The FYI on CUI
July 12, 2022

Get the FYI on CUI to take the worry out of controlled unclassified information.

The Department of Defense (DoD) is getting closer to finalizing details on the process for contractors to obtain a CMMC certification ahead of the formal program launch in May 2023. CMMC requires contractors, system integrators, and others in the defense industrial base (DIB) to secure their networks according to established controls and checklists, then demonstrate that security.

According to CMMC director Stacy Bostjanick, CMMC-certified contractors could “garner a higher profit margin,” or their network security strength could be part of the “criteria” for a “sole source selection evaluation.”

You need to worry about everything that processes CUI, could process CUI, and anything that stands between that system and the internet, a physical user, or a threat. That’s about as simple as I can put it without going into speech mode. So, let me be clear: an attempt to get you to practice good cyber hygiene is not about profit; instead, it is an effort to protect controlled unclassified information (CUI). And chances are good that, if you are a government contractor, you handle, store, or protect CUI.

What is CUI?

CUI is the term used to cover a category of data that isn’t classified but still needs protection. This can be any personally identifiable information, proprietary business information, “For Official Use Only” information, legal information, and more. In other words, it’s data that others can act on and use to wind their way into government systems. NIST SP 800-172 provides a set of enhanced security requirements for protecting the “confidentiality, integrity, and availability of CUI in nonfederal systems and organizations from the persistent threat when the CUI is associated with a critical program or high-value asset.”

The DoD estimates over $600B in critical information is exfiltrated from official networks each year. Therefore, the protection of CUI is not the government acting out of an abundance of caution. Instead, it’s the government’s goal to protect our national assets and to thwart increasingly sophisticated cyberattacks and data breaches that impact its systems, the defense industrial base (DIB), and the privacy of those with whom it does business.

Where does CUI originate?

You may have noticed “CUI” in the banner and footer of documents, emails, and other media, indicating that they contain controlled unclassified information.

The Defense Counterintelligence and Security Agency (DCSA) indicates that “anyone can create CUI as long as it is generated for, or on behalf of, an Executive Branch agency under a contract, and it falls into one of the over one hundred DOD CUI categories.” CUI is government-created or -owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. It can be a piece of note paper or even a conversation.

The best answer is “it depends”: do you use an in-house network only, or do you also use the cloud (other people’s computers)? Do you have remote employees? Do you allow Wi-Fi access to the corporate environment? Do you allow users to access all their email on their phones? Are employees issued laptops, or do they bring their own devices? It’s messy and really depends on the nature of your environment.

At the end of the day, you, as their partner, are helping them protect and handle data correctly.

NIST SP 800-171 narrows down the controls contractors need to implement to harden their systems, become CMMC compliant, and protect CUI. Agencies are required to use NIST SP 800-171 for all nonfederal information systems, and its use will also be incorporated into the CUI FAR clause. This grounds technology protections in an existing standard (moderate confidentiality) that most agencies were already applying and most contractors were already required to meet, and it provides much-desired clarity and streamlining for contractors as we see increased cyber threats.

Is FIPS 140-2 still required?

For CMMC and FedRAMP, the Federal Information Processing Standard 140-2 (FIPS 140-2) cryptographic requirements must still be met. FIPS 140-2 is a cryptography standard that non-military U.S. federal agencies, government contractors, and service providers must comply with to work with any federal government entity that collects, stores, transfers, shares, or disseminates sensitive but unclassified (SBU) information like CUI.

What about the DFARS 7020 NIST 800-171 DoD assessment requirement?

Defense Federal Acquisition Regulation Supplement 7020 (DFARS 7020) requires contractors to provide access to their facilities, systems, and personnel any time the DoD is renewing or conducting a medium or high assessment. It is a set of restrictions on the origin of raw materials intended to protect the US defense industry from the vulnerabilities of being overly dependent on foreign sources of supply. Contracting professionals are expected to be aware of these requirements.

How to simplify CMMC certification and take control of CUI

As you can see, CMMC certification isn’t just one thing; it comes in many flavors, depending on the amount of CUI you handle, whether you meet cryptography standards, and what level of DFARS assessment you require. And CUI requirements are essential to meeting CMMC requirements and complying with the NIST SP 800-171 controls and checklists that secure your system against attack.

SteelCloud is a leader in CMMC and the many flavors of compliance. Our ConfigOS is used by most of the DoD and 8 of the Top 10 system integrators to automate compliance with NIST SP 800-171. SteelCloud’s ConfigOS software reduces the time, cost, and effort it takes to harden around an application stack. It makes meeting CMMC compliance much more manageable. If managing your compliance efforts is using too many resources, taking too much time, or hasn’t even gotten off the ground yet, contact us and get the FYI on CUI.
