Covered Defense Information
Also known as: CDI
Covered Defense Information (CDI) is the subset of CUI that DoD specifically requires contractors to protect under DFARS 252.204-7012. It includes unclassified controlled technical information and other information that requires safeguarding when in support of a DoD contract.
Related terms
- Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections — and at the contractual level, CMMC Level 2.
- DFARS 252.204-7012
DFARS 252.204-7012 is the DoD acquisition clause that requires contractors handling Covered Defense Information (CDI) to implement NIST SP 800-171 and report cyber incidents within 72 hours. It is the contractual hook that has made NIST 800-171 mandatory across the defense industrial base since 2017.
- Controlled Technical Information
Controlled Technical Information (CTI) is technical data or computer software with military or space application that has been marked with one of the DoD distribution statements (B through F). It is a specific category of CUI and a specific category of Covered Defense Information under DFARS 252.204-7012.