CDI is Covered Defense Information. It is a term used to identify information that requires protection under DFARS Clause 252.204-7012. In terms of the CMMC model, it is specifically “unclassified Controlled Technical Information (CTI) or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies and is:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract, OR
  • Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract.”

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.

Note that Federal Contract Information (FCI) is not within the CDI definition.