Why Do We Need a CUI Program?
Over the last decade, there has been a dramatic convergence of hostile criminals operating online, rapid technological advancement, increasing digital government-industry communications, insider threats, and other persistent threats of espionage against government and industry. News outlets are full of stories about information being stolen from private citizens, corporations, and governments around the world, attributed to both external and internal bad actors. From a government perspective, these threats will remain an ongoing concern, and they fuel U.S. Government efforts to lock down and protect sensitive government information. Industry must ensure it is accountable for the sensitive U.S. Government information it is charged with handling. This U.S. Government interest shows no signs of diminishing, as evidenced by the new and expanding regulations appearing across government. Industry leaders that want to do business with the U.S. Government will have to comply with these regulations to help protect sensitive assets now and into the future.
What is CUI?
First and foremost, the CUI Program is about doing what’s right, due care, and good business practices. When followed, you will not only be protecting CUI, but also your sensitive company information and that of your customers. CUI replaces and standardizes previously used labels such as Sensitive But Unclassified (SBU), For Official Use Only (FOUO), Law Enforcement Sensitive (LES), etc. The specific definition can be found at the National Archives and Records Administration (NARA) https://www.archives.gov/cui/about. CUI is information the U.S. Government creates or possesses, or that an entity creates or possesses for or on behalf of the U.S. Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Executive Order 13556 “Controlled Unclassified Information” established the CUI program, which is a system that standardizes and simplifies the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. The program emphasizes the openness and uniformity of government-wide practices. Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view. In short – this is the US Government-wide approach to creating a uniform program on handling sensitive government information.
In 2015 and 2016, the US Government implemented significant policy changes that affect how DoD contractors protect their own internal networks and compete for DoD contracts. The US Government response resulted in a change to the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. The National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP800-171) was published in June 2015 and was incorporated into the DFARS rule in May 2016.[i]
According to the rule, NIST SP 800-171 “defines the requirements necessary to protect CUI Basic on non-Federal information systems” and agencies “must use NIST SP800-171 when establishing security requirements to protect CUI’s confidentiality on non-Federal information systems.” The rule confirms that contractors handling CUI will be required to comply with the standards outlined in NIST SP800-171. The requirements for Executive branch agencies became effective in November 2016, with publication in the Federal Register: https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information
According to the NARA Executive Agent, the rule is to be adopted into the Federal Acquisition Regulation (FAR) one year after the implementing directive (32 CFR 2002).
There are 14 control families specified in NIST SP800-171, Protecting CUI in Nonfederal Information Systems and Organizations.

| Control Family | Description |
|---|---|
| Access Control | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). |
| Awareness and Training | Ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems. |
| Audit and Accountability | Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. |
| Configuration Management | (i) Establish and maintain baseline configurations; and (ii) establish and enforce security configuration settings for information technology products. |
| Identification and Authentication | Identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. |
| Incident Response | Establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. |
| Maintenance | (i) Perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. |
| Media Protection | Protect information system media, both paper and digital. |
| Personnel Security | Ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions. |
| Physical Protection | Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals and protect the environment of facilities. |
| Risk Assessment | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. |
| Security Assessment | Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application and monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. |
| System and Communications Protection | Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. |
| System and Information Integrity | Identify, report, and correct information and information system flaws in a timely manner. |
How Do I Assess Compliance?
There are tools and technologies that can assist in measuring and monitoring compliance, but the first step is typically an assessment by a subject matter expert to evaluate current policies and procedures of an organization against the NIST SP800-171 control standards. This assessment will identify control families that are met, partially met, and not met by current practices. The process toward full compliance will include:
- Determine overall capabilities against the NIST SP800-171
- Assess gaps in achieving compliance
- Document a Plan of Action and Milestones (POAM)
- Develop and implement mitigation strategies
- Test the system with remediation(s) in place
- Fully employ the remediated system and document its performance
- Enhance training and awareness to keep staff informed of requirements
- Document everything in a System Security Plan (SSP)
- Ensure artifacts/evidence of compliance are available and documented for each control
- Ensure compliance with incident reporting guidance
What if I Can’t Comply?
Bottom line: If you are not demonstrably compliant with evidence and artifacts, you may not be able to compete for federal government contracts. Remember the deadline is December 31, 2017!
All is not lost. Most small to medium-size businesses have basic access controls and physical security protections in place. Many other controls are practiced, but not well documented or applied consistently. In many instances, compliance is simply an exercise in cleaning house and getting documentation in order. In other cases, however, particularly for companies with no prior experience with compliance mandates, the work can be extensive, requiring months of effort and tens of thousands of dollars to bring systems up to NIST SP800-171 security standards. Regardless of where you are in the process, there is no more time to waste.
The DFARS 252.204-7012 states, “the contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.” Don’t treat this lightly; CUI government regulations have the force and effect of law.
The burden is on the contractor to ensure that they meet legal and contractual obligations for handling CUI. Failure to comply may result in contract challenges, protests, and loss of award, as well as debarment, suspension and ineligibility for future government contracts. Failure to accurately report the status of compliance could result in charges of fraud and criminal penalties.
You are not alone in this endeavor and Zofia Consulting, LLC is here to help you. Please contact us and let us help you navigate the best solution for your company to get you compliant quickly and efficiently.
Mark Tanner is a senior advisor for Zofia Consulting and a senior executive with a wide range of experience in law enforcement, intelligence, and business. As a Special Agent of the Federal Bureau of Investigation (FBI), he led criminal and counterterrorism programs, including Southwest Border Initiatives in Arizona and the Foreign Terrorist Tracking Task Force (FTTTF) established after 9/11. He established the FBI’s Office of the Chief Information Officer (CIO) while serving as the deputy CIO, where he was responsible for enterprise architecture and was the accrediting authority for FBI systems. Following a 23-year career with the FBI, he has held director and executive level positions in small, medium, and large companies.
Mark manages security related areas such as continuity of operations and information security, including audits and compliance with NIST Special Publications 800-53 security and privacy controls, as well as 800-171 for Controlled Unclassified Information (CUI). He also serves as Co-Chair of the FBI’s InfraGard, Cyber Security Special Interest Group (Cyber SIG) for the National Capital Region Members Alliance.
Mark Tanner holds an accounting degree from East Carolina University and is a Certified Protection Professional (CPP). Federal Computer Week magazine recognized and highlighted Mr. Tanner as one of the ten “new IT leaders” in the federal government, and he was a finalist for the Citigroup Smith Barney CIO of the Year Award.
You can contact Mark directly at firstname.lastname@example.org
[i] Contractors may hear about the CUI compliance mandate by a couple different monikers – “DFARS Compliance”; “7012 Compliance”; “NIST SP800-171 Compliance” and more. These terms all reference the same CUI compliance mandate.