Now that the government fiscal year end has passed, government contractors that handle controlled unclassified information (“CUI”) must turn their attention – if they haven’t already – to the quickly approaching calendar year end deadline of being compliant with cybersecurity obligations imposed under Defense Federal Acquisition Regulation Supplement (DFARS) § 252.204-7012. U.S. Department of Defense (“DoD”) rules adopted in 2016 require that government contractors handling “controlled unclassified information” have until December 31, 2017, to implement standards set forth in NIST Special Publication (SP) 800-171 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations) (“NIST SP 800-171”).
To constitute “adequate security” for “covered contractor information systems” (not part of an IT service or system operated on behalf of the Government), the covered contractor information system “shall be subject to the security requirements in NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the Contracting Officer.” DFARS § 252.204-7012(b)(i). Further, the regulations make clear that, as of this blog post, time is of the essence because:
(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at [email protected], within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
(B) The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO.
DFARS § 252.204-7012(b)(ii).
Controlled unclassified information (“CUI”) is information of the federal government which is sensitive but unclassified. Under the regulations, CUI requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and is “(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” The requirements for handling of CUI depend on its marking in of two categories: CUI Basic and CUI Specified.
While compliance may seem daunting, most federal contractors that handle CUI most likely have already been following NIST SP 800-171 which outlines the basic safeguarding requirements that must be implemented. The publication includes 14 families of security requirements, comprising 109 individual controls. The CUI requirements within NIST SP 800-171 are directly linked to the baseline controls described in NIST Publication SP 800-53 (“Security and Privacy Controls for Federal Information Systems and Organizations”). To comply with CUI requirements, contractors must fully understand what CUI it stores, processes, or transmits in the course of doing business with the federal government. Compliance requires that contractors provide adequate documentation describing technical solutions, policies, and evidence of being able to detect and respond to incidents. Again, these are best practices that most contractors in the federal government space handling CUI should already have in place.
For contractors handling CUI for the federal government, time has come to ensure that internal controls and best practices align with the agency specific regulations, contract terms related to CUI, and NIST SP 800-171, by taking the following steps:
- Know what CUI you’re handing. Carefully review contracts for CUI handling requirements. Be sure to understand the various types of CUI that you’re handling under existing contracts.
- Perform a “gap assessment” to understand what requirements your current security plan is not meeting under the new rules.
- Update internal controls, procedures, and policies to ensure compliance with the new rules. Again, hopefully this will only require revising controls already in place to remediate identified gaps.
- If you do not have a plan in place for CUI, develop an IT Security Plan to implement such controls, procedures, and policies right away to be in compliance by the year-end deadline.
- Depending on the agency, as with DoD’s DFARS § 252.204-7012, there could be agency specific rules implemented so become familiar with the specific requirements for handing CUI depending on which government customer you work for.
- Finally, prime contractors must also add provisions to flow down CUI clauses to their subcontractors and have policies for monitoring subcontractor compliance as also required by DFARS § 252.204-7012(m).
There’s still enough time during the fourth quarter of 2017 to achieve compliance imposed by DFARS § 252.204-7012 and put NIST SP 800-171 controls for handling CUI in place within your IT Security Plan, but the time has come as failing to do so will preclude you from contracting with the DoD.
About the Author: Kimi Murakami is counsel with PilieroMazza and focuses her practice on corporate transactions with an emphasis on mergers and acquisitions of government contractors. She also has experience advising on intellectual property matters including trademarks and trade secrets. She can be reached at [email protected].