If your organization handles Controlled Unclassified Information (CUI) under DoD contracts, one of the most common questions is: how do you handle derivative works of CUI — such as drawings, subassemblies, specifications, and reports derived from CUI data?
Proper handling of derivative CUI is required for compliance with DFARS 252.204-7012, NIST SP 800-171, and the Cybersecurity Maturity Model Certification (CMMC) 2.0 Final Rule (32 CFR Part 170).
This FAQ explains what contractors must do to correctly mark, protect, and manage derivative works of CUI — with direct citations from official DoD source documents.
What is a derivative work of CUI?
A derivative work is any new document, file, model, drawing, subassembly, or data product created from or containing Controlled Unclassified Information (CUI). If the derivative material contains CUI content, it inherits the CUI designation.
What does the DoD require for marking derivative works?
The Department of Defense Instruction (DoDI) 5200.48, Controlled Unclassified Information (CUI), states:
“When creating derivative documents that include CUI, DoD personnel and contractors will ensure the new material is marked appropriately...” (DoDI 5200.48, §3.2.c.(2)).
How must derivative works be protected?
DoDI 5200.48 requires that CUI, including in derivative works, be safeguarded per NIST SP 800-171 when on non-federal systems:
“Safeguarding requirements for CUI resident on contractor networks are established in contractual vehicles and are based on the security requirements in NIST SP 800-171.” (DoDI 5200.48, §3.3).
The CMMC Final Rule reinforces this:
“Contractors handling CUI will be required to meet the CMMC requirement specified in the contract... Contractors must describe in a System Security Plan how the requirements are met or plan to be met.” (32 CFR Part 170, 89 FR 83093).
Can I remove the CUI marking from a derivative work?
No. Per DoDI 5200.48, CUI remains controlled until formally decontrolled:
“CUI is decontrolled only when authorized by a designated official or decontrol authority.” (DoDI 5200.48, §3.6).
Where can I find more information?
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS Controls as they pertain to CMMC and your overall cybersecurity posture.
CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.