For all contractors and subcontractors working with the US Department of Defense, the DoD has published prescriptive steps to ensure compliance with the requirements for safeguarding Controlled Unclassified Information (CUI). Through the DoD Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, implementation of the controls identified in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” must be in place as of December 31, 2017.
The NIST publication references a registry of information categories and related subcategories maintained by the National Archives (NARA). The CUI initiative seeks the consistent application of safeguarding measures related to the dissemination of information while fostering the sharing of information and collaboration where appropriate.
The heart of the CUI program was expressed in Executive Order (EO) 13556, which calls for “An open and uniform program to manage all unclassified information…” A key component is that all CUI be labeled with appropriate visual markings that indicate to downstream parties how the regulated data should be treated.
Organizations can position themselves for compliance by taking steps to master the principles of data classification and by implementing the processes, tools and training that enable consistent and accurate labeling as defined in their data governance policy and required by NIST SP 800-171. Through this capability, organizations can readily demonstrate that they have the capacity in place to recognize and manage CUI with the appropriate metadata and visual markings as defined in the NARA registry.
At this time a certification process for CUI compliance does not exist, but given that the requirements are stipulated through DFARS 252.204-7012, one can reasonably expect a strict attestation scheme in the future. While compliance is on the ‘honor system’, there are risks to be considered for not adopting the safeguards, up to and including the loss of a contract or of participation as a subcontractor.
By adopting the framework, organizations will not only demonstrate their ability to protect regulated data but will also enhance their ability to compete for new opportunities that store, process or transmit CUI.
Additional information from NIST:
- NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 – a self-assessment handbook that could be useful to all DoD contractors seeking to assess their own implementation of the NIST SP 800-171 controls.
- NIST Special Publication 800-171 Rev.1 – Assessing Security Requirements for Controlled Unclassified Information. A publication intended to assist organizations in developing assessment plans and conducting efficient, effective, and cost-effective assessments of the security requirements in SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012