Controlled Unclassified Information - The Devil is in the Details
Controlled unclassified information (CUI) is defined, in part, as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
Despite this seemingly straightforward definition, identifying CUI has been a challenge for the government and contractors. This challenge has become particularly evident as the Defense Department implements its interim rule to the Defense Federal Acquisition Regulation Supplement to protect CUI through a mandatory Defense Department assessment methodology and through a slow rollout of its Cybersecurity Maturity Model Certification program.
If the government identifies that an entity will receive, generate, or transmit such information, then the rule is clearly triggered.
On the other hand, if an organization is not told that it will receive, generate, or transmit CUI, will it still be covered by the rule if it uses its own confidential, proprietary, or trade secret information to perform the contract? Whether a contractor has controlled unclassified information is the trigger for compliance with these requirements, which makes knowing what is and is not covered especially important.
The devil is in the details as different contractors take steps to parse out the nuances of identifying CUI. Current guidance does not necessarily provide intuitive solutions.
In January, the Cybersecurity Law and Policy Committee of the National Defense Industrial Association’s Cybersecurity Division held its third tabletop exercise, which took a hypothetical contractor, already in compliance with Defense Department cybersecurity requirements for protecting controlled unclassified information, and ran that company through some of the challenges of identifying it.
One of the first lessons learned in the tabletop is that manufactured data created from existing CUI is also likely protected CUI. The good news is that many in the tabletop audience were able to identify that type of information when they were polled. But as the issue moves from the theoretical realm to the practical realm, it becomes more complicated.
For example, what if the manufactured product is indistinguishable from existing commercial products? Is the manufacturing data considered CUI? In that case, the government may be willing to engage in a discussion on whether to exclude the product from being identified as controlled.
A second lesson learned in the tabletop is that the government’s goal is to define CUI uniformly, not just within the department but, eventually, across all agencies. This is an important goal. If a contractor has this kind of information, it is then obligated to protect it.
Not all controlled unclassified information is alike. Some may be more sensitive and require higher levels of certification to protect against advanced persistent threats.
Unless a contractor takes the approach of addressing all data in all systems — across all its locations, subsidiaries, etc. — by complying with CMMC at the highest level, it may find issues arise regarding how to best set up its systems to ensure the level of cybersecurity required for protecting the particular type of CUI.
The panel agreed that generic, overbroad definitions of controlled unclassified information are not helpful to contractors and could lead to a liberal interpretation of how it is identified and, consequently, unnecessary expenses to protect misidentified CUI. Conversely, failure to identify the information could lead to vulnerabilities and issues down the road.
A best practice discussed was for contractors to ask contracting officers when they are uncertain about what constitutes CUI and whether it will be involved under their contracts. Contracting officers must be ready to respond accurately and with specificity.
A third lesson learned in the tabletop was how to properly flow down the new DFARS clauses which require implementation of cybersecurity for CUI protection — such as DFARS 252.204-7012, 7020 & 7021 — to subcontractors and vendors. The audience was polled and most agreed that not only should the clauses be flowed down, but that contractors need to be proactive at ensuring compliance at their lower tiers.
In addition to provisions and due diligence upfront, contractors at higher tiers should also periodically check on their lower tiers to ensure their compliance.
The contractor should engage with their subcontractors and vendors early on to establish a proper understanding of how controlled unclassified information will be identified and what they need to do to comply with the requirements of the contract. This discussion is similar to the communication that contractors should have with the government on the parameters of CUI.
As the tabletop confirmed, the identification of controlled unclassified information will remain a challenge as the government continues its activities to implement cybersecurity requirements and to enforce these provisions.
However, beyond understanding the definition of CUI in a contract, government contractors should maintain good communications with government agencies and higher- and lower-tiered contractors and vendors to clarify what it is and how to identify it. This area is evolving and must be diligently attended to by contractors to avoid non-compliance or misidentification.
Susan Warshaw Ebner and Rolando Sanchez co-chair the NDIA Cyber Division Cyber Law and Policy Committee. Ebner is a partner at Stinson LLP where she is co-chair of the firm’s government contracts and investigations practice group. Sanchez is the principal of Offices of Rolando Sanchez LLC.
Topics: Cyber, Cybersecurity, Infotech
A basic fallacy here is the "contracting officer". Design and manufacturing data produced by the defense contractor is not developed under the aegis of a contract or a contracting officer. It is CUI under ITAR, NAVSEA-08, DoE regulations et al. but no "contracting officer" is involved and none have cognizance or responsibility. I have Distribution Statement B materials under the Proprietary Information and Export Controlled "reasons" yet there is no controlling DoD office. This is akin to initially making an item "classified" but the guidance for CUI is incomplete.
Steve Alonso at 3:24 PM
Steve, to your point, the National Archives and Records Administration (NARA) identifies categories of data that would be considered CUI: https://www.archives.gov/cui/registry/category-list . ITAR (export-controlled data) and Critical Energy Infrastructure Information are among the types of data that are identified as CUI. The 252.204-7012 rule requires that if you are using, generating, transiting, or storing CUI in performance of a contract with that clause, then you have triggered those requirements. If there is a question, one thing we learned from the tabletop exercise was to take steps early on to engage in a discussion with your contracting officer, or the higher-tier prime or subcontractor, that is flowing down the clause to you. If you do get their guidance on whether this is CUI, you should memorialize those communications so that you have a record in the event an issue arises. And, if you aren't satisfied, you receive inconsistent guidance, or you encounter an issue, you might seek assistance to pursue this further.
Susan Warshaw Ebner at 10:56 AM
Another resource in identifying CUI is https://www.dodcui.mil/ and the DOD CUI Registry at https://www.dodcui.mil/Home/DoD-CUI-Registry/
Thomas Gerke at 5:57 PM