When you’re looking to protect Controlled Unclassified Information (CUI), enclaves have several benefits. But how do you actually get started and what should you consider to ensure you’re successful?
Where to establish the enclave boundary
You need a strategy to isolate CUI and Federal Contract Information (FCI), training for users on the enclave, and ongoing monitoring for compliance with organizational policy. Remember that adopting an enclave might mean a duplicate system to isolate CUI and FCI from your other business.
This may incur indirect costs and cause user inconvenience, so consider carefully where to establish the system boundary for Cybersecurity Maturity Model Certification (CMMC) certification.
Practices vs controls
CMMC’s framework doesn’t specify how a security practice should be applied and most of the required practices allow for multiple avenues of successful implementation. There is, however, a requirement for controls within NIST 800-171 and NIST 800-53. This subtlety is another factor you need to consider when your security professionals embark on the CMMC journey.
Educate them around the nuances of practices vs. controls and be sure your external security assessors have completed CMMC training.
CyberSheath’s Federal Enclave accounts for the multiple approaches to compliance and is able to adjust to the different levels of CMMC 2.0, which will likely soon be required of contractors outside the Department of Defense (DoD).
Next steps
CyberSheath has helped more than 500 clients discover their compliance starting point and roadmap. We’re holding a webinar on Feb. 23 that covers these considerations in greater depth and how Federal Enclave helps you ensure compliance. Register now!
For the past several years, contractors with the Department of Defense (DoD) have had to meet a custodial security requirement in their contracts. Soon, this will likely be required outside the defense industrial base (DIB) and apply to all federal contractors.
If you’re like many contractors, you’re wondering how best to safeguard Controlled Unclassified Information (CUI). While there are many ways to meet the rules and regulations, not all of them are feasible or efficient and many of them are expensive.
The key is to limit the scope of your CUI protections. That can be difficult because CUI isn’t always neatly organized in one place. Often it sits in many departments like legal, contracts, accounting, sales, professional services, and engineering. CUI can be on employees’ computers, in their email accounts, on their mobile devices, and on shared network folders.
Contractors tend to take one of three strategies to corral CUI and limit disrupting their larger business:
- Limit by contract or product: You serve the government with specific business segments, so you define your environment based on products and services.
- Limit by geography: A global enterprise only does business with the government through U.S. entities, so it might define limits by geography so the rest of its global sites are undisturbed.
- Limit by technology: Limiting by contract or geography ignores the shared technology resources used across the entire company. An enclave achieves compliance by segmenting CUI from other systems.
An enclave solution, or isolating the CUI within an organization, is a scalable, efficient, and cost-effective approach to the custodial responsibility of security. The National Institute of Standards and Technology (NIST) endorsed this approach with Special Publication 800-171:
“Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for the CUI and avoid increasing the organization’s security posture to a level beyond that which it requires for protecting its missions, operations, and assets.”
While an enclave may require a duplicate system for business processes like email or security tools, creating a large compliance system that spans a whole product segment or even an entire enterprise and goes far beyond just the CUI is significantly more expensive and time consuming.
CyberSheath is helping clients take the best step forward with its new Federal Enclave, which simplifies adherence to difficult cybersecurity business requirements. Register for CyberSheath’s webinar to learn more about the value of enclaves and how Federal Enclave can help.
Determining what types of information your organization possesses is one of the first steps you need to take when starting efforts to enact cybersecurity controls. This classification of information dictates how the data must be controlled and protected.
Here are the different categories of information.
FCI – Federal Contract Information
As defined by 48 CFR 52.204-21, this is, “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information by the Government to the public (such as public websites) or simple transactional information, such as necessary to process payments.”
National Archives and Records Administration (NARA) specifies, “Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.”
It is important to note that protecting FCI (CMMC Level 1) is the minimum requirement if you have a Federal contract.
CUI – Controlled Unclassified Information
According to 42 CFR 2002.4, CUI is, “Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
“CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”
Additional Safeguards / Classifications:
- CUI Basic: Requiring or permitting agencies to control or protect the information but providing no specific controls.
- CUI Specified: Requiring or permitting agencies to control or protect the information and providing specific controls for doing so.
- CUI Specified, with basic controls where not specified by authority: Requiring or permitting agencies to control the information and specifying only some needed controls.
NARA states that, “NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).”
CUI categories for the defense industrial base (DIB)
Refer to this chart to see how to classify your CUI.
| Banner Marking | CUI Category | Organization Grouping |
|---|---|---|
| CUI//SP-CTI | Controlled Technical Information | Defense |
| CUI//SP-CEII | Critical Energy Infrastructure Information | Critical Infrastructure |
| CUI//SP-EXPT | Export Controlled | Export Control |
| CUI//SP-FISA(B) | Foreign Intelligence Surveillance Act (Business Records) | Intelligence |
| CUI//SP-PRVCY | Privacy | Privacy |
| CUI//SP-PROCURE | General Procurement & Acquisition | Procurement & Acquisition |
| CUI//SP-PROPIN | General Proprietary Business Information | Proprietary Business Information |
| CUI//SP-NNPI | Naval Nuclear Propulsion Information | Defense |
| CUI//SP-SRI | Nuclear Security Related Information | Nuclear |
| CUI//SP-PERS | Personnel Records | Privacy |
| CUI//SP-MFC | Proprietary Manufacturer | Proprietary Business Information |
| CUI//SP-PCII | Protected Critical Infrastructure Information | Critical Infrastructure |
| CUI//SP-DCNI | Unclassified Controlled Nuclear Information – Defense | Defense |
| CUI//SP-UCNI | Unclassified Controlled Nuclear Information – Energy | Nuclear |
Learn More
While this blog can get you started on determining how to classify your information, the experts at CyberSheath would be happy to help your company identify your FCI and CUI and create plans for safeguarding it. Contact us to take the next step in learning how to protect your sensitive information.
Since CMMC 2.0 was announced last month, there has been a lot of supposition around what it means. Our approach is to only examine information regarding CMMC 2.0 that has come from official government bodies or authorized government bodies, like the CMMC accreditation body and the Department of Defense.
The framework remains largely unchanged
Our analysis is that CMMC 1.0 and the proposed 2.0 revision are both grounded in Defense Federal Acquisition Regulation Supplement: Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS Clause 252.204-7012), which requires the implementation of NIST Special Publication 800-171 (NIST SP 800-171). DFARS Clause 7012 was first published eight years ago and NIST 800-171 came in 2016, so they have both been around for a while.
It’s also important to note that CMMC 2.0 as proposed has not yet completed the federal rulemaking process. All articles and information as of this writing are not representative of any final ruling. That is all the more reason to ground your efforts in what is both final and actually required: DFARS Clause 252.204-7012 and NIST 800-171.
In this series of blogs, we will be highlighting some of the changes as outlined in the proposed CMMC 2.0. For a more in-depth walk-through, save your virtual seat at our upcoming webinar, CMMC 2.0: What it Means for Your Business. Register Now
Impacts of proposed changes
Below is a rundown of the changes that CMMC 2.0 looks to bring as outlined thus far, and the corresponding effect on companies looking to continue to engage with the DoD in a commercial capacity.
| Proposed changes in CMMC 2.0 | Impact |
|---|---|
| L2 and L4 are projected to be eliminated. | Generally speaking, most companies were aligning to CMMC 1.0 level three, so this repercussion is minimal with no material impact to the defense industrial base. |
| The naming nomenclature has changed. | The new L1 and L2 are the old L1 and L3. Stated another way, the old L3 is now L2. |
| The 20 maturity requirements and controls from CMMC 1.0, L3 have been eliminated. | Simply stated, companies should adhere to NIST 800-171. The 110 requirements of NIST 800-171 have been required for the past six years; focus there. That’s plenty for most organizations to get their hands around. |
Next steps
Attend our upcoming webinar on Wednesday, December 15, 2021, at 9:00am (PST) | 12:00pm (EST), to learn more about CMMC 2.0 and how it might impact your business.
As the cybersecurity landscape continues to evolve and threats continue to infiltrate the IT infrastructure of companies across the globe, it is more important than ever to ensure that your company and your data are protected, especially when doing business with the Department of Defense (DoD). One mechanism in place to help accomplish this herculean task is 48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting.
About DFARS 252.204-7012, Clause M
The DoD is requiring compliance with this mandate to help secure the supply chain of the defense industrial base (DIB). With countless contractors and subcontractors engaging with the DoD, it can be a challenge to make sure all the companies take cybersecurity seriously.
Consider all of the different layers within the supply chain. What sometimes gets overlooked are the requirements on how each supplier needs to protect controlled unclassified information (CUI). The DFARS 7012 clause states that for every subcontract, a contractor has to flow down the original information handling requirements to the companies it is subcontracting with.
Why is it necessary?
Foreign adversaries are starting to detect and piece together information. Individual pieces of unclassified data might seem inconsequential, but when aggregated the information could yield intelligence on classified hardware.
This clause helps ameliorate the overall impact of information loss. By ensuring that your subcontractors guard against data breaches, you are protecting your sub, your own company, and the DoD. If a breach occurs, this clause requires that not only are you notified, but you also flow that information upstream, back to the DIB Cybersecurity Assessment Center (CAC), helping secure all points of the data flow.
What you need to do
As a contractor or subcontractor, you are required to include this clause in subcontracts or similar contextual contractual agreements. The full text is available here.
As a prime contractor
- Add the above clause in the contract with your subcontractor. Make sure to include all the verbiage within the contract, which states what the subcontractor is required to do.
- Keep your subcontractors informed and accountable. Your subcontractors are potentially putting you at additional risk with how they handle the information you are flowing down to them. Any of your subcontractors hiring additional contractors below them also need to include this clause in their contracts.
As a subcontractor
- Make sure you safeguard the covered defense information by maintaining adequate security to protect any CUI that flows to your organization. You are held to the requirements in NIST Special Publication 800-171A, which details protections for CUI in non-federal information systems.
- Report incidents or data breaches. Subcontractors are required to notify the prime contractor when submitting a request to vary from the security rules, and to provide the prime with the incident report number assigned by the DoD when a cyber incident has been identified.
Contractors and subcontractors who are not doing this are putting themselves at increased risk of penalties from the government. Further incentivizing compliance is the escalating severity of the consequences of non-compliance, ranging from jail time to loss of future contracts, resulting in a hit to your company’s bottom line.
If you have any questions about clause M and how to secure your CUI, you can rely on the experts at CyberSheath to help. Contact us today to get started.