Protecting CUI means navigating a stable but complicated regulatory environment. This article gives an overview of the standards, requirements, and regulations that surround it.
Protection of Controlled Unclassified Information (CUI) in non-federal systems is an issue of paramount importance for both governmental and non-governmental organizations. This applies especially to the Department of Defense (DoD) and its contractors, because they support the national warfighter and contribute to the development of the US defense industry. One of the latest legal updates regarding CUI protection in the defense sphere is DFARS 252.204-7021, which obligates DoD contractors to achieve the appropriate level of Cybersecurity Maturity Model Certification (CMMC) to assure adequate protection of CUI. At present, most federal contractors are actively conducting NIST SP 800-171 assessments pursuant to DFARS 252.204-7020 and DFARS Case 2019-D041. A successful NIST SP 800-171 assessment should become the bridge to any contract award with federal agencies as well as to further CMMC certification. The compliance requirements for CUI may appear complicated or even confusing; however, they help establish standardized and reliable protection of CUI residing in non-federal information systems. In this article, we will try to clear up the confusion around CUI-related legislation and explain what all the regulations and standards aim for.
To understand the importance of CUI protection, one should first go back to 2010, when Executive Order 13556 was issued. The order established a program that aimed to standardize how the federal executive branch handles unclassified information, including a detailed explanation of what CUI is and suggestions on how to protect it. In particular, CUI was defined as follows:
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and governmental policies, excluding information that is classified under Executive Order 13526 or the Atomic Energy Act.
There are many specific categories and subcategories of CUI that the executive branch protects. A complete list of them may be found in the CUI Registry. Additionally, organizations should understand that CUI is an umbrella term encompassing Covered Defense Information (CDI) and Controlled Technical Information (CTI).
Covered Defense Information (CDI) is unclassified controlled technical information or other information described in the CUI Registry.
Controlled Technical Information (CTI) is technical information with military or space application that is subject to controls on access, use, modification, reproduction, performance, display, release, disclosure, or dissemination. Here, technical information means technical data or computer software, including research and engineering data, engineering drawings, specifications, standards, manuals, technical reports, data sets, and computer software executable code.
Such a large amount of sensitive data demands extensive requirements for handling and dissemination. For this purpose, Executive Order 13556 instructed the National Institute of Standards and Technology (NIST) to develop a shared framework for addressing cybersecurity concerns. After extensive collaboration with industry partners, NIST Special Publications specified a set of safeguarding requirements for CUI.
To establish the complete moderate-impact baseline required for CUI protection in the executive branch, NIST first introduced NIST SP 800-53 Recommended Security Controls for Federal Information Systems (initially published in 2005). The publication defined requirements for federal information systems and provided federal agencies and contractors with security and privacy controls, along with guidance on choosing the data protection measures appropriate for their organization's needs. The publication has gone through several revisions, the latest of which was released in 2020.
NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations (Sep 2020) details the CUI protection requirements and obligates federal agencies to ensure that they meet the minimum security standards necessary for adequate CUI protection.
NIST SP 800-53 cleared up the issue of CUI protection in the federal sphere; however, it raised the question of how to apply its requirements in non-federal systems. There were several reasons for this problem. First, the NIST SP 800-53 controls were developed initially for federal systems and did not fully address CUI concerns in non-federal organizations. Some of the publication's controls were not applicable outside the US Government, or were too granular when applied to a contractor's system. Finally, some baseline controls (e.g., availability controls) appeared unnecessary for CUI protection by federal contractors.
The solution was to develop a separate standard for the protection of CUI in nonfederal organizations; hence, NIST suggested several guiding sources for protecting CUI in nonfederal organizations:
NIST SP 800-171 Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (Dec 2016, as amended) specifies 110 recommended security controls for protecting CUI held by non-federal organizations.
NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information (Jun 2018) offers assessment procedures and a methodology, which can be employed to conduct assessments of the CUI security controls contained in NIST SP 800-171.
NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Feb 2021) provides additional recommendations for protecting CUI in non-federal systems and organizations where such data runs a higher than usual risk of unauthorized disclosure.
The implementation of NIST SP 800-171 and other related publications within the defense environment was mandated by the Defense Federal Acquisition Regulation Supplement (DFARS). As noted earlier, the latest DFARS requirement regarding CUI protection is CMMC certification. However, before CMMC was developed, specific cybersecurity requirements within DoD were set out by the following DFARS clauses:
DFARS Clause 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls (Oct 2016). The clause requires implementing the security requirements specified by NIST SP 800-171. If the organization deviates from any of the NIST security requirements, it is obligated to explain why certain security requirements are not applicable. It should also provide alternative security measures to satisfy a particular requirement and achieve equivalent protection.
DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (Dec 2019). The clause requires contractors to provide "adequate security" for all covered contractor information systems by implementing the security protections specified by NIST SP 800-171. The clause defines "adequate security" as "protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information." The clause also obligates contractors to discover and report any cyber incident that affects a covered contractor information system. Discovery means conducting a review for evidence of compromise of CDI, such as identifying compromised computers, servers, specific data, user accounts, etc., followed by rapid (within 72 hours) reporting of the cyber incident to DoD.
The above clauses required DoD contractors to adopt NIST's cybersecurity processes and standards (especially NIST SP 800-171) and, thereby, strengthen resilience within the defense sector. However, they did not provide specific audit or certification requirements that would serve as an assurance mechanism for adequate protection. The vague demands and lack of oversight resulted in slow and, at times, unsatisfactory adoption of the above-mentioned regulations, with most contractors achieving only a minimal level of cybersecurity hygiene.
To strengthen the security of CUI, DFARS introduced stricter requirements for assessment and audit (November 2020). First, DFARS declared formal evidence of a NIST SP 800-171 self-assessment to be the primary condition for any contract award. Second, it created the CMMC framework to finalize the standardization of CUI protection by requiring a strict audit process and third-party certification:
DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements (Nov 2020) sets specific requirements for NIST SP 800-171 assessment. The clause outlines the Basic, Medium, and High assessment levels with references to the NIST SP 800-171 DoD Assessment Methodology. Additionally, it obligates contractors to submit their assessment scores to the Supplier Performance Risk System (SPRS).
DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirement (Nov 2020). The clause introduces the CMMC by defining it as a “framework that measures a contractor’s cybersecurity maturity to include implementing cybersecurity practices and institutionalization of processes.” Built upon the NIST SP 800-171 DoD Assessment Methodology, the CMMC framework adds a scalable certification element to verify the implementation of processes and practices associated with achieving a cybersecurity maturity level. Also, it requires contractors to have and maintain a current (not older than three years) CMMC certificate at the level required for the contract. In this way, the CMMC framework provides better assurances that the appropriate levels of cybersecurity protections and processes are in place.
To amend the above DFARS clauses and make the implementation of the NIST SP 800-171 Assessment Methodology and the CMMC framework more coherent, DoD released an Interim Rule (DFARS Case 2019-D041). The Interim Rule aims to give DoD the ability to assess a contractor's implementation of the NIST SP 800-171 security requirements and assurance that Defense Industrial Base (DIB) contractors can adequately protect CUI in a multi-tier supply chain.
DFARS Case 2019-D041 Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (Nov 2020). The rule amends DFARS to implement the DoD NIST SP 800-171 Assessment Methodology and the CMMC framework. The document describes the CMMC and NIST SP 800-171 assessment procedures in detail, sets timelines for CMMC/NIST SP 800-171 compliance, and even proposes an estimated number of entities expected to be certified within the next seven years. According to the rule, all DoD contractors should have a current NIST SP 800-171 assessment and the appropriate CMMC level certification before any contract award and during contract performance. Finally, it requires the CMMC and NIST SP 800-171 Assessment to be included as an unconditional item in all solicitations and contracts by September 2025.
Together, the above standards and documents currently form the comprehensive framework for ensuring adequate CUI protection.
To summarize, once one understands the reasons behind the CUI compliance requirements, they appear not complicated but necessary. Modern digital realities require safeguarding CUI residing in both federal and non-federal information systems. To ensure adequate protection of CUI and other sensitive federal information within government information systems, NIST SP 800-53 is used. Non-federal organizations, in turn, should rely on the CUI security controls set out in NIST SP 800-171 and NIST SP 800-172. Implementation of the NIST controls within the defense environment is mandated through DFARS clauses, the latest of which requires scalable CMMC certification for all DoD contractors to verify adequate implementation of the compliance requirements for CUI.
For more information about NIST SP 800-171 assessment, CMMC model, and any other related information regarding CUI protection requirements, please contact the Planet 9 expert team. We’ll be happy to assist!