[ANSWERED] Who is Responsible for Protecting CUI?

IBM reports that in the fourth quarter of 2023, nearly 8 million records were exposed worldwide. Keeping your sensitive data secure and intact matters, especially in today’s ever-changing technical landscape. Controlled Unclassified Information (CUI) is one category of such data. This class of sensitive information can affect national security, as well as privacy and business operations.

As a defense contractor handling this information, you will find that your contract contains a DFARS 252.204-7012 clause. DFARS is an acronym for the Defense Federal Acquisition Regulation Supplement. This clause specifically requires you to protect sensitive information. So that should close the book on who is responsible for protecting CUI, right? Well, not so much.

Like anything in life, things get a bit more complicated than that. After all, contractors may work with other contractors, as well as with third-party solutions. You might end up working with Managed Service Providers (MSPs) or Cloud Service Providers (CSPs) for IT management assistance. Having all of these hands on deck complicates things when it comes to responsibilities and safeguards.

So who exactly holds the responsibility for protecting CUI? And how should one go about it? Let’s get into it!


What is CUI?

First, let’s go over what exactly controlled unclassified information (CUI) is. This term reflects the definition found in the Code of Federal Regulations (CFR). It is information that the executive branch creates or possesses and that law, regulation, or government-wide policy requires to be safeguarded.

CUI is unclassified data that the United States government creates or possesses but must limit in distribution to the public. It can also include data that organizations create or possess on behalf of the Federal government. While this information is not “classified”, it is still sensitive. All of the information types that CUI covers are listed in the CUI Registry at the National Archives.

These policies govern the control and handling of this unclassified information. They exclude information classified under Executive Order 13526 or any predecessor or successor order, as well as information covered by the Atomic Energy Act of 1954, as amended.

On the other hand, CUI may include research or project information, for example from an exploration team that receives it through a federally funded contract.

While working with CUI, you must have the proper cybersecurity safeguards and measures in place. So who exactly needs to abide by these regulations? Let’s find out!

Who is Responsible for Protecting CUI?

Okay, so this is sort of a trick question. Anyone who works with or creates CUI is responsible for protecting it. By handling this sensitive information, you are automatically liable for any possible data leaks. However, I should mention that 32 CFR Part 2002 formally names the National Archives and Records Administration (NARA) as responsible. Specifically, NARA is the program’s Executive Agent (EA).

NARA maintains resources such as the Federal CUI Registry. This makes it the natural point of contact for all CUI-related regulations. Within the Department of Defense (DoD), the Defense Counterintelligence and Security Agency (DCSA) handles its CUI Program implementation.

The Policies

There are four main policies that govern CUI. If you take on a contract with CUI requirements, be sure to familiarize yourself with the following:

With all of these orders and regulations, you might assume that there are strict rules regarding training for contractors. And you’d be right, although there is some leeway.

Importance of Compliance Training

The scope of CUI training is important, but also flexible. The Center for Development of Security Excellence (CDSE) makes this training available to industry. The CUI training is mandatory, but as I mentioned before, it is relatively customizable depending on the contractor.

Under DoD 5200.48 and the contractual agreement, contractors must complete initial training. Annual refresher training on CUI is also mandatory. This differs from the agencies governed by 32 CFR 2002, which requires refresher training every two years.

What’s nice about this training is that contractors can create their own. Hence the flexible part. Industry can either use the CDSE training or, as I said, create its own program. But if a contractor does decide to create its own training, there are stipulations: it must cover all 11 topics outlined in CUI Notice 2016-01.

The topic of CUI and how to protect it also tends to spill into other areas of training and compliance. A good example of this is the Cybersecurity Maturity Model Certification (CMMC) program. If you’re wondering how, stay tuned.

How does CUI relate to CMMC?

Did you know that the DoD is migrating to using only the CMMC framework?

This applies to assessing and enhancing the cybersecurity of the Defense Industrial Base (DIB). Although I’ve discussed this in previous blogs, to save you a few minutes, I’ll rehash what CMMC is. This framework sets compliance standards for contractors who work with the Federal government.

When talking about CMMC, we are talking about a verification check. This mechanism ensures that companies within the scope of the DIB follow the cybersecurity practices necessary to protect CUI and Federal Contract Information (FCI). The focus is on unclassified networks. So when it comes down to it, think of CMMC as another security checkpoint for protecting CUI!

Conclusion

I know we went over a bunch of technical terms and in-depth policies. But all of it is necessary to stay compliant when it comes to Federal information. The number of records exposed every year highlights the importance of safeguarding your sensitive data. This is especially true for CUI. The nature of this information is private, as it deals with national security. That means there is no such thing as being overly cautious. This is why the responsibility for protecting CUI falls on anyone who handles it.

The National Archives and Records Administration (NARA) oversees the implementation of the CUI regulations. The various policies we covered today are all equally important to staying compliant. Defense contractors in particular must use these policies to create their own training, if they so choose. Otherwise, training should come from the CDSE resource program.

Initiatives such as the Cybersecurity Maturity Model Certification (CMMC) also emphasize the importance of keeping CUI guarded. It is critical to understand how this framework, as the pinnacle of current federal cybersecurity standards, is interconnected with CUI.

In short, remember this blog when you handle anything to do with CUI. As we have seen, a multifaceted approach is best for protecting it.

There is, of course, much more detail to this system of policies and training. Every day there is a constant risk of attackers infiltrating online databases. It is because of this, and of advancing technology, that contractors must commit to compliance.