Last Updated on November 30, 2023
Since 2017, orgs in the US defense industrial base (DIB) have been mandated to safeguard controlled unclassified information (CUI) in compliance with the NIST 800-171 cybersecurity standard per the DFARS 7012 clause in their contracts. Yet CUI marking remains a point of confusion for many firms, and many still aren’t meeting the NIST 800-171 requirements. This situation has to change to avoid penalties and loss of contracts.
Stephanie Siegmann, Partner and Chair, International Trade and Global Security Group and Cybersecurity, Data Protection, and Privacy Group at Hinckley Allen, clarifies top CUI questions and highlights top compliance issues to avoid.
Join us as we discuss:
- The finer points of CUI Basic, CUI Specified, ITAR, NOFORN and other regulations
- Criminal penalties for “export controlled” CUI violations that will probably shock you
- How to get your CUI questions answered
CUI Basic Versus CUI Specified
US Department of Defense (DoD) contract officers commonly tell defense contractors to “treat everything as CUI.” But that makes things harder, not easier—and still leaves you open to legal sanctions.
“With regards to CUI Basic versus CUI Specified, Specified is subject to higher level controls,” Stephanie explains. “You have the general information that the government or the contract officer or the prime contractor on the contract says is CUI. But when you get a contract officer to drill down with you as to what specific information is controlled, certainly if you’re working on a military contract and it relates to technical specifications and is going into a submarine, for instance, then it’s likely going to fall under the International Traffic in Arms Regulations (ITAR).”
“That would be Specified versus Basic, because a law actually requires that information to be controlled,” continues Stephanie. “So that would be CUI and the specification would be SP and then EXPT, which stands for Export Controlled.”
Why that’s so important is that if information is subject to export controls, the penalties for mishandling it are far worse than if you just violate contract provisions around handling CUI.
If you’re working on a military contract and it relates to technical specifications and is going into a submarine, for instance, then it’s likely going to fall under the International Traffic in Arms Regulations (ITAR).”—Stephanie Siegmann.
Self-Disclosure of CUI Specified Breaches
If you find you’ve unknowingly violated CUI Specified provisions, such as putting ITAR data in the hands of a non-US person, should you disclose the breach? Or hope nobody notices?
“One of the factors that will be considered in determining the punishment is if you voluntarily self-disclose,” says Stephanie. “It’s going to drastically reduce any potential penalty.”
But first you contact a lawyer—an in-house lawyer if you have one. Or somebody like Stephanie if you don’t.
“The disclosure to a foreign person of data that is controlled under the ITAR is a violation of the Arms Export Control Act, which is a 20-year felony,” warns Stephanie.
“The disclosure to a foreign person of data that is controlled under the ITAR is a violation of the Arms Export Control Act, which is a 20-year felony.”—Stephanie Siegmann
How Do You Know if You Have Export Controlled Data?
You know you need to comply with NIST 800-171 if you have a DFARS 7012 clause in your contract. But what about “export controlled” markings like ITAR and Not Releasable to Foreign Nationals (NOFORN)? Would there be anything in your contract to tip you off about protecting this sensitive data, whether or not it is also CUI?
“I would err on the side of caution,” advises Stephanie. “If you work on a military contract, the likelihood is that there is going to be ITAR controlled data.”
In specific instances you can ask your contracting officer whether data is controlled under ITAR or the Export Administration Regulations (EAR). It’s critical to understand your protection obligations.
But if no clear answer is forthcoming, you wouldn’t be criminally liable for treating that data as CUI Basic. Two of the prerequisites for criminal prosecution for an illegal export are whether the violation is 1) knowing, and 2) willful.
“I would err on the side of caution. If you work on a military contract, the likelihood is that there is going to be ITAR controlled data.”—Stephanie Siegmann
The False Claims Act and Civil Cyber Fraud Initiative
The False Claims Act, aka “The Lincoln Law,” has been the US government’s primary anti-fraud deterrent since the US Civil War. The new Civil Cyber-Fraud Initiative from the US Department of Justice (DoJ) specifically brandishes the False Claims Act to get government contractors to report data breaches, as well as prosecute misrepresentations about cybersecurity practices.
An example of the latter violation would be a NIST 800-171 compliance score in the government’s SPRS database that exceeds what you can substantiate. An example of the former is the recent prosecution and conviction of former Uber CSO Joe Sullivan for covering up a data breach.
Another factor with reporting cyber incidents under the Civil Cyber Fraud Initiative is a 72-hour reporting window. It’s very difficult to move that quickly if your org has no incident response plan.
“The Civil Cyber Fraud Initiative is unique in one respect. It incentivizes whistleblowers to come forward with a financial incentive.”—Stephanie Siegmann
Navigating Cyber Liability Insurance
Another open question around legal liability for DIB contractors is the interplay between government mandates and cyber liability insurance (CLI) requirements in the event of a data breach. What if your breach counselor’s recommendations don’t match up with your contract obligations?
One preemptive solution is to keep your own, hand-picked attorney on speed dial as your breach counselor. If they’re not on your CLI vendor’s pre-approved list, you can often add them if you’re willing to pay any fees above your insurer’s rate cap.
Having a lawyer you know is on your side can be handy in the event of CLI coverage disputes.
“Over time, cyber insurance policies have changed a lot,” Stephanie relates. “There’s the war exclusions that they’ve used recently, and the terrorism exclusions. There have been disputes about whether certain things are covered, and I expect that will continue.”
“Over time, cyber insurance policies have changed a lot. There’s the war exclusions that they’ve used recently, and the terrorism exclusions.”—Stephanie Siegmann
To listen to the full vCISO Podcast episode about CUI with Stephanie Siegmann, click here.
Find out who is subject to NIST 800-171 compliance here: All Federal Contractors are Already Subject to NIST 800-171 Requirements—Not Just the DIB