What is CUI, CDI and CTI?
CUI is Controlled Unclassified Information and encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). CUI requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies.
- Covered Defense Information (CDI) is unclassified controlled technical information or other information described in the Controlled Unclassified Information (CUI) Registry found here.
- Controlled Technical Information (CTI) is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. It does not include information that is lawfully publicly available without restrictions.
Why Should a Contractor be Concerned with CUI?
Contracting Officers are required to include the DFARS clauses 252.204-7008 and 252.204-7012 in all solicitations and contracts starting in GFY 2025, including those using FAR part 12 procedures for the acquisition of commercial items. The only exception is solicitations and contracts solely for the acquisition of Commercially Available Off the Shelf (COTS) items. Even though the requirement is not likely to reach most contractors until 2025, preparation efforts have to be undertaken now.
What is the DFARS Clause?
DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, require contractors to implement the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, to safeguard DoD’s covered defense information that is processed, stored, or transmitted on the contractor's internal unclassified information system(s) or network(s).
Level of Compliance Requirement in Contracts
This is an evolving area and DoD is slowly rolling out the Cybersecurity Maturity Model Certification (CMMC). The plan is for DoD to begin specifying a level of CMMC compliance requirements in some new contracts beginning in 2021, with full implementation expected by September 30, 2025. There are five levels of CMMC certification, and the certification is valid for 3 years. The CMMC defines different levels of cyber security maturity that can be required of a government contractor. Each level requires more controls than the previous one: Level 1 is the lowest and Level 5 is the highest. The contracting officer is required to identify the information the contractor will have to control and the CMMC compliance level required.
Difference Between NIST and CMMC
DFARS 252.204-7012 requires contractors with DoD contracts to comply with NIST SP 800-171 through a self-assessment process. CMMC is the process being used to certify the maturity level of a contractor's compliance with cyber security requirements. CMMC will require verification and audit by a third party, which can take advantage of the NIST initiatives that the contractor already has in process.
What are the Contractor’s Responsibilities?
Contractors must implement the security requirements addressed in NIST Special Publication (SP) 800-171 when the clause is included in the solicitation/contract. If the contractor will vary from the security requirements in NIST SP 800-171 that are in effect at the time a solicitation is issued, the contractor must submit a written explanation to the Contracting Officer as to why a particular security requirement is not applicable or whether there is an equally effective security measure that achieves equivalent protection.
Additionally, if a cyber incident is discovered, the contractor must conduct a timely review for evidence of compromise of covered defense information and report the cyber incident to the DoD. The contractor is also required to flow the clauses down to subcontracts (excluding subcontracts for COTS). The contractor should require subcontractors to notify them when the subcontractor submits a request to the contracting officer to vary from a NIST SP 800-171 security requirement, or when the subcontractor has reported an incident to the DoD. The subcontract incident report number (assigned by DoD) should be provided to the higher-tier contractors as soon as possible. The contractor must also determine whether information it will provide to the subcontractor is controlled unclassified information that requires protection.
NIST SP 800-171 vs. SP 800-172A
NIST SP 800-172A Assessing Enhanced Security Requirements for Controlled Unclassified Information (CUI) is being put in place to provide an assessment process for determining contractor compliance with SP 800-171.
Draft Publication Available for Comment
NIST has published a draft Special Publication, SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information (CUI), dated April 27, 2021.
The publication includes assessment procedures that may be used in assessing compliance with the requirements in NIST SP 800-172. The assessment procedures can be tailored to the contractor's needs, whether they are conducted as a self-assessment, an independent third-party assessment or a government-sponsored assessment. Each security requirement includes an objective, and then provides procedures to facilitate understanding the requirement and obtaining evidence through examination, interviewing and testing. The contractor can determine whether a security requirement has been satisfied by applying the procedures. Not all of the assessment procedures are expected to be required; rather, they are a starting point for developing security assessment plans and making risk-based decisions to determine compliance with the CUI enhanced security requirements.
NIST is providing these procedures for use on a voluntary basis, and they are not intended to contradict mandatory standards and guidelines issued under statutory authority. We highly recommend that contractors have the representative who handles CUI review the draft assessment procedures and provide comments/recommendations to NIST to enhance the process. Although there is a short time period in which to provide comments, the assessment procedures remain available for contractors to apply as they see fit to ensure they meet the security requirements.
Comments Requested
Now is your chance to provide comments to improve the process. NIST is seeking feedback on the assessment procedures from the public and private sectors, and comments are due by June 11, 2021. You can access the draft publication and provide comments here.
Redstone GCI can assist in the evaluation and determination of the various cybersecurity clauses and requirements that are applicable in the evolving government contracting lifecycle. Additionally, we are available to assist contractors in assessing their current policies and practices to ensure they meet the DFARS cyber security requirements. Redstone GCI works with contractors throughout the U.S. and internationally in understanding the Government's expectations in applying FAR requirements.