Special Programs – CUI, JCP, ITAR, Others
Understanding Special Requirements for Government Contracting: CUI, JCP, and ITAR
When working with government contracts, you’ll often need to manage certain types of sensitive information, such as the previously mentioned Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), Joint Certification Program (JCP) information, and information governed by the International Traffic in Arms Regulations (ITAR). Each of these “special programs” comes with specific requirements, particularly around how this information is shared and safeguarded. Additionally, when handling federal information, both companies and individuals must be aware of all regulations and requirements, not just the stated ones.
Here’s a quick look at what each program entails:
- Controlled Unclassified Information (CUI)
  This is unclassified yet sensitive information that requires protection. For contractors, CUI has cybersecurity requirements as laid out in DFARS 252.204-7012 and DoD Instruction 5200.48. Here’s what’s required:
  - Training: Initial and annual training with testing to confirm understanding.
  - Sharing Purpose: A clear, lawful governmental purpose must be established before sharing CUI.
  - Encryption: Determine if encryption is needed when sending CUI electronically.
  - Cybersecurity: Active, updated System Security Plan, SPRS entry and Plan of Action (POA) if required.
- Joint Certification Program (JCP)
  JCP relates to handling DoD technical information. Requirements include:
  - Recipient Registration: The recipient company of the data must be registered in the JCP, which requires an active CAGE code (you can get one by registering with SAM.gov).
  - Data Transfer: Information must be transferred securely between designated Data Custodians.
  - Encryption: Encryption is mandatory when sending data.
  - Appendix 5 Notice: Additional notice requirements apply to these transfers.
- International Traffic in Arms Regulations (ITAR)
  ITAR controls the export of items/services listed on the U.S. Munitions List (USML), with requirements such as:
  - Registration: Companies must be actively registered with the Directorate of Defense Trade Controls (DDTC). Holding, storing or using ITAR material if the registration has lapsed is a reportable violation.
  - Person Restrictions: Without a license or other official authorization, information should only be shared from one U.S. person to another.
  - Person Definition: The definition of Person applies both to businesses and to individuals.
  - Encryption: Encryption compliant with FIPS 140-2 is also required to protect data in transit.
Each of these programs has unique requirements, especially around training, registration, and encryption. Being aware of these will help ensure that your information-sharing practices meet federal standards and keep you compliant.