Compliance Requirements for Handling Controlled Unclassified Information (CUI)

As a government contractor, you have to stay vigilant about certain regulations so you are staying within the guidelines of the federal government. However, it’s not always an easy guidebook to follow. Some contractors are subject to additional policies if they handle certain types of information. If you are a government contractor within the Defense Industrial Base (DIB), or you handle Controlled Unclassified Information (CUI), there are certain regulations and clauses you have to follow. Here’s what you need to know about the security requirements for safeguarding CUI.

What is CUI and Why Does it Matter to Some Contractors?

Controlled Unclassified Information (CUI) is defined as unclassified information that requires safeguarding and distribution controls in accordance with law, regulation, or governmentwide policy. The protection of CUI is extremely important because it directly impacts privacy and security concerns.

The Department of Defense (DoD) wanted to standardize the protection of CUI which drove the development of the National Institute of Standards and Technology (NIST) SP 800-171. NIST SP 800-171 was published as a supplement to the DFARS, or the Defense Federal Acquisition Regulation Supplement.

To make sure you are complying, you should familiarize yourself with the notable clauses in the DFARS. Reading a legal government document can be overwhelming and just plain confusing, so we aim to make it a little more digestible. Within DFARS, NIST SP 800-171 is structured into 14 families of control measures. In this blog, I will define the purpose of each family of control measures and explain the requirements of certain DFARS clauses related to the procedures for safeguarding CUI in nonfederal information systems and organizations.

Families of Control Measures within NIST SP 800-171

NIST SP 800-171 establishes methods to meet the requirements for safeguarding covered defense information as outlined in DFARS. It specifies 110 security controls as requirements.

Requirements fall into the following 14 security categories:

1. Access control - Access control is the process of granting or denying requests to use the information and enter company facilities.
2. Awareness and Training - Awareness and training involve making system users aware of their security responsibilities and teaching them correct practices to help change their behavior.
3. Audit and Accountability - Audit and accountability controls an audit of records and activities which are conducted to assess the adequacy of system requirements and ensure compliance with established policies and operational procedures.
4. Configuration Management - Configuration management is a collection of activities focused on establishing and maintaining the integrity of information technology products and systems.
5. Identification and Authentication- Identification and authentication are the most basic cyber security controls through which the identity of a user, process, or device is verified as a prerequisite for granting access to resources in a system.
6. Incident Response - Incident response reports are used to develop standard operating procedures that can be followed in the event of an incident.
7. Maintenance - Controlled maintenance of a system deals with maintenance that is scheduled and performed in accordance with the manufacturer’s specifications.
8. Media Protection - Media protections can restrict access and make media available to authorized personnel only.
9. Personnel Security - Personnel security seeks to minimize the risk a company’s employees pose to company assets through malicious use or exploitation of their legitimate access to the company’s resources.
10. Physical Protection - Physical protection refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.
11. Risk Assessment - Risk assessment is one of the most familiar security controls which identifies and analyzes risks to a company’s operations, assets, employees, and other organizations that may result from the operation of a system.
12. Security Assessment - A security assessment is an evaluation of the management, operational, and technical security requirements of a system to measure the extent to which the requirements are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
13. System and Communication Protection - System and communications protection is put into place e to provide safeguards and address the confidentiality of information at rest and in transit.
14. System and Information Integrity - System and information integrity controls are used to guard against improper information modification or destruction and include ensuring information non-repudiation and authenticity.

DFARS Clauses Related to Safeguarding CUI

The following clauses are some to keep in mind and understand throughout the life of your contract:

DFARS Clause 252.204-7012: specifies that DoD contractors must implement the 110 requirements in NIST SP 800-171. The clause requires contractors to provide adequate security by implementing security protections for cloud computing services and other IT services and systems. It also requires cyber incidents that affect a covered contractor information system and malicious software to be reported. In order to report cyber incidents in accordance with this clause, the contractor or subcontractor must obtain or possess a DoD-approved medium assurance certificate.

DFARS Clause 252.204-7020: specifies that an assessment must be conducted to generate a Supplier Performance Risk System (SPRS) score and validate the implementation of the required security controls. The contractor provides access for the government to conduct a medium or high NIST SP 800-171 DoD Assessment. Summary level scores for all assessments are posted in the SPRS.

DFARS Clause 252.204-7021: specifies that you have to get a Cybersecurity Maturation Model Certification (CMMC) and go through that assessment process to validate the implementation of the required security controls. CMMC is a framework that measures a contractor’s cybersecurity maturity and consists of three key features, which included a tiered model, assessments, and implementation through contracts. The CMMC program is the DoD’s new way for assessing a government-wide standard. The latest version, CMMC 2.0 consists of multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Expert.” As levels increase additional controls are required. The Final Rule for CMMC 2.0 is expected to come out in March of 2023.

DFARS Clause 252.204-7019: specifies that offerors being considered for award are required to implement NIST SP 800-171 and have a current assessment for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.

You can find a more detailed description of the requirements for these clauses at acquisition.gov. These clauses are required to flow down to subcontractors only when the performance of work involves CUI.

Check Your Cybersecurity Compliance

Failure to comply with regulations specified in NIST SP 800-17 could cause serious consequences such as loss of contract, fines, and ineligibility for new contracts. If you are not sure how to meet these mandatory security requirements or have additional questions, feel free to contact our team of consultants at Winvale to answer any questions you may have. We would be happy to direct you to the right resources and make sure you are complying with the right requirements. For more information about regulations that affect your GSA Schedule contract, check out this blog.