Controlled Unclassified Information & Cybersecurity Maturity Model Certification

An important CUI & CMMC deadline is approaching… are you ready?

Beginning in June 2020, all defense contractors must comply with new federal cybersecurity regulations around Controlled Unclassified Information (CUI) and certification. The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD A&S) is currently creating the new framework for certification of CUI and NIST SP 800-171 compliance inside the Cybersecurity Maturity Model Certification (CMMC).

Your company won’t be able to bid on new contracts unless you demonstrate you’re following these rules and procedures.

We can get you ready. Here’s everything you need to know.

  • What is Controlled Unclassified Information (CUI)?
  • What is Cybersecurity Maturity Model Certification (CMMC)?
  • Why is this happening?
  • What government umbrella does this fall under?
  • Do I have to worry about Defense Federal Acquisition Regulations (DFARS)?
  • Do I have to worry about Cybersecurity Maturity Model Certification (CMMC)?
  • What does my company have to do?
  • How can SecureStrux help?
  • When are the important related deadlines?

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information is sensitive (but unclassified) information that the government requires its handlers to keep safe. There are strict rules concerning its dissemination, and these rules are tightening in the coming months.

The handlers of CUI include private defense contractors.

Some of the data that falls into CUI territory includes: 

  • Government financial information
  • Research data
  • Critical infrastructure plans & policies
  • Procurement & government supply information
  • Export control and restriction information

…and much more; you can find a complete list on the CUI Registry.

CUI requirements are currently outlined only by NIST SP 800-171 — but as you’ll read below, the introduction of the CMMC will soon add further guidelines for the CUI handled by defense contractors.

What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC is the framework for managing compliance with NIST SP 800-171 Rev 1 and includes the controls against which you will be audited by a third-party organization as CMMC is rolled out in the coming months.

The DFARS clauses in contracts will reference the various levels of CMMC compliance needed to participate in RFIs (Requests for Information) and RFPs (Requests for Proposals). CMMC compliance will apply to both primes and subcontractors on federal contracts.

The current CMMC rollout schedule is (as of August 30th, 2019)…

  • CMMC Rev. 1.0 will be released in January 2020
  • CMMC will be included in RFIs starting in June 2020
  • CMMC will be included in RFPs starting in Fall 2020

See an updated CMMC timeline here…

See “4 Steps Your Organization Should Be Taking To Prepare For CMMC”

Why is this happening?

Executive Branch agencies — like the Department of Defense — are required to take specific steps to protect CUI. However, the laws, federal regulations, and government-wide policies created to serve this purpose have traditionally been applied on an ad hoc and inconsistent basis, and this has led to several stress points:

High costs, confusing guidance, and low return on investment

Defense contractor feedback has consistently cited these as factors contributing to their noncompliance or to their hesitation to pursue contracts with the federal government.

Attacks from foreign-sponsored hackers on military contractors

When rules are hard to understand, they’re hard to comply with. These types of attacks are consistently on the rise, which is another factor in the decision to strengthen the rules around CUI.

Protecting the Department of Defense (DoD) supply chain

The loss of intellectual property along the length of the DoD supply chain decreases our advantage relative to our rivals and lowers their cost of R&D on new technology.

Self-attestation isn’t working

Under current rules, companies may self-attest that they comply with CUI regulations. Upon audit, however, many are found not to comply — not because they’re trying to get away with it, but because they truly do not recognize that they aren’t following one or more rules that apply to them.

What government umbrella does this fall under?

The National Archives and Records Administration (NARA) is in charge of creating and implementing rules for CUI and making sure agencies comply with them. Each agency must create a public registry of CUI categories and subcategories for handling all sensitive, unclassified information and defining why it is considered CUI.

NARA is a parent organization to the Information Security Oversight Office (ISOO), which is the parent organization to the National Institute of Standards and Technology (NIST). NIST was charged with creating NIST SP 800-171 and CUI-800-741 to help protect CUI in Non-Federal Information Systems and Organizations — this is the umbrella under which defense contractors fall.

There is also a process underway to develop new standards for Cybersecurity Maturity Model Certification (CMMC) — you can read about that below.

Do I have to worry about DFARS?

For specific government agencies — like the Department of Defense and the private companies it contracts with — there is an additional set of rules: Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 252.204-7012). Anyone who works with CUI from those agencies must implement specific security measures governing how they handle that data.

Even if your current contracts don’t stipulate anything about DFARS, if you possess applicable data, you are still required to follow its requirements.

Do I have to worry about CMMC?

If you are getting funding, grants, or contracts from the federal government under the Department of Defense (DoD), yes.

The DoD announced in July 2019 that it is developing (along with several other organizations) a structure around Cybersecurity Maturity Model Certification (CMMC), a framework that will assess and enhance cybersecurity efforts of the DoD — particularly as it relates to CUI within the supply chain.

The CMMC is the structure that will define the security levels around CUI, and enforce third-party auditor validation and related compliance requirements. CMMC certification becomes a requirement in 2020. The review board that will build and enforce the CMMC’s rules is not yet formed.

Companies that fail to secure third-party auditor validation will no longer be eligible to receive funding, grants, or contracts from the DoD!

The DoD says the CMMC will serve as the “unified cybersecurity standard” that will be consistently applied to all organizations across the DoD’s supply chain. All DoD contractors, subcontractors, and suppliers will be required to be certified — and audited by a certified third-party organization — to a contractually defined level to participate in the DoD supply chain.

The CMMC’s requirement for third-party validation is a tightening of the rules under existing regulations (DFARS 252.204-7012), which are essentially based on trust.

Once the CMMC is implemented, DFARS stipulations in RFIs and RFPs will reference various levels of CMMC compliance that must be met to participate in the bidding process.

What does my company need to do?

The bottom line: You need a third-party auditor to verify that you are meeting new CUI requirements, in order to be able to keep receiving government contracts. Self-attestation will no longer suffice.

Defense contractors must assess and document their compliance in handling CUI in 14 areas, called “Control Families,” and identify the new regulations that apply to them.

How can SecureStrux help?

We’d be happy to talk with you about how we can:

  • Provide gap analysis and remediation recommendations
  • Streamline compliance, saving time and money by addressing CUI compliance against NIST SP 800-171 rather than the broader NIST SP 800-53
  • Provide CUI and Cybersecurity Maturity Model Certification (CMMC) training at technical and non-technical levels
  • Provide project management guidance as a client advocate
  • Support continuous monitoring planning and implementation
  • Configure, test, and implement physical and electronic security safeguards
  • Create and/or update documented policies and procedures
  • Provide a comprehensive compliance package for the auditors
  • Help your staff understand the differences between CUI and the overarching DFARS regulation
  • Provide ongoing support through our Managed Security Service Provider (MSSP) or Cyber Support Plans (CSP), covering continuous monitoring, planning, and implementation

Even if you’re confident you’re covered for the future requirements, remember: You still need a third-party auditor to verify this is the case!

When are the important related deadlines?

The deadline for meeting new CUI requirements — including having received a third-party audit — is June 2020.

The proposed CMMC rollout schedule is (as of August 30th, 2019):

  • CMMC Rev. 1.0 will be released in January 2020
  • CMMC will be included in RFIs starting in June 2020
  • CMMC will be included in RFPs starting in Fall 2020

We offer a few different ways to support your organization.

Managed Security Service Provider

Get continuous monitoring, POA&M item support, vulnerability assessments, insider threat, and endpoint security protection.

Cyber Support Plan

Subject matter experts will join your team 1-4 weeks per month to reinforce your staff and help you maintain your compliance and cyber hygiene.