How to Categorize Non-Public Information
One of the first steps in crafting the cybersecurity plan for your company is knowing what information needs to be protected. With all of the designations of information forming an alphabet soup, figuring out how to proceed can seem challenging.
Protecting sensitive information starts with understanding the various information categories. The next step is being able to map the information your company holds to the contracting regulations you must adhere to. Depending on your relationship with the Department of Defense (DoD), there are a number of requirements to protect non-public information (NPI).
Identify NPI and Map to Applicable Regulations
Familiarize yourself with the different kinds of NPI, which is defined as information associated with a DoD contract that is not intended for public release. There are several regulations established to protect different classes of NPI.
- Federal Acquisition Regulation (FAR) 52.204-21 establishes 15 requirements to protect federal contract information (FCI).
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 invokes NIST SP 800-171 to protect covered defense information (CDI), which is also a term for controlled unclassified information (CUI).
- DFARS 252.204-7021 invokes Cybersecurity Maturity Model Certification (CMMC) to protect both FCI and CDI/CUI.
What information you have dictates how you need to protect it. For example, under the CMMC framework, if what you are protecting is FCI, there are 17 cybersecurity controls required to protect that information. If you have CUI, there are 130 controls.
Important note: These regulations do not apply to commercial off-the-shelf (COTS) products and services. If you are a vendor who only supplies COTS solutions, then these designations do not apply to your business. FAR 2.101 defines a COTS item as “…any item of supply (including construction material) that is:
- A commercial item (Item that can be sold, leased, or licensed to the general public);
- Sold in substantial quantities in the commercial marketplace; and
- Offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and
- … Does not include bulk cargo.”
COTS products and services include catalog items such as laptops, keyboards, and printers; commercially available applications; and janitorial services for public buildings.
Determine Your Information Type
Definition – FCI is non-public information associated with a federal contract. CMMC offers this description, “FCI means information provided by or generated for the Government under a contract not intended for public release.” FAR 52.204-21 expands on this to state, “FCI means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
Examples –
- Contract schedules
- Statements of work
- Non-technical requirements
- Delivery information
Definition – CDI is a form of CUI that is developed under a DoD contract. It is non-public information that a specific published law, regulation, or government-wide policy requires to be protected in some manner.
Introduced in DFARS 252.204-7012, this term means “unclassified controlled technical information or other information…that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
Examples –
- Controlled technical information (CTI), such as engineering drawings, technical reports and notes, bills of materials, software executables and source code
- Export controlled information (EAR or ITAR)
- For official use only (FOUO) documentation, which falls under the DoD realm but is no longer a valid classification
- Operations security (OPSEC) plans
Definition – CUI was established by Executive Order 13556 as a way to standardize how to handle sensitive but unclassified information. According to this order, “CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
Examples – Same as above for CDI
- National Archives and Records Administration (NARA) CUI Registry: This is a registry of all CUI categories. Look through it because it has links to the specific law, regulation, or government-wide policy that causes that category of information to be designated as CUI.
- DoD CUI Registry: This registry highlights those categories that are in the NARA registry but are relevant to DoD contracts. Some of the NARA CUI categories are relevant to other federal government agencies. It also provides links to additional resources.
While this blog provides you with the information you need to get started on determining how to classify your information, the experts at CyberSheath would be happy to help your company identify your CUI and create plans for safeguarding it. Contact us to take the next step in learning how to protect your sensitive information.