RGCI - Safeguarding Controlled Unclassified Information - Procedures to Consider

What is CUI, CDI and CTI?

CUI is Controlled Unclassified Information: information that requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies. In the DFARS context it encompasses Covered Defense Information (CDI) and Controlled Technical Information (CTI).

  • Covered Defense Information (CDI) is unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls and is either marked or otherwise identified in the contract and provided to the contractor by or on behalf of DoD, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance.
  • Controlled Technical Information (CTI) is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. It does not include information that is lawfully publicly available without restrictions. In practice, CTI carries a DoD distribution statement (B through F) that states the limits on its release.

Why Should a Contractor be Concerned with CUI?

Under DFARS 204.7304, Contracting Officers are required to include DFARS 252.204-7008 in all solicitations, and DFARS 252.204-7012 in all solicitations and contracts, including those using FAR part 12 procedures for the acquisition of commercial items. The only exception is solicitations and contracts solely for the acquisition of Commercially Available Off the Shelf (COTS) items. These clauses have been in use since 2016, so the NIST SP 800-171 safeguarding requirement already applies to any contractor that handles covered defense information. What is still being phased in, with full implementation expected by the end of GFY 2025, is the CMMC certification requirement described below. Even though certification is not likely to hit most contractors until 2025, efforts have to be undertaken now to be prepared.

What is the DFARS Clause?

DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, require contractors to implement the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (the revision in effect at the time the solicitation is issued; currently Rev 1), to safeguard DoD's covered defense information that is processed, stored, or transmitted on the contractor's internal unclassified information system(s) or network(s). Clause 7008 is the offeror's representation, made by submitting a proposal, that it will implement those requirements; clause 7012 is the contract obligation to do so and to report cyber incidents.

Level of Compliance Requirement in Contracts

This is an evolving area: DoD is phasing in the Cybersecurity Maturity Model Certification (CMMC). The plan is for DoD to begin specifying a CMMC level in selected new contracts in 2021, with full implementation expected by September 30, 2025. CMMC currently defines five maturity levels, with Level 1 the lowest and Level 5 the highest; each level adds practices and processes on top of the previous one, and a certification is valid for three years. The contracting officer identifies in the solicitation both the information the contractor will have to protect and the CMMC level required.

Difference Between NIST and CMMC

DFARS 252.204-7012 requires contractors with DoD contracts to implement NIST SP 800-171 and relies on self-assessment: the contractor attests to its own compliance and documents any gaps in its system security plan and plans of action. CMMC is the process DoD is using to certify the maturity level of a contractor's cyber security program, and it requires verification by an accredited third-party assessor. That assessment builds on the NIST SP 800-171 work the contractor already has in process, so the two are complementary rather than competing requirements.

What are the Contractor’s Responsibilities?

Contractors must implement the security requirements in NIST SP 800-171 when the clause is included in the solicitation or contract. If the contractor intends to vary from any security requirement in the revision of NIST SP 800-171 in effect when the solicitation is issued, it must submit a written explanation to the Contracting Officer, for adjudication by the DoD Chief Information Officer, stating why the requirement is not applicable or describing an alternative but equally effective security measure that achieves equivalent protection.

Additionally, if a cyber incident is discovered, the contractor must conduct a timely review for evidence of compromise of covered defense information and rapidly report the incident to DoD through the DIBNet portal within 72 hours of discovery; submitting a report requires a DoD-approved medium assurance certificate, which should be obtained before an incident occurs. The contractor must also preserve images of the affected systems and the relevant monitoring data for at least 90 days from the report in case DoD requests them. The contractor is required to flow the clause down to subcontracts (excluding subcontracts for COTS items) in which the subcontractor will handle covered defense information. The contractor should require subcontractors to notify it when they submit a request to vary from a NIST SP 800-171 requirement to the contracting officer and when they report a cyber incident to DoD; the incident report number assigned by DoD should be passed up to the higher-tier contractor as soon as practicable. The contractor must also determine whether the information it will provide to a subcontractor is covered defense information that requires protection.

NIST SP 800-171 vs. SP 800-172A

NIST SP 800-171 states the basic security requirements for protecting CUI, and its companion SP 800-171A provides the procedures for assessing them. NIST SP 800-172 adds enhanced security requirements, on top of SP 800-171, for CUI associated with critical programs or high-value assets that are likely targets of advanced persistent threats. NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information (CUI), is being put in place to provide the assessment procedures for those enhanced SP 800-172 requirements; it does not replace SP 800-171A for the basic requirements.

Draft Publication Available for Comment

NIST has published a draft of Special Publication SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information (CUI), dated April 27, 2021.

The publication includes assessment procedures for the enhanced security requirements in NIST SP 800-172. The procedures can be tailored to the contractor's needs whether they are applied as a self-assessment, an independent third-party assessment, or a government-sponsored assessment. Each enhanced security requirement is paired with an assessment objective and with procedures for obtaining evidence through three methods: examining documents and mechanisms, interviewing personnel, and testing controls. By applying the procedures, the contractor can determine whether a security requirement has been satisfied. There is no expectation that every assessment procedure will be used; the publication is a starting point for developing security assessment plans and for making risk-based decisions about compliance with the CUI enhanced security requirements.

NIST is providing these procedures for use on a voluntary basis; they are not intended to contradict mandatory standards and guidelines issued under statutory authority. We highly recommend that contractors have the representative who handles CUI review the draft assessment procedures and provide comments and recommendations to NIST to improve the process. Although the comment period is short, the draft procedures remain available for contractors to apply as they see fit to confirm that they meet the security requirements.

Comments Requested

Now is your chance to provide comments to improve the process. NIST is seeking feedback on the draft assessment procedures from the public and private sectors, and comments are due by June 11, 2021. The draft publication and comment instructions are available from NIST's Computer Security Resource Center (csrc.nist.gov).

Redstone GCI can assist in evaluating and determining which of the various cybersecurity clauses and requirements apply across the evolving government contracting lifecycle. Additionally, we are available to assist contractors in assessing their current policies and practices to ensure they meet the DFARS cyber security requirements. Redstone GCI works with contractors throughout the U.S. and internationally to understand the Government's expectations in applying FAR requirements.


Written by Lynne Nalley, CPA

Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.

Professional Experience

Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne's experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS, CAS and testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS as well as made NASBA certified presentations to the staff including but not limited to billing reviews, CAS, unallowable cost and progress payments. To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractors' assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA.

Education

Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida.

Certifications

  • State of Florida Certified Public Accountant
  • State of Alabama Certified Public Accountant
  • Defense Acquisition Workforce Improvement Act (DAWIA) Level III – Auditing
  • DAWIA Level III – Contracting

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus and knowledge of audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we’ve strategically grown to support other areas of the government contractor back-office with that same level of focus and expertise. We’ve added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, Grant specialists, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.

Topics: Compliant Accounting Infrastructure, Cybersecurity