January 23, 2023

Last Updated on January 14, 2024

If your company does business in the US defense industrial base (DIB) or other US government supply chain, your contract may charge you with protecting controlled unclassified information (CUI) on your systems.


But if some of your CUI is unintentionally mishandled or falls into the wrong hands, should you voluntarily disclose the incident to your prime contractor or USG contracting officer? Or wait to see if the problem goes unnoticed? The penalties for failing to secure CUI, especially certain classifications, can be very steep.


To give SMEs in the DIB a leg up on top CUI questions and concerns, a recent episode of The Virtual CISO Podcast features Stephanie Siegmann, Partner and Chair, International Trade and Global Security Group and Cybersecurity, Data Protection, and Privacy Group at Hinckley Allen. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.

Demonstrate provable security and compliance

As other experts have advised on The Virtual CISO Podcast, being provably secure and compliant with the NIST 800-171 standard for CUI protection, etc., is the best way to temper the USG’s legal wrath in the event you do have a CUI incident.

“Everyone should have a good compliance program, and if they don’t they should work to create one as soon as possible,” Stephanie states. “That is one of the factors that will be considered in determining the punishment.”


Talk to a lawyer right away

Unsurprisingly, Stephanie recommends informing a lawyer before you disclose a breach or suspected breach.

“If you voluntarily self-disclose, first contact a lawyer—an in-house lawyer if you have one,” says Stephanie.


Self-disclose to reduce potential penalties

The USG strongly encourages self-disclosure in the event of a CUI incident in two ways: going easy on you if you do and potentially nailing you harder if you don’t.

“Voluntary self-disclosures will definitely be considered if you identify a violation,” Stephanie relates. “That’s going to drastically reduce any potential penalty.”


The US Department of Justice (DoJ) has a voluntary self-disclosure program alongside its Civil Cyber Fraud Initiative. The stick to that carrot is the venerable False Claims Act, which has lately netted the USG billions in recoveries (largely in healthcare cases).

“The DoJ has been promoting the fact that they are going to give companies a huge benefit if they come in and just self-disclose any violations,” Stephanie adds. “Similarly, the Department of State encourages companies to also voluntarily self-disclose because they impose administrative fines for violations of the International Traffic in Arms Regulations (ITAR).”

The Department of Commerce can also levy fines for CUI Specified incidents that fall under the Export Administration Regulations (EAR). And if your CUI disclosure involves an export violation to an entity on an Office of Foreign Assets Control (OFAC) naughty list, you could be up against the Department of Treasury.

Suffice it to say, facing even one—never mind several—of these US federal agencies in court is not where you want your company to be. Willful and knowing violations of export control regulations are serious crimes, carrying felony sentences of up to 20 years. The best defense is a NIST 800-171/CMMC compliant program to protect CUI, including an incident response plan with early detection capabilities and prompt breach disclosure as primary tenets.


What’s next?

To hear this podcast episode with defense industry legal expert Stephanie Siegmann all the way through, click here.

Are you doing the recovery planning you should be? Here’s how to build momentum in that direction: How Not to Talk Yourself Out of Recovery Planning 

Download CMMC Assessment Checklist - Pivot Point Security.