Welcome back. Previously, I discussed how I am going to set up this series of articles, and I defined Federal Contract Information (FCI) and Controlled unclassified information (CUI).

Today, I am going to explain why protecting CUI is important and why your prime or sub federal contracting services company needs to protect CUI. I will start building the foundation to show you how a strong cyber hygiene program is THE key secret ingredient in NextGen federal contracting.

Why Is There Such A Fuss About CUI?

It boils down to this. There are fewer security controls over CUI than over classified information. With fewer controls, CUI becomes a high-value target for adversaries. Put another way, CUI is low-hanging fruit that threat actors can use to gain a foothold in federal systems. Once a threat actor has that access, they can work up the “food chain” toward more and more sensitive information. They can then use that information for technical, economic, political, or military ends. Many attacks are retaliation for sanctions or are focused on industrial espionage.

All federal service providers, prime and sub, need to do their part to build sound information technology (IT) security practices that are adaptive and resilient, not only to reduce security breaches but also to reduce the financial burden that breaches bring.

Perspective On How Many Contracts Have CUI

Here is some perspective on how many contracts include Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (DFARS 7012). In the industrial base, over 3 million contracts include CUI. Of those, the National Industrial Security Program (NISP) has over 1 million contracts that include this clause. Chances are high that your company has a contract that includes CUI.

What Does This Mean For Your Company?

Working with CUI requires additional safeguards to protect this sensitive information, since it is a target for threat actors. This means that all federal contractors who work with CUI, regardless of the type of service they provide, need to meet CUI protection standards.

Most Department of Defense (DoD) service providers, prime and sub, must comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (800-171) and DFARS 7012 to safeguard covered defense information, including CUI. DFARS 7012 and 800-171 are the minimum security requirements for handling CUI.

DFARS 7012 calls for “adequate security” to be built into IT systems, and the Cybersecurity Maturity Model Certification (CMMC) takes this further by requiring “managed processes” and “good cyber hygiene practices”. The CMMC initiative was created to streamline the security protocols surrounding the handling of CUI.

If your company handles CUI, then you need to obtain CMMC Level 3 or higher, and you need to perform a self-assessment against 800-171.

A lot goes into preparing for these assessments. If you would rather spend your time on business development, IBSS is available for assessment consultations. Contact us today for a free estimate.

Next Up

The next article in my series will provide examples of CUI, and after that I will discuss methods of controlling CUI.