February 4, 2021

Last Updated on January 12, 2024

The objective of the Cybersecurity Maturity Model Certification (CMMC) program is to protect Controlled Unclassified Information (CUI) when it moves beyond federal information systems and into the systems of contractors within the defense industrial base (DIB).  

Most of what DIB companies need to worry about with CUI is spelled out in the DFARS 7012 clauses in their contracts.

But there could be other guidelines that your firm needs to comply with around CUI. 

This important but infrequently broached subject came up in a recent episode of The Virtual CISO Podcast featuring Corbin Evans, Principal Director, Strategic Programs at the National Defense Industrial Associationthe DIB’s largest trade association. John Verry, Pivot Point Security CISO and Managing Partner, hosts this and all our podcast episodes. 

As John points out, “One of the things I’ve experienced in working with clients recently is the criticality to review contracts, because there are requirements beyond CMMC [or NIST 800-171] that your contract might have, which you need to be aware of. So as you’re going through this [compliance] process, you’re doing everything, Otherwise you could make a mistake.”

“What I’ve been saying to clients is not all CUI is created equal,” John says. “So can we talk a little bit about why sometimes CUI has a different terminology, has different sets of contractual obligations, and what some of those could be? What should people be looking for in their contracts beyond just this DFARS 7012 guidance that they see?” 

“I think you’re right that CUI is not created equally—and it’s not defined equally from contracting officer to contracting officer,” Corbin agrees. “This has been something that we’ve had a lot of conversations about with the DoD, with the National Archives and Records Administration (NARA) and others in government to try and create a more unified and clear definition around CUI—to ensure that not only can the CMMC program be implemented successfully, because obviously your CMMC level hinges on whether you have CUI or not—but also the amount of CUI you have can make a difference between your contract having a Level 3 requirement or a Level 4 or Level 5 requirement.” 

“For the definition of CUI, I will point folks towards a new resource: dodcui.mil is a new website that includes some additional definitions, some additional training that they’re actually using internally for contracting officers and program managers around CUI, and ensuring that folks have a good understanding of CUI and how to essentially mark it when sending it out to contractors,” shares Corbin. 

An important part of this equation is ensuring that the government rightsizes the information they’re sending to prime contractors, to ensure that they’re not overly burdening prime contractors to protect CUI that might not be necessary to perform the contract,” Corbin adds. “Then the other side of that equation is ensuring that prime contractors are rightsizing the information that they flow down to their subcontractors.

“We hear these horror stories of folks taking large packets of CUI at the prime contractor level and sending it down to all 300 of their subcontractors, three or four tiers deeps. That really creates a problem where the CUI is essentially available for extraction or manipulation by an adversary. 

“And knowing what CUI is—the difference between controlled unclassified information [and subcategories of CUI like] covered defense information or controlled technical information… We talked previously about ITAR and how that plays into the CUI conversation. There are all these different categories of information. Understanding what’s in your contract, not only what requirements are there but actually what information you have on your systems is certainly going to be an important of the path to compliance, whether it be to the 7012 clause or the CMMC program,” clarifies Corbin.

Looking for practical guidance on how best to navigate your DoD cyber compliance challengesDon’t miss this podcast episode with Corbin Evans. You can check out all our other DIB-focused episodes of The Virtual CISO Podcast here. 

If you don’t use Apple Podcasts, you can access all our podcast contenthere.