Controlled Unclassified Information (CUI) is information requires special handling, protection and dissemination controls even though it isn’t classified information. These security controls protect the data’s integrity and privacy, and are essential practices for contractors handling this type of information. Possible consequences of failing to protect CUI include fines, losing the opportunity to win new Department of Defense (DoD) contracts and loss of current contracts. These penalties can occur when a contractor fails to show proof of compliance during independent third party audits from the likes of customers, the Defense Contracting Management Agency (DCMA) and eventually Cybersecurity Maturity Model Certification (CMMC), which have requirements that continue to evolve. Contractors who say they are compliant, but haven’t fully implemented NIST SP 800-171 requirements may not in compliance with DFARS 252.204-7012, which regulates the treatment of CUI by contractors.
Schedule a free consultation with our cybersecurity experts if you need to be DFARS 252.204-7012, 7019 and 7020 compliant. Avoid fines or the loss of contract by implementing all the NIST 800-171 controls. Call Beryllium InfoSec Collaborative today at 763-546-8354 or contract us online.
The DoD released DoD Instruction (DoDI) 5200.48 on March 6, 2020, which includes the requirements for DoD contractors for CUI in section 5.3. This section describes the following activities with respect to CUI:
The DoD must identify whether any information it provides to contractors is CUI through the contracting vehicle. It must also mark these documents, media or other material in accordance with DoD Instruction 5200.48.
Any contract, grant or other legal agreement between the DOD and non-DOD entity must specify the dissemination controls and other measures needed to protect CUI related to the contract. This requirement applies to CUI that the DoD provides to the contractor and CUI that the contractor generates to meet the terms of the contract.
DoD contractors must monitor their aggregation and compilation of CUI based on its potential for generating classified information. This requirement is pursuant to existing security guidance on the accumulation of unclassified information. DoD contracts must require contractors to report the potential classification of the CUI they handle to a DoD representative.
DOD personnel and contractors must unclassify information for review and approval prior to release according to required contract provisions. These regions must be in accordance with DoDI 5230.09 and standard DoD component processes.
The disposition of CUI must be in accordance with the appropriate disposition authority. This requirement applies whether the DoD provides the CUI to the contractor or the contractor generates it, as specified by Sections 1220 to 1236 of Title 36, CFR, Section 3301a of Title 44, U.S.C.
CUI is an umbrella term that includes both Covered Defense Information (CDI) and Control Technical Information (CTI). These markings all apply to unclassified information that requires specific protection in and out of a government information system. CUI, CDI and CTI are relatively new, although similar markings have existed for decades. Markings previously used to identify this type of information include For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive but Unclassified (SBU) and Unclassified Controlled Technical Information (UCTI). The CUI marking now encompasses all of these terms.
The CUI program was originally developed for agencies within the executive branch of the US federal government. Each of these agencies initially used their own set of rules, markings and classifications to manage and control this information before the current CUI program was implemented, which greatly simplified this process.
CTI is technical information with a military or space application, and must be marked with a distribution statement in accordance with DoDI 5230.24 (Distribution Statements on Technical Documents). This information requires the same level of protection as any other CUI content, although it does have specific requirements for marking and tracking. The controlling DOD office is generally responsible for determining when information is CTI and appropriately marking it before allowing contractors access to it. In a case where the contractor develops unclassified CTI during the course of working on the contract, the contractor must work with its contracting officer to complete the steps required for properly protecting this information. These steps include completing appropriate forms such as distribution and work statements for each piece of content.
Hundreds of laws and regulations specify the required procedures for controlling CUI. DoD contractors should begin their education on this topic by reviewing the government’s marking guidance to ensure they properly identify CUI. The best way to determine the requirements for a specific type of CUI is to search the CUI Registry, which contains a complete list of the CUI categories. This document contains 24 categories and 83 sub categories, each of which is defined as CUI Basic or CUI Specified.
CUI Basic specifies the baseline controls for handling and disseminating CUI. The National Archives and Records Administration (NARA) issued the Final Rule on November 14, 2016, which describes CUI Basic. The Federal Information Systems Modernization Act (FISMA) requires CUI Basic to be protected at FISMA’s Moderate level. It may be marked as either CUI or Controlled. Agencies can’t increase the external impact of CUI Basic above this level without an agreement with the external agency or contracting organization operating an information system on their behalf.
CUI Specified is a CUI subset that places more restrictive controls on the handling and control of CUI. The underlying authority maintains the controls for handling CUI Specified content, but only the designating agency may apply limited dissemination controls to any CUI content. Common categories for the CUI Specified subsets include the following:
CUI agreements may take a variety of specific forms, including contracts, grants, information-sharing agreements, licenses and memoranda of agreement. It’s essential for contractors to understand the data they may create and its implication before entering any agreement to perform work for the government. In particular, contractors need to know the requirements for protecting the data they’ll be creating and handling, along with the costs of that protection.
Contractors who are new to working for the DoD often wonder why they’re required to protect CUI. The short answer is that many malicious actors such as countries, companies and individuals have incentives to obtain this information, which can harm national security. The rate of corporate and state espionage is at an all-time high, so these incidents make headlines regularly. Basic hacking also occurs routinely, resulting in compromise of sensitive information.
CUI doesn't exist only on government systems, as it can be found on many IT infrastructures across the entire Defense Industrial Base (DIB). Many of these infrastructures aren’t up to the task of properly managing the CUI that the government has entrusted them with, and government investigations have identified the lack of security as a primary factor in many security breaches. The CUI/DFARS 7012 programs were thus established to standardize security controls across the DIB, improving the protection information security for both government and commercial infrastructures.
Contractors need to properly identify and classify data already on their systems before they propose a government contract. This practice helps contractors ensure they have allowed enough profit margin in their calculations to implement the controls in their information systems that will be needed to protect CUI to the required standards. The introduction of a new DFARS rule is in the process of establishing a new form of accuracy that will provide a numerical score indicating the contractor's compliance when protecting CUI. This score will help determine if the contractor will be able to win new DoD contracts. (Learn more about the DFARS Interim Rule & Supplier Performance Risk System (SPRS) Score here).
Contractors need to know if they have CUI data on their information systems due to the strong requirements for protecting this type of data. The DoD routinely includes a DFARS 7012 clause in its contract, but that doesn't mean the contractor actually has this information. However, in many cases, the contractor does have CUI due to its broad definition, which includes information that the contractor stores, processes, or transmits on behalf of the government as part of fulfilling a contract. In practice, all DoD contractors with a DFARS 7012 clause in their contract should expect to have some CUI in their infrastructure.
Common types of CUI include data about information systems' vulnerabilities. Personally Identifiable Information (PII) is another type of CUI, provided the government owns the data. Assume for this example that the contract is to process benefits for government customers, requiring them to maintain PII on those customers. In this case, the PII would qualify as CUI. CUI also includes technical information, research data, drawings, specifications, standards, process sheets and reports. Information on specific parts or materials such as orders, identification numbers and analyses are also CTI. Additional forms of CTI include executable and source code for software. This explanation should make clear that any technical work that results in the creation or transmission of information potentially qualifies as CTI.
DFARS 252.204-7012 provides lane markers that specify the types of controls needed to protect CUI/CDI content. These include an on-premises data center for all of a contractor's internal IT systems. A cloud service provider (CSP) can also meet this requirement, which includes Amazon Web Services (AWS), Microsoft Azure and Office 365. A hybrid or private cloud solution that uses both on-premises and CSP solutions can also fulfill the requirements of DFARS 252.204-7012.
All of these solutions require the contractor to address the 110 security controls, along with the practice objectives, in NIST SP 800-171, which requires a Plan of Actions and Milestones (POAM) and a System Security Plan (SSP). Contractors that serve the DIB historically used local data centers to manage their data. At that time, a local data center was considered to be more physically secure than one in a remote location.
The physical proximity of a local data center may provide a false sense of security since modern infrastructure requires multiple layers of physical and logical security with greater responsibilities of administrators to maintain firewalls and software patches. Enterprises typically have the staff and training needed to maintain the security of an on-premise data center to meet the needs of government contracts in controlling data. However, smaller contractors are typically unable to afford the capital expenditure needed to replace hardware that doesn't meet the needs of CUI. Contractors should also review the operational expenses of maintaining a data center that meets the increasing needs of CUI for each new contract.
MSSPs are a good option for organizations of all sizes, since it allows them to offload the responsibility for administration and physical security of the infrastructure storing and processing CUI, onto the provider. Compliance with CUI requirements may also be more affordable with a MSSPs since it eliminates the need for the capital investment in hardware and physical security of the system containing CUI. Regardless of the type of infrastructure contractors use, they still need to ensure that their operating environment is certified for FISMA’s Moderate level. Furthermore, they must protect that environment with the 110 security controls in NIST SP 800-171.
The decision to protect CUI with an on-premises data center or MSSP should be part of a contractor's overall strategy when proposing a DoD contract, whether it's as a prime contractor or subcontractor. The requirements of DFARS 7012 and NIST SP 800-171 should ensure that the contractor understands both the short-term capital costs and long-term operational expenses of its proposed strategy for ensuring the security of CUI.
Make CUICK TRAC part of your strategy for protecting CUI. Schedule your free consultation today to learn more about how you can become DFARS 252.204-7012, 7019 and 7020 compliant. You can reach us at 763-546-8354 or by contacting us online.