CUI (NIST 800-171) is getting some teeth!

Reading Time: 2 minutes

On December 17th 2018 a memorandum from the Assistant Secretary of Defense was released entitled “Strengthening Contract Requirements Language for Cybersecurity in the Defense Industrial Base” that reminds acquisition personnel that it “is critical that efforts to identify, track, and safeguard DoD controlled unclassified information are addressed, and assessed, as part of the procurement process.

In the memorandum, Mr. Fahey continues, “I strongly encourage DoD program managers and requiring activities to incorporate the attached sample requirements language, as appropriate, when risk to their programs and technologies warrant it.”

DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting requires contractors to, among other things, adhere to the requirements outlined in NIST SP 800-171 (r1) (r2 is due out soon). It is critical for acquisition personnel, contractors and their subcontractors to remember that the DFARS flow down (when Covered Defense Information (“CDI”) is present) and that they too need to be compliant.

On November 6th 2018, the Director, Defense Pricing and Contracting (DPC) released Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.


As the intensity around CUI grows, concerns over the audit process and potential penalties are top of mind for many organizations – failure to demonstrate compliance fundamentally puts contract awards and renewals in jeopardy. In the most severe cases, non-compliance could possibly lead to contract termination, breach of contract and criminal fraud but will in the very least ‘score’ a contractor or subcontractor lower in the acquisition process.

To achieve and maintain compliancy, many organizations are leveraging NIST SP 800-53 (r4) and ISO/IEC 27001 frameworks that readily map controls to the 14 NIST SP 800-171 control families:

  •  Access Control
  •  Audit and Accountability
  •  Awareness and Training
  •  Configuration Management
  •  Identification and Authentication
  •  Incident Response
  •  Maintenance
  •  Media Protection
  •  Physical Protection
  •  Personnel Security
  •  Risk Assessment
  •  Security Assessment
  •  System and Communications Protection
  •  System and Information Integrity

It is expected that the Inspector General will identify a list of contractors, then work with their contracting agencies to determine if they are compliant with onsite visits.

Boldon James Classifier can assist organizations in applying and managing CUI marking requirements to meet NIST standards and guidelines. The Classifier suite of products can apply user-driven and automated classification markings over a market-leading range of applications by applying relevant CUI markings. In addition to applying the visual markings required for CUI, Classifier applies persistent file metadata ensuring that it remains securely in the DNA of the document or file. Classifier also drives the rules that govern the dissemination, protection and storage of the regulated data. Boldon James Classifier Reporting suite enables organizations to demonstrate their compliance and readiness to adhere with government contract mandates involving the handling of CUI data. Get in touch today to find out more.