Championing Controlled Unclassified Information
Many federal government contractors have been mandated by government contracting officers or prime contractors to report on their Controlled Unclassified Information (CUI) protections. But what is the CUI program, and how does it affect business management?
The security function of the CUI program
The CUI program standardizes how the government handles information that requires protection under laws, regulations, or government policies but is not classified. If compiled by adversaries, this information could reach the threshold of classified information.
America’s adversaries have sophisticated strategies for accessing government information, no matter how insignificant that information may seem. The island-hopping strategy is commonly deployed as soon as the award of a government contract is publicly announced. A company and/or its employees are monitored while the adversary waits for emails to another company, which opens another path of monitoring, and the chain continues until access to the desired company is achieved. A highly sought-after target is a small contractor on a critical agency contract with exploitable systems that hold valuable CUI.
CUI program clarity function
Prior to the CUI program, federal agencies often used ad hoc, agency-specific policies, procedures, and markings to manage this information. This patchwork approach led agencies to label and process information inconsistently, to implement unclear or unnecessarily restrictive release policies, and to create barriers to information sharing. Federal government contractors performing contracts for multiple agencies were overwhelmed with complex and sometimes conflicting information protection requirements, making contract compliance nearly impossible.
CUI contractual clauses
The federal government has a hierarchy of procurement regulations. The main authority is the Federal Acquisition Regulation (FAR). Each agency then implements the FAR clauses in its own regulations, adding language that describes its own contractual needs.
FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, is the federal clause requiring that systems owned or operated by a contractor that process, store, or transmit CUI implement the 110 controls of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Examples of agency-specific acquisition regulations are Homeland Security Acquisition Regulation clause 3052.204-70, Security Requirements for Unclassified Information Technology Resources, and Defense Federal Acquisition Regulation Supplement 252.204.2017, Safeguarding Covered Defense Information and Cyber Incident Reporting.
The CUI Champion
The implementation of NIST 800-171 extends far beyond the traditional IT ownership of the system administrator. Contract managers, human resources, and facility security officers also have responsibilities. It is this interweaving of several functions that makes an enterprise CUI manager necessary. The CUI Manager oversees the enterprise’s living NIST 800-171 policies, procedures, plans, and training, which the C-suite CUI Champion has signed and funded. NIST 800-171 requires a signed resourcing plan.
The Department of Defense (DoD), after years of contractors losing information, has created three types of NIST 800-171 validation under the CMMC (Cybersecurity Maturity Model Certification) program. CMMC’s goal is to require C-suite-owned frameworks to self-certify, be certified by a CMMC third-party certification body, or be assessed by the government’s Defense Industrial Base Cybersecurity Assessment Center.
The US Department of Homeland Security has said it is monitoring the CMMC program and has just implemented new clauses requiring proof of computer security certifications. It is watching the DoD’s experience with third-party certification before adopting a similar program.
CUI champions who plan and budget at the corporate level and appoint a manager are now essential for growth in the federal contract space. To avoid misinformed purchases of cloud services, software, and physical locations, and to avoid hiring risky employees, the business needs a champion to assess and create standards that fit the business. The costs of NIST 800-171 requirements become a major consideration when developing competitive proposals, and the champion can manage these costs.
Below is an example of the champion’s organizational relationship with the business. If you have questions about what qualifies someone for the CUI Champion role or about the organizational relationship, please consult an advisor as soon as possible. Evidence of CUI management backup is an ongoing DoD and DHS requirement, and other agencies will soon follow.