(This post is a pre-publication draft of chapter two of a handbook Terry Lehman and I will publish on complying with DFARS Interim rule 252.204-7019, 7020 and 7021 while also preparing for a CMMC future. We welcome feedback and corrections.)
Billions of bytes swiped at a time, fights with adversaries, and attacks allowed through broken systems. Alliteration aside, the state of our cybersecurity posture remains as weak as that lede. In fact, on June 22, 200 Mark Bradley, the Director of the National Archives Information Security Oversight Office, wrote to the President of the United States and noted:
Our Government’s ability to protect and share Classified National Security Information and Controlled Unclassified Information (CUI) continues to present serious challenges to our national security.
Our efforts to protect critical information as it travels through the DIB supply chain have relied on “antiquated information security management practices,” and relying on self-reported compliance with NIST SP 800-171 has failed.
The immediate adoption of the DFARS interim rules seeks to mitigate the risks Director Bradley highlighted in his report.
The federal government has two options when rulemaking: a publicly reviewed rule, which takes longer to go into effect, or an interim rule, which goes into effect once the public comment period is over. The stakeholders involved in protecting our country from cyber attacks felt the protection of CUI was a matter of immediate national security. In fact, the DFARS Interim rule specifically applies to contractors who inherit or create CUI and not to those who only handle FCI.
Protecting Information: FCI and CUI
As cyber attacks have increased, the United States Government has consistently stressed the need to protect two kinds of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The DFARS Interim rule only applies to companies that currently inherit CUI (meaning they receive it) or create CUI. Therefore, federal contractors will find it essential to understand the difference between FCI and CUI.
Federal Contract Information
The FAR defines what it takes to do business with the Executive Branch. The FAR and its cousin DFARS (the Defense supplement) are broken down into parts and labeled by a series of numbers. Federal Contract Information, for example, is defined in FAR 52.204-21.
The Government defines federal contract information (FCI) as any information included in a contract that is not meant for public release. The expectations for FCI safeguards are described in “FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems.”
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
FAR 52.204-21 is often referred to in shorthand as FAR 21. The DFARS interim rules do not apply to DIB supply chain companies that only handle FCI. Yet a culture of good cyber hygiene begins with the basic safeguards required of any company handling FCI:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
These five basic safeguards map to the NIST SP 800-171 methodology, as do all fifteen of the CFR safeguarding requirements:
(add table of 15 cfr with corresponding NIST SP 800-171 Number)
Identifying FCI is straightforward. First, it is not intended for public release. Second, FCI is generated by or for the government. So you can assume that if an artifact is not marked “intended for public release,” it is FCI.
What about your intellectual property? A great new piece of software that will save the government billions when you sell it for millions? Don’t worry. It is not FCI if it was not generated as part of a contract. That doesn’t mean you are free of legal obligations; some good ideas may have export control restrictions.
So what is the difference between FCI and Controlled Unclassified Information (CUI)? Basically, FCI is information that is not shared with the public, while CUI must be legally safeguarded and is governed by other federal rules and regulations.
Controlled Unclassified Information
After continuous attacks on the DIB global supply chain, the President of the United States created Controlled Unclassified Information through Executive Order 13556. The goal of the order, like many intelligence efforts after 9/11, was to standardize and streamline the labeling and protecting of CUI across 100 different federal agencies and over 300,000 DIB organizations.
Prior to the creation of CUI, “inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing.”
The executive order defines CUI as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
In the definition we can see some clear differences from FCI. While all CUI is technically FCI, CUI is a particular subset: data that (A) must be safeguarded and (B) includes information the government creates or possesses. FCI refers to information given out by the government, while CUI often refers to information held within the government and by authorized members of the DIB supply chain that requires additional protections based on current regulations.
The executive order established the Information Security Oversight Office of the National Archives and Records Administration to create and maintain a CUI registry. If an artifact falls into one of the buckets of CUI identified in the registry then it is CUI.
As a contractor you have five responsibilities in protecting CUI based on DoD Instruction 5200.48, Controlled Unclassified Information:
1. Whenever DoD provides information to contractors, it must identify whether any of the information is CUI via the contracting vehicle, in whole or part, and mark such documents, material, or media in accordance with this issuance.
2. Whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities, protective measures and dissemination controls, including those directed by relevant law, regulation, or government-wide policy, will be articulated in the contract, grant, or other legal agreement, as appropriate.
3. DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified information pursuant to security classification guidance addressing the accumulation of unclassified data or information. DoD contracts shall require contractors to report the potential classification of aggregated or compiled CUI to a DoD representative.
4. DoD personnel and contractors, pursuant to mandatory DoD contract provisions, will submit unclassified DoD information for review and approval for release in accordance with the standard DoD Component processes and DoDI 5230.09.
5. All CUI records must follow the approved mandatory disposition authorities whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities in accordance with Section 1220-1236 of Title 36, CFR, Section 3301a of Title 44, U.S.C., and this issuance.
As you complete a DFARS Interim rule self-assessment, you can think about CUI as any data that some law, regulation, or policy says you must protect. So tax information? Yep, there are rules. It is CUI. Plans you received to develop a part for an engine? Once again, rules exist, so it’s CUI.
This has led the CUI registry published by NARA to have 24 categories and 83 subcategories. The registry is also a living document, and agencies or contractors can use a provisional label if they feel a new subcategory or category is needed. These labels can then be further broken down into CUI Basic and CUI Specified.
According to the CUI Marking Guide version 1.1:
CUI Basic is, as the name implies, the standard “flavor” of CUI. All of the rules of CUI apply to CUI Basic Categories and Subcategories, making the handling and marking of CUI Basic the simplest.
CUI Specified is not a higher level; it is just different. Remember our first rule: CUI is any information covered by laws, regulations and policies. Some of these laws, such as export control laws, apply to CUI in the Defense Industrial Base.
According to the CUI Marking Guide version 1.1:
CUI Specified is different, since the requirements for how users must treat each type of information vary with each Category or Subcategory. This is because some Authorities have VERY specific requirements for how to handle the type of information they pertain to – requirements that simply would not make sense for the rest of CUI.
How do you know if you have CUI Specified? If the contracting agency, law or regulation that governs your project has a place in the CUI Registry as a specified authority, you hold CUI Specified.
We have included a revised version of the CUI marking guide in the appendix of this book.
Controlled Technical Information
The DoD also considers Controlled Technical Information (CTI), a special type of CUI, mission critical when it comes to protecting against cybersecurity threats. The DoD defines CTI as
Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure or dissemination
The presence of CTI may require CMMC maturity levels above three and additional protections.
Do I need to protect CUI?
Of course, silly. Protecting CUI is the entire goal of the CMMC efforts. Unprotected CUI costs billions if not trillions a year. Stolen CUI may even put our soldiers into the crosshairs of our enemy. The efforts to protect controlled unclassified information led to the DoD launching DFARS 252.204-7012, which required contractors to apply the NIST 800-171 standards.
When overwhelming evidence showed the self-reporting mechanisms, including SSPs and POA&Ms, did not get the job done, the DoD created the Cybersecurity Maturity Model Certification (CMMC) and will now require third-party assessors.
CMMC does not fully kick off until 2025. This doesn’t mean DIB contractors can rest easy. The DoD updated DFARS 252.204-7012 with three new clauses: 252.204-7019, 7020, and 7021.
These rule changes will have an immediate effect on the DIB, and if companies do not want to lose contracts or have the Department of Justice haul them in front of a judge under the False Claims Act, they need to get ready.
Department of Defense. (2020). DoD Instruction 5200.48, Controlled Unclassified Information (CUI). Retrieved October 19, 2020.
Devin Casey. (2020). FCI and CUI, what is the difference? – CUI Program Blog. Retrieved October 19, 2020, from isoo.blogs.archives.gov/2020/06/1…
NARA. (2016). Marking Controlled Unclassified Information – CUI Handbook. V1-1-20190524. Washington, D.C.