This is a step-by-step manual for defence contractors in charge of handling Controlled Unclassified Information (CUI) on the computer networks and data storage systems of their company.
The task of winning a first-time contract may appear as difficult for small businesses who are unfamiliar with DoD procedures as climbing Mount Everest.
Since the DoD employs the most people globally, it is also the biggest employer in the United States.
Naturally, a government organisation of size and complexity has all the processes and requirements you would anticipate.
Information security competence must be shown as one of the qualifications for a DoD contractor. That includes knowledge on how to safeguard so-called Controlled Unclassified Information (CUI).
Although this subset of government data is less well-known than its cousin, classified information, the DoD nonetheless views it as being of utmost importance.
Even small businesses that are new to the defence industry must understand how to safeguard it.
Controlled Unclassified Information (CUI)
CUI is described as information that has to be secured and protected using information security controls mandated by existing laws, rules, and policies of the government, or information that a company or organisation owns or develops for the government.
Millions of war veterans’ records were in danger in October 2009 as a result of a significant data breach at the National Archives and Records Administration (NARA).
Executive Order 13556, titled “Controlled Unclassified Information,” was issued in response and for the first time established a programme to handle CUI.
The agency has consistently worked to provide better guidelines on how to safeguard sensitive information over the last ten years.
It has taken this action in response to a sharp rise in cybersecurity threats and data breaches in recent years as well as to educate contractors on what is necessary to protect CUI.
Over the last ten years, there have been a number of high-profile cyberattacks against government institutions, to which the government has reacted with executive orders and laws.
NIST SP 800-171, the Cybersecurity and Infrastructure Security Agency Act, the Cybersecurity Maturity Model Certification (CMMC) programme, NIST SP 800-172, and the formal launch of the CMMC programme were only a few examples of the executive orders and laws mentioned above.
In significant part, the government’s countermeasures to cyberattacks and data breaches reflect a concentrated effort to safeguard CUI.
Despite the fact that CUI is not considered to be secret material, the federal government has decided that it has to be secured because of the danger that its unauthorised distribution presents to national security.
In response, the government issued executive orders and passed laws, such as NIST SP 800-171, Rev. 1, the Cybersecurity and Infrastructure Security Agency Act, the Cybersecurity Maturity Model Certification (CMMC) programme, NIST SP 800-171, Rev. 2, and NIST SP 800-172, as well as the formal launch of the CMMC programme.
Over the last 10 years, the government has made a significant effort to defend CUI, as seen by its reactions to cyberattacks and data breaches.
Although CUI is not considered to be classified material, the federal government has decided that it has to be secured because of the danger that may arise from its malicious release to the public.
Recommended: How to Get A Scammer In Trouble?
CUI And CMMC (Cybersecurity Maturity Model Certification)
The Cybersecurity Maturity Model Certification (CMMC) programme, which imposes new information security criteria for all organisations within the Defence Industrial Base (DIB), was announced by the DoD in the latter half of 2020.
By the end of 2025, CMMC Level 2 and Level 3 must be third-party certified by a CMMC Third-Party Assessment Organisation (C3PAO).
The department views the dramatic rise in cybersecurity assaults over the last several years as a severe danger to the nation’s economic and national security, which is why it launched the CMMC programme.
Some of the most recent instances of prominent, recent cyberattacks are those against SolarWinds, Kaseya, and Accenture.
“SolarWinds is a great example,” says Tony Giles, a professional in information security with NSF-ISR.
The hack occurred at this large publicly listed company in December 2020. You may examine their incident response process.
There are other factors at play there. These days, everyone appears to be concerned about information security.
According to a study by the Centre for Strategic and International Studies (CSIS) and the information security company McAfee, the damages brought on by cybercrime are enormous, with reliable estimates ranging in excess of $600 billion annually.
This is a significant increase from a 2014 research that estimated yearly worldwide losses at just under $445 billion.
A key component of the Defence Department’s reaction to the growing cybersecurity risks is the introduction of the CMMC programme.
It serves as a means for confirming that companies collaborating with the DoD have efficient cybersecurity procedures to safeguard CUI.
The DoD anticipated a five-year, phased implementation of CMMC, with CMMC requirements beginning to appear on all supplier contracts in the fiscal year 2026.
This implies that in order to submit a proposal for future defence contracts, all DoD contractors and their supply chain partners will need to comply.
What Level Of System And Network Configuration Is Required For CUI?
The NIST SP 800-171 controls serve as the foundation for the three tiers of cybersecurity practises included in the CMMC model. An overview of the three CMMC levels is provided below:
- Basic cyber hygiene and the security of federal contract information (FCI) are the main topics of Level 1.
- The safeguarding of CUI is the main goal of Level 2. It contains the measures listed in NIST SP 800-171.
- Level 3 focuses on the information security precautions a business should take to identify and address risks. Part of NIST 800-172 controls are required for compliance.
Controlled Unclassified Information (CUI) | Its Importance
One of the objectives of the CMMC programme is to secure CUI inside the Defence Industrial Base (DIB).
The significance of protecting CUI and how it fits into the CMMC process should be understood by DoD contractors who are dedicated to putting cybersecurity practises into place and building a strong culture of information security compatible with DoD regulations.
At NSF-ISR, Rhia Dancel is a CMMC Registered Practitioner. She defines CUI as “information produced or delivered by the government and in need of protection and protective procedures.
The primary focus of the chat is CUI, which is an essential component of the first CMMC evaluation.
Controlled technical information (CTI) and Proprietary Manufacturer (MFC) are the two primary CUI types that we encounter, continues Dancel.
Technical drawings or blueprints would be classified as controlled technical information (CTI) under the CUI category.
The CUI category of MFC would also apply if a part or component was manufactured based on a technical design or specification.
The DoD took a big stride by developing an entire information security framework around CUI. Defence contractors were given a clear and concise message:
Certain categories of unclassified information are sensitive, significant to the nation, and sought after by foes. These need robust protections.
The DoD receives, manages, produces, and shares CUI across all levels of authority and mission areas, in contrast to classified information.
The DoD has created a standard system with guidelines on how CUI papers should be marked across all federal government agencies in order to preserve CUI.
Categories In CUI Registry
There are 18 organisational categories in the government’s CUI Registry:
- Critical Infrastructure
- Export Control
- International Agreements
- Law Enforcement
- Natural And Cultural Resources
- Procurement And Acquisition
- Proprietary Business Information
- Statistical, and Tax.
Controlled Unclassified Information (CUI) Identification
Within the CUI hierarchy, there are seven subcategories, including:
- Individually Identifying Information
- SPII Stands For Sensitive Personally Identifiable Information.
- Commercially Sensitive Information (CSIS)
- Technical Data That Isn’t Categorised (UCTI)
- SBU, OR Sensitive But Unclassified
- Only For An Official Usage (FOUO)
- LES: Law Enforcement Sensitive
When processing CUI as part of contract work, vendors and the department are both subject to the mutual standards outlined in DoD Instruction 5200.48.
The instruction’s phrasing accurately conveys what is necessary while addressing CUI. nor “recommended,” nor “suggested,” but “required.”
The DoD must first alert the contractor to any CUI and make sure that it is designated appropriately. The DoD must make explicit in all contract papers the provision of CUI.
Suppliers are required by DoD contracts to monitor CUI and report classifications to the division.
CUI will be handled with “moderate” levels of secrecy and will adhere to all DoD systems’ 8500.01 and 8510.01 directives.
All legal agreements with non-DoD organisations must be compliant with the criteria of DoDI 8582.01 in order for non-DoD private sector systems to ensure appropriate security.
Then, in accordance with departmental directive 5230.09, DoD representatives and contractors will submit all unclassified DoD material for review and approval before dissemination.
Anytime the DoD delivers CUI to or anytime CUI is developed by someone other than the DoD, all CUI records must adhere to authorised required disposition regulations.
The six steps DoD contractors should take to establish if contract documents and information are deemed CUI are outlined in our white paper, Identifying and Protecting Controlled Unclassified Information (CUI).
Controlled Unclassified Information Protection
Given the essential services they provide as part of their operations, information security professionals advocate particular actions businesses should take to determine their CUI risk.
The steps are a user manual for putting in place a cost-effective information security strategy and being ready for a future CMMC evaluation.
Identifying the four kinds of corporate assets—people, information, technology, and facilities—is the first stage in the process.
In order to identify and safeguard CUI, organisations must map out their operations and define these fundamental categories.
Let’s examine the contents of each category in turn:
- People are all the employees who design and provide the goods and services that a business provides to clients.
- Information is any data that is utilized to create a company’s goods or services, including client information and order details.
- Technology is the equipment and software that the business uses to produce its goods and services. An example of this may be a cloud service provider (CSP) or a managed service provider (MSP).
- Facilities are the structures, including offices and warehouses, where a company’s employees utilize information and technology to produce goods or services.
Asking pertinent questions across these four crucial areas is the first step in mapping out vital services.
Staff time and resources are needed for this question-and-answer process, but the end result will be a crucial flow chart outlining how CUI and other information move around the company.
Under the heading “people,” it’s critical to understand:
- Who supports the functioning of the site, including employees and other parties?
- Who and what organizations may access the portal?
A business must be aware of the following under the heading of information:
- Where is the information kept?
- Is it hosted in the cloud, locally on the server, or on a SAN/NAS device?
important issues in information and technology include:
- Is the portal virtual, cloud-based, or hosted on a server?
- How does data go within the corporate network?
There will be some questions that fall under many categories. For instance:
- Are portal data backups available? And if so, where?
- Does the company have a portal catastrophe recovery site?
- Who has access to the site and who supports its operation?
- Where in the firm do portal employees work?
The purpose of this question-and-answer session is to produce the data flow diagram that the business requires to identify and safeguard CUI inside the organisation.
Large and small, shrewd DoD contractors have studied the defence environment, recognised the value of CMMC compliance, and taken the necessary steps to educate their workforce to preserve CUI in both their own internal operations and those of supply chain partners.
They are driven by two things.
- They initially want to keep doing business with the DoD.
- Second, they are aware that having strong information security strategies in place to safeguard confidential data enables their company to guarantee best practices to prevent cyberattacks and data breaches.
Long-standing DoD contractors are likely to already have reliable CUI identification and protection information security systems in place.
For smaller organisations trying to establish their own position in the DIB ecosystem, understanding the DoD requirements and putting strong data security measures in place in response are likely to be far more difficult tasks.
We hope you like this article (What Level Of System And Network Configuration Is Required For CUI?), If you really enjoy the article, don’t forget to share Multiplextimes.com with your friends. Thanks!
Leave a Reply