Companies that work with the Department of Defense (DoD) know that it is critical to store data properly and are constantly on guard against controlled unclassified information (CUI, sometimes pronounced cooey) in their environments.
Organizations that are a part of the DoD supply chain are frequently referred to as the Defense Industrial Base (DIB). Many of these companies have sensitive DoD data within their enterprise networks. Large defense contractors have mostly addressed the storage of DoD data by creating large enterprise networks purpose-built for their defense work. However, small- and medium-sized businesses (SMBs) who are members of the DIB often struggle to identify CUI in their environments. If an organization has CUI, it must be protected using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 framework. To accurately define their technical boundary, legal counsel, CFOs, and CISOs are clamoring to classify their data as CUI or not-CUI.
What is CUI?
CUI is not classified data but is sensitive enough that the U.S. government feels organizations should control this information as its release could threaten national security. In the past, CUI appeared under an assortment of other names including For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LSU). The U.S. government, realizing that these monikers alone did not dictate proper safeguarding, established CUI and, with it, a set of safeguards or security controls for protecting it from improper dissemination.
The Office of the Undersecretary of Defense for Information Security (OUSD I&S) maintains a website that provides policy guidance for the identification and protection of CUI which includes the standards for safeguarding, storing, destroying, transmitting and transporting CUI. The CUI Registry is the government’s online repository for guidance regarding CUI policy and practices. Registry categories cover a wide range of topics including critical infrastructure, defense, export control, financial, immigration, intelligence, law enforcement, legal, nuclear, patent and privacy.
Examples of CUI
Here are three examples of CUI data types in the DoD context:
- Defense Critical Infrastructure Information (DCRIT): Information about the critical infrastructure crucial for defense. An example of DCRIT is a map of a military base or the blueprint of a defense facility. The map is not classified, but it is sensitive because it could be useful to adversaries.
- Export controlled information: Information that is controlled due to its potential implications on national security if exported. An example of export-controlled information is the design of innovative technology. The technology itself is not classified, however, it is controlled because if it were shared with other countries, it could harm national security.
- Pre-decisional budget or policy information: Information related to budget or policy still under consideration. A proposed federal or state budget or policy is an example of this type of data. The policy is not classified; however, it also is not finalized and has not been shared with the public.
Identifying CUI
Any organization that conducts business with the U.S. government may have CUI. However, here are four questions to make that determination:
Does the organization have a U.S. federal contract, or is a supplier on a U.S. federal contract?
If yes, then the organization likely has CUI. At the minimum, the organization has Federal Contract Information (FCI), which is information not intended for public release. FCI is provided by or generated for the federal government under a contract to develop or deliver a product or service. CUI and FCI both include information created or collected by or for the government.
Does the organization have any contracts with the Defense Federal Acquisition Regulations Supplement (DFARS) clause for CUI (DFARS Clause 252.204-7012 or 252.204-7020) in it?
If yes, then it likely has FCI and CUI. Clause 7012 specifies requirements for the protection of CUI per NIST SP 800-171, cyber incident reporting obligations, and other considerations for cloud service providers. Clause 7020 describes the DoD assessment requirements for information systems that contain CUI.
Can procurement readily contact the organization’s Contracting Officer Representative (COR)?
Contracting officers are responsible for including the necessary clauses in contracts to ensure the protection of CUI. If a company is working on a new contract with the U.S. government, one of these clauses may end up in its next engagement. The organization’s procurement team will want to be aware of this when submitting bids.
It is important to be aware that while contracting officers play a key role in managing CUI, they may or may not be subject matter experts on CUI-related regulations. Therefore, organizations with federal contracts must have a strong relationship with their COR to ensure that both sides are fully aware of the type of information the contract may involve.
Is the organization a subcontractor within the DoD supply chain?
Under the subcontractor flowdown requirements, prime contractors are responsible for ensuring that all teammates, including subcontractors and suppliers, meet applicable security requirements. If subcontractors handle CUI, they will be subject to the same controls as the prime, including the full set of NIST 800-171 controls.
Using our earlier example regarding DCRIT information, a fictional prime contractor is responsible for the construction of an airplane hangar on a military base, with an extensive list of security requirements including physical, logical and biometric controls. The prime has subcontracted the installation of the HVAC systems, requiring them to access the engineering diagrams. In this instance, the prime and the subcontractor would both be responsible for meeting the NIST 800-171 controls.
The Defense Industrial Base (DIB) refers to the network of organizations and facilities that provide the DoD with materials, products and services. This includes a diverse range of entities such as small- and medium-sized businesses, university laboratories and research centers and large multinational corporations. The DIB is responsible for a variety of functions, from the projection of complex military platforms such as aircraft carriers and highly specialized services like intelligence analysis. Any company or organization that is a part of the DIB will need to identify whether it is holding CUI, and if it is – it will need to protect it accordingly.
To learn more about our government security and compliance solutions, contact us.