Covered Defense Information (CDI) is the Department of Defense’s umbrella term for unclassified information that still requires protection when handled by defense contractors. The formal definition comes from DFARS 252.204-7012, which says CDI includes “unclassified controlled technical information or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls” and is either provided by DoD in the contract or generated/handled during contract performance. In other words, CDI is not a single “label,” but a collection of controlled unclassified information types that fall under DoD contract safeguarding rules.
The first major type of CDI is Controlled Technical Information (CTI)—often the most common CDI category for engineering teams. CTI is defined as technical information with military or space application that is subject to controls on access, use, reproduction, modification, or dissemination. Practically, CTI includes things like design drawings, specifications, test data, technical manuals, engineering models, and certain software or source code that reveal defense-relevant technical details. CTI is also tied closely to DoD distribution statements and marking practices, which help determine who can receive the information and under what conditions.
The second major CDI bucket is “other information described in the CUI Registry”—meaning CDI extends beyond technical engineering data. Under federal and DoD policy, Controlled Unclassified Information (CUI) includes categories like privacy data, procurement-sensitive information, law enforcement data, critical infrastructure information, and security-related information, so long as those categories are designated as controlled and require dissemination safeguards. What makes this “CDI” (instead of just “CUI” in the abstract) is that the information is connected to contract performance—either DoD provides it to you under the contract, or you generate it while performing the work. The key operational takeaway is that CDI can include both DoD-marked CUI and contractor-developed CUI created during performance.
A third type of CDI you’ll often encounter in practice is export-controlled technical data, which frequently overlaps with CTI but is important enough to treat as its own safeguarding “mode.” Export-controlled information includes technical data regulated under export-control rules and is commonly marked in connection with CTI and other CUI categories. DoD guidance for marking and distributing technical information also explicitly calls out export-control markings and handling considerations. From a compliance standpoint, the presence of CDI on contractor systems generally triggers DFARS “adequate security” obligations, which DFARS ties to implementing security controls like those in NIST SP 800-171 for protecting CUI/CDI in non-federal systems.
While CDI is centered on information that is specifically controlled (CTI or CUI requiring safeguarding or dissemination limits), contractors will also encounter Federal Contract Information (FCI), a related but broader category used in federal contracting and CMMC scoping. FCI generally refers to information provided by or generated for the Government under a contract that is not intended for public release, such as routine project communications, schedules, and contract administrative details. Importantly, FCI does not automatically qualify as CDI, because it is not necessarily covered by the CUI Registry or subject to special dissemination controls. However, FCI can become CDI if it also contains CTI or CUI (for example, controlled technical details, sensitive procurement information, or privacy data) tied to contract performance. In practice, the safest approach is to treat FCI as contract-sensitive and protect it appropriately—but recognize that CDI is the subset that triggers DFARS 252.204-7012 safeguarding requirements and NIST SP 800-171 control expectations.
Understanding data classification drives security architecture decisions. If you’re required to adhere to CMMC 2.0, you must implement data discovery processes to identify and classify information assets, establish appropriate handling procedures, and deploy security controls proportional to data sensitivity. For defense contractors, mastering these data classifications isn’t just about compliance—it’s about building sustainable security practices that protect both your organization and national security interests.