
Debunking the Myths about Protecting Controlled Unclassified Information

When it comes to meeting the compliance requirements of NIST, CMMC, and DFARS, safeguarding Controlled Unclassified Information (CUI) is crucial. The new CMMC cybersecurity requirements make it clear that anyone who is part of the Defense Industrial Base (DIB) supply chain must take the necessary measures to protect CUI. However, the DoD has not yet made it clear how CUI should be protected, so getting help from a CMMC consulting firm is recommended.

There is confusion among DoD contractors as to how to protect CUI. In this blog, we clear up some of the myths that surround CUI protection and cybersecurity compliance.

Myth 1: If a contractor handles CUI, the entire IT infrastructure and environment must be CMMC level 3 compliant.

According to the CMMC model v1.02, a DoD contractor implementing CMMC can achieve a given certification level for the whole IT network or only for particular enclaves. The decision depends on where the controlled unclassified information is stored and processed. It is worth mentioning that the Department of Defense has approved CMMC compliance under the enclave model.

Myth 2: Defense contractors are obligated to use Microsoft GCC High since most DoD enterprises use it.

Agencies under the Department of Defense do not typically use GCC High. They usually have their own DoD-only cloud storage for CUI.

Besides this, the DoD has not made it mandatory for DIB supply chain members to use any particular solution for storing and sharing CUI. The DoD has only stated that contractors at all levels must comply with the regulations it has set out to safeguard CUI within the supply chain.

Myth 3: Cloud Service Providers appointed to handle CUI must have accreditation from FedRAMP.

Only service providers that hold an Authority to Operate (ATO) with the federal government are listed in the FedRAMP marketplace. FedRAMP members are sponsored and appointed by federal agencies. However, an Authority to Operate is not required when the cloud service provider is hired by a private enterprise that holds federal government contracts.

Myth 4: Cloud Services Providers should accept the DFARS 7012 flow downs

The Department of Defense has released a procurement toolbox that addresses the concern over the DFARS flow-down clause. A contractor does not usually flow down the DFARS clause to cloud service providers; however, if the CSP is hired as a part of the CIS, it must meet the DFARS compliance requirements.

Myth 5: Since proper marking of controlled unclassified information has not been done yet, subcontractors should treat all information as CUI.

While it is true that CUI has not been properly marked in the past, initiatives are underway to establish an appropriate system for marking emails that contain CUI. All contractors and subcontractors should properly mark the CUI that flows down to them under DoD programs that follow CMMC compliance.

Myth 6: It’s a data breach if a DoD user sends an unencrypted email with controlled unclassified information to a DoD contractor.

Such incidents are termed security incidents, not breaches. The subcontractor or the DoD records the incident internally and checks for any residual information. Additionally, such incidents do not prevent a contractor from bidding on government contracts.

What Does DFARS Compliant Mean for DoD contractors?

DFARS 252.204-7012 compliance is required of all defense contractors and subcontractors that process, store, or transmit covered defense information (CDI), regardless of size. Contractors seeking CMMC-covered government contracts must adhere to several requirements, but two in particular, demonstrating "adequate security" and reporting cyber incidents, are the most important.

Adequate Security (as demonstrated by NIST 800-171 compliance): According to the DFARS, adequate security means "protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information." To give additional context for what constitutes adequate security for covered defense information, the Government has stated that contractor information systems that process, store, or transmit CDI shall implement the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."

The word "shall" is used deliberately, making NIST 800-171 compliance mandatory. In essence, the Government is saying that NIST 800-171 compliance constitutes adequate security.

DFARS 252.204-7012 defines a "cyber incident" as "actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein."

Contractors are required to take the following actions if a cyber incident affects CDI:

  • Conduct analysis and preserve evidence to determine whether specific CDI was compromised on contractor computers or servers.
  • Report the cyber incident as soon as it is discovered (within 72 hours). A medium-assurance license will be needed to report the incident.
  • Preserve and protect operating system images and other forensic data, such as packet captures and logs, for 90 days.

These requirements mean vendors must have an incident management plan and supporting processes in place, and must have tested them.

Being DFARS compliant involves several factors. The main one is whether your business complies with the 110 controls listed in NIST 800-171 Appendix D. NIST 800-171 Appendix E also contains the frequently overlooked non-federal organization (NFO) controls. According to NIST 800-171, these 63 additional controls are "expected to be routinely satisfied by nonfederal organizations without specification." In essence, they are measures that any thorough security program should already include. Federal contractors frequently ignore the controls in Appendix E, even though they must be applied to be deemed compliant. To comply with the cyber incident reporting rules should a breach occur, government contractors must also have a strong incident response program in place.

What would happen if an organization were not NIST 800-171 or DFARS compliant?

Simply put, a government contractor that violates DFARS 252.204-7012 runs the risk of not receiving future contracts from the Government. According to the Government's response to public comments on the DFARS rule, the rule does not preclude a requiring activity from stating clearly in the solicitation that compliance with NIST SP 800-171 will be used as an evaluation factor in the source selection process.

However, it is the Government's responsibility to determine how compliance will be evaluated for a particular solicitation. Additionally, according to the Government, by accepting the contract the contractor commits to abide by its provisions. It is in federal contractors' best interest to be able to demonstrate compliance with the NIST 800-171 requirements. Compliance with DFARS 252.204-7012 has been a prerequisite for government contractors for more than two years.

However, one of the critical issues is that federal contractors have only self-attested to their compliance. Without a third-party audit, it is difficult to determine whether firms genuinely adhere to the controls listed in NIST 800-171. The DoD is quite concerned about whether government contractors adhere to the NIST 800-171 standards, which is why the Cybersecurity Maturity Model Certification (CMMC) was developed.
