Taking the Mystery Out of Controlled Unclassified Information (CUI)

Keeping secrets is everyday work for defense industry contractors. But how do you keep a secret when you don’t recognize it? This is the puzzle that prime contractors and suppliers sometimes face as they manage controlled unclassified information (CUI).

Members of the Defense Industrial Base (DIB) have legal and contractual responsibilities, as well as a patriotic duty, to protect classified information. They have a similar obligation to properly manage sensitive data and systems that are controlled yet unclassified. But because CUI is a broad government descriptor covering many components of defense work, companies can feel like they are chasing bureaucratic ghosts: many things related to a Department of Defense (DOD) contract may be CUI — or not.

“There is a lot of confusion related to CUI,” agreed Michael Tanji, director of cybersecurity for MxD, the National Center for Cybersecurity in Manufacturing as designated by the DOD. “One problem is if you have a system that triggers on keywords or phrases you’re going to get a lot of unnecessary warnings about CUI. The government also does a lot of things that might seem to meet the definition of CUI, particularly related to contract information and solicitations, but they’ve been placed on a public website so they may not be CUI. Understand that properly designating CUI material is often a matter of context and can be a tedious process.”

Where CUI meets CMMC

CUI is information that the government creates or possesses, or that a company possesses on behalf of the government, and that requires safeguarding or dissemination controls. Put simply, it is government data that is not classified but still needs protection. CUI can include program details, technical data, engineering files, and federal contract information (FCI), which may include scheduling and pricing information.

The government mandates the protection of defense-related information through laws, regulations and policies in order to keep it out of the hands of adversaries. One of those mandates is the Cybersecurity Maturity Model Certification (CMMC). CMMC 2.0 is the cybersecurity standard created by the DOD to confirm that all companies in the defense supply chain meet minimum security requirements to protect CUI. Meeting the CMMC standard starts with a complete understanding of how to identify CUI.

As Tanji noted, CUI is challenging to recognize both because it can appear in many different elements of defense work and because it is not always clearly marked. CUI runs the gamut from product specifications and drawings to personally identifiable information such as employee names and Social Security numbers, as well as proprietary business information such as contract bids or R&D materials. In short, it can be anything for which the government’s position is, “Don’t let this leak.”

This sensitive information is spread across supplier operations, making it tricky to find. It might be contained in emails or meeting notes. Sometimes information that appears generic is CUI, and sometimes sensitive-looking data actually isn’t. It depends mainly on decisions made by the DOD. “While the government is getting better at marking CUI, contractors must still be able to recognize it based on the terms of their contracts and the nature of the information itself,” Tanji said.

Managing CUI requires teamwork

An organization must take many steps to ensure it is following the rules for protecting CUI and meeting CMMC requirements; it is about more than just recognizing CUI. Tanji said each supplier should conduct an assessment to understand where CUI is processed and stored. Next, the supplier must develop and implement a System Security Plan that outlines (among other things) the security controls it will use to protect CUI. “You must also ensure that you train all employees in CUI handling and security policies,” Tanji said. “It is important that all of these functions and resources are subjected to regular monitoring to ensure they’re being followed.”

Despite the air of mystery, the good news about managing CUI is that it is more a team sport than a lonely pursuit. During a recent CMMC cyber webinar hosted by MxD, Amit Chaudhary, Rolls-Royce Vice President/Head of Cyber Security North America & Defense, said discussion and deliberation between suppliers, prime contractors and the DOD can clear up confusion and ensure correct decision-making.

When in doubt, Chaudhary said, suppliers can consult with their prime or go directly to the DOD for guidance. “They will help you out,” he said.

That matters because everyone should understand that protecting CUI is only possible once it has been identified.
