If you’re a defense contractor handling Controlled Unclassified Information (CUI), then your contract will have a DFARS 252.204-7012 clause in it that requires you to protect that sensitive information. While that may seem clear enough, in practice it’s common for defense contractors to work with other contractors in their supply chain, third parties that manage their IT infrastructure and systems (known as Managed Service Providers, or MSPs), Cloud Service Providers (CSPs), and others, in support of their DoD work. Understandably, all those players can muddle the answer to the question: Who’s responsible for protecting CUI?
But the answer is straightforward: If your organization handles CUI, then regardless of any other organization you may work with, the bottom line is that you’re responsible for protecting that CUI.
This blog is written to help you better understand what CUI is, how it gets labeled, and how to protect it.
What is CUI?
CUI is information that the Federal government creates or possesses, or that an organization creates or possesses on behalf of the Federal government. That information requires handling with safeguards and dissemination controls consistent with applicable laws, regulations or government-wide policies. CUI is not classified information. (Remember, the “U” in “CUI” stands for unclassified.)
CUI falls into two possible types—CUI Basic and CUI Specified—that determine how it must be safeguarded and disseminated. Simply put, all CUI is considered at least Basic and must be protected per DFARS 7012 requirements. But some CUI requires dissemination controls and enhanced physical safeguards beyond DFARS 7012; that type is labeled CUI Specified.
The National Archives and Records Administration (NARA) is responsible for administering the CUI program. NARA maintains a National CUI Registry that indicates whether CUI is Basic or Specified, and stipulates how it must be protected—including the security controls for CUI Specified.
Note that DoD also maintains its own DoD CUI Registry. While DoD notes that its CUI Registry “generally mirrors” the NARA’s National CUI Registry, “it may provide additional information unique to the Department of Defense.”
Who is responsible for labeling CUI?
The Federal agency that your organization has a contract with (as either a prime or subcontractor) is responsible for marking or identifying any CUI shared with non-Federal entities. The CUI must be marked consistent with the National CUI Registry, and the agency designating the CUI must make recipients of the CUI aware of the fact that they are receiving CUI. For our purposes, the responsible Federal agency is the DoD.
Who is responsible for protecting CUI?
Check your contract to see if it contains a DFARS 252.204-7012 clause. If it does, then your contract work entails handling CUI. And if that’s the case, then regardless of any other organization you may work with to fulfill your contract, the bottom line is that you’re responsible for protecting that CUI.
That means, for example, that if you hire an MSP or CSP to manage your IT infrastructure or provide cloud storage, then you are responsible for confirming that those providers can adequately safeguard CUI per DFARS 7012 requirements. (See more on this below.)
If you have any questions about the status of the information shared with you as part of your DoD work, ask the organization that gave you the information about it. Sometimes, for example, you may receive CUI that isn’t properly marked as such. Therefore, it is also your responsibility to be informed enough about at least the broad CUI categories listed in the NARA National CUI Registry (and mirrored in the DoD’s CUI Registry) so that you know when to ask questions.
How to protect CUI
DFARS 7012—entitled Safeguarding Covered Defense Information and Cyber Incident Reporting—stipulates the cybersecurity requirements that contractors must meet to safeguard the defense information they handle. DFARS 7012 does not apply to contractors who supply only commercial off-the-shelf (COTS) items to the DoD, such as medicine or fuel that is readily available in the same form to the public.
DFARS 7012 requires defense contractors to:
- Provide adequate security to protect unclassified Covered Defense Information (known as CDI, a term that encompasses CUI).
To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. NIST SP 800-171 is entitled, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Further, if end-to-end encryption is used to protect CUI, then NIST SP 800-171 requires the use of FIPS 140-2 validated cryptographic modules. Note that the use of FIPS-approved algorithms alone is not sufficient to meet this requirement; the module implementing them must itself be validated. NIST maintains a list of vendors that use FIPS 140-2 validated cryptographic modules; PreVeil is on that list.
- Rapidly report cyber incidents to the Department of Defense Cyber Crimes Center (DC3).
Contractors must report cyber incidents to DC3, must share all cyber incident data requested by DC3, retain that data for 90 days, and assist DC3 with any follow-up investigations as needed. See PreVeil’s blog on DFARS 7012 (c)-(g), which specify these requirements.
- Meet Federal Risk and Authorization Management Program (FedRAMP) standards
Contractors must confirm that their CSP has achieved the FedRAMP Baseline Moderate or Equivalent standard. PreVeil’s blog about compliance addresses the criteria for the FedRAMP Baseline Moderate Equivalent standard.
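The FIPS point above (a validated module, not merely an approved algorithm) is something you can verify on your own systems rather than take on trust. The following is an added example, not PreVeil code and not part of the original post: it parses the provider listing that OpenSSL 3.x prints for `openssl list -providers` and reports whether a provider named `fips` is loaded and active. The sample listing embedded below is constructed, and its version strings are made up; the function `live_listing` is this example's own helper for running the real command on the current host.

```python
"""Check whether a FIPS provider is loaded in OpenSSL 3.x.

Added example. Parses the text printed by `openssl list -providers`.
The SAMPLE_LISTING below is constructed for illustration; versions are made up.
"""

import subprocess
from typing import Dict, Optional

# Constructed sample of `openssl list -providers` output with both the
# default provider and a FIPS provider loaded. Not captured from any product.
SAMPLE_LISTING = """\
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.0
    status: active
"""

# Constructed sample where only the default provider is loaded: approved
# algorithms (AES, SHA-2, ...) are available, but no validated module is in use.
SAMPLE_LISTING_NO_FIPS = """\
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.0
    status: active
"""


def parse_providers(listing: str) -> Dict[str, Dict[str, str]]:
    """Parse a provider listing into {provider_id: {name, version, status}}.

    Provider ids are the two-space-indented lines; each is followed by
    four-space-indented 'key: value' attribute lines.
    """
    providers: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in listing.splitlines():
        if not raw.strip() or raw.startswith("Providers:"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 2:
            current = line
            providers[current] = {}
        elif indent >= 4 and current is not None and ":" in line:
            key, _, value = line.partition(":")
            providers[current][key.strip()] = value.strip()
    return providers


def fips_provider_active(listing: str) -> bool:
    """True when a provider with id 'fips' is loaded and reports status active."""
    fips = parse_providers(listing).get("fips")
    return fips is not None and fips.get("status", "").lower() == "active"


def live_listing() -> str:
    """Run `openssl list -providers` on this host; empty string if unavailable
    (e.g. OpenSSL missing, or a 1.x build that has no -providers option)."""
    try:
        result = subprocess.run(["openssl", "list", "-providers"],
                                capture_output=True, text=True, timeout=10)
        return result.stdout if result.returncode == 0 else ""
    except (OSError, subprocess.SubprocessError):
        return ""


if __name__ == "__main__":
    for label, text in (("constructed sample", SAMPLE_LISTING),
                        ("constructed sample, no FIPS", SAMPLE_LISTING_NO_FIPS),
                        ("this host", live_listing())):
        providers = parse_providers(text)
        print(f"{label}: providers={sorted(providers)} "
              f"fips_active={fips_provider_active(text)}")
```

An active `fips` provider only shows that a FIPS provider is loaded. To satisfy the control you still need the exact module version to match an entry on NIST's CMVP validated-modules list, and, because the default provider remains loaded alongside it, the application must be configured to fetch algorithms from the FIPS provider only; otherwise non-validated implementations stay reachable.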
Note that the DFARS 7012 clause also requires defense contractors to flow down all the 7012 requirements to their subcontractors.
See PreVeil’s blog, What is DFARS 7012 and Why is it Important? to learn more.
Consequences of not protecting CUI
Noncompliance with DFARS obligations presents serious business risks and could lead to costly consequences.
If your organization fails to provide adequate security to protect CUI as required by DFARS 7012, you raise the risk of exposure to cyberthreats and ransomware attacks. Cybercriminals know that smaller organizations are often more vulnerable than higher-resourced prime contractors and so don’t hesitate to go after easier targets. The potential result is loss of your organization’s IP and its ability to operate, as well as the burden of associated recovery costs, including possibly a ransomware payment.
Moreover, the loss of DoD information has serious consequences: DFARS 7012 requires that all cyber incidents be reported to the DoD. If the ensuing investigation reveals a lack of adequate security—i.e., failure to comply with your DFARS 7012 contract clause—then the DoD may consider that a breach of contract and can take several possible corrective actions.
Possible corrective actions for noncompliance were outlined in a memo the DoD sent to its contracting officers in June 2022:
Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements. Remedies for such breach may include “withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”
CUI: A preferred target for US adversaries
How PreVeil can help
If your organization is responsible for protecting CUI, PreVeil can help. PreVeil Drive and Email are designed to secure, store and share CUI. They deploy easily as a complementary system, with no impact on existing file and email servers—making configuration and deployment simple and inexpensive. Users keep their regular email address.
Upon deployment, organizations will be well on their way to DFARS 7012 compliance, because PreVeil:
- Supports 102 of the 110 NIST SP 800-171 controls, and 260 of the 320 objectives that guide both self- and independent assessments of NIST SP 800-171 compliance
- Complies with DFARS 7012 c-g cyber incident reporting requirements
- Uses FIPS 140-2 validated modules for encryption
- Meets FedRAMP Baseline Moderate Equivalent standards
Clearly, your organization can make significant progress toward DFARS 7012 compliance on its own by deploying PreVeil’s platform. If you need to hire outside help to meet your remaining obligations, PreVeil can offer help via its partner network of certified MSPs, consultants, and leading organizations and individuals, all with expert knowledge of DFARS and NIST (and CMMC too).
PreVeil offers coordinated access to this vetted and specialized partner community based on contractors’ needs. The partners’ expert knowledge of PreVeil streamlines consulting engagements because no time needs to be spent learning how PreVeil supports compliance.
Next steps
If you need help or have questions about protecting CUI, DFARS 7012, NIST SP 800-171, or any other topics, please don’t hesitate to reach out and schedule a free 15-minute consultation with PreVeil’s compliance team.
You also may wish to learn more by reading PreVeil’s blogs, linked to above throughout this piece, or by checking out PreVeil’s white papers on NIST SP 800-171, which is the core of DFARS 7012 compliance: