Controlled Unclassified Information - The Devil is in the Details
Controlled unclassified information (CUI) is defined, in part, as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
Despite this seemingly straightforward definition, identifying CUI has been a challenge for the government and contractors. This challenge has become particularly evident as the Defense Department implements its interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) to protect CUI through a mandatory Defense Department assessment methodology and through a slow rollout of its Cybersecurity Maturity Model Certification (CMMC) program.
If the government identifies that an entity will receive, generate, or transmit such information, then the rule is clearly triggered.
On the other hand, if an organization is not told that it will receive, generate, or transmit CUI, then will it still be covered by the rule if it uses its own confidential proprietary or trade secret information to perform? Understanding whether a contractor has controlled unclassified information will be the trigger for compliance with these requirements. This makes knowing what is and is not covered especially important.
The devil is in the details as different contractors take steps to parse out the nuances of identifying CUI. Current guidance does not necessarily provide intuitive solutions.
In January, the Cybersecurity Law and Policy Committee of the National Defense Industrial Association’s Cybersecurity Division held its third tabletop exercise, which took a hypothetical contractor, already in compliance with Defense Department cybersecurity requirements for protecting controlled unclassified information, and ran that company through some of the challenges of identifying it.
One of the first lessons learned in the tabletop is that manufactured data created from existing CUI is also likely protected CUI. The good news is that many in the tabletop audience were able to identify that type of information when they were polled. But as the issue moves from the theoretical realm to the practical realm, it becomes more complicated.
For example, what if the manufactured product is indistinguishable from existing commercial products? Is the manufacturing data considered CUI? In that case, the government may be willing to engage in a discussion on whether to exclude the product from being identified as controlled.
A second lesson learned in the tabletop is that the government’s goal is to define CUI uniformly, not just within the department but, eventually, across all agencies. This is an important goal. If a contractor has this kind of information, it will then be obligated to protect it.
Not all controlled unclassified information is alike. Some may be more sensitive and require higher levels of certification to protect against advanced persistent threats.
Unless a contractor takes the approach of addressing all data in all systems — across all its locations, subsidiaries, etc. — by complying with CMMC at the highest level, it may find issues arise regarding how to best set up its systems to ensure the level of cybersecurity required for protecting the particular type of CUI.
The panel agreed that generic, overbroad definitions of controlled unclassified information are not helpful to contractors and could lead to a liberal interpretation of how it is identified and, consequently, unnecessary expenses to protect misidentified CUI. Conversely, failure to identify the information could lead to vulnerabilities and issues down the road.
A best practice discussed was for contractors to ask contracting officers when they are uncertain about what constitutes CUI and whether it will be involved under their contracts. Contracting officers must be ready to respond accurately and with specificity.
A third lesson learned in the tabletop was how to properly flow down the new DFARS clauses which require implementation of cybersecurity for CUI protection — such as DFARS 252.204-7012, 7020 & 7021 — to subcontractors and vendors. The audience was polled and most agreed that not only should the clauses be flowed down, but that contractors need to be proactive at ensuring compliance at their lower tiers.
In addition to contract provisions and due diligence up front, contractors at higher tiers should also periodically check on their lower tiers to ensure their compliance.
The contractor should engage with their subcontractors and vendors early on to establish a proper understanding of how controlled unclassified information will be identified and what they need to do to comply with the requirements of the contract. This discussion is similar to the communication that contractors should have with the government on the parameters of CUI.
As the tabletop confirmed, the identification of controlled unclassified information will remain a challenge as the government continues its activities to implement cybersecurity requirements and to enforce these provisions.
However, beyond understanding the definition of CUI in a contract, government contractors should maintain good communications with government agencies and higher- and lower-tiered contractors and vendors to clarify what it is and how to identify it. This area is evolving and must be diligently attended to by contractors to avoid non-compliance or misidentification.
Susan Warshaw Ebner and Rolando Sanchez co-chair the NDIA Cyber Division Cyber Law and Policy Committee. Ebner is a partner at Stinson LLP where she is co-chair of the firm’s government contracts and investigations practice group. Sanchez is the principal of Offices of Rolando Sanchez LLC.