Our nation relies on the Department of Defense (DoD) and its partners — including Defense Industrial Base (DIB) contractors — to keep it safe, which requires protecting its information from a wide range of threats.
Attackers continually target the DoD and its business partners, employing ever-evolving techniques to bypass security measures. DIB contractors must stay ahead of the latest threats, which is challenging because attack techniques have become more advanced.
For these reasons, DIB companies are held to a high cybersecurity standard and are required to implement robust controls outlined in Cybersecurity Maturity Model Certification (CMMC). CMMC was designed to ensure organizations protect sensitive data such as Controlled Unclassified Information (CUI).
CUI is information created or possessed by the government or on behalf of the government, requiring safeguarding or dissemination controls to protect against threats. It’s a broad category referring to any type of information that could provide adversaries with DoD details.
CUI does not include classified information, nor does it encompass information or property not created, stored, or transmitted by or for the government. Nevertheless, CUI is highly vulnerable to attacks and, if exposed, could threaten national security.
DIB contractors must understand the CUI safeguarding requirements and adhere to them. Adequately safeguarding CUI reduces the risk of a data breach that could directly affect the safety of our nation’s military personnel and, by extension, everyone. DIB contractors must also comply with CUI-related regulations to be eligible for DoD contract awards. Complying with CMMC requirements also reduces the risk of becoming the next organization that has to disclose a breach.
In 2010, the National Archives and Records Administration was given the authority to establish the CUI Program through Executive Order (EO) 13556. The CUI Program enforces a standard approach to safeguarding CUI and helps prevent inconsistent, inefficient, and agency-specific methods of marking and protecting sensitive documents.
CUI guidance and policy were further developed in 32 CFR Part 2002. Part 2002 applies directly to executive branch agencies, like the DoD, and indirectly to non-executive branch organizations, such as DIB contractors.
Part 2002, along with EO 13556 and the CUI Registry, provides the rules and procedures for handling CUI.
The two types of CUI are Basic and Specified.
CUI Basic refers to CUI with general handling requirements. Most CUI is considered basic.
Organizations must apply the basic standards to all CUI unless it is designated “Specified.” Basic CUI documents are marked “CUI//Category Marking//Limited Dissemination Control.”
CUI with special handling requirements is called Specified. CUI Specified requires specific controls and is marked with “SP” in addition to the category marking.
For example, a document containing Controlled Technical Information (CTI) with specific handling instructions may be marked “CUI//SP-CTI.” Note that CUI Specified does not mean it’s a higher level of CUI — it simply requires specific handling.
Categories enable organizations to identify CUI quickly and determine whether it requires Basic or Specified handling controls. According to EO 13556, government agencies must use only the categories published in the CUI Registry when marking information to share with contractors.
There are many CUI categories, including the following in the Defense sector:
For example, CUI that falls under the CTI category includes engineering data, manuals, and computer software related to military or space applications. Defense agencies must follow the guidance in the CUI Registry for marking CTI, which includes adhering to the guidelines published in DoD Instruction 5230.24.
Some businesses, particularly subcontractors, may wonder whether they must prepare to hold CUI in their physical or digital environment. If you need clarification on whether you are handling CUI, the first place to look is your contract. Whether you are a prime contractor or a subcontractor, your contract should specify the CUI requirements.
Additionally, the government agency you are contracting with is required to mark CUI or communicate its presence.
If you’re still unsure whether you’ll work with CUI, it’s best to contact the prime contractor or government agency you’re partnering with for clarity.
How you protect CUI depends on various factors, such as the type of CUI, your existing security framework, and your contractual requirements. That said, the following provides an overview of how to ensure you are protecting CUI in compliance with regulations:
CMMC incorporates the requirements of NIST SP 800-171 and provides a framework for assessing compliance with these requirements. It was developed by the DoD’s Office of the Under Secretary of Defense for Acquisition and Sustainment in 2019 to standardize security requirements and ensure DIB contractors and subcontractors adequately safeguard CUI.
CMMC consists of three levels. Almost all DIB organizations will need to implement CMMC Level 1. Most organizations handling CUI must achieve CMMC Level 2. Contractors handling highly sensitive CUI may need to reach CMMC Level 3, which adds further security requirements. In any case, CMMC compliance is required for organizations that work with the DoD and handle CUI.
At Business Transformation Institute, Inc. (BTI), we specialize in helping DIB companies understand and implement CMMC to protect CUI. Our experienced CMMC consultants have expertise in utilizing the technical controls required to safeguard CUI in various environments. They also have real-world experience applying CMMC and have written key components of the model.
We are dedicated to helping our partners achieve their cybersecurity and CMMC goals within their existing frameworks and are eager to share our knowledge with you.
Whether you’re a prime contractor or a sub, safeguarding CUI properly takes diligence — and resources. Part of that process involves complying with CMMC, which can be a whole new challenge in itself.
We understand that complying with CMMC requirements can be a significant undertaking. Whether you’re new to the defense sector or need support maintaining CMMC compliance, we can help.
We offer expert CMMC consulting, assessing, and training services tailored to your organization’s needs and goals. Because we are an authorized CMMC Certified Third Party Assessment Organization (C3PAO), you can have peace of mind knowing our services are delivered by experts. Contact us today.