The Controlled Unclassified Information Champion’s Vital Role

By Jill Lawson

Many federal government contractors have been mandated to report their protections of Controlled Unclassified Information (CUI) from government Contracting Officers or Prime Contractors. But what is the CUI program, and how does it affect enterprise management?

The CUI Program’s Security Function

The CUI program standardizes the way the government handles information that requires protection under laws, regulations, or government-wide policies, but does not qualify as classified. This information, if compiled together by adversaries, would meet the threshold of being classified information.

America’s adversaries have sophisticated strategies to gain access to government information, no matter how unimportant that information may seem. The Island-Hopping strategy is commonly deployed as soon as government contract awards are announced publicly. One company and/or employees of that company are surveilled waiting for emails to another company, which leads to another surveillance pathway, and the chain continues until reaching access to a desired company. A highly desired company is a small contractor on an agency critical contract that has hackable systems with valuable CUI.

CUI Program’s Clarity Function

Prior to the CUI program, federal agencies often employed ad hoc, agency-specific policies, procedures, and markings to handle this information. This patchwork approach caused agencies to mark and handle information inconsistently, implement unclear or unnecessarily restrictive disseminating policies, and create obstacles to sharing information. Federal government contractors that execute contracts for multiple agencies were being inundated with complicated and sometimes conflicting information protection requirements which made contract compliance almost impossible.

CUI Contract Clauses

The federal government has a hierarchy of acquisition regulations. The senior authority is the Federal Acquisition Regulations (FAR). Each agency then implements FAR clauses in their own regulations adding additional language that best describes their own contractual needs.

The FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems is the federal clause that identifies and mandates fifteen cybersecurity controls from NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Examples of agency-specific acquisition regulations are the Homeland Security Acquisition Regulations clause 3052.204-70, Security Requirements for Unclassified Information Technology Resources and Defense Federal Acquisition Regulations Supplemental 252.204.2017: Safeguarding Covered Defense Information and Cyber Incident Reporting.

The CUI Champion

Implementing NIST 800-171 expands well beyond the traditional systems administrator IT ownership. Contract Managers, Human Resource Managers, and Facility Security Offices also have responsibilities. It is this interweaving between multiple functions that makes an enterprise CUI manager necessary. The CUI manager oversees the living enterprise NIST 800-171 policies, procedures, plans and training that the C-suite CUI champion has signed and resourced. NIST 800-171 requires a signed resourcing plan.

The Department of Defense (DoD), after years of information losses by contractors, has created three types of NIST 800-171 validations under the Cybersecurity Maturity Model Certification (CMMC) program. The purpose of the CMMC is to require C-suite executives to either self-attest, be certified by a CMMC 3rd Party Certifying Organization or be assessed by the government’s Defense Industrial Base Cybersecurity Assessment Center.

The U.S. Department of Homeland Security has indicated they are watching the CMMC program and have just implemented new clauses for proof of IT security certifications. They are watching the DoD experiences with the third-party certification before adopting a similar program.

CUI champions that plan and budget at the enterprise level and appoint a manager are vital for growing in the federal contract space now. To avoid ill-informed purchases of cloud, software, physical sites, and hiring risky employees, the company needs a champion to assess and create standards tailored to their company. NIST 800-171 requirements costs are becoming a major consideration when developing competitive proposals, and the champion can manage those costs.

Below is an example of a CUI champion’s organizational relationship to the enterprise. If you have questions about what qualifies someone for the CUI champion’s role or on the organizational relationship, please consult with an advisor sooner than later. Proof of safeguarding CUI management is a permanent requirement of DoD and DHS, with other agencies soon to follow.