Last Updated on March 14, 2022
The purpose of the US Department of Defense (DoD)’s evolving security guidance around NIST 800-171 and CMMC 2.0 is to protect controlled unclassified information (CUI) wherever it resides in government and contractors’ systems. For US defense industrial base (DIB) orgs, knowing what CUI you handle, where it’s stored, and what people and systems have access to it is vital to your entire security and compliance program.
If you have a breach of CUI, this is likely to impact your contract massively in the short term, as well as possibly reduce the odds that you’ll win future contracts. But if you don’t know what CUI you have, how do you know what you need to protect?
To shed light on all key aspects of “continuous compliance” with the DoD’s cyber mandates, we invited Andrea Willis, Senior Product Manager at Exostar, to join a recent episode of The Virtual CISO Podcast. The show is hosted by John Verry, Pivot Point Security’s CISO and Managing Partner.
Questions about CUI are rampant
Both Andrea and John field many questions about CUI. The widespread confusion is understandable.
“I got on a call the other day with an organization that was interviewing vendors,” John relates. “They had sent beforehand a long list of, ‘Is this CUI? Is this CUI?’ Our team members on the phone included a guy who led the NIST 800-171 and CMMC compliance programs for a Fortune 500 company with six divisions. And we also had a former DIBCAC auditor that’s now on our team. And it was like, ‘Well, it depends…’ Or, ‘We’d have to see this, we’d have to see that.’”
“There’s a lot of complexity to [identifying CUI],” acknowledges John. “And, unfortunately, the agencies and primes are not great yet at properly and optimally labeling everything. This is a big challenge for a lot of people.”
Why you need to know what CUI you have
Identifying your CUI and doing something like a “data flow diagram” with your different types of CUI is an essential preliminary step in your NIST 800-171 and CMMC compliance efforts.
John explains: “If you can’t determine what CUI you store, process and/or transit, then you fundamentally can’t produce a System Security Plan (SSP). If you don’t know what CUI you have, how can you know what people, what systems, what applications, what network segments, what geographic locations are integral to your CUI enclave’s scope, and by extension your SSP?”
Usually a DoD contract specifies a requirement for you to handle CUI. If you can demonstrate that you legitimately don’t have CUI, then you’re off the hook for NIST 800-171 compliance and your compliance target is much smaller. But if you think you have CUI and you don’t, you could be investing in security that you don’t really need given your risk profile.
What are the guidelines for identifying CUI?
The 40-page DoD Instruction 5200.48 from March 2020 established policies, procedures and responsibilities for CUI, including handling and marking requirements. This Instruction also created the CUI Registry, which includes a list of CUI categories organized by business types (critical infrastructure, defense, financial, law enforcement, privacy and many more).
Some widely applicable CUI categories include personnel records, general financial records, and patent applications. Defense-specific categories include Controlled Technical Information and DoD Critical Infrastructure Security Information. In general, CUI in the DIB relates to defense systems, weapon systems, and associated technology. Even your contract could be CUI depending on how detailed it is.
DIB orgs that need to identify CUI should check out both of these resources: DoD Instruction 5200.48 and the CUI Registry. You should also connect with your contracting officer or prime to find out everything you can about the CUI associated with your DoD contracts.
Concerned about CUI and how it could impact your DoD cybersecurity compliance? Contact Pivot Point Security to start a discussion on key steps, best practices and how we can help.
To check out the complete podcast episode with Andrea Willis from Exostar, click here.