involve only Federal Contract Information (FCI) require CMMC Level 1. Contracts involving CDI (which includes CUI) require Level 2. This distinction makes CDI identification a critical first step in CMMC compliance planning — contractors must understand whether their contracts involve CDI to determine which CMMC level applies and how to scope their assessment boundary.