May 10, 2022

Last Updated on January 14, 2024

Prime contractors have been flowing down the DFARS 252.204-7012 clause, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (aka DFARS 7012) for years. Many primes have received the DFARS 7012 clause from other primary contract owners. The focus has been protecting the confidentiality of Controlled Unclassified Information (CUI) while the restricted information resides within the prime’s information system boundaries.

Some primes have sought to enhance their supply chain risk management by ensuring their suppliers adhere to a set of controls or meet an acceptable level of cyber hygiene before sharing CUI with them. If the supplier’s cyber risk is too high, some primes strategically only share hardcopies of CUI. This ensures suppliers’ IT networks are out of scope for CUI… right?

Maybe. But even hardcopy CUI must be protected per NIST Special Publication 800-171 requirements. The applicable security requirements may go well beyond Section 3.10 Physical Protection.

Hardcopy CUI is still CUI

NIST SP 800-171 provides nonfederal organizations with recommended security best practices for protecting the confidentiality of CUI when the information is within the contractors’ operating environment, or those of its subcontractors. Having only hardcopy of CUI does not relieve contractors and subcontractors from meeting the applicable NIST SP 800-171 security requirements. Additionally, having only hardcopy CUI does not negate the need for a system security plan (SSP).

Sharing CUI via conventional postal delivery services is one of the many strategies leveraged by prime contractors and the defense supply chain. The idea is to reduce the risk of unauthorized disclosure if the subcontractor does not meet the prime’s security posture, or to further reduce a supplier’s potential financial impact and other burdens in the event of a data breach or compliance issue involving CUI.

However, the responsibility to safeguard CUI is not limited to nonfederal IT information systems; it includes nonfederal organizations, the physical boundary defined by the contractor/subcontractor, and the controlled environment. The NIST Glossary defines information systems as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”

It’s about the overall CUI controlled environment

Hardcopies of CUI, as well as the personnel collecting, creating, editing, distributing, or destroying of that dataset are all considered asset types that may be within the scope of the subcontractor’s CUI operating environment or controlled environment. The CUI program defines the CUI controlled environment as “any space or area with adequate physical or procedural controls to limit unauthorized access to CUI.”

Some of the obvious NIST 800-171 security requirement families that apply to this use case include but are not limited to Access Control, Physical Protection, and Media Protection. Besides these, there are potentially a number of not-so-obvious additional requirements that could apply in your situation (see table below).

Summary of applicable NIST 800-171 requirements

The following summary and accompanying table of NIST 800-171 requirements are tailored to help nonfederal organizations safeguard any hardcopy CUI they may process, store or transmit on behalf of prime contractors and the US Department of Defense (DoD).

If the organization converts the CUI hardcopies into digital format, then the organization must meet all applicable security requirements listed within NIST SP 800-171.

Here’s a summary of how the security requirements apply, in accordance with the CMMC Level 2 Assessment Guide:

  • Risk Assessments and Vulnerability Remediation: Any newly established or enhanced CUI program should include a risk assessment to help identify the mission, operations, regulatory, and contractual risk associated with the in-scope assets and individuals affected by the potential change. Receiving CUI via traditional mail is not different. Organizations need to define, manage, and/or remediate the associated risks.
  • Authorized Access Control, Control CUI Flow, Privacy and Security Notice, Mobile Device Connection, Control Public Information, and Access Restriction to Change: Limiting physical access to CUI is key. As such, establishing a controlled environment and physical access control mechanisms are critical to controlling the flow of CUI and to successfully running any CUI program. Controlling the flow of CUI may include prohibiting mobile devices from capturing audio, recording video, or taking pictures in your CUI controlled environment.
  • Media Protection, Markings, and Accountability: As part of controlling the flow of CUI, the hardcopy of CUI is a core practice element. The contractor/subcontractor must handle CUI in accordance with its marking. If reproduced, then the contractor has to ensure personnel handle it in accordance with its sensitivity. The contractor may also need to inventory hardcopy of CUI and maintain audit logs of who is authorized access to the controlled environment. Lastly, contractors must ensure their end users dispose of CUI following authorized destruction methods, and only once it has served its purpose.
  • Physical Protection, Limit Physical Access, Escort Visitors, Physical Access Log, Alternate Worksite, and Monitor: Once the physical controlled environment has been defined, the contractor/subcontractor must limit, control, and monitor access to this environment. If end users are allowed to work from home, and/or transport CUI outside the controlled environment, the contractor must ensure these users are made aware of their responsibility with the restricted data and these users must be identified in an access-controlled list.
  • Awareness and Training, Security Plan, Security Control Assessment, and Controls Monitoring: Contractors/Subcontractors must train their users on how to handle CUI. Similarly, personnel performing physical security activities must be trained on how to properly achieve the organizational security goals surrounding CUI. In short, everyone with direct and indirect access to the controlled environment is responsible for understanding their role and responsibility and for helping achieve the organizations’ objectives, securely. The System Security Plan (SSP) is the document that defines the CUI controlled environment and describes how the applicable controls have been implemented. Contractors must continuously monitor and periodically assess the controls’ effectiveness, and document any identified gaps/improvement opportunities within a POA&M.

Reference table: Subset of NIST SP 800-171 security requirements potentially applicable to hardcopy CUI

RISK ASSESSMENT
3.11.1.  Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
3.11.3.  Remediate vulnerabilities in accordance with risk assessments.
ACCESS CONTROL
3.1.1.  Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
3.1.22.  Control information posted or processed on publicly accessible information systems.
3.1.3.  Control the flow of CUI in accordance with approved authorizations.
3.1.9.  Provide privacy and security notices consistent with applicable CUI rules.
3.1.18.  Control connection of mobile devices.
MEDIA PROTECTION
3.8.1.  Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
3.8.3.  Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
3.8.5.  Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
3.10.4.  Maintain audit logs of physical access.
3.8.4.  Mark media with necessary CUI markings and distribution limitations.
PHYSICAL PROTECTION
3.10.1.  Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
3.10.3.  Escort visitors and monitor visitor activity.
3.10.4.  Maintain audit logs of physical access.
3.10.5.  Control and manage physical access devices.
3.10.2.  Protect and monitor the physical facility and support infrastructure for organizational systems.
3.10.6.  Enforce safeguarding measures for CUI at alternate work sites.
PERSONNEL SECURITY
3.9.1.  Screen individuals prior to authorizing access to organizational systems containing CUI.
3.9.2.  Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
AWARENESS AND TRAINING
3.2.1.  Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
3.2.2.  Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
3.2.3.  Provide security awareness training on recognizing and reporting potential indicators of insider threat.
SECURITY ASSESSMENT
3.12.1.  Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.2.  Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
3.12.3.  Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.12.4.  Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
CONFIGURATION MANAGEMENT
3.4.5.  Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

Next steps

Need to meet CMMC or other CUI compliance requirements? Contact PPS’ Federal Risk and Compliance Practice for assistance establishing, expanding, or managing your CUI program.