Nowadays, many people are familiar with at least some types of protected information, whether in the form of personal health information or government-classified information. But, contractors working with the Department of Defense (“DoD”) must remember to protect another type of information: controlled unclassified information (“CUI”). Failure by government contractors to put processes in place that protect CUI could result in the loss of contracting opportunities or potential False Claims Act-related litigation. For more information about the far-reaching implications of cybersecurity requirements on government contractors, please also see Matt Feinberg’s blog on the recent settlement of a cybersecurity False Claims Act (“FCA”) litigation; Isaias “Cy” Alba’s piece about cybersecurity, implied certifications, and the FCA; and Dave Shafer’s analysis of current cybersecurity standards and the DoD’s plans to remedy confusion.
CUI refers to unclassified information that requires proper safeguarding in accordance with federal and DoD guidance. In 2010, President Barack Obama issued Executive Order 13556 in order to address agencies’ inconsistent methods for marking, controlling, and safeguarding CUI, which described CUI as including privacy, security, proprietary business interest, and law enforcement investigation information. In short, even though CUI is unclassified, it is still sensitive information that should be protected.
Today, the Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012 requires defense contractors that maintain CUI to implement the security controls specified in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171. NIST SP 800-171 lists the security requirements for safeguarding sensitive information on non-federal information systems, which includes, among other things, user authentication, user access, media protection, and incident response.
Last month, the DoD Office of Inspector General (“OIG”) issued a report after it audited nine contractors with DoD contracts worth more than $1 million. The Secretary of Defense requested that the DoD/OIG conduct the audit to determine whether contractors were protecting CUI, especially in light of the 248 security incidents reported to the DoD Cyber Crime Center by 126 contractors from March 2015 to June 2018. The DoD/OIG found that DoD contractors did not consistently implement DoD-mandated security controls for safeguarding DoD information, including CUI. The DoD/OIG warned that failure to do so puts the DoD at a greater risk of its CUI being compromised by cyberattacks.
If you are a defense contractor, ensure you are complying with DFARS 252.204-7012 and NIST SP 800-171, and make certain your compliance includes CUI. Review these resources and:
- use multifactor authentication,
- enforce the use of strong passwords,
- identify vulnerabilities in your system and network,
- mitigate those vulnerabilities,
- document and track cybersecurity incidents, and
- implement physical security controls.
Members of PilieroMazza’s Cybersecurity & Data Privacy practice group can analyze cybersecurity frameworks for compliance, develop information security programs, and help navigate the complex regulatory landscape while limiting liability exposure.