Working with the US Department of Defense (DoD) is an attractive opportunity for contractors in various industries. There is honor in working with the largest, most powerful military, and achieving “preferred contractor” status can also be lucrative. That said, it’s not easy to achieve this status. You’ll need to be compliant with regulatory frameworks and keep abreast of every update published by the DoD, such as the most recent one on how to safeguard CUI or controlled unclassified information.
With the right guidance, safeguarding CUI is a breeze, and in this article, we’ll show you how.
Department of Defense Guidance on Safeguarding CUI
The recent guidance on safeguarding CUI builds on a years-long push to bolster the cyberdefenses of military contractors. It corresponds to changes in compliance practices, namely a transition to a more robust and accessible system.
This guide will break down all you need to know about safeguarding CUI across three sections:
- What CUI is and the background for new DoD guidance
- The most recent DoD publication on CUI and what to expect
- Overview of everything it takes to achieve CMMC compliance to protect CUI fully
By the end of this blog, you’ll be prepared to protect all CUI you come in contact with and reach full CMMC compliance.
Understanding Controlled Unclassified Information
To understand the new safeguarding CUI guidance, let’s start with the basics: What is CUI, and why is it so critical to protect?
CUI is one of the protected forms of information that classifies DoD contractors as a critical infrastructure sector, according to the Cybersecurity and Infrastructure Security Agency (CISA). In particular, the network of manufacturing, service, and trade-based institutions that work with CUI comprise the Defense Industrial Base sector (DIB).
As we’ll get into in more detail below, CUI and other protected forms of information across the DIB are sensitive not because of individual consumer protections, as is the case with specific other regulatory frameworks. Safeguarding CUI regulations involve stakes far beyond your cybersecurity and that of your direct personnel and clientele. As its name implies, the DIB is essential to the basic functionality of the US military, both domestically and abroad.
So, any threat to the DIB is also a threat to the safety and security of every US citizen.
DFARS Clause 252.204-7012: Defining CUI and Protections
There are many documents that define and offer insights into the nature of CUI, sometimes in ways that complicate or seem to contradict others. But the primary source text for all DoD and other agencies’ rules about CUI is the Defense Federal Acquisition Regulation Supplement (DFARS). In particular, clause 252.204-7012 defines CUI alongside one other form of data:
- Controlled Unclassified Information (CUI) – Data on US military operations that were either never classified or has been declassified but is still protected as “sensitive but unclassified,” (SBU) “law enforcement sensitive” (LES) or “for official use only” (FOUO).
- Covered Defense Information (CDI) – Data related to other security matters both directly under DoD control and adjacent to it, such as technical and repair manuals.
DFARS also details basic requirements for both data forms’ protection while linking to the new CUI Registry for clarification—the registry is one significant impact of the new DoD guide.
NIST SP 800-171: Earlier Framework for Safeguarding CUI
The required protections detailed in DFARS materialized into different regulatory frameworks that apply to various DoD Stakeholders. The biggest one, up until about 2018, was the Special Publication (SP) 800-171 of the National Institute for Standards and Technology (NIST). The core of NIST SP 800-171 comprises 14 Requirement Families, which break down as follows:
- Access Control – Two Basic and 19 Derived Requirements
- Awareness / Training – Two Basic and one Derived Requirement
- Audit / Accountability – Two Basic and seven Derived Requirements
- Configuration Management – Two Basic and seven Derived Requirements
- Identification / Authentication – Two Basic and nine Derived Requirements
- Incident Response – Two Basic and one Derived Requirement
- Maintenance – Two Basic and Four Derived Requirements
- Media Protection – Three Basic and six Derived Requirements
- Personnel Security – Just two Basic Requirements (no Derived)
- Physical Protection – Two Basic and four Derived Requirements
- Risk Assessment – One Basic and two Derived Requirements
- Security Assessment – Just four Basic Requirements (no Derived)
- Systems and Communications Protection – Two Basic and 14 Derived Requirements
- Systems and Information Integrity – Three Basic and four Derived Requirements
While current CUI safeguarding regulations surpass these, NIST SP 800-171 informs all current regulatory requirements and surrounding literature, including the DoD publication in question.
Unpacking Recent DoD Guidance on Safeguarding CUI
The last contextual piece to understand the DoD’s current CUI guidance is the broader network of military and adjacent agencies involved in the development, enforcement, and general oversight of CUI protection. One of these primary stakeholders is the Defense Counterintelligence and Security Agency (DCSA), per their own DCSA guide to CUI. DCSA also names the Center for the Development of Security Excellence (CDSE) as a primary source for education and development, citing CDSE toolkits for CUI as a critical resource.
The actual DoD guidance that builds on all of this background is titled DoD Instruction 5200.48. It was published on March 6th, 2020, in response to executive orders and direction provided by then-president Donald Trump and supersedes orders dating back to 2010.
The document primarily addresses roles and responsibilities within the DoD and sketches useful considerations for DoD contractors, which it refers to as just “Industry.”
DoD Instruction 5200.48 Guidelines for Internal DoD Staff
DoD Instruction 5200.48’s purposes are twofold. The primary goal is to define specific responsibilities for DoD employees safeguarding CUI, including the following general areas:
- Handling and marking – The function is to promote greater visibility when sharing CUI amongst stakeholders who have access privileges. Uniform marking and catalog protocols facilitate security despite movement.
- Uses and disclosures – Specific use cases and disclosure scenarios for CUI also aim at increasing accessibility to those parties for whom use and disclosure are within their defense-oriented roles. These same rules also restrict all other types of access.
- Dissemination or disposal – Finally, the DoD guidance specifies how parties should disseminate, decontrol, or destroy documents containing CUI (or traces of CUI existing on any data that is otherwise salvageable) to minimize accidental improper disclosure.
The other function of 5200.48 is setting up the groundwork for and launching the CUI Registry alluded to above. This document creates a unified database of all common CUI categories and a searchable index on working with them to keep stakeholders safe.
DoD Instruction 5200.48 Guidelines for the DoD Industry
DoD Instruction 5200.48 also highlights what the “Industry” needs to do. This refers to the DIB as a whole and contractors specifically. The authors highlight the critical need for seven areas covered in NIST SP 800-171. These are as follows:
- Access Control – Including both physical and virtual restrictions on access to CUI
- Audit and Accountability – Requiring systematic review of controls relevant to CUI
- Configuration Management – Restricting connections to all systems containing CUI
- Identification and Authentication – Controlling user-end certificates for CUI access
- Incident Response – Addressing attacks that compromise CUI immediately
- Systems and Communications Protection – Requiring strict protections, such as cryptography, for CUI both at rest and when being transported on unsecured networks
- System and Information Integrity – Ensuring proper function of security architecture
These areas exceed the scope of their respective categories in NIST SP 800-171. Furthermore, the newest framework for DoD contractors also far exceeds the range of this guidance. Let’s take a look.
Undertaking Full CUI Protection per DoD Requirements
Something alluded to but not covered in detail in the DoD guidance on CUI is the extent to which full protection moving forward hinges on a new regulatory framework, the Cybersecurity Maturity Model Certification (CMMC). The CMMC is published by and overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S). It builds on and encompasses all of NIST SP 800-171, along with controls from many other security frameworks.
Compliance with the CMMC will be facilitated by Certified Third-Party Assessor Organizations (C3PAOs), themselves accredited by the CMMC Accreditation Body (CMMC-AB). Unlike with NIST SP 800-171, companies can implement the requisite controls at a more moderate pace, scaling up a series of “Maturity Levels” as they implement more complex CUI protections.
CMMC Regulatory Framework Core: Levels and Processes
CMMC’s distinguishing characteristic is the flexibility it affords to DoD contractors in implementing its vast array of controls. These cover the complete protection of CUI and other sensitive classes of data, such as Federal Contract Information (FCI). They also account for Advanced Persistent Threats (APT), an evolving category of cybercrime as yet undefined.
Per the most recent CMMC v1.02, published March 2020, the levels break down as follows:
- Maturity Level 1 – Focused on protections for FCI specifically. Practices constitute “basic cyber hygiene,” and Process Maturity of “performed” is not yet measured.
- Maturity Level 2 – Focused on transitioning to full CUI protection at the next level. Practices constitute “intermediate cyber hygiene,” and Processes are “documented.”
- Maturity Level 3 – Focused on full-fledged protection for CUI, including all of NIST SP 800-171. Practices constitute “good cyber hygiene,” and Processes are “managed.”
- Maturity Level 4 – Focused on shifting attention toward APT while still protecting FCI and CUI. Practices constitute “Proactive” measures and Process Maturity is “reviewed.”
- Maturity Level 5 – Focused almost entirely on APT, without neglecting FCI or CUI. Practices constitute “Advanced/Progressive” while Processes are “Optimizing.”
The specific practices required for compliance and certification at a given level do not suffice. Companies also need to document their process maturity. This is a measure of the extent of institutionalization or buy-in and accountability across every member of the organization.
CMMC Regulatory Framework Core: Domains and Practices
The CMMC’s other defining characteristic is its sheer breadth, including the depth and complexity of its controls. It includes all 110 of NIST and an additional 61 compiled from other guides and consensus best practices for DoD contractor cybersecurity. These spread out across Domains and corresponding Capabilities. Per CMMC v1.02, they break down as follows:
- Access Control (AC) – Four Capabilities and 26 Practices
- Asset Management (AM) – Two Capabilities and two Practices
- Audit / Accountability (AU) – Four Capabilities and 14 Practices
- Awareness and Training (AT) – Two Capabilities and five Practices
- Configuration Management (CM) – Two Capabilities and 11 Practices
- Identification / Authentication (IA) – One Capability and 11 Practices
- Incident Response (IR) – Five Capabilities and 13 Practices
- Maintenance (MA) – One Capability and six Practices
- Media Protection (MP) – Four Capabilities and eight Practices
- Personnel Security (PS) – Two Capabilities and two Practices
- Physical Protection (PE) – Just one Capability and six Practices
- Recovery (RE) – Two Capabilities and four Practices
- Risk Management (RM) – Three Capabilities and 12 Practices
- Security Assessment (CA) – Three Capabilities and eight Practices
- Situational Awareness (SA) – Just one Capability and three Practices
- System / Communication (SC) – Two Capabilities and 27 Practices
- System / Information Integrity (SI) – Four Capabilities and 13 Practices
In total, the 171 controls comprising the CMMC can be challenging to implement, even with the gradual progression over its Levels. Hence the importance of a robust CMMC advisory program.
Full Compliance and Cybersecurity for DoD Contractors
The safeguarding CUI regulations detailed in the recent DoD guidance depend heavily on the context of broader CUI protection. This all stems from DFARS controls, which have since been adopted in the NIST SP 800-171 framework and adapted in the more robust CMMC framework. This document is the one all DoD contractors will soon need to follow, despite its challenges. But fear not—to see how simple it can be to safeguard CUI, contact RSI Security today! Our team is happy to keep you safe.