CMMC, CUI and DoD Contractors
Posted on November 18, 2019 by Brigham Slocum
As we prepare for the release of the DoD Cybersecurity Maturity Model Certification (CMMC) in January of 2020 it’s helpful to refresh our memories concerning the steps that have led to its issuance, so let’s talk about Controlled Unclassified Information (CUI)…
Per the National Archives and Records Administration (NARA), CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Given this, unless a specific law, regulation or government-wide policy requires certain information to have safeguarding or disseminating controls, the information is not CUI. Another way of stating this is that CUI deals with information that is already required to be protected as defined by a previously set rule, i.e., the information already required protection regardless of any subsequent CUI marking.
Compliance Requirements & Guidance
The CUI program is a requirement to standardize the manner used to handle unclassified information requiring protection. Under this program, the DoD contractor is bound by several separate entities, orders, regulations, and publications. The following is a list of orders and regulations that a DoD Contractor may be bound to comply with:
Executive Order 13556, Controlled Unclassified Information – this EO establishes an open and uniform program for the management of information requiring safeguarding and dissemination controls. Although the contractor is not directly bound by this EO, which applies to government agencies, it is bound secondarily because it supports those agencies, develops information for them, and maintains their information on contractor information systems.
Information Security Oversight Office (ISOO) National Archives and Records Administration (NARA) 32 Code of Federal Regulations (CFR) Part 2002, Controlled Unclassified Information – this is the code of federal regulations which describes the executive branch’s CUI Program and establishes policy for designating, handling, and decontrolling information that qualifies as CUI.
DoD Manual (M) 5200.01 Volume 4, DoD Information Security Program: Controlled Unclassified Information (CUI) – this DoD Manual, although its title suggests it is associated with the 32 CFR CUI program, is actually unrelated to it, but is currently binding for all DoD applications. DoDM 5200.01 Vol 4 provides guidance regarding the safeguarding of FOUO information.
FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems – this clause of the Federal Acquisition Regulation (FAR) does not deal directly with CUI but treats the requirements for protecting covered contractor information systems, precisely because of the information which resides, or potentially resides, on them. All DoD contractors operating covered systems and whose contracts contain this clause are bound by its requirements. It is, in a sense, the first step toward CUI protection and the DFARS clause detailed below.
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting – all DoD contractors maintaining any type of Covered Defense Information (CDI) and/or whose contracts contain this clause are bound to comply. This clause deals with the safeguarding of CUI, including CDI and Controlled Technical Information (CTI), and provides guidance regarding the necessary practices as well as incident reporting guidance. In revisions of this clause the DoD ultimately requires full NIST SP 800-171 compliance.
NIST SP 800-171 Rev 1: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations – this special publication produced by NIST is the most immediate and directly binding document and regulation as applied to the DoD contractor creating, maintaining, and/or using CUI in its work. Broadly, the DoD contractor who maintains CUI is bound by the FAR and DFARS clauses, but NIST SP 800-171 provides the specific requirements and implementation guidance.
A Few Examples of CUI
In a word, all CUI requires protection, but it is beyond the scope of this blog post to detail all types of CUI. So, here we will mention a few types that the DoD contractor might commonly come into contact with.
CUI has been defined above and shall be considered as the broad information category, under which various types of sensitive information are distinguished by specific differences, yet still falling under the larger CUI umbrella. These specific CUI types, or subcategories, have been determined by ISOO/NARA and can be found at the CUI Registry.
The following does not claim to be an exhaustive list of CUI types, but aims to provide detail regarding a few common examples. Additionally, neither this article nor the list below addresses Classified material and its safeguarding requirements.
Controlled Technical Information (CTI) – “Controlled technical information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information must meet certain criteria for dissemination per distribution statements set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
Covered Defense Information (CDI) – “Covered defense information” means unclassified controlled technical information or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
For Official Use Only (FOUO) – FOUO is a designation applied to unclassified information to identify material which may not be appropriate for public release. To be considered FOUO, this type of information must be exempt from mandatory release to the public under the Freedom of Information Act (FOIA). The FOIA specifies 9 categories of information which can be withheld from release if requested by a member of the public. More details can be found in Section 5-2 of Army Regulation (AR) 380-5 and in DoDM 5200.01 Vol 4.
FOUO is not technically a category of CUI, but is a DoD designation per DoDM 5200.01 vol 4. Although the DoD document and program is called DoD Information Security Program: Controlled Unclassified Information (CUI), this is a completely separate and unrelated policy and program as compared to the Executive CUI program as promulgated via 32 CFR. With that said, the DoD is currently in the process of updating the DoDM 5200.01 Vol 4 to align with the 32 CFR CUI program, but until that time, when dealing with any DoD materials, Manual 5200.01 Vol 4 should be followed; specifically meaning the use of FOUO marking, handling and safeguarding procedures.
NATO (North Atlantic Treaty Organization) – NATO information is information that has been generated by or for NATO, or member nation national information that has been released into the NATO security system. The protection of this information is controlled under the NATO security regulations, and access within NATO is determined by the holder, unless restrictions are specified by the originator at the time of release to NATO. More information regarding NATO information can be found in the NATO Security Indoctrination.
(1) NATO Restricted: This security classification is applied to information the unauthorized disclosure of which would be disadvantageous to the interests of NATO. (NOTE: Although the security safeguards for NATO RESTRICTED material are similar to those of FOR OFFICIAL USE ONLY, OFFICIAL USE ONLY, or SENSITIVE, BUT UNCLASSIFIED information, “NATO RESTRICTED” is a security classification.)
(2) NATO Unclassified (NU): This marking is applied to official information that is the property of NATO, but does not meet the criteria for classification. Access to the information by non-NATO entities is permitted when such access would not be detrimental to NATO. In this regard, it is similar to U.S. Government official information that must be reviewed prior to public release.
Personally Identifiable Information (PII) – as defined in OMB Memorandum M-07-16, PII refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual. For more information please see OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, and NIST SP 800-122, Guide to Protecting the Confidentiality of PII.
Personally Identifiable Financial Information (PIFI) aka Nonpublic Personal Information (NPI) – PIFI/NPI is any information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise “publicly available.” NPI is: any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application); any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report). NPI does not include information that you have a reasonable basis to believe is lawfully made “publicly available.” In other words, information is not NPI when you have taken steps to determine that the information is generally made lawfully available to the public, and that the individual can direct that it not be made public and has not done so. For example, while telephone numbers are listed in a public telephone directory, an individual can elect to have an unlisted number. In that case, her phone number would not be “publicly available.”
So Who Determines What Is and What Is Not CUI?
What are the responsibilities associated with the determination and categorization of information as CUI? In other words, who has the responsibility, and what does one do when guidance is required?
“The DoD requiring activity is responsible for identifying covered defense information (CDI) in accordance with DoD procedures for identification and protection of controlled unclassified information found in DoDM 5200.01 Vol 4, DoD Information Security Program: Controlled Unclassified Information (CUI). The requiring activity is also responsible for determining the appropriate marking for the CDI in accordance with the procedures for applying distribution statements on technical documents found in DoDM 5200.01 Vol 4 and DoDI 5230.24, Distribution Statements on Technical Documents. The requiring activity must document in the Statement of Work that CDI is required for performance of the contract, and specify requirements for the contractor to mark the CDI developed in the performance of the contract” (Safeguarding Covered Defense Information – The Basics).
“The controlling DoD office (defined in DoDI 5230.24), in most cases the requiring activity, is responsible to: 1) Determine whether the relevant technical information to be furnished by the Government and/or developed by the contractor contains unclassified CTI. The requiring activity must notify the procuring contracting officer (PCO) when a potential contractor will be required to develop and/or handle unclassified CTI. 2) Review all unclassified CTI to be provided to the contractor to verify that all document distribution statements are valid and that all documents that should be marked are properly marked with the correct statement prior to their being provided to the contractor” (Safeguarding Unclassified Controlled Technical Information (CTI) Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73).
The above guidance, for both CDI and CTI, clearly designates the Government Contracting Activity (GCA), Contracting Officer (CO), or their representative as the determining party regarding CUI. If a contractor will be dealing with CUI in the course of its duties, this must be clearly stated in the contract documents. Additionally, guidance regarding what qualifies for CUI categorization must be provided in documents such as program/contract Security Classification Guides (SCGs) and/or DD Form 254s.
Per DoDM 5200.01 Vol 4, “It is the responsibility of the document’s originator to determine at origination whether the information may qualify for FOUO status and to ensure markings are applied as required. Further details on the types of information that may qualify for the specified exemptions and FOUO status can be found in Chapter 3 of DoD Manual 5400.07 (Reference (p)).”
The above statement would seem to indicate that the document originator has complete control to categorize something as FOUO. However, this is not the case, since the guidance quoted earlier indicates that CUI requires categorization at the GCA/CO level. Additionally, DoDM 5200.01 further states, “When CUI is to be provided to or generated by DoD contractors, the controls and protective measures to be applied shall be described in the pertinent contract documents (e.g., contract clause; statement of work; or DD Form 254, “Department of Defense Contract Security Classification Specification”).”
“The originator of a document is responsible for determining at origination whether the information may qualify for CUI status, and if so, for applying the appropriate CUI markings. However, this responsibility does not preclude competent authority (e.g., officials higher in chain of command; functional experts) from modifying the marking(s) applied or originally applying additional markings. In such cases, the originator shall be notified of the changes. Additionally, Freedom of Information Act Officers (individuals expert in section 552 of title 5, United States Code (U.S.C.) (also known as “The Freedom of Information Act” and hereinafter referred to as “FOIA” (Reference (h))) can be consulted for advice or training on the proper application of FOIA exemptions” (DoDM 5200.01 Vol 4).
In other words, when contractors are creating and/or updating a document and there is any consideration that FOUO and/or CUI markings need to be applied, the necessary authority should be consulted first, always referencing program guidance, program documents, and SCGs prior to applying any marking.
What Does CUI Have To Do With CMMC?
The theft of hundreds of billions of dollars of intellectual property (IP) due to malicious cyber activity threatens the U.S. economy and national security. The Council of Economic Advisers estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. Moreover, the Center for Strategic and International Studies estimates that the cost of cybercrime worldwide is approximately $600 billion. The majority of this IP theft is directly attributable to poor cybersecurity maturity and ineffective implementation of the controls necessary to protect sensitive data (CMMC Draft v0.6).
Enter CMMC, DoD’s solution to the ever-growing threat to the US economy and national security. CMMC is intended to bolster the cybersecurity foundation and resilience of the Defense Industrial Base (DIB). CMMC is a DoD certification process that measures a DIB sector company’s ability to protect Federal Contract Information (FCI) and CUI. CMMC combines various cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices. CMMC also adds a certification element to verify implementation of cybersecurity requirements. CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for flow down to subcontractors in a multi-tier supply chain.
How Does CMMC Affect Me?
As we detailed above, FAR, DFARS, and NIST SP 800-171 are existing requirements for many DoD contractors. However, up until the release of CMMC, there has been no requirement for a third-party audit to ensure compliance. For NIST SP 800-171, contractors are required to self-attest. There have been cases where fines have been levied for false attestation; however, the distinction remains. As CMMC looms, the DoD has assured the DIB that two things will be true: 1) it will be a requirement present in all RFPs for anyone doing business with the DoD, and 2) it will require third-party audits and certifications.
That said, the best way to prepare for CMMC is to ensure compliance with NIST 800-171A. Mike Gordon, CISO for Lockheed Martin, has stated, “use NIST 800-171 as the baseline while CMMC has not been released yet.”
NIST 800-171 compliance can be a costly and burdensome task, not to mention the time needed to understand and prepare for the coming CMMC process. Please do not delay and risk your future contracts. Take the first step to compliance and let the experts at Blue Mantle Technology assess your current NIST implementation and fill any gaps that exist, so you can be prepared when the CMMC auditor knocks on your door.