Cyber Incident Reporting For GovCon


Since the recent Russian invasion of Ukraine, there has been a significant increase in cyber-attacks reported across the world. While the U.S. Government has concerns about attacks on U.S. companies, including banks, power companies, and fuel suppliers, it is also concerned about defense contractors. President Biden has issued multiple warnings to companies, including defense contractors, about looming cyber-attacks.


Topics: DFARS Business Systems, Contractor Purchasing System Review (CPSR), Cybersecurity

Safeguarding Controlled Unclassified Information – Procedures to Consider and Your Chance to Comment

What is CUI, CDI and CTI?

CUI is Controlled Unclassified Information and encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). CUI requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies.

  • Covered Defense Information (CDI) is unclassified controlled technical information or other information described in the Controlled Unclassified Information (CUI) Registry found here.
  • Controlled Technical Information (CTI) is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. It does not include information that is lawfully publicly available without restrictions.

Topics: Compliant Accounting Infrastructure, Cybersecurity

Where does DoD stand on Cybersecurity Certification?

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is still in the process of working with DoD stakeholders and industry to finalize the development of the Cybersecurity Maturity Model Certification (CMMC). As stated on the OUSD(A&S) website: “The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.” On March 13, 2020, Under Secretary of Defense Ellen Lord issued a statement on misleading cybersecurity certification information. She stated, “some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD.” This is not a factual statement as “[t]he requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized.”


Topics: Cybersecurity

Are You and Your Subcontractors Ready for Cybersecurity Maturity Model Certification?

Per DFARS 252.204-7012, “Safeguarding Covered Defense Information and Incident Reporting”, Contractors were to implement NIST SP 800-171 by 12/31/2017. However, Contractors' self-certification has not gone as well as the Department of Defense (DoD) had hoped. DoD has even included it as part of 2019 Contractor Purchasing System Reviews (CPSR) for the Defense Contract Management Agency (DCMA) to evaluate Contractors' monitoring of subcontractors' self-certification. In the meantime, DoD has shifted gears and is developing the Cybersecurity Maturity Model Certification (CMMC) to help strengthen the DoD supply chain's cybersecurity at all levels, from the prime Contractor on down to the lowest subcontractor.


Topics: DFARS Business Systems, Contractor Purchasing System Review (CPSR), Cybersecurity