In my last article, I provided a brief overview of this series to help you understand and be prepared to succeed in winning federal contracts, either as a prime or a sub, with these NextGen cybersecurity compliance requirements. 

In these articles, I will refer to “secret ingredients” to NextGen federal contracts. These secret ingredients will help you identify if you need to comply with cybersecurity requirements. 

The first secret ingredient is knowing if you need to comply with the cybersecurity requirements. Many federal contractors think the requirements do not apply to them since they do not focus on information technology (IT), but that may not be the case. 

FCI And CUI

Knowing if your company deals with Federal Contract Information (FCI) or controlled unclassified information (CUI) is a key secret ingredient to NextGen federal contracting. Let me start by defining these terms.

FCI is information that is not marked for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the Government to the public. It has minimum cybersecurity requirements in a non-federal information system. Contractors do not have FCI until a contract is awarded, since the information offered during contract bidding is available to the general public. 

CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. 

CUI does not include classified information but it is sensitive information that is created or owned by the government that must be safeguarded. It is information that is marked or identified as requiring protection under National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (800-171). Also, Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 (DFARS 7012) requires contractors to safeguard covered defense information, including CUI. 

Tips On How To Tell If You Have CUI

One way to tell if you have CUI is to look at the government or defense-related information your company handles. This is information that was given to you or that you created as part of the contract. Would you post the information on social media? If you would not post it on social media because it is too sensitive, then you need to take steps to keep threat actors away from it. 

Here is a shortcut for telling whether one of your federal contracts includes CUI. If your contract includes the DFARS 7012 clause, then your contract includes CUI, and your company is required to meet security compliance requirements. 

This means that any government contractor, prime or sub, who deals with CUI needs to meet security requirements, regardless of the types of services they provide. 

Having trouble determining if you have CUI? Contact IBSS and we will give you a free estimate to evaluate your CUI data. 

Next Up

Now that you understand what FCI and CUI are, in the next article, I will look at why there’s so much fuss about CUI and why you need to pay attention to CUI and the 800-171 requirements.