Controlled Unclassified Information

On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations.  (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)

As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award.  DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification.  DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.


Continue Reading A Closer Look at Version 1.0 of DoD’s Cybersecurity Maturity Model Certification

Pursuant to Executive Order 13,556 and as forecasted in the draft of the National Institute for Standards and Technology’s (“NIST”) Special Publication (“SP”) 800-171, the National Archives and Record Administration (“NARA”) released on May 8, 2015 a proposed rule addressing the government-wide designation and safeguarding of Controlled Unclassified Information[1] (“CUI”) (“the Proposed CUI Rule” or “the Rule”).  On June 18, 2015, NIST released the final version of SP 800-171, which provides guidance for protecting the confidentiality of CUI residing in nonfederal information systems.

SP 800-171 also includes interpretations of and best practices for compliance with the Proposed CUI Rule.  As a result, reading SP 800-171 in conjunction with the Proposed CUI Rule suggests that contractors may soon face significant additional burdens for safeguarding government information on their systems.


Continue Reading New Proposed Rule and Accompanying Guidance May Impose Additional Cybersecurity Burdens on Contractors Handling CUI

On November 18, the National Institute of Standards and Technology (“NIST”) released Draft Special Publication 800-171 (“SP 800-171”), which includes new recommended security controls for nonfederal organizations such as government contractors, state and local governments, and colleges and universities that “process, store, or transmit” controlled unclassified information (“CUI”) on their own systems.  These draft standards were issued pursuant to Executive Order 13556, Controlled Unclassified Information (“CUI EO”), which called for the establishment of a uniform government approach for managing unclassified information requiring safeguarding or dissemination controls.  The draft standards are based on the security requirements and controls in FIPS Publication 200 and NIST SP 800-53, but were tailored to eliminate requirements that are uniquely federal, related primarily to availability, and/or presumably already routinely satisfied by nonfederal organizations.

To maintain the security of CUI, the CUI EO instructed the National Archives and Records Administration (“NARA”) to collaborate with various agencies to propose CUI classifications and associated markings, and issue any directives necessary to implement the CUI EO.  As noted in SP 800-171, “the CUI program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions” through a federal CUI Registry.  This Registry outlines 22 top-level categories of data, with subcategories covering everything from electronic fund transfers to source selection in the procurement process.  Although the categories of information included in the Registry are unclassified, the government has determined that additional safeguarding – such as storage on a secure server – or limitations on sharing the data should be employed.  To ensure that controls are reasonable and justified , the CUI EO requires each category to be based in statute, regulation, or government-wide policy, and the Registry lists such authorizations.


Continue Reading NIST Draft Standards Provide Guidance For Protecting CUI on Contractor Systems