Even some US Department of Defense (DoD) contract officers balk at identifying controlled unclassified information (CUI), and not all contracts are clear about what CUI is involved in a project. Taking a “better safe than sorry” approach, the DoD and prime contractors may push requirements to protect CUI down on subcontractors that don’t actually handle CUI.
On a recent episode of The Virtual CISO Podcast, CMMC experts Kyle Lai, founder and CISO at KLC Consulting, and Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security, frankly discussed the problems defense suppliers face with CUI—including how to dispute contract requirements if you don’t think you have CUI.
The $100,000 question
As Caleb points out, if you have CUI and you’re setting up an enclave to protect it, including some data that “might” be CUI to be on the safe side is not the end of the world. But if you don’t actually have CUI and you needlessly incur the significant effort and expense to implement mandated CUI protections… that’s a major business issue.
If you think you might only have federal contract information (FCI) and not CUI, is there a conclusive way to get guidance on that? What can you do to “push back” if your contract includes CUI clauses but isn’t definitive about whether you will receive, store and/or transmit CUI?
Your first line of defense should be your contracting officer and the associated contract office. But what Caleb and Kyle have observed is that often the contract officer is unable to make a logical determination on whether specific data is or is not CUI. So, they go the safest route, which is to “call it CUI.”
“This is one of the things that people bring up all the time,” relates Caleb. “‘We don’t know what our CUI is.’ So, they just stand right at the fence looking in at CMMC and saying, ‘No, I’m not going to approach that until the DoD starts properly marking the CUI that they send to me.’”
The official dispute process
Similarly, many orgs in the defense industrial base (DIB) have a DFARS 7012 clause and/or other clauses in their contracts pertaining to CUI that they don’t think need to be there.
Title 32 of the Code of Federal Regulations (32 CFR) spells out the official dispute process for dealing with data that you feel is improperly marked CUI, or if you have a contract clause requiring you to protect CUI when you don’t believe you have any. But what happens then?
“The general consensus on that is you’re probably going to end up with someone in contracting,” Caleb reports. “And they’re probably just going to say that it is CUI and here’s your clause.”
Make a “friendly inquiry”
Kyle points out a different possibility: “I also see there is a consensus among the primes or subs. They’re like, ‘Yeah, we don’t really want to challenge it because then they might not like us and we’ll be black-marked.’ But you just have to follow up and see… It will make it a lot easier in the future. Just make a friendly inquiry and say, ‘Hey, we don’t think this is CUI. Can you actually look into it?’”
To hear the complete podcast with Caleb and Kyle, click here.
Not sure what your government contract says about CUI? Then you should definitely read this blog post: DIB Orgs: What You Don’t Know about the CUI Requirements in Your Contract Can Hurt You