What DOD Instruction Implements the DOD CUI Program? The Full Answer Explained

Here’s a question that comes up constantly in defense circles, on military training exams, and in contractor compliance meetings.

“What DOD instruction implements the DOD CUI Program?”

The short answer is DoDI 5200.48.

But if that’s all you needed, you probably wouldn’t be reading this. The real question most people have is: what does that actually mean, why does it matter, and what do I actually have to do because of it?

Let’s walk through the whole thing — from where this all started, to exactly what the instruction requires, to what happens when someone gets it wrong.

Quick Reference Facts 

| Detail | Information |
| --- | --- |
| Instruction That Implements DoD CUI Program | DoDI 5200.48, Controlled Unclassified Information |
| Full Official Title | “Controlled Unclassified Information (CUI)” |
| Published Date | March 6, 2020 |
| Approved By | Under Secretary of Defense for Intelligence and Security (USD I&S) |
| Governing Authority | Executive Order 13556 (signed November 2010) |
| Federal Regulation | 32 CFR Part 2002 |
| Technical Standard for Contractors | NIST Special Publication 800-171 |
| Contract Clause That Enforces It | DFARS 252.204-7012 |
| Who It Applies To | All DoD components, military services, defense agencies, contractors |
| CUI Marking Requirement | “CUI” on top and bottom of every page |
| Required Training | Annual CUI training for all who handle it |
| Destruction Standard | NIST SP 800-88 Revision 1 |
| Related Compliance Framework | CMMC (Cybersecurity Maturity Model Certification) Level 2 |
| Who Oversees It | Under Secretary of Defense for Intelligence and Security |
| Registry for CUI Categories | National Archives CUI Registry |

First — What Is CUI and Why Should Anyone Care?

Before jumping into the instruction itself, let’s talk about what CUI actually is.

CUI stands for Controlled Unclassified Information.

It’s not classified. That’s important. No “TOP SECRET” stamp was applied.

But it’s also not just random unimportant paperwork. CUI is information that needs protection because laws, regulations, or government policies say it does.

Think about what kinds of things fall under that umbrella. Engineering blueprints for a military aircraft. A soldier’s personal health records. Details of a new weapon system contract. Tax information. Details about a law enforcement investigation. Export-controlled technical data.

None of that is secret in the traditional sense. But all of it could cause real harm if it fell into the wrong hands.

Before 2010, every agency in the federal government handled this kind of information differently. The Army had one system. The Navy had another. The FBI had its own labels. The result was a confusing mess of inconsistent markings that made information sharing slow, risky, and frustrating.

Something had to change.

The Executive Order That Started Everything

In November 2010, President Obama signed Executive Order 13556.

That order said: enough with the chaos. The entire executive branch needs one consistent system for handling sensitive but unclassified information. One set of rules. One set of markings. One standard everyone follows.

The order created the CUI program and placed the National Archives and Records Administration (NARA) in charge of overseeing it across the federal government. NARA published federal regulations under 32 CFR Part 2002 to turn the executive order into binding rules.

But the Department of Defense is massive. It has millions of employees, thousands of contractors, multiple branches, dozens of agencies, and an enormous flow of sensitive information every single day.

The DoD needed its own implementation — something tailored to how defense operations actually work.

That’s where DoDI 5200.48 comes in.

DoDI 5200.48: The Instruction That Makes It Real Inside the DoD

On March 6, 2020 — almost ten years after the executive order — the Under Secretary of Defense for Intelligence and Security signed DoDI 5200.48 into effect.

This instruction didn’t replace the federal rules. It was built on top of them.

Think of it like this: the executive order is the national blueprint. The federal regulations are the construction code. DoDI 5200.48 is the specific plan for the DoD building — covering everything from how the rooms are arranged to who holds the keys.

The instruction establishes an official DoD policy for CUI. It assigns responsibilities to specific people and offices. It provides step-by-step procedures for everything from identifying CUI to marking it, protecting it, sharing it, and eventually destroying it.

Every military department falls under it. Every defense agency falls under it. And critically — every contractor who touches DoD information and handles CUI falls under it too.

What the Instruction Actually Requires: Breaking It Down

DoDI 5200.48 covers a lot of ground. Here’s what it actually demands in plain terms.

Identifying CUI

Not every document is CUI. The instruction requires that someone with authority — a designated original classifier or an authorized holder — makes a decision about whether specific information meets the definition of CUI.

The CUI Registry, maintained by the National Archives, lists all the approved categories and subcategories. If the information fits a category in that registry and falls under a law or regulation requiring protection, it’s CUI. If it doesn’t, it shouldn’t be marked as CUI — over-marking is a violation too.

Marking CUI

Once information is identified as CUI, it has to be labeled correctly.

The instruction requires “CUI” on the top and bottom of every page. No exceptions. There also needs to be a CUI Designation Indicator — a special box in the bottom right corner of the cover page. That box identifies who marked the document as CUI and why.

Portion markings — small labels on individual paragraphs or sections — are sometimes required too, depending on the type of CUI.

Getting the markings wrong is one of the most common compliance failures in DoD audits.

Safeguarding CUI

The instruction requires protection in three areas: physical, electronic, and administrative.

For physical protection, CUI that isn’t being actively used needs to go somewhere secure. Locked rooms. Locked cabinets. Restricted areas. You don’t leave it sitting on a desk where anyone walking by could read it.

For electronic protection, systems that store or process CUI must meet specific security standards. For contractors and other non-federal organizations, this means following NIST Special Publication 800-171 — a detailed set of 110 security requirements covering everything from access controls to incident response to system monitoring.

For administrative protection, the instruction requires training. Everyone who handles CUI needs to understand the rules. Annual training is mandatory, not optional.

Sharing CUI

CUI can be shared — but only in the right ways and only with the right people.

Before CUI goes to a foreign government or international organization, specific release requirements must be met. Before it goes to another agency, dissemination controls must be respected. Before it goes to a contractor, the contract must include the right clauses.

The instruction lays out exactly what those requirements look like.

Destroying CUI

When CUI reaches the end of its lifecycle — when it’s no longer needed — it can’t just go in the trash.

The instruction requires that CUI be destroyed in a way that makes it completely unreadable, impossible to piece back together, and unrecoverable. The specific standard for electronic media comes from NIST SP 800-88 Revision 1. For paper documents, methods like cross-cut shredding or burning are acceptable.

Simply deleting a file or throwing papers in a recycling bin doesn’t cut it.

The People Responsible: Who Owns This?

DoDI 5200.48 doesn’t just set rules — it assigns them to specific roles.

At the head is the Under Secretary of Defense for Intelligence and Security. This office sets the overall CUI policy and makes sure the DoD Information Security Program runs properly.

DoD Component Heads — the secretaries of military departments, directors of defense agencies, and heads of DoD field activities — are responsible for carrying the policy out inside their own organizations. They can’t delegate that responsibility away.

CUI Managers in each organization handle the day-to-day implementation. They train people, answer questions, run self-inspections, and make sure the program functions on the ground.

Authorized Holders — anyone who actually touches CUI, whether they work for the government or a contractor — carry personal responsibility for handling it correctly. Every person who receives, creates, or uses CUI is an authorized holder and must follow the rules.

How It Connects to NIST 800-171 and CMMC

Here’s where things get critical for contractors.

DoDI 5200.48 defines the DoD’s rules. NIST SP 800-171 defines the technical security controls that non-federal organizations — including defense contractors — must put in place to protect CUI on their systems.

NIST lists 110 specific security requirements. Multi-factor authentication. Encryption of data in transit and at rest. System access controls. Vulnerability scanning. Incident response planning. Each one exists to protect CUI from breaches, leaks, and unauthorized access.

The CMMC program — the Cybersecurity Maturity Model Certification — takes this further. Under CMMC 2.0, contractors who handle CUI must achieve Level 2 certification. That means a third-party assessor comes in and verifies the contractor actually meets NIST 800-171 requirements — not just claims on a piece of paper.

DoDI 5200.48 is the policy foundation. NIST 800-171 is the technical roadmap. CMMC is the verification mechanism. They work together as a system.

If a contractor loses a CUI data file because they didn’t have proper access controls, they’ve violated all three.

What Happens When Things Go Wrong

CUI violations are not taken lightly.

The instruction defines a CUI incident as any unauthorized access, use, disclosure, modification, or destruction of CUI, including mistakes that weren’t intentional. Over-marking something as CUI when it isn’t also counts as a violation.

When an incident happens, it must be reported through the appropriate channels immediately. The DoD takes the reporting requirement seriously.

For contractors, the consequences can include loss of contracts, suspension from future contracting, and potential legal liability depending on the severity.

For government employees, violations can lead to disciplinary action. In cases involving willful mishandling of information that causes national security harm, criminal penalties become possible.

The most common violations seen in practice: wrong or missing page markings, storing CUI on personal devices, emailing CUI through unencrypted channels, and failing to complete required training.

The Answer to the Exam Question

If you’re taking a DoD information security training exam right now, here’s the clean answer:

The DOD instruction that implements the DOD CUI Program is DoDI 5200.48, Controlled Unclassified Information.

The other answer choices that typically appear alongside it — DoDI 5200.01, DoDI 5200.39, and DoDI 5205.08 — cover different things entirely. DoDI 5200.01 handles classified information security and sensitive compartmented information. DoDI 5200.39 deals with critical program information in research and development. DoDI 5205.08 covers access to classified cryptographic information.

None of those is the CUI program instruction. Only DoDI 5200.48 is.

Final Words

DoDI 5200.48 is not just a bureaucratic document sitting in a filing cabinet somewhere.

It shapes how millions of people handle sensitive information every single day — from the soldier protecting personnel records to the defense engineer working on classified system blueprints to the IT administrator securing contractor networks.

The rules exist for a reason. Real information leaks cause real harm. Adversaries actively look for gaps. Every piece of sensitive information that slips through the wrong hands is a potential problem for national security, personal privacy, or mission integrity.

Understanding DoDI 5200.48 isn’t just about passing a training exam. It’s about knowing your responsibility — and taking it seriously.

FAQs

1. What DOD instruction implements the DOD CUI Program?

DoDI 5200.48, officially titled “Controlled Unclassified Information (CUI),” is the instruction that implements the DOD CUI Program. It was published on March 6, 2020, and establishes policy, assigns responsibilities, and sets procedures for all CUI handling within the Department of Defense.

2. What does CUI stand for?

CUI stands for Controlled Unclassified Information. It refers to information that isn’t classified but still requires protection or controlled distribution because a law, regulation, or government policy says it does.

3. When was DoDI 5200.48 published?

It was published and became effective on March 6, 2020. It was approved by the Under Secretary of Defense for Intelligence and Security.

4. What executive order created the CUI program?

Executive Order 13556, signed by President Obama in November 2010, established the government-wide CUI program. The order called for a single, consistent approach to handling sensitive unclassified information across all federal agencies.

5. Does DoDI 5200.48 apply to contractors?

Yes. The instruction applies to all DoD components, military services, defense agencies, defense field activities, and any contractors or third parties who handle DoD CUI. Contractors are also subject to DFARS 252.204-7012 and must meet NIST SP 800-171 security requirements.

6. What is the required marking for CUI documents?

All CUI documents must display the word “CUI” on the top and bottom of every page. They must also include a CUI Designation Indicator box in the bottom right of the cover page, showing who marked the document and why.

7. How must CUI be destroyed when no longer needed?

CUI must be destroyed so that it cannot be read, reconstructed, or recovered. Electronic media must follow NIST SP 800-88 Revision 1 standards. Paper documents can be destroyed through cross-cut shredding, burning, or other approved methods.

8. What is the difference between DoDI 5200.48 and DoDI 5200.01?

DoDI 5200.01 covers the DoD Information Security Program and the protection of Sensitive Compartmented Information — it deals with classified information. DoDI 5200.48 specifically governs Controlled Unclassified Information, which is not classified but still requires protection.

9. What is NIST SP 800-171 and how does it relate to DoDI 5200.48?

NIST SP 800-171 is a technical standard published by the National Institute of Standards and Technology. It lists 110 specific cybersecurity controls that non-federal organizations — including defense contractors — must implement to protect CUI on their systems. DoDI 5200.48 sets the policy; NIST 800-171 provides the technical requirements for protecting CUI electronically.

10. Is training required under DoDI 5200.48?

Yes. Annual CUI training is mandatory for all personnel who handle CUI. Training records must be maintained and made available during audits or assessments.

11. What is a CUI incident?

A CUI incident is any unauthorized access, use, disclosure, modification, or destruction of CUI — including unintentional errors. Incorrectly marking something as CUI when it isn’t also qualifies as a violation. Incidents must be reported through proper channels immediately.

12. What is CMMC and how does it relate to CUI?

CMMC stands for Cybersecurity Maturity Model Certification. Under CMMC 2.0, defense contractors who handle CUI must achieve Level 2 certification, verified by a third-party assessment organization. CMMC guarantees that the NIST 800-171 measures necessary to safeguard CUI are actually implemented by contractors.

13. Who oversees the DoD CUI program?

The Under Secretary of Defense for Intelligence and Security (USD I&S) oversees the DoD CUI program and the DoD Information Security Program. DoD Component Heads are responsible for implementing it within their organizations.

14. Can CUI be shared with foreign governments?

CUI can be shared internationally, but only when specific release and disclosure requirements are met. Section 3.9 of DoDI 5200.48 covers the rules for releasing CUI to foreign entities, other government agencies, and the public. All releases must comply with applicable laws and DoD policies.

15. What are the most common CUI violations?

The most frequently observed violations include missing or incorrect page markings, storing CUI on personal or unauthorized devices, sending CUI through unencrypted email, and failure to complete required annual training. These violations can trigger contract penalties, disciplinary action, or in severe cases, legal consequences.
