Most defense contractors who handle Controlled Technical Information know it only as "the drawings" or "the TDP." They receive a technical data package from a prime or a DoD program office, move it into their CAD system or shared drive, and get to work. The compliance question never comes up until a CMMC assessment puts it directly on the table.
CTI is not a special subcategory that applies to a narrow slice of the defense supply chain. It is the baseline data type for most DoD contracts involving any form of engineering, manufacturing, testing, or technical support. If your work produces or consumes technical information with military or space application, CTI applies to you. And because CTI is a category of Controlled Unclassified Information, it triggers the full 110-requirement obligation under NIST SP 800-171 and CMMC Level 2.
What Is Controlled Technical Information
The authoritative definition comes directly from DFARS 252.204-7012: CTI is "technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination." The definition explicitly excludes information that is lawfully publicly available without restrictions.
"Technical information" under DFARS means technical data or computer software as defined in DFARS 252.227-7013 (Rights in Technical Data). That clause covers a wide range of materials: research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog item identifications, data sets, studies, analyses, and related information.
In practice, CTI encompasses the full range of documented technical knowledge that flows through the defense supply chain to enable design, manufacturing, testing, sustainment, and modification of defense systems. That is a broad category. The narrower question is which CTI is subject to distribution controls and therefore becomes CUI.
CTI vs. Other CUI Categories
CUI contains over 100 designated categories across areas like privacy, export control, procurement, and intelligence. CTI is specifically the Defense category for technical information with military or space application. It does not overlap with export-controlled CUI (ITAR and EAR data carry their own separate CUI categories), though a single document may carry more than one CUI designation if multiple categories apply.
The most important distinction is between CTI and ordinary technical information. Not all technical information is CTI. A commercial product specification with no military application is not CTI. A drawing for a widget sold to commercial and government customers alike may not be CTI if the government has released it publicly. The military or space application and the presence of distribution controls are both required for CTI status.
Distribution Statements: The Mechanism That Makes CTI into CUI
The link between CTI and the CUI framework runs through DoD Instruction 5230.24, which governs how DoD personnel assign distribution statements to technical documents. Under DoDI 5230.24, technical information marked with Distribution Statements B through F is, by definition, CTI and therefore CUI.
Distribution Statement A means approved for public release. Information marked Statement A is not controlled and is not CTI. Statements B through F restrict access to progressively narrower audiences, and any document carrying one of those statements is subject to the full NIST SP 800-171 safeguarding obligation.
| Statement | Authorized Audience | Common Reason |
|---|---|---|
| B | U.S. Government agencies only | Foreign government information; potential export control concern |
| C | U.S. Government agencies and their contractors | Administrative or operational use; limited commercial value |
| D | DoD and U.S. DoD contractors only | Direct military application; controlled by DoD program office |
| E | DoD components only | Proprietary business information; highest restriction short of F |
| F | Only as directed by the controlling DoD office | Requires specific authorization for each release; most restrictive |
Because these distribution statements are themselves dissemination controls established under federal regulation, any technical document bearing a B-through-F statement qualifies as CUI under 32 CFR Part 2002, which defines CUI as information subject to controls established by law, regulation, or government-wide policy. The distribution statement is the control. The control makes the information CUI.
This is not a theoretical interpretation. The DoD has confirmed it directly in its FAQ on DFARS Subpart 204.73: all CTI marked with B-through-F distribution statements is CUI and must be treated as such, including carrying both CUI and distribution statement markings on the document.
Where CTI Hides in Contractor Environments
One of the most significant scoping challenges in a CMMC assessment is locating all the places CTI actually lives in the organization's environment. Contractors typically know where their formal project files are stored. What they underestimate is how far CTI spreads beyond those locations during normal business operations.
Common CTI locations that get missed
Technical data packages arrive as email attachments and are often saved locally or forwarded internally before anyone applies consistent handling practices. Engineers download drawings to personal workstations for offline access. Project managers create summary documents that incorporate controlled specifications. Test data generated by the contractor itself may constitute CTI if it relates to a controlled DoD system and was developed under contract.
Backup systems replicate whatever is on the primary systems, including CTI. Cloud sync tools, if in use, may copy controlled documents to environments that do not meet the FedRAMP Moderate requirement. USB drives used to transfer data between engineering systems carry CTI outside any controlled perimeter. Legacy project archives from completed contracts still contain CTI and remain subject to handling requirements until the information is formally decontrolled or destroyed.
| Location | Why It Matters |
|---|---|
| Engineer workstations | Primary working copies. Often the first place CTI lands after receipt. Must be within the assessed boundary. |
| Shared drives and file servers | Central storage. Scope is clear, but access controls must reflect the actual CUI access requirement and be documented. |
| Email systems | CTI frequently arrives via email. The email system is in scope. Standard commercial email (Gmail, M365 Business) does not meet FedRAMP Moderate. |
| CAD and PLM systems | Drawing management tools and product lifecycle systems often hold the largest volume of CTI in a manufacturing environment. In-scope by default. |
| Backup and recovery systems | Any backup that captures CTI-bearing systems is in scope. Offsite backup services must meet the same safeguarding requirements as primary storage. |
| Portable media | USB drives, external hard drives, and optical media used to transfer CTI must be tracked, encrypted, and sanitized or destroyed when no longer needed. |
| Completed contract archives | CTI from past contracts remains CUI until formally decontrolled. If you retain it, you must protect it. |
Thorough CTI discovery is a prerequisite for accurate SSP system boundary documentation. Assessors will ask to see your asset inventory and will probe whether every location where CTI resides is reflected in the boundary. Finding CTI locations during an assessment that were not in the SSP is a significant finding.
Marking CTI: What Contractors Are and Are Not Responsible For
The DoD's CUI program places the initial marking responsibility on the government originator, not the contractor. The requiring activity, meaning the DoD program office or agency component responsible for the contract, is responsible for identifying CTI and marking documents with both the appropriate distribution statement and the CUI designation indicator before providing them to contractors.
This creates a practical problem: contractors regularly receive documents that contain CTI but arrive without proper markings. The absence of a CUI or distribution statement marking does not eliminate the protection obligation. Under DoDI 5200.48, if a contractor receives unlabeled information that reasonably qualifies as CTI based on its content, the contractor should protect it as CTI and notify the originating DoD party of the unmarked CUI so they can apply the correct markings.
One important constraint applies: contractors should not independently apply CUI markings to documents they did not originate. Applying the CUI//SP-CTI banner to a document requires the DoD's designation indicator, which only the originating DoD authority can provide. The right approach is to treat the information as CTI, protect it accordingly, and request proper marking guidance from the contracting officer or program office.
Contractors who generate technical information under contract may create CTI in the course of performance. Drawings, test reports, analyses, and technical manuals developed specifically for a DoD program using program funding may qualify as CTI if they carry military or space application and the contract specifies distribution restrictions. The Statement of Work will typically address this. The DD Form 254 (Contract Security Classification Specification) is another location where CTI handling requirements for contractor-generated data appear.
CTI and Your CMMC Level 2 Obligation
CTI is a CUI Specified category, meaning specific handling requirements apply that go beyond the generic CUI Basic baseline. For defense contractors, the governing authority is DFARS 252.204-7012, which requires implementation of all 110 NIST SP 800-171 security requirements for any covered contractor information system, defined as a system that processes, stores, or transmits covered defense information.
Covered defense information under DFARS 7012 is explicitly defined to include "unclassified controlled technical information." CTI is by name within the scope of DFARS 7012. This means CTI was a NIST SP 800-171 compliance trigger before CMMC existed. CMMC adds independent verification on top of an obligation that has applied since December 2017.
The 110 requirements apply in full
There is no reduced requirement set for CTI relative to other CUI categories. The same 110 NIST SP 800-171 requirements that apply to a contractor handling export-controlled CUI or procurement-sensitive CUI apply to a contractor handling only CTI. The assessment scope, the documentation requirements, and the certification timeline are identical.
Under the current CMMC implementation schedule, CMMC requirements began appearing in applicable DoD solicitations in November 2025. Phase 2 begins November 2026, at which point C3PAO assessment requirements become the default for new CUI contracts. Contractors in the pipeline for 2026 and 2027 contracts need to have their assessments planned and documented now.
CTI scope affects your SPRS score
Your SPRS score reflects your self-assessed implementation of all 110 NIST SP 800-171 requirements across the boundary defined in your SSP. If your SSP boundary does not accurately reflect all systems where CTI resides, your assessment scope is wrong, and your SPRS score does not reflect your actual posture. C3PAO assessors will compare your asset inventory against your boundary definition. Gaps between the two create findings that affect your score and may require remediation before certification can proceed.
Documenting CTI in Your System Security Plan
Your SSP must describe the types of CUI your organization handles and how each type is protected. CTI should be explicitly identified in the SSP, including which CUI category applies (CTI), the governing authority (DFARS 252.204-7012), and the distribution statement designations that appear on the documents in your environment.
The SSP system boundary section must identify every system that stores, processes, or transmits CTI. This includes servers, workstations, email infrastructure, backup systems, and any portable media used to transport CTI. If a system touches CTI, it is in scope and must appear in the boundary. The level of specificity assessors expect goes beyond "our file server" to include system names, IP addresses or locations, and the role each system plays in the CTI flow.
CUI inventory and data flow
Many assessors ask for a CUI data flow diagram during the assessment. This is a visual representation of how CTI enters your environment, where it is stored, how it moves between systems, and how it exits (whether transmitted to the government, archived, or destroyed). Building and maintaining a CUI data flow diagram is not explicitly required by NIST SP 800-171, but it is the most effective way to demonstrate that your boundary definition is accurate and complete.
The data flow also drives your access control documentation. NIST SP 800-171 requirement AC.L2-3.1.3 requires controlling the flow of CUI in accordance with approved authorizations. Documenting how CTI flows tells you where access controls must exist and what those controls need to restrict.
Disposal and decontrol
CTI must be destroyed or returned in accordance with contract terms and DoDI 5200.48 when it is no longer needed for contract performance. For digital media, destruction must render the information unreadable, indecipherable, and irrecoverable under NIST SP 800-88 methods. Printing CTI and placing it in the trash is a handling violation regardless of whether the underlying contract is still active. Your SSP should address your retention and destruction procedures for CTI, and your records should document when and how CTI was disposed of.
Frequently Asked Questions
Possibly. The question is not whether you do engineering work, but whether the technical information you receive to execute your scope carries military or space application and is subject to distribution controls. If a prime sends you a drawing marked Distribution Statement D to manufacture a component, that drawing is CTI and your systems that store it are in scope. The manufacturing activity itself does not determine CTI status. The nature of the information does.
Treat the information as CTI and protect it accordingly. Missing markings do not eliminate the protection obligation if the information reasonably qualifies as CTI based on its content. Notify your contracting officer or the originating DoD program office that you have received what appears to be unmarked CTI and request proper marking guidance. Do not independently apply CUI markings to documents you did not originate.
Not in standard commercial versions. DFARS 252.204-7012 requires that cloud services used to store, process, or transmit covered defense information, which includes CTI, meet security requirements equivalent to FedRAMP Moderate. Standard Microsoft 365 Business and Google Workspace do not meet this standard. Microsoft 365 Government Community Cloud (GCC) or GCC High, depending on your program's requirements, are the appropriate replacements. Using non-compliant cloud storage for CTI is a direct contract violation.
CTI is a CUI Specified category. The distinction between CUI Basic and CUI Specified does not indicate different levels of protection. It indicates whether the governing law or regulation specifies handling requirements beyond the baseline CUI Basic standard in 32 CFR 2002. For CTI, specific handling requirements are defined by DFARS 252.204-7012 and DoDI 5230.24, making it Specified. The banner marking is always CUI//SP-CTI.
Yes, until it is formally decontrolled by the originating DoD authority or disposed of in accordance with your contract terms and DoDI 5200.48. CTI does not lose its designation when a contract ends. If you retain technical data from a completed contract that carries a B-through-F distribution statement, it is still CTI and must be protected accordingly. Your options are to return it to the government, destroy it per NIST SP 800-88, or obtain formal decontrol authorization.
Yes. DFARS 252.204-7012 flows down through every tier of the supply chain where covered defense information, including CTI, is present. If a second-tier subcontractor receives CTI from a first-tier sub who received it from a prime, the second-tier sub carries the same NIST SP 800-171 obligation as the prime. The flow-down applies at every tier where CTI is handled, with no tier exemptions.
CTI in your environment.
1TEN organizes the documentation.
Define your CUI boundary, document every CTI data flow, and build the SSP your C3PAO assessor needs to verify protection of controlled technical information — inside an air-gapped compliance platform built for the DIB.
Request a Demo