April 5, 2022

Last Updated on June 17, 2024

One of the biggest sticking points for orgs in the US defense industrial base (DIB) and others that need to comply with the NIST 800-171 cybersecurity standard is identifying and marking their controlled unclassified information (CUI). Why the perpetual struggle? Why do so many firms—and even the government—find CUI confusing? What are some potential solutions?

CMMC experts Kyle Lai, founder and CISO at KLC Consulting, and Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security, dug into the critical issue of identifying CUI on a recent episode of The Virtual CISO Podcast. Hosting the show is John Verry, Pivot Point Security’s CISO and Managing Partner.

Reason 1: Vague contract details

Even when you’re talking to experts about whether a particular data type is CUI or not, the answer is often “probably” or “it depends.” Context dependencies and other ambiguities enter in. How to inject some clarity?

“Back when DIBCAC was starting to do DFARS 7012 compliance assessments against NIST 800-171, one of the things that was identified very heavily as an issue is that contracts are not identifying what CUI is, or that you have CUI,” Caleb relates. “DIBCAC was going out to organizations that said, ‘Yes, you can come assess us.’ And then getting in there and asking, ‘Where’s your CUI flow to?’ And they’d say, “’Well, we don’t think we actually have any CUI.’”

That could either make for a very short audit, or a very complicated audit.

“It starts from the top, with the government and acquisitions,” states Caleb. “Identifying CUI is something that’s supposed to happen at a contract level. So, from the acquisition point of view, they’re saying, ‘This is the contract, this is the project that you’re going to be working on. We know that there’s controlled technical information within the scope of this project. And here’s how you’re going to be handling it.’”

Reason 2: Pushing risk down the food chain

But historically, contract clauses that direct the implementation of CUI protections have too often been “thrown into contracts” as a “CYA” effort.

“’We don’t know if there’s CUI there, but we’re going to make sure that you protect it if it is there,’” portrays Caleb. “The primes do the same thing. They throw all the clauses into an agreement form. Then they say, ‘If you are handling covered defense information within the balance of this subcontract that we’re giving you, then you have to apply all of these clauses here.’”

At that point, it’s basically risk management for the government and/or the prime. They’re pushing the risk down onto the subcontractor and putting the onus on them to figure it out.

“The government seems to be catching up, but they are not all the way there yet,” Kyle observes. “Like the Navy or Marines… They are just, like, ‘We don’t know what CUI is. We’re going to make everything CUI.’ Then it becomes an issue for the primes and the subs.”

If the government entities are still learning what CUI is, it’s understandable that SMB subcontractors in the DIB would be confused.

Kyle notes that some contracts are much clearer than others about what CUI is involved in contract execution (e.g., engineering drawings, test results). In some cases, the contract officer might not even know what CUI is involved. It can take perseverance to get definitive answers.

Reason 3: “Better safe than sorry”

With so much uncertainty across the board about CUI, what should you do if you’re not sure? Is the default “treat it as CUI to be on the safe side”?

One option is to go to the prime or DoD first, especially in the case of data that you’re receiving from upstream. If you can’t get a definitive answer, dive into the CUI Registry online. This is a definitive source of CUI information for all government agencies, not just DoD.

But at the end of the day, as Caleb resignedly advocates, “I think it’s better safe than sorry typically for this scenario.”

What’s next?

To hear this CMMC 2.0 podcast all the way through, Click here.
Want expert guidance on how to identify CUI? This blog post overviews the topic and shares best practices: DIB Orgs: Can You Identify CUI?