The CUI Dilemma
Companies supporting the defense industry are scrambling to understand how to classify and protect information. Does this apply to your company? This blog will help you answer the top four common questions about unclassified government data in a commercial IT infrastructure.
- What is CUI/CDI/CTI Data?
- Why am I required to safeguard CUI/CDI/CTI as a defense contractor?
- Do I have CUI/CDI/CTI data in my IT System?
- How do I protect CUI/CDI/CTI data?
The Base Requirements
The March 6, 2020 release of DoD Instruction 5200.48, Controlled Unclassified Information (CUI), includes the following requirements for DoD contractors in section 5.3:
a. Whenever DoD provides information to contractors, it must identify whether any of the information is CUI via the contracting vehicle, in whole or part, and mark such documents, material, or media in accordance with this issuance.
b. Whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities, protective measures and dissemination controls, including those directed by relevant law, regulation, or government-wide policy, will be articulated in the contract, grant, or other legal agreement, as appropriate.
c. DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified information pursuant to security classification guidance addressing the accumulation of unclassified data or information. DoD contracts shall require contractors to report the potential classification of aggregated or compiled CUI to a DoD representative.
d. DoD personnel and contractors, pursuant to mandatory DoD contract provisions, will submit unclassified DoD information for review and approval for release in accordance with the standard DoD Component processes and DoDI 5230.09.
e. All CUI records must follow the approved mandatory disposition authorities whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities in accordance with Section 1220-1236 of Title 36, CFR, Section 3301a of Title 44, U.S.C., and this issuance.
Understanding the definitions and best practices will help you develop a baseline of knowledge to develop a plan and properly protect unclassified government data in your information systems.
What is CUI, CDI and CTI Data?
Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) are relatively new markings, but similar markings have a long history within the government. CUI is an umbrella term that encompasses all CDI and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system. In the past, the government used many different markings to identify this kind of information. You may have seen or used some of these: Unclassified Controlled Technical Information (UCTI), Sensitive but Unclassified (SBU), For Official Use Only (FOUO), Law Enforcement Sensitive (LES), etc. These are now all rolled up into the classification of CUI content. Clear as mud, right? No one said this was easy.
CUI as a category encompasses both CTI and CDI. CTI is defined as technical information with a military or space application that is marked with a distribution statement in accordance with DoDI 5230.24 (Distribution Statements on Technical Documents). In general, the controlling Department of Defense (DoD) office is responsible for determining if information is CTI and properly marking it prior to contractor access to the information. However, if a contractor develops unclassified CTI in the performance of a contract, the contractor must work with the contracting officer to ensure that the appropriate forms are completed, statements of work are in place and distribution statements are assigned to each piece of content. This content must be protected at the same level as other CDI and CUI content; it just has special marking and tracking requirements.
The CUI Program was originally developed for all Executive Branch agencies. Believe it or not, this program is a significant simplification of what came before it. Prior to the current CUI program, every agency used a different set of markings, information classifications, and rules for how to manage and control the information. In general, CUI is information marked or identified in a government contract or provided to a government contractor by the DoD in connection with a contract; however, it can also be content that is developed by the contractor during the performance of a contract. This content is marked or identified by the DoD as requiring safeguarding or specific dissemination controls.
I recommend that you review and learn the new CUI marking program to ensure data is properly identified. Get started by checking out the government marking guidance.
There are hundreds of different regulations, laws, and sections of U.S. Code that specify how each of the CUI Specified information types must be controlled. The best way to determine the requirements for any specific type is to go to the CUI Registry and search for the content you are interested in. The full list of CUI categories can be found in the CUI Registry. There are 24 categories of content and 83 subcategories of content! Each category is defined as either CUI Basic or CUI Specified.
- CUI Basic contains the baseline handling and dissemination controls as identified in the Final Rule issued by NARA (the National Archives and Records Administration) on November 14, 2016. The Federal Information Security Modernization Act (FISMA) requires that CUI Basic be protected at the FISMA Moderate level, and it can be marked as either CUI or Controlled.
- CUI Specified is a subset of CUI where the authorizing law, policy, or regulation puts more restrictive controls on the handling and control of the CUI Specified content. The underlying authority maintains the handling controls on CUI Specified content, and ONLY a designating agency may apply the limited dissemination controls to CUI content. This cannot be done by an agency that was not the original designating authority. More importantly, agencies cannot raise CUI Basic's impact level above Moderate outside their agency without an agreement with the external agency or contractor organization operating an information system on their behalf.
The following is a quick reference list of common categories of CUI Specified subsets:
What you really need to know is that CUI agreements can take the shape of a contract, grant, license, memorandum of agreement, or information-sharing agreement. Understand the data categories on your contract, what data you may create during the performance of a contract, the requirements to protect that data, and the costs associated with that protection before you sign the contract.
Why am I required to safeguard CUI/CDI/CTI as a defense contractor?
One of the questions that I regularly receive is "Why are we being required to protect this CUI and CDI content?" In short, bad actors (hostile states, individuals, and corporations) are trying to get it, and if they succeed it could hurt individuals, organizations, or our national security. We see it in the news weekly and, if you dig a little, daily. Espionage (both corporate and state) is at an all-time high. New hacking revelations occur frequently in the news media when corporations lose important private information due to data mismanagement.
CUI and CTI data doesn't exist only within government data centers on government systems. It exists across the entire defense industrial base, spread across thousands of companies with widely varied IT infrastructures. Many of those infrastructures are simply not up to the task of properly managing and safeguarding the CUI/CDI/CTI information that the government entrusted to them.
Government investigations identified the lack of security as a primary contributor to security breaches; therefore, the CUI / DFARS 7012 programs were established to begin standardizing the security controls across the defense industrial base to better protect our important information in both government and commercial environments.
What you really need to know is that failure to protect CUI/CDI/CTI data can result in a rapid loss of a contract. Ensure that you have properly identified and classified the data before you propose on a contract, so that you have provided adequate margin in your contract or overhead calculations to implement controls in your information systems. The DoD is now implementing the Cybersecurity Maturity Model Certification (CMMC) Framework. Today, safeguarding CUI requires DIB contractors to be certified at Level 3 of the Cybersecurity Maturity Model Certification Framework by a third-party CMMC assessor, or C3PAO. This requirement was issued by the DoD in DFARS Clauses 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021. Learn more about CMMC Level 3 Certification here.
Do I have CUI/CDI/CTI data in my IT System?
This is really the crux of the issue, isn't it? Do you, as a government contractor, have CUI/CDI data that must be protected? Sure, the government has put the DFARS 7012 clause in your contract, but do you actually have CUI/CDI content in your environment?
Unfortunately, in most every case, the answer is an emphatic YES. Here are common examples of data you must protect under DFARS as a defense contractor.
- Information Systems Vulnerability Information.
- Any Personally Identifiable Information (PII) that you transmit, store, or process on behalf of the government as part of the delivery of a contract. That data is "government owned" PII and would be considered CUI. For example, if PII is included in a contract that processes benefits, this would be considered CUI.
- Technical information, including research and engineering data, engineering drawings, associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses, related information, and computer software executable code and source code.
There is an incredibly wide range of content that is unclassified but falls within the controlled data definitions. In our work across the Defense Industrial Base, we have yet to encounter a company that did not have CUI/CDI/CTI data in its infrastructure if it was working with the DoD and had the DFARS 7012 clause in one of its contracts.
What you really need to know is that technical work executed for the government, which results in information or data being created or transmitted, is potentially covered by the CTI designation. Ensure that you have properly identified and classified the data in your information system so that you can provide adequate security controls.
How do I protect CUI/CDI/CTI data?
The government provided lane markers as part of the DFARS 7012 rule that stipulate exactly what type of controls must be in place to protect CUI/CDI content in your information system. You have three options:
- One or more on-premises data centers that include all of your internal IT systems,
- A Cloud Service Provider (CSP) like Azure, Microsoft 365, or Amazon Web Services (AWS), or
- A hybrid solution that uses both on-premises systems and CSP solutions to meet NIST SP 800-171.
With any of these three solutions, you must also ensure that the solution addresses the 110 security controls in NIST SP 800-171, along with a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). Corporations that traditionally serve the defense industrial base have historically managed data in localized data centers and facilities. There was a sense that data centers located behind the physical security of the business provided adequate data security.
The physical presence of the servers in the facility may have provided a false sense of "I know where my data is." The reality of the cyber environment today requires a Zero Trust Architecture to maintain a healthy cyber posture. Many large enterprises have sufficient staff and training to maintain on-premises networks to serve their government contracts and controlled data; however, the capital expenditure of replacing hardware and the operational expenditure of maintenance should be reviewed with each round of data center updates.
Alternatively, CSPs are a great option for businesses of all sizes, because they allow the organization to offload large portions of physical security, administrative management, and risk to the CSP. CUI/CDI/CTI compliance in a CSP may be a more affordable option, since there is no requirement for a large data center capital investment in servers and physical security. Be aware that businesses using a CSP still have a responsibility to ensure that the environment is certified at the FedRAMP Moderate level, AND that they are protecting the environment with the 110 security controls in NIST SP 800-171. For more details, refer to the NIST SP 800-171 blog post.
What you really need to know is that the decision between an on-premises data center and a CSP should be part of a corporate overhead strategy when proposing, as a prime or subcontractor, on defense contracts that include the DFARS 7012 clause with NIST SP 800-171. Ensure corporate decision makers understand both the short-term capital investments and the long-term hidden costs of your proposed data security strategy.
In this video from a recent Cloud Security and Compliance Series (CS2) event, Bob Metzger (attorney and co-author of MITRE's "Deliver Uncompromised") provides insights on the regulatory origins of FCI (Federal Contract Information) and CUI as they relate to Defense Industrial Base suppliers, how the current state of CUI management and processes impacts CMMC and DFARS compliance, and much more. Mr. Metzger also proposes solutions for agencies and contractors alike to address challenges with classifying CUI, FCI, and CTI, and speaks to flow-down requirements.
Summit 7 has served hundreds of government contractors in helping them protect sensitive data in their IT environments. You can read more about Summit 7's security and compliance solutions here.