CUI Protection Requirements for DoD Contractors
CUI protection requirements are built on a complicated regulatory basis. Get a sense of the standards, requirements, and regulations around CUI.
Updated on September 12, 2024
Protection of Controlled Unclassified Information (CUI) in non-federal systems is an issue of paramount importance for both governmental and non-governmental organizations. This applies especially to the Department of Defense (DoD) and its contractors, because they support the national warfighter and contribute to the development of the US defense industry. One of the latest legal updates regarding CUI protection in the defense sphere is DFARS 252.204-7021, which obligates DoD contractors to achieve the appropriate level of Cybersecurity Maturity Model Certification (CMMC) to ensure adequate CUI protection. At present, most federal contractors are actively conducting NIST SP 800-171 assessments pursuant to DFARS 252.204-7020 and DFARS Case 2019-D041. A successful NIST SP 800-171 assessment should become the bridge to any contract award with federal agencies as well as to further CMMC certification. The compliance requirements for CUI may appear complicated or even confusing; however, they help establish standardized and reliable protection of CUI residing in non-federal information systems. In this article, we will try to clear up the confusion around CUI-related legislation and explain what all the regulations and requirements around CUI aim for.
What is CUI?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies but is not classified. Simply put, CUI is data that is created or possessed by, on behalf of the US federal government, which is not classified but is required to be protected by law, regulation, or policy. The executive branch protects many specific categories and subcategories of the CUI. A complete list of those may be found in the CUI Registry. In general, CUI is an umbrella term encompassing:
- Personally Identifiable Information (PII)
- Sensitive Personally Identifiable Information (SPII)
- Proprietary Business Information (PBI), or currently known within the U.S. Environmental Protection Agency (EPA) as Confidential Business Information (CBI)
- Unclassified Controlled Technical Information (UCTI)
- Sensitive but Unclassified (SBU)
- For Official Use Only (FOUO)
- Law Enforcement Sensitive (LES)
Such a large amount of sensitive data demands extended requirements for handling and dissemination. Let’s see the main CUI protection requirements below.
The Importance of CUI Protection
Protecting CUI is vital for national security, as it often involves sensitive government and defense-related data which, if exposed, can disrupt critical national operations. Proper CUI protection and compliance practices not only help prevent CUI breaches but also preserve a competitive advantage in the defense environment. Maintaining the confidentiality of CUI builds trust with federal agencies and partners and raises the chances of contract awards while avoiding financial losses.
Protecting CUI is crucial for keeping sensitive government and defense data secure. A breach could expose important operations, putting national security at risk. Staying compliant with regulations like NIST SP 800-171 and DFARS also helps avoid legal trouble and protects your reputation. Safeguarding CUI also means preventing data breaches that could leak valuable business information, such as trade secrets. By securing CUI, you maintain trust with federal agencies and partners while protecting your organization from financial loss and staying competitive in the market.
To understand the importance of CUI protection, one should first go back to 2010, when Executive Order 13556 was issued. The order established a program that aimed to standardize how the executive branch handles unclassified information, including a detailed explanation of what CUI is and suggestions on how to protect it. Thus, as stated in the order,
- Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526 or the Atomic Energy Act.
Order 13556 instructed the National Institute of Standards and Technology (NIST) to develop a shared framework for addressing cybersecurity concerns. After extensive collaboration with industry partners, NIST Special Publications soon specified a set of safeguarding requirements for CUI.
NIST Contribution to CUI Protection
To establish the complete moderate-impact baseline required for CUI protection in the executive branch, NIST first introduced its Special Publication NIST SP 800-53, Recommended Security Controls for Federal Information Systems (initially published in 2005). The publication defined requirements for federal information systems and provided federal agencies and contractors with security and privacy controls, along with guidance on choosing the data protection measures appropriate to their organization's needs. The publication has been revised several times, most recently in 2020. Thus,
- NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations details the CUI protection requirements and obligates federal agencies to ensure that they meet the minimum security standards necessary for adequate CUI protection.
NIST SP 800-53 cleared up the issue of CUI protection in the federal sphere; however, it raised the question of how to apply its requirements in non-federal systems. There were several reasons for the problem. First, the NIST SP 800-53 controls were developed initially for federal systems and did not fully address CUI concerns in the non-federal dimension. Second, some of the publication's controls were not applicable outside the US Government or were too granular when applied to a contractor's system. Finally, some baseline controls (e.g., availability controls) appeared unnecessary for CUI protection by federal contractors. The solution was to develop a separate standard for the protection of CUI in nonfederal organizations. For this purpose, NIST published several guiding sources for protecting CUI in nonfederal organizations:
- NIST SP 800-171 (Rev. 3) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations represents 110 recommended security controls for protecting CUI held by non-federal organizations.
- NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information offers assessment procedures and a methodology that can be employed to conduct assessments of the CUI security controls contained in NIST SP 800-171.
- NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 provides additional recommendations for protecting CUI in non-federal systems and organizations where such data runs a higher than usual risk of unauthorized disclosure.
Compliance Requirements for CUI Protection
NIST SP 800-171 establishes methods to meet the requirements for safeguarding covered defense information as outlined in DFARS. It specifies 110 security controls as requirements, divided into 17 security categories. Here is a summary of the security categories:
- Access Control: Managing who has access to sensitive information, including CUI, is crucial to minimizing the risk of unauthorized access. Implement role-based access control (RBAC) to ensure that only authorized personnel can access specific information.
- Awareness and Training: Regularly train your personnel on CUI security best practices. Raise awareness of emerging threats, such as phishing and social engineering, so that users are equipped to recognize and prevent security incidents and the possibility of human error is minimized.
- Audit and Accountability: Monitor all system activities related to CUI. Use audit log tools to trace breaches back to their source and take corrective action promptly.
- Configuration Management: Control changes to system hardware and software. This helps prevent system vulnerabilities that could pose a risk to CUI.
- Identification and Authentication: Verify user, process, or device identities before granting access to CUI and other valuable assets. Enforce multi-factor authentication (MFA) to limit the damage an attacker can do with compromised credentials.
- Incident Response: Regularly test and update the incident response plan so that your business can respond quickly, minimizing damage and recovering from incidents more efficiently.
- Maintenance: Regularly patch and update your systems so that they remain secure against newly discovered vulnerabilities.
- Media Protection: Safeguard physical media such as hard drives and USB drives from unauthorized access. Encrypt data on removable media and establish strict handling procedures to add an extra layer of security for your CUI.
- Risk Assessment: Identifying and analyzing potential risks is fundamental to proactive security management. By conducting regular risk assessments, organizations can anticipate vulnerabilities and prioritize their mitigation efforts, enhancing overall resilience against threats.
- System and Communications Protection: Protect CUI at rest and in transit; encryption and firewalls are key safeguards. Use network segmentation to prevent attackers from moving laterally within the environment.
- System and Information Integrity: Employ real-time monitoring tools and integrity checks to quickly detect and respond to suspicious activity, ensuring data remains trustworthy.
- Planning: Develop, document, and disseminate to organizational personnel the policies and procedures needed to satisfy the security requirements for the protection of CUI.
- System and Service Acquisition: Apply systems security engineering principles at all stages of product development to design trustworthy, secure, and resilient systems and reduce the susceptibility of organizations to disruptions, hazards, and threats.
- Supply Chain Risk Management: Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system, system components, or system services that touch CUI.
Each category in NIST SP 800-171 addresses a critical aspect of cybersecurity, collectively working to protect sensitive defense-related information from a wide range of potential threats.
DFARS Cybersecurity Regulation
The implementation of NIST SP 800-171 and other related publications within the defense environment was mandated by the Defense Federal Acquisition Regulation Supplement (DFARS). As we defined earlier in the text, the latest DFARS requirement regarding CUI protection is the CMMC certification. However, before developing CMMC, specific cybersecurity requirements within the DoD were identified by:
- DFARS Clause 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls (Oct 2016). The clause requires implementing the security requirements specified by NIST SP 800-171. If the organization deviates from any of the NIST security requirements, it is obligated to explain why certain security requirements are not applicable. It should also provide alternative security measures to satisfy a particular requirement and achieve equivalent protection.
- DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (Dec 2019). The clause requires contractors to provide "adequate security" for all covered contractor information systems by implementing the security protections specified by NIST SP 800-171. The clause defines "adequate security" as "protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information." The clause also obligates contractors to discover any cyber incident that affects a covered contractor information system. Discovering means conducting a review for evidence of compromise of CDI, such as identifying compromised computers, servers, specific data, user accounts, etc., and rapidly (within 72 hours) reporting cyber incidents to DoD.
The above clauses required DoD contractors to adopt NIST's cybersecurity processes and standards (especially NIST SP 800-171) and thereby strengthen resilience within the defense sector. However, they did not provide specific audit or certification requirements that would serve as an assurance mechanism for adequate protection. The vague demands and lack of oversight resulted in slow and sometimes unsatisfactory adoption of the above-mentioned regulations, with most contractors managing to achieve only a minimal level of cybersecurity hygiene. To strengthen the security of CUI, DFARS introduced stricter requirements for assessment and audit (November 2020). First, DFARS declared formal evidence of a NIST SP 800-171 self-assessment to be the primary condition for any contract award. Second, it created the CMMC framework to finalize the standardization of CUI protection by requiring a strict audit process and third-party certification:
- DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements (Nov 2020) sets specific requirements for the NIST SP 800-171 assessment. The clause outlines the Basic, Medium, and High assessment levels with references to the NIST SP 800-171 DoD Assessment Methodology. Additionally, it obligates contractors to submit their assessment scores to the Supplier Performance Risk System (SPRS).
CMMC Framework to Protect CUI
Cybersecurity Maturity Model Certification (CMMC) is the security framework mandated by the DoD to evaluate and enhance the state of cybersecurity within the Defense Industrial Base (DIB) sector. The framework is intended to become a verification mechanism ensuring that DIB organizations possess appropriate cybersecurity practices and processes to protect data within their environments. Thus, CMMC regulates the implementation of cybersecurity across the DIB sector. Any organization that holds DoD contracts or acts as a subcontractor should prepare for obtaining CMMC certification.
- DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirement (Nov 2020). The clause introduces the CMMC by defining it as a “framework that measures a contractor’s cybersecurity maturity to include implementing cybersecurity practices and institutionalization of processes.” Built upon the NIST SP 800-171 DoD Assessment Methodology, the CMMC framework adds a scalable certification element to verify the implementation of processes and practices associated with achieving a cybersecurity maturity level. Also, it requires contractors to have and maintain a current (not older than three years) CMMC certificate at the level required for the contract. In this way, the CMMC framework provides better assurances that the appropriate levels of cybersecurity protections and processes are in place.
To amend the above DFARS clauses and make the implementation of NIST SP 800-171 Assessment Methodology and CMMC framework more coherent, DoD released an Interim Rule (or DFARS Case 2019-D041). The Interim Rule aims to provide DoD with the ability to assess a contractor's implementation of NIST SP 800-171 security requirements and assurance that DIB contractors can adequately protect CUI in a multi-tier supply chain.
- DFARS Case 2019-D041 Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (Nov 2020). The rule amends DFARS to implement the DoD NIST SP 800-171 Assessment Methodology and the CMMC framework. The document describes CMMC and the NIST SP 800-171 assessment procedures in detail, sets timelines for CMMC/NIST SP 800-171 compliance, and even proposes an estimated number of entities expected to be certified within the next seven years. According to the rule, all DoD contractors should have a current NIST SP 800-171 assessment and the appropriate CMMC level certification before any contract award and during contract performance. Finally, it requires the CMMC and NIST SP 800-171 Assessment to be an unconditional item in all solicitations and contracts by 2025.
- According to the rule, all DoD contractors should:
- Obtain and maintain a valid CMMC certification or self-assessment at the required level or higher.
- Ensure this certification remains valid throughout the contract.
- Use only authorized systems for storing, processing, or transmitting CUI.
- Report any security issues or changes in the status of your CMMC certification or self-assessment within 72 hours to the contracting officer.
- Annually, or when changes occur, reaffirm continuous compliance with security requirements.
- Ensure subcontractors and suppliers also complete and maintain their compliance certification annually or when updates occur.
- The proposed clause adds a new section that requires reporting: (1) the unique identifiers assigned by the DoD for each system listed in SPRS, (2) the outcomes of the contractor's self-assessments in SPRS, and (3) any modifications to the set of unique identifiers.
Conclusion
To summarize, once one understands the reasons behind the CUI compliance requirements, they appear not complicated but necessary. Modern digital realities require safeguarding CUI residing in both federal and non-federal information systems. To ensure adequate protection of CUI and other sensitive federal information within government information systems, NIST SP 800-53 is used. Non-federal organizations, in turn, should rely on the CUI security controls set out in NIST SP 800-171 and NIST SP 800-172. Implementation of the NIST controls within the defense environment is mandated through DFARS clauses, the latest of which requires a scalable CMMC certification for all DoD contractors to verify adequate implementation of the compliance requirements for CUI. For more information about the NIST SP 800-171 assessment, the CMMC model, and any other related information regarding CUI protection requirements, please contact the Planet 9 expert team. We'll be happy to assist.