In the last article, I discussed how System Security Plans (SSPs) are the foundation of the DFARS self-assessment, which is designed to protect contracting companies from security breaches as well as to protect the defense supply chain. Now, I will home in on how the protection of controlled unclassified information (CUI) is broadening its horizons and making its way into contracts and contract vehicles outside the defense arena.

The government has seen an increase in security breaches even with the current cybersecurity standards in place. Because of this, existing standards are being consolidated and tightened to protect individual contracting companies as well as the government.

When CUI comes up, many contractors assume that it is limited to defense contracts, and therefore that CUI protection requirements do not apply to them.

However, over 70 government agencies and departments handle CUI. That means a contractor in almost any sector may store, process, or transmit CUI.

Government Departments That Include CUI In Contracts

To name a few, contracts that involve CUI can be found in the following departments:

  • Department of Commerce (DOC)
  • Department of Defense (DoD)
  • Department of Education (ED)
  • Department of Energy (DOE)
  • Department of Health and Human Services (HHS)
  • Department of Homeland Security (DHS)
  • Department of Housing and Urban Development (HUD)
  • Department of Justice (DOJ)
  • Department of Labor (DOL)
  • Department of State (DOS)
  • Department of the Interior (DOI)
  • Department of the Treasury
  • Department of Transportation (DOT)
  • Department of Veterans Affairs (VA)

DoD may have been the first agency to impose CUI protection requirements on its contractors, but it is no longer alone. Agencies across the government want assurance that their data will be protected.

Many contract vehicles are starting to include CUI protection as a decision factor for awards. Contractors that do not have security measures in place could be passed over for key contract vehicles like Polaris.

Under the Cybersecurity Maturity Model Certification (CMMC) program, all DoD service contractors, regardless of size and whether they offer information technology (IT) services, will need to meet at least CMMC Level 1.

If you are applying for Polaris or other contract vehicles, consultants like IBSS can provide a gap analysis that measures your current compliance against the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (800-171) security requirements.

Next Up 

In the next article, I will go through the new Polaris contract vehicle in more detail to explain why you will need to complete the 800-171 self-assessment if you want to compete for the vehicle.