CMMC DoD CUI

How Must Derivative Works of CUI Be Handled?

Lawrence Cruciana Jun 11, 2025 9:19:19 AM

If your organization handles Controlled Unclassified Information (CUI) under DoD contracts, one of the most common questions is: how do you handle derivative works of CUI — such as drawings, subassemblies, specifications, and reports derived from CUI data?

Proper handling of derivative CUI is required for compliance with DFARS 252.204-7012, NIST SP 800-171, and the Cybersecurity Maturity Model Certification (CMMC) 2.0 Final Rule (32 CFR Part 170).

This FAQ explains what contractors must do to correctly mark, protect, and manage derivative works of CUI — with direct citations from official DoD source documents.

What is a derivative work of CUI?

A derivative work is any new document, file, model, drawing, subassembly, or data product created from or containing Controlled Unclassified Information (CUI). If the derivative material contains CUI content, it inherits the CUI designation.

What does the DoD require for marking derivative works?

The Department of Defense Instruction (DoDI) 5200.48, Controlled Unclassified Information (CUI), states:

“When creating derivative documents that include CUI, DoD personnel and contractors will ensure the new material is marked appropriately...” (DoDI 5200.48, §3.2.c.(2)).

How must derivative works be protected?

DoDI 5200.48 requires that CUI, including in derivative works, be safeguarded per NIST SP 800-171 when on non-federal systems:

“Safeguarding requirements for CUI resident on contractor networks are established in contractual vehicles and are based on the security requirements in NIST SP 800-171.” (DoDI 5200.48, §3.3).

The CMMC Final Rule reinforces this:

“Contractors handling CUI will be required to meet the CMMC requirement specified in the contract... Contractors must describe in a System Security Plan how the requirements are met or plan to be met.” (32 CFR Part 170, 89 FR 83093).

Can I remove the CUI marking from a derivative work?

No. Per DoDI 5200.48, CUI remains controlled until formally decontrolled:

“CUI is decontrolled only when authorized by a designated official or decontrol authority.” (DoDI 5200.48, §3.6).

Where can I find more information?

• DoDI 5200.48

• NIST SP 800-171

• CMMC Final Rule (32 CFR Part 170)

CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for business pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS controls as it pertains to CMMC and your overall cybersecurity posture.

CorpInfoTech is your trusted partner for secure, compliant growth in every changing digital landscape.

How Must Derivative Works of CUI Be Handled?

It's Time to Achieve CMMC Compliance and Strengthen Your Security

Get In Touch

How Must Derivative Works of CUI Be Handled?

What is a derivative work of CUI?

What does the DoD require for marking derivative works?

How must derivative works be protected?

Can I remove the CUI marking from a derivative work?

Similar Blog Posts

Planning Your Path to CMMC Compliance

Why You Should Enlist an MSP for CMMC Compliance

What are Microsoft High GCC and O365 GCC?

It's Time to Achieve CMMC Compliance and Strengthen Your Security

Get In Touch