
SIPOC for Dual-Use & Export-Controlled Data 


If you’re unsure whether a dataset should be marked as Controlled Unclassified Information (CUI), there’s a simple yet powerful tool that can help: SIPOC.

SIPOC stands for Suppliers, Inputs, Processes, Outputs, and Customers. Originally used in quality and process improvement, SIPOC is also incredibly effective for navigating the CUI determination process, especially when the data lifecycle involves the DoD. 

Too often, organizations try to label data as CUI based solely on the file or a single activity. But CUI is contextual; its designation depends on the data’s purpose, its source, and its contractual and handling requirements.


How SIPOC Helps You Spot CUI 

SIPOC helps teams break down the lifecycle of a dataset, offering logic and traceability when determining whether CUI is involved. 

  • Supplier – Who provided the data? (e.g., federal government client, DoD, aerospace and defense prime contractor) 
  • Input – What was shared? (e.g., technical data, product or program specifications, technical and functional requirements, instructions) 
  • Process – How is it used? (e.g., governance and compliance review the data, engineering enhances the data, subcontractor analyzes the data) 
  • Output – What’s produced? (e.g., reports, derivative work containing the supplied input (CUI?)) 
  • Customer – Who receives the final result? (e.g., DoD, DHS, NASA, prime, receiving modified data that retains the identity of the supplied input, a product or service in fulfillment of the contract) 

 


When all arrows point back to the DoD, DFARS 7012, or a CUI Registry category, you’ve got your answer. 

Example SIPOC: DoD Dataset Under Contract 

  • Supplier – DoD program office or prime contractor (via DD254 or DFARS 252.204-7012, including flowdown)
  • Input – Engineering data, technical drawings, or performance requirements marked or intended as CUI
  • Process – Reviewed, analyzed, or enhanced by subcontractor personnel in support of the contract
  • Output – Reports, modifications, or derivative works containing original DoD data
  • Customer – DoD or prime contractor receiving modified or derived data for contract fulfillment

Using SIPOC during discovery helps eliminate assumptions and might just save hours of backtracking during CMMC assessments or audit prep.

When Data Isn’t CUI, Even with DFARS 7012

Let’s flip the scenario. Just because DFARS 252.204-7012 appears in a contract doesn’t mean all data exchanged under that contract is CUI. 

This is where SIPOC becomes even more valuable, especially with COTS (Commercial Off-The-Shelf) products and related documentation.

Not all data under DFARS 7012 requires NIST 800-171 implementation or a CMMC Level 2 certification. Context and intent matter. 

If the data is publicly available, not marked as sensitive, and supports a COTS product, it may not be CUI, even if 7012 is present.

Example SIPOC: COTS Dataset, Not CUI

  • Supplier – Commercial vendor (e.g., ruggedized laptops, the Commando 3000 Shower Head)
  • Input – Publicly available specs, warranty info, user manuals
  • Process – Publicly available specs, warranty info, and user manuals
  • Output – Standard documentation, compatibility checklists
  • Customer – DoD personnel evaluate the product; no sensitive modifications

Even with DFARS 7012, if the data isn’t tied to Covered Defense Information (CDI) or marked/documented as CUI, it doesn’t require CUI-level protections.

This distinction is critical for manufacturers and resellers supporting the DoD without handling sensitive data. SIPOC provides a way to document the logic behind your determination. 

SIPOC for Dual-Use & Export-Controlled Data 

Now it gets more complex. Some data isn’t just CUI; it may also fall under Export-Controlled Technical Information (ECTI) via ITAR or EAR. Even if you’re focused on CMMC, SIPOC can help expose when a dataset: 

  • Is CUI under the DoD Registry (e.g., “Export Control” category) 
  • Is subject to ITAR or EAR controls 
  • Requires a Technology Control Plan (TCP) 

Example SIPOC: Dual-Use / Export-Controlled Data

  • Supplier – DoD or prime contractor; may also originate from internal R&D for defense and commercial applications
  • Input – Technical data (e.g., CAD models, material specs, propulsion schematics) used in defense systems with commercial viability; flagged for ITAR/EAR and CUI
  • Process – Reviewed, modified, or integrated by defense contractor personnel; subject to access restrictions (e.g., U.S. Persons only) and export compliance checks
  • Output – Engineering changes, design improvements, testing results, all of which remain export-controlled and CUI-designated
  • Customer – DoD customer, foreign military sales (with approval), or internal use within U.S. defense programs only

This scenario surfaces multiple regulatory overlays, which SIPOC helps untangle:

  • The data is CUI per the DoD CUI Registry 
  • It’s export-controlled under ITAR or EAR 
  • It may require a TCP with appropriate safeguards 

While SIPOC doesn’t replace legal review or classification guides, it helps teams map risks and responsibilities clearly across data lifecycles.

Final Thoughts 

Become friends with SIPOC. It’s a simple tool that delivers big value by helping your business units, security leads, and compliance teams make informed decisions about whether data is or isn’t CUI. 

Whether you’re dealing with DoD contracts, off-the-shelf products, or export-controlled tech, SIPOC makes it easier to classify data, defend decisions, and prepare for audits. 

Definitions 

CUI: Info requiring protection per law or policy. 

DFARS 252.204-7012: Clause requiring protection of CUI and incident reporting. 

COTS: Commercial, unmodified items; data often not CUI. 

ECTI: Export-controlled technical data; often overlaps with CUI.

ITAR: Controls defense exports under 22 CFR. 

EAR: Regulates dual-use exports under 15 CFR. 

TCP: A safeguard plan required for export-controlled information.

Reference Table: Regulatory Sources 

  • DFARS 252.204-7012 – DFARS Clause
  • Definition of CUI – 32 CFR Part 2002
  • DoD CUI Registry – CUI Registry – DoD
  • Definition of COTS – FAR 2.101
  • ITAR (Defense Articles and Services) – 22 CFR Parts 120–130
  • EAR (Dual-Use Controls) – 15 CFR Parts 730–774
  • Export-Controlled CUI Category – CUI Category: Export Control
  • Technology Control Plan Guidance – DDTC Best Practices for TCP

The information provided in this article does not constitute legal advice. Organizations should seek professional legal counsel to address their specific compliance obligations. 
