“We take the engine and we control the world.” Curtis ~ Snowpiercer
Formerly known as “For Official Use Only” (FOUO) information, Controlled Unclassified Information (CUI) is gaining increased emphasis in the government contracting world. CUI is not classified information; rather, it is government-created or government-owned information that nonetheless requires safeguarding or dissemination controls.
Because there are fewer controls safeguarding CUI than there are for classified information, CUI is the path of least resistance for adversaries. In fact, loss of CUI is one of the most significant risks to national security, directly impacting the effectiveness of our troops. If bad actors can take the engine, they can control our world.
If your site, or any you manage or supply, holds a federal contract, then that site likely has CUI. And that CUI needs to be continually monitored, audited and protected—the same way all government data needs to be audited and protected in order to provide network security and good “cyber hygiene” as required by NIST, CMMC and DFARS regulations.
David Lewis, DCMA director – “Protecting this information will now be a regular part of the contract administration process – just as we ensure other (Federal Acquisition Regulation), DFARS and contract requirements are met.”
Controlling the flow of CUI can be effortless or not. Your choice.
How your organization handles CUI is critically important to our national security and to obtaining and maintaining government contracts. Yet monitoring and securing this information to ensure server and network security can be a cumbersome, time-consuming manual process that is subject to human error. Chances are, investing resources in that process, while required, is not the most vital part of your organization’s mission.
As much of a distraction as the day-to-day management of CUI is, it is nonetheless necessary if you want government contracts. The Defense Contract Management Agency (DCMA) will be ensuring contractor compliance with NIST standards, reviewing individual contractors. If a contractor is found non-compliant in any area, it will be reflected on their scorecard and made available to defense agencies. The goal of their oversight is to help defense buyers make fully informed, risk-aware decisions when entering into contracts. Fortunately, there is a way to monitor and secure CUI without all the headaches of a manual effort.
The best approach is to handle CUI the way most DoD agencies do—use a SaaS automation solution like ConfigOS to classify data and continually scan, remediate, and harden your systems. In accordance with NIST’s Security Technical Implementation Guide (STIG) requirements, ConfigOS automates the labor-intensive job of hardening software and protecting data, reducing more than a week’s worth of work to just an hour. With continuous scanning and STIG compliance handled by automation, your people can remain focused on your organizational mission.
Protect the engine with Steelcloud.
With a massive data breach happening in 2020, the need is greater than ever to keep bad actors away from government-owned networks and servers. If we leave a door open, they will enter. So it’s important to keep policies simple, use automation to streamline the classification process, and continually scan your policies to keep pace with the ever-changing security environments.
The CUI Registry has numerous resources for you to consult if you need more information. Or you can contact Steelcloud with your questions about CUI and using automation to streamline your efforts. Either way, the time to protect the engine has arrived. Contact Steelcloud to harden that data like steel.