Don’t Let CUI Fly Away…

If you have been following the CyberSheath blogs, you might have seen an increased focus on the updated DFARS regulations. These protocols dictate the newly imposed federal requirement for compliance with the NIST 800-171 controls for government contractors who process, transmit or store controlled unclassified information (CUI). The December 2017 deadline for compliance is fast approaching and contractors are required to meet the requirements of the regulation or face possible penalties. The federal government has continued to prioritize its cybersecurity initiatives and isn’t slowing down.

Many government contractors have been using the NIST 800-53 and FIPS 200 as regulatory guidelines for their information security standards. While this is good practice and a great jump start toward a secure baseline, these guidelines are just recommendations, not actual requirements unless you are a federal agency. NIST 800-171 is derived from those standards, but dictates ‘requirements’ for compliance. Additionally, it is important to understand the focus of the NIST 800-171 differs in that it is more concentrated on the ‘Confidentiality’ of data, and less on the ‘Availability and Integrity’ of data as in NIST 800-53 and FIPS 200.

The regulation states that any government contractors that process, store or transmit CUI are in scope for compliance requirements. First, it is important to understand what CUI is.

Controlled Unclassified Information is defined as:

Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information,
December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

– Executive Order 13556

The National Archives and Records Administration defined several categories for designating CUI. It is important to understand that NIST 800-171 focuses on CUI in its entirety, while DFARS 252.240-7012(a) defines a subset of information that is the category of ‘Covered Defense Information’(CDI). The DFARS 252.240-7012(a) clause defines ‘Covered Defense Information’ as unclassified information that:

(i) Is-

  1. Provided to the contractor by or on behalf of DOD in connection with the performance of the contract; or
  2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and

(ii) Falls in any of the following categories:

  1. Controlled technical information.
  2. Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).
  3. Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual-use items; items identified in export administration regulations, international traffic in arms regulations and munitions list; license applications; and sensitive nuclear technology information.
  4. Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information).

You don’t need to a cybersecurity specialist, CISO or a contract attorney to realize that these definitions are expansive and open-ended, it is by design. In a general sense, we can take away from the definition that CUI is any information that relates to a government contract which is not intended for public release. These can include the following locations:

  • Email systems
  • Internal documentation stores
  • Engineering and design systems
  • Accounting systems
  • Contracts and Proposal stores

Considering common systems that contain CUI, the realization becomes there are several different media types where these systems may reside:

  • Internal servers
  • Workstations and Laptops
  • Cloud systems
  • Removable media
  • Mobile devices

While these locations and systems may seem fairly straightforward for some, they may not for others. Another consideration is for contractors in a specialized industry vertical. What additional considerations do you need to be aware of? What other systems and locations are you responsible for safeguarding this protected information based on the regulations?

Let’s use a specific defense contractor vertical, the aviation industry as an example.

The US Government Accountability Office stated, “Modern aircraft are increasingly connected to the internet” and “interconnectedness can potentially provide unauthorized remote access into avionics systems.”

This brings to light may new technological systems that these contractors rely on that additionally contain CUI which needs to be protected. Both ground and flight operations depend on these systems to provide interconnectedness which boosts operational efficiency and safety in many instances. Many of these new avionics rely on internet connectivity which in turn allow an entry point for malicious attacks. Some of these systems include the following:

  • Flight Planning systems
  • Electronic Flight Bags
  • Flight Control Systems
  • Navigation systems
  • Communication systems
  • Satellite communications (specifically internationally where they are knowingly intercepted by foreign governments)

What this demonstrates is that while NIST 800-171 applies to many government contractors in a similar fashion, it can vary greatly by industry. It is important to recognize the true definition of what CUI is and how your company and industry transmit, store and process it in order to safeguard it correctly.

Understanding what needs to be protected is only the basis for complying with the regulation. Defining and implementing policies and systems to meet the compliance controls can be the bulk of the burden of meeting the requirements. This may seem like an overwhelming undertaking for many contractors who focus their primary energies on producing the quality products and services that they are known for in their industry. If you have a concern about the December 2017 DFARS compliance deadline and are lacking the resources to address your information security obligations, let CyberSheath be your trusted partner in navigating the NIST 800-171 gauntlet. We have a specialized team of Cybersecurity Professionals who have proven industry experience to guide your corporation to compliance.