48% vs 9%? The DoD's CUI Numbers Don't Add Up

A

All right, folks, it is February of 2026 and oh, SpaghettiOs, the undersecretary for Intelligence and Security is in trouble again for their terrible oversight of the DoD's controlled unclassified information program. Back in 2023, the DoD inspector general released an absolutely blistering report that showed that nearly 50, 50% of CUI documents weren't even marked at all. So then why does the DoD CUI website have a chart that says that only 9% of CUI documents were unmarked in 2023? Huh? Riddle me that. The math ain't mathing and that's how you get the Inspector General all up in your business. Maybe this time around the IG report will change things and CUI marking will improve. That's what we're going to talk about today. Jason, contrary to popular belief, and I know this is hard for a lot of people to believe, controlled unclassified information in the Department of Defense isn't over marked. It is systemically under marked. They don't mark controlled and classified information when they should. And that's very surprising to a lot of people because most people think that they are overmark that data. We did a whole podcast back in 2023 covering that entire IG report that came out. Definitely go back and watch it. I know I had to. I struggled to get through that podcast and maintain my professionalism based off of the findings. It's really bad. And now here we are again and apparently things have not improved at all.

B

If your supply chains having problems with with their CMMC implementation, I feel bad for you, son. The dibs got 99 problems and their customer appropriately marking CUI is causing more than one. Right? The inability to properly mark cui. The ability to contain CUI is the key to this entire thing, Right? The key to controlling cost, the key to controlling flow downs, the key to making sure the data is protected.

A

Yep.

B

And the source of it is the person that you're serving that wants the data protected. This is a good one, guys.

A

Yeah, yeah, definitely, definitely. So this isn't necessarily good news for everybody, but it is clarifying information. So, you know, maybe add a little bit of something something to your cup of coffee for this episode. Anyways, let's get to the key takeaways up for front three things to know. The recommendations address the problem of overly restricting CUI when it is marked, but not the bigger problem in my opinion, of actually under marking the data. So this will help like Congress for, you know, data that is purposely perhaps being restricted so that it won't be shared rather than the problem that industry has where the data isn't marked at all when it should be. So I don't necessarily think that the IG addresses the biggest problem for industry, even though they are very focused on one of the two problems that they uncovered in their analysis here. The second one, and this is very, very important, the CMMC program and the CUI program are different programs run by different offices. They are closely related, but they are owned by different offices and they have no ability to correct each other's problems. So a lot of people blame CUI on cmmc and that's not how it works inside the Pentagon. We'll clarify that in a little bit. But very important to remember, you got to know which office to yell at if we want this to actually improve. Brings me to my last takeaway. This is the most attention that the CUI marking problem has had in years since that last IG report. I'm not sure how much that this management advisory is going to actually fix the problem unless people bring it up. So we're going to go through, talk about what it says, who's responsible for what, who didn't do what they were supposed to do back in 2023. Maybe we can stop yelling at the CMMC program office, go yell at the correct office and maybe that'll move things along.

B

So you said one thing that really registered there was that now all of a sudden it's being brought up right? Like now there were rumblings before, but I can say in my travels, what I'm hearing now is it's more so a problem because now people are trying to figure out what's going on with my supply chain. These people in my supply chain have to have cmmc. They're getting this stuff that says that it's cui. It's cui, but it's not appropriately marked. It just says CUI and like bold, you know, aerial text at the top of the, the email. And now what that does, unfortunately, those three letters hold a lot of weight and they hold a big price tag. Right. And so like that's an issue with supply chain, supply chain readiness and getting ready for everything that CMMC has to roll out.

A

Yeah, absolutely. All right, so let's get into the details here. First things first, the CMMC program and the CUI program are different things. Very, very important that people understand this. Back in 2010, Executive Order 13556 directed the creation of the federal Controlled Unclassified Information Program. Six years later, long story, the federal CUI regulation was Codified via rulemaking. Our favorite thing at 32 CFR section 2002. Part of what that did was direct agencies to establish their own CUI programs internally in accordance with the regulation. In March of 2020, a decade after the executive order, DoD Instruction 5248 established the DoD's CUI program. And it did two big things, among others. First, it assigned the Undersecretary of Defense for Intelligence and Security, which we'll call INS, as the senior DoD official responsible for implementation of of CUI policy. They are the ones in charge of the DoD CUI program. The other thing that the instruction did was it outlined all of the requirements for designating cui, marking it, handling it, decontrolling it in accordance with the Executive Order and the overall 32 CFR 2002 CUI regulation. So the Undersecretary for Acquisition and Sustainment is responsible for all of your DFARs, Cybersecurity Clauses, 7012-7008-7025-7021 done episodes on all of these. They're responsible for a lot of other things, but as far as we're concerned, that's what ANS is responsible for. The DoD CIO is responsible for the CMMC program, which verifies if you have complied with those clauses outside of those two things, a completely different office ins, the Undersecretary for Intelligence and Security is responsible for the CUI program. So how the program is run, whether DoD components and your upstream customers are correctly marking, correctly designating, correctly handling all those things, is a responsibility of a completely different office of people than ans, than the people in charge of cmmc. So even though the CUI is what triggers your responsibility in accordance with your contract clauses, which may trigger the need for verification that you've complied with those contract clauses, the precursor to all of that belongs to a completely different set of people. They don't get out much. They don't go do webinars, they don't go do conferences, they don't go on the AB Town Hall. They have nothing to do with CMMC or DFARS7012. The programs are different. So when we yell about CUI problems, of which there are many that need to be yelled about, yelling at the CMMC office doesn't necessarily get us where we want to go.

B

So I understand this correctly. Three verticals here, right? One responsible for all things cui, all things to do, whether it's marked appropriately, xyz. The other vertical, responsible for making sure that when that Data is placed in the contracts that it is appropriately labeled so that the third vertical that verifies the people that perform on the contracts that create or protect the cui. Right. Like, am I understanding this right?

A

Yeah, you got it. Yeah.

B

Obviously they all should be talking to each other, right? And all of this should be working.

A

They all share a break room, they all park in the same parking lot. You would think they would all talk to each other.

B

Do you think that the common coffee talk is like, hey, this is how we're doing. These are some of the common issues that we're seeing. Hey, we're getting a lot of emails saying that. They're just getting emails from people that say, this is cui. And bold aerial text at the top of the email, real email. That's why I keep calling it back. That's called a callback. Right, so here we go. I don't understand how there are these disconnects if they share the same break room.

A

Apparently. Apparently the DoD inspector general doesn't understand how that's possible either. So let's get into how this management advisory even came about. Right? This isn't a new audit of DoD's oversight of the CMMC program like it was in 2023. This isn't even a follow up to that report. They weren't even looking at the CUI program or the marking issue. They were doing something completely different. So this is a management advisory, Right? This is not an audit report. Management advisories are designed of the DoD IG's own volition to inform officials of, quote, urgent issues or risks identified during an ongoing review that allow for immediate corrective action. So we were looking at something different. We found a problem and we're making you aware of it right now before anybody asks us to go do a full blown audit which could take like a year to complete. So the DoD IG says this management advisory identifies concerns related to DoD components marking of controlled unclassified information. We identified these concerns during the evaluation of DoD policy and oversight reports related to using non DoD controlled electronic messaging systems to conduct official business in December of 2025. The translation, while we were looking into that little signal gate problem that you guys might remember, the CUI mismarking issue was so bad we couldn't ignore it, and now we're giving you a memo to correct it.

B

Wait, so we saw the drip in the water and then we tried to investigate where the drip was coming from, and we realized that there was a whole reservoir that was leaking.

A

Absolutely, absolutely. Yeah. So they.

B

And so for reference. The DoD IG is another vertical. Definitely doesn't share the same break room or this would have been uncovered sooner maybe.

A

But yeah, they were just going about their business, doing an audit like they were directed to by Congress of a completely different issue. And they were like, man, this CUI issue should be fixed. What the heck is going on here? So let's look at their findings from this management advisory. Right, so they say DoD organizations frequently did not correctly mark CUI documents with the required designation indicator block. And when they did, the organizations may have unintentionally restricted dissemination by defaulting to the limited dissemination controls of federal employees or contractors only, or federal employees only, rather than using no limited dissemination control at all. So the IG looked at the mismarking stats on the DoD IG website or on the DoD's. On the INS website. Excuse me. Right. So they are like looking through all these documents during their audit and they're like, man, a lot of this stuff should be marked and a lot of the stuff that is marked shouldn't be restricted with these dissemination controls. So they went to the INS website who publishes statistics by year of mismarking errors. Like they actually keep track of this. And the IG says, although these statistics suggest that DoD personnel and organizations have minor deficiencies in either understanding how to properly mark or in marking CUI documents, the sample from the DoD IG indicates that the issue is more pervasive. So remember, the IG did an analysis of the CUI program in 2023. The INS website says that in 2023 only 9% of DOD documents were unmarked. That's really weird to the IG because in 2023 their report showed that 48% of DOD documents were unmarked. So what's going on here, INS?

B

So INS comes out on a website out in public and says, hey, this is the progress we're doing. Here are the metrics to show these measures that we put digits.

A

Mismarking, baby.

B

You always evaluate success. Right. Of programs by metrics. How metrics? Performance. Right here, the single digit, we're doing good, we're almost eliminating it. And then the people come in and they really start digging and they're like, not so fast. These numbers are as cute, right? From what you're reporting.

A

Yeah, I mean the, the IG basically is looking at something completely unrelated.

B

And you publicly self attested that this is what your percentage is. And then we came in and investigated just a little bit more, found out that the numbers were slightly off. The irony, I haven't seen this before.

A

Right the irony, right? Yeah. So the DoD IG is looking at something unrelated. They go, man, this data not marked correctly. They go, let's look at what they're tracking on in 2023. INS says they were 9% of documents were, were unmarked. That's a problem because that's not what the IG found in 2023. They found 50% of the documents were unmarked in 2023. And that got the IG curious about how this problem has been handled since their last report.

B

So, you know, obviously we want also UI to be marked appropriately. Right. But you can see the root cause of these direct ones where they are certainly like more restricted in the markings that the markings are. They're under marked.

A

Right.

B

Like so. So the release isn't going out to the public because essentially the person that's marking them, like, I, I don't even know if this is exactly where it needs to go, but if I just limit it to federal people only, I can probably justify that better than if I just eat this out into the universe.

A

Right.

B

Everybody can see it.

A

Yeah. So let's talk about this 2023 report. Because they're like, well, your stats aren't right based off of what we found in the report. So let's revisit our recommendations to the undersecretary in 2023 and see if they follow it up. Maybe it's just a data entry error on the website. So they say, as a reminder, in 2023, the IG concluded an audit that showed that DoD component personnel did not consistently apply required markings to documents containing cui. They did not find that they were overmarking the data. They found that they were systemically under marking the data. Remember they said that 48% of the documents did not have any marking whatsoever. That audit made eight recommendations to the Undersecretary of Defense for Intelligence and Security. And as of this management advisory, seven of them are still open. They didn't do anything. As a quick reminder, you can watch the podcast, but the IG told INS, Develop and implement a DoD wide solution for automatically marking the data that was unresolved. Revise DoD instruction 5248 to track and enforce CUI training. Apparently not resolved. Remind the DoD component heads that training is available for their workforce. Apparently that's not resolved. Require DoD components to actually sample CUI documents, test whether they're marked correctly, and report discrepancies accurately. You know, for that whole website that you're tracking mismark statistics on, apparently that's not resolved. They told them to do that three years ago. They want them to coordinate with the National Archives and Records Administration. They're the ones in charge of the entire federal CUI program, and clarify what's going on with these limited dissemination controls so they aren't being misused. Apparently that's not resolved because it's exactly the issue that got the IG's attention in an unrelated audit. They want them to revise duty guidance to reflect any changes made to the usage of those limited. Limited dissemination controls. Guess that's not done. They wanted them to develop and implement a process to identify systemic discrepancies with the implementation of the CUI program and give guidance for how to fix it. Apparently we didn't do that. And they wanted to require DoD components to identify discrepancies within their CUI programs and develop corrections for fixing it. And apparently that wasn't done either. So all of that stuff that we found in that 2023 IG report, apparently INS just didn't do any of it.

B

Wait, wait, wait, wait, wait, wait, wait. You say they didn't do any of it, but a status of resolved but still open. You have to break down what that means to me. Right? Like, like, sure.

A

So when the IG says that something is resolved but open, it means that the office that they gave the recommendation to said, here's our plan for fixing it, but they haven't provided evidence that it was fixed. So something is resolved if they say, here's what we did to fix it and here's the proof. If they say, here's what we're going to do to fix it, do you agree that that's the right method? They go, sure, but you have improved.

B

Yet they've presented the plan to. To the ig, but they haven't enacted the plan. Right?

A

Yeah. So as of 2023, they had a plan for fixing all this stuff, but they never provided the evidence that it was done by the time the audit report was released. And now that the DoD IG is following up three years later, they go, oh, I guess they never actually fixed any of the stuff they said they were going to fix.

B

Yeah. Develop and implement a DoD wide solution for automatically populating documents and emails with required marking. Unresolved.

A

Yeah.

B

Surprise of the year.

A

So that's what they said. That's what they said in 2023. And they go, okay, well, your stats are wrong and apparently you didn't do any of the things that we told you to do three years ago. So let's look under the covers a little bit more and see how bad this problem actually is. So as far as additional evidence goes, the IG says in addition, we compiled CUI documents that stakeholders provided during four previous DoD evaluations to assess which CUI documents were missing the required designation block indicator and for those that are correctly marked, which limited dissemination control was used. As a quick reminder, limited dissemination controls would be things like, I have marked cui. There's no inherent restrictions on who can see it. If you're an authorized user with a lawful purpose, you can see the data unless it's marked as federal only or no foreign or things like that. These are additional restrictions on controlled data that would limit their dissemination. Anyways, the IG goes on to say, Based on our review of four other completely different audits not related to CUI, we found that DoD organizations may unnecessarily restrict the dissemination of CUI documents. According to the IG, of the 40 different types of CUI documents that they analyzed, 70% had no designation indicator, block, or were marked with the legacy indicator for official use only. Guys, it's been 16 years since executive order 13556 and since we got rid of fouo, 70% of the documents aren't marked at all. But then they go on to say of the 30% that were marked correctly, every document included a limited, a limited dissemination restriction, every one of them. And 66% of the time that limited dissemination control was Fedcon or Fed only. So they don't mark the data 70% of the time. And then when they do mark the data, they overly restrict it.

B

Technically, they do mark the data 70% of the time. And it would have been appropriately 2010, right? Like, so if this was 2009-20, you know, if we were still singing the Thong Song from Cisco, like, that's kind of. This would be appropriately marked, right? But you can't teach an old dog new tricks. Maybe that's some just for habit, right? Just the copy paste.

A

That wasn't even, that wasn't even a problem. They identified 2023. People are just reverting back to fouo.

B

The crazy part is this isn't just a single study. Now you have four sample sizes, right? So you have four previous audits and you got the sample sizes, and you're looking.

A

Well, technically you have five because you got, you got the audit that triggered this. And then they looked at four additional ones in 2023, and that's still not done. So they're like, none of this has been fixed. Like, none of this has been fixed whatsoever. Right. And there's plenty of evidence based off of just, just the IG's, like initial pass through this stuff. Right? So then they go into why this happened, like why did this actually happen? They give four reasons. They say, we found that the use of restrictive limited dissemination controls may have occurred in part because INS and its supporting organizations provided conflicting and insufficient guidance and training regarding the selection of an appropriate ldc, which may not have happened if you did what they told you to do back in 2023. Second, INS also provided conflicting and insufficient CUI training and guidance regarding the appropriateness of using no limited dissemination control whatsoever, which also would have been fixed if you did what they told you to do back in 2023. Third, INS CUI training aids on the program website and duty mandatory CUI training courses are unclear about whether the limited dissemination control line in the marking block can be left blank at all. Something that would have gotten fixed, you guessed it, if you did what you were supposed to do three years ago. And lastly, conflicting and insufficient guidance and training on the implications of limited dissemination control choice and a lack of emphasis on using these LDCs by exemption may cause DoD components to unintentionally restrict documents with FedCon or Fed only as the default marking. Which would explain why when data is marked, they seem to default to this limited dissemination, this overly restrictive additional marking on top of it. Because the training is bad, the information guides on the website that the people inside the DoD are using are conflicting or, or incorrect. Exactly what they told you in 2023 to fix.

B

It doesn't even feel like that. You have to move mountains in order to implement a lot of these things in which they had to implement. And the worst part about it is, is when you look at the eight recommendations that were made as a part of the audit report back then, the two that remain unresolved have no direct correlation. That's obviously the automatic labeling and stuff would remediate this. But all the rest of them just indicate that they kind of tie to this and it indicates that they submitted a plan, just did not follow through with the plan.

A

And then what ends up happening is, regardless of your position on signal gate, what ends up happening is there's too much gray area to know did somebody actually do something wrong? Did they do something on accident? Did they do something on purpose? You can't tell because INS didn't do what they were supposed to do. So nobody's got the right training, nobody's got the right tools, nobody's got the right flowchart for figuring out what's going on. And then when something bad happens or something bad is narrowly missed, like sensitive information getting leaked onto freaking signal, right? Everybody goes, whose fault is this? It's nobody's fault because INS didn't do their job well.

B

It's just the compounding issues, right? Like one issue spurns another issue, it spurns another issue and it's just the result of just again, systemic problem.

A

To say nothing of the fact that when the 70% of data is unmarked and then flows out to industry and everybody goes, is this CUI or not? Turn around and they go, we don't know. We guess it's CUI because of this same issue. So like I said at the top, a lot of these issues for why this is happening focus on the use of overly restricted designations when the data is marked. But it doesn't, it doesn't really talk about why the data is unmarked 70% of the time, which I feel like is an oversight here in the, in the, in the IG report.

B

70 is an insane number.

A

It's a crazy number. And I totally.

B

That's not, that's a margin of error number. That's not like a plus 3 or 4% for like the old school. That's 70%.

A

Yeah. All right, so let's get to their recommendations. They make five recommendations, two of them are closed, three of them, your favorite, are resolved but remain open. Right? So the good news is is that the INS office agrees with all of the recommendations. They don't fight the findings, they don't disagree. They're like, yep, you're right. And here's our plan for meeting your recommendations to fix the problem. That's good news. So first, the IG says you need to correct the frequently asked questions training aid on the DoD CUI program website. Apparently they have done that. Good job.

B

Okay.

A

Second, they say you got a bunch of updates to guidance and training documents to clarify the implications of using limited dissemination controls like fedcon or Fed Only. And what that means when you mark it that way, can it be shared outside of the executive branch? Can you just not have one of those at all? When you mark cui, what's the default when you do mark cui, there's a bunch of training and stuff that we got to fix here so that people aren't unwittingly or purposely abusing these dissemination controls, right? So they say you need to Update duty instruction 5248. You need to update the process of pre publication review. You need to update the mandatory dud CUI training course. All of those things have a plan for being fixed so they're considered resolved, but they haven't actually been fixed yet, so they're still open. That's exactly what we did back in 2023. We had a plan for all eight things that INS was supposed to do, and they never did it. So I'm not very confident that they're actually going to do those changes, which might not fix the problem.

B

What. What is required for 5248 to get updated? Is that like an entire.

A

That's. That's a.

B

Or is it just like an update and it goes through a desk and then somebody signs it in? Or is it like.

A

Sure, it has to go through, like, 12 different desks?

B

Because now, because there's so many, like, 7 degrees of bacon where 5248 impacts it now you have to see where that's impacted and see what that is. And then if that's a change to

A

that, then you would think that since you're the underserved. Yeah. You're the undersecretary that holds the conch shell in charge of the CUI program, you can update the instruction and be like, hey, listen up, everybody. The rules have changed. Here's the clarification. Make sure you know what's going on or else. And that would be it. There is no reason to prevent them because they own the instruction. They own.

B

Yeah. The updating to the mandatory CUI training is going to be highly dependent on 5248 getting updated. Right. So, like, that has to happen first. So that's like another, like, in line with that happening. So what the reason I was saying is, is that you can't concurrently work on all these, obviously, because the foundation of it is 5248 and has to go there. Yeah, I'm. I'm on your side.

A

Apparently they got a plan. Apparently they got a plan, but they also had a plan three years ago and they didn't do anything. So the last recommendation that they made was they said that other applicable INS training aids on the CUI website should also be updated. Apparently, any of the training aids on the website have been updated accordingly. So those are closed. Any of the actual meaningful changes to the DoD instruction or the training that everybody has to go through when they're doing these markings, maybe that'll happen. They got a nice sounding plan, but, you know, we've heard that one before. All right, let's get to some closing thoughts here. The recommendations from the IG address a Real problem. Right. This is a systemic problem. It's been a systemic problem. It's the exact same problem that they found in their 2023 report. If, if anything, it might be worse now than it was in 2023. Especially because it's the same problem and it didn't get fixed at all. It's not great. Right. So they are addressing a real problem. But their recommendations, although they are good in my opinion, only address the issue of limited dissemination control. Once the data is marked, they don't say anything in the recommendations about the 70% of the information that wasn't marked at all. What are we doing about that?

B

It's just showing up randomly. I think that that's what we're going to uncover especially and understand again, different verticals. But as CMMC requirements start rolling out and people start flowing those requirements down, it's going to be a pop up. It's like, you know, you fill the water in the pool, pool's got a bunch of holes and then all of a sudden you just start seeing it spring out that that's what's going to happen. It's the conversations that I have on a daily basis.

A

Yeah. So just anybody out there, if you are thinking about cmmc, hesitating on CMMC because you're expecting there to be a lot of clarity around whether you have CUI or not, do not expect that clarity to show up anytime soon. A lot of the reason why the primes default to saying everybody is going to have to get Level two because we don't know if you're going to have CUI or not is because when they turn around and talk to their DoD customers, their DoD customers don't know because of issues like this. Because the training from INS and the oversight from INS is basically non existent. So they don't have an authoritative place to go and say is it or is it not? So there's a lot of reasons why the primes would require everybody to be level two, but this is a big reason way, way upstream as a precursor to why people will be asked for CMMC level 2. Even though the primes can't necessarily tell you exactly why, it's because of issues like this. Ultimately I don't think this is going to fix the problem. I don't think this management advisory is going to fix the problem. Yelling at the CMMC PMO for issues that are clearly years long, the responsibility of the INS office also will not fix the problem. So what do you guys think out there? Do you think that this management advisory is going to be the straw that breaks the camel's back. Ins is going to wake up and smell the coffee. Congress is going to finally get the attention and be like, why the heck is this taking so long to fix? NARA is going to wake up and be like, what the heck is going on inside of the Dodge? Do you think this is going to fix it? Do you think it's going to stay the same? Do you think it's going to get worse? Are we going to revisit this episode in three years when something else bad happens and we find out that these recommendations were left open? I don't know. What do you think, Jason?

B

I. I'm hoping that what happens is. Unfortunately what I think is, is next year we're going to have a conversation like this where some of these things are still resolved but open, but progress is made. And maybe it's not made into a level that allows for that recommendation to be closed. Right. Maybe instead of 70% leaking out, we're down to 22%. But the acceptable threshold is like 5 or 6%. Whatever the acceptable margin for error it is. I think this is a 100% accurate. It's nice now to have like a report that backs up some of the things that I actually see in the field. Yeah.

A

In geometry, it takes two points on a graph to draw a line. Now we've got the second point in this issue and that line is not trending in the right direction, everybody. So we'll revisit this as soon as there's a follow up on it. And yeah, hopefully one day it gets fixed, but it ain't happening anytime soon. And on that happy note, like, and subscribe and we'll see you next week.

B

See you next week.