January 17, 2022

Last Updated on January 4, 2024

While many US government agencies have yet to overtly communicate their specific policies for safeguarding Controlled Unclassified Information (CUI), a mandate is already in place from the Information Security Oversight Office (ISOO)—which governs the CUI program for the entire executive branch—requiring compliance with the NIST 800-171 cybersecurity standard for federal contractors that handle CUI. Many companies, as well as many security professionals, are not aware of this fact or its implications for current and future contracts. The belief that NIST 800-171 compliance currently applies to only organizations in the defense industrial base (DIB) is widespread, but incorrect.

In this blog post, I will explain what federal regulations are currently in place around securing CUI, the status of agencies’ efforts to clarify their CUI requirements up to now, and what this means for your organization.

Critical Background

Since the end of 2016, the US Department of Defense (DoD) has required its supporting contractors, known as the Defense Industrial Base (DIB), to implement the security requirements specified in NIST SP 800-171. This is in addition to other contractual requirements as defined in the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 for non-federal information systems that process, store, or transmit CUI. The NIST 800-171 compliance requirement became official in a final rule regarding the DFARS Clause at nearly the same time that the Information Security Oversight Office (ISOO) published the Final Rule 32 CFR, Part 2002 – Controlled Unclassified Information, which governs the CUI Program for the executive branch of the federal government. Both of these rules were published in response to the Executive Order EO 13556, which was released about six years prior to these rules being finalized.

From the release of the above rules to today (2022), there has been a focus on implementing the CUI program throughout the DIB. This effort includes the establishment of the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to assess contractors’ compliance with the DFARS 7012 clause, the DFARS Case 2019-D041 (Final Interim Rule) requiring contractors to submit summary level scores of NIST 800-171 Assessments to the Supplier Performance Risk System (SPRS), and the Cybersecurity Maturity Model Certification (CMMC) Program. These regulatory rulings and programs have been set in place as the mechanism to implement the CUI Program throughout the DoD.

Requirements for Contractors Outside the DIB

But what about contractors that support other executive branch agencies besides DoD? Unfortunately, there has been a lack of direct verbiage in contract clauses set out in other agencies’ FAR supplements (such as the HSAR, DEARS, HUDAR, DOSAR, NSF, TAR, DCARS, etc.) that are similar to what the DoD has enacted via the DFARS rulings. However, this does not negate the responsibility of those agencies to provide oversight of their own CUI programs. Nor does it negate their contractors’ responsibility to implement the security requirements established by ISOO for the protection of CUI within “non-Federal information systems.” This includes NIST 800-171 as the prescribed standard across all agencies to be implemented to protect non-Federal information systems that process, store or transmit CUI.

A large majority of agencies have already developed the Agency CUI Policies that govern their CUI programs (see the references below). Some of these policies are currently active, and some are still in the process of becoming effective. Some agencies have gone through, or at least begun, their FAR supplement rule changes to accommodate the implementation of their Agency CUI Policies and programs, but few have completed the process. Most agencies, however, have opted to begin implementing these programs with their contractor base via memorandums of understanding (MOUs) or agreement (MOAs). In other words, most executive branch agencies are implementing their CUI programs, which include the requirements for their supporting contractor base to implement the NIST 800-171 security requirements if they are handling CUI.

How Should You Respond?

Why is all this so important for non-DIB contractors to be aware of now? We have the advantage of observing the implementation of the CUI program the DoD has been working to implement over the last five years, since the release of their DFARS ruling. We have seen the struggles the DoD has faced in identifying the level of NIST 800-171 compliance across the DIB, and in gaining the assurance that DIB contractors are protecting CUI with the prescribed standards in their non-Federal information systems.

This is largely due to a history of poor processes within acquisition. The DoD acquisition community has struggled to properly identify the requirements and to properly insert the relevant clauses into contracts, based on whether an organization is expected to handle CUI in the performance of a particular contract. By the same token, industry has failed to properly recognize and identify these requirements within their contracts. The establishment of the DIBCAC and CMMC programs, coupled with the rules that resulted from the Interim Rule case (DFARS Case 2019-D041), have led to industry being caught off-guard in complying with the established requirements. Even after five years of effort, the DoD is struggling to get a foothold on the program.

It is imperative that non-DIB contractors supporting executive branch entities and handling CUI in the performance of their contracts implement the proper standards for protecting that data, as prescribed by EO 13556 and the Final Rule 32 CFR, Part 2002 from the CUI Executive Agent (ISOO, as delegated by the National Archives and Records Administration (NARA)). We know today that NIST 800-171 is the prescribed standard across all agencies to be directed for implementation in non-Federal information systems processing, storing, or transmitting CUI. We know today that all agencies have been directed to implement these requirements through the use of agreements (which may come in the form of a contract clause, but may also come in the form of an attachment to a contract, a modification to a contract, or another form of agreement such as MOUs/MOAs).

Have you taken a focused look at your contracts, contract attachments, and other agreements to determine whether your contract is subject to these requirements?

“Winter is Coming”

We can see that agencies are proactively working to implement their CUI programs, but this work may not be clearly communicated to industry partners today. We also know that many agencies have mechanisms in place to require the implementation of the NIST 800-171 for their contractors, even if it is not directly stated in a contract clause.

To solidify the implementation of the CUI program for the entirety of the executive branch (as directed by EO 13556), NARA is working to finalize a FAR CUI rule, FAR Case 2017-016. This rule will clarify what standards are legally required for all contractors handling CUI within their systems. Some may describe this scenario as “Winter is coming.”

 

What’s Next?

To prevent the confusion we have seen from the DoD’s CUI program implementation, and to ensure your organization doesn’t get caught off-guard by these requirements, reach out to Pivot Point Security to speak with one of the experts on our Federal Risk & Compliance team.

Resources on Agency CUI Programs

This list of resources on agency CUI programs is the result of research conducted internally. Links have been provided to help you conduct your own research and validation. Many of the websites offer a wealth of information regarding each agency’s CUI program and implementation.

DoD:

  1. DFARS 252.204-7012, 7019, 7020
  2. DoD Instruction 8582.01
  3. DoD Instruction 5200.48

NASA:

  1. 48 CFR, Chapter 18, Subchapter H, Part 1852, Subpart 1852.2, Clause 1852.204-76
    1. Contract should include Applicable Documents List (ADL) as attachment. ADL should list NPR 2810.7
  2. NPR 2810.7 – https://nodis3.gsfc.nasa.gov/displayDir.cfm?Internal_ID=N_PR_2810_0007_&page_name=main

DoE:

  1. 48 CFR, Chapter 9, Subchapter I, Part 970, Subpart 970.52, Clause 970.5204-2
    1. Requires a Lis of Applicable Directives (list B)(Contract), and a Contractor Requirements Document (CRD)(Departmental Element specific), which should include DOE O 205.1C, or the implementation of NIST 800-171 directly.
  2. DOE O 205.1C – https://www.directives.doe.gov/directives-documents/200-series/0205.1-BOrder-c

Department of Agriculture:

  1. 48 CFR, Chapter 4, Subchapter H, Part 452, Subpart 452.2, Clause 452.237-75, Per 437.110
  2. 48 CFR, Chapter 4, Subchapter A, Part 401, Subpart 401.3, 401.372 (Departmental Directives)
  3. DR 3440-003 – https://www.usda.gov/directives/dr-3440-003

 

DHS:

  1. HSAR 3052.204-7x – HSAR Case 2015-001, updates to include Safeguarding of CUI. Still in Rulemaking Process.
  2. DHS MD 11042.1
  3. DHS Publication 4300A

GSA:

  1. 48 CFR Chapter 5, Subchapter H, Part 552, subpart 552.2, clauses 552.239-70/71
  2. Controlled Unclassified Information (CUI) Policy | GSA – GSSA CIO 2103.2
  3. Security for Sensitive Building Information Related to Federal Buildings, Grounds, or Property | GSA
  4. GSA CUI Guide – Controlled Unclassified Information (CUI) | GSA

 

Department of Commerce:

  1. 48 CFR, Chapter 13, Subchapter H, Part 1352, Subpart 1352.2, clause 1352.239-72
  2. OPBM-NP-18-001 – https://ocio.commerce.gov/node/59

Department of the Treasury:

  1. TREASURY DIRECTIVE 80-08 | U.S. Department of the Treasury

Environmental Protection Agency:

  1. 48 CFR, Chapter 15, Subchapter H, Part 1552.2, Clause 1552.211-79
  2. EPA CIO Directive – CIO 2158.0 – Interim CUI Policy – https://www.epa.gov/cui/about-controlled-unclassified-information-cui-epa

Department of Education – Federal Student Aid:

  1. 48 CFR, Chapter 34, Subchapter H, Part 3452, subpart 3452.2, Clause 3452.239-71/72
  2. http://www.ed.gov/fund/contract/about/bsp.html
  3. DOE Security and Privacy Requirements for Information Technology Procurements
  4. Protecting Student Information – Compliance with CUI and GLBA | Knowledge Center

Nuclear Regulatory Commission:

  1. NRC CUI Program – https://www.nrc.gov/reading-rm/cui.html
  2. Management Directive 12.6
  3. NRC’s CUI Policy Statement

Department of Housing and Urban Development:

  1. 48 CFR, Chapter 24, Subchapter H, Part 2452, Subpart 2452.2, clause 2452.227-70
  2. Potentially 2452.239-70, 2452.237-82/83
  3. https://www.hud.gov/sites/dfiles/OCHCO/documents/22001c17ADMH.pdf

FERC:

1. FERC CUI Processes | Federal Energy Regulatory Commission – Good breakdown of CEII CUI categories.