
Celestial Defense of Atlanta Georgia is a highly skilled and experienced provider of expert consultant computer security and computer forensic services involving:

  • Incident response
  • Forensic Grade Imaging and preservation
  • Forensic examination and analysis of servers, workstations, laptops, phones, and other storage devices and media
  • File system analysis
  • File activity and usage analysis
  • Device system analysis
  • Intrusion analysis
  • Internet usage analysis and web page reconstruction
  • Social media and text messaging recovery & analysis
  • File deletion activity analysis and data recovery
  • Compliance with organizational, contractual or regulatory requirements like DFARS 4.7300 and 52.204-7012 and NIST 800-171 governing the safeguarding of CUI
  • Database analysis
  • Software analysis
  • Data security process, procedures and systems consulting
    • Systems hardware design, selection, construction and installation
    • Process design, implementation and integration
    • Policy and procedure development
    • Training and process monitoring

Contact us to speak with one of our government contract consultants to learn how we can help you or call 770-777-2090.

Understanding the Road to the DFARS Safeguarding Controlled Unclassified Information (CUI), Federal Contracting Information (FCI), and Cybersecurity Maturity Model Certification (CMMC)
by: Gregory L. Fordham

For decades DoD has imposed security requirements for safeguarding classified information on its contractors by way of the National Industrial Security Program (NISP), but the safeguarding of unclassified information is not covered by that program. In fact, prior to 2000 there was not much guidance on the protection of unclassified information in the federal government as a whole. In 2000, however, guidance about the protection of unclassified information was memorialized in OMB Circular A-130, which focused on the management of federal information resources. Since 2000 there have been several significant initiatives related to cyber security in general and Controlled Unclassified Information (CUI) in particular.

In 2002 the Federal Information Security Management Act (FISMA), also known as the E-Government Act, was enacted to provide a framework for the development and maintenance of minimum security controls to protect federal information systems. The Act required the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. The process was to be overseen by the Director of OMB who would report at least annually about agency security practices and policies and approve or disapprove agency information security programs.

In 2014 FISMA was replaced by the Federal Information Security Modernization Act (FISMA 2014). It made several notable changes to the 2002 FISMA legislation. First, the law authorized the Secretary of the Department of Homeland Security (“DHS”) to assist the OMB Director in administering the implementation of agency information and security practices for federal information systems. Second, the law changed the agency reporting requirements, modifying the scope of reportable information from primarily policies and financial information to specific information about threats, security incidents, and compliance with security requirements. Third, the law updated FISMA to address cyber breach notification requirements.

While the above measures addressed safeguarding federal systems and the information they contained, the measures were still somewhat decentralized and left to individual agency interpretation, implementation and monitoring. The result was a confusing patchwork of inconsistent policies and practices. In order to remove the confusion, at least for unclassified information, Executive Order (EO) 13556 was issued on November 4, 2010. While EO 13556 centralized the oversight, it did not do much else to remove the confusion.

For example, there is no definition of CUI in EO 13556 nor any provision for security standards for safeguarding CUI. About all EO 13556 did was recognize the issue and designate the National Archives and Records Administration (NARA) as the government’s executive agent for CUI. In addition, there was no clear boundary established for NARA’s management and oversight of CUI. In other words, there was no distinction as to whether NARA’s management and oversight applied only to executive agencies, whether it extended to executive agency contractors, or even whether it extended to the private sector as a whole. In addition, EO 13556 did not describe the data to which it applied other than to say it was information “that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended.” Thus, it did not distinguish between government owned data, which the government had an ownership interest in protecting, and other data that it not only did not own but may not even use, like proprietary data of commercial contractors and perhaps even other private sector businesses.

In the end, CUI was simply the designation given to “unclassified information throughout the executive branch that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and Government-wide policies,” whatever that meant. While such language would seem to apply only to the executive branch, there are numerous other kinds of arms and export control statutes that ensnare all kinds of commercial businesses who are not executive agency contractors.

Both versions of FISMA and EO 13556 authorized the National Institute of Standards and Technology (NIST) to develop standards for the control and security of federal information systems and CUI. Over the years NIST has been quite busy and authored a number of guides and standards. A few of the more notable NIST publications are:

  • FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems),
  • FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems),
  • SP 800-30 (Guide for Conducting Risk Assessments),
  • SP 800-53 (Security and Privacy Controls for Federal Information Systems and Resources),
  • SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories),
  • SP 800-94 (Guide to Intrusion Detection and Prevention Systems),
  • SP 800-116 (A Recommendation for the Use of PIV Credentials in Physical Access Control Systems), and
  • SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations).

One of the earliest and most influential catalogs of security controls for unclassified information was the NIST Special Publication SP 800-53, first released in 2005. It has been updated numerous times since and is currently in its fourth revision. The publication is currently produced by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force, an interagency partnership formed in 2009. The NIST SP 800-53 controls, which focus primarily on unclassified information on federal systems, have since also been integrated into security standards for classified information under CNSSI [Committee on National Security Systems Instruction] 1253. In fact, CNSSI 1253 contains a subset of the NIST SP 800-53 controls and provides the first two steps of the Risk Management Framework (RMF) for national security programs. As a result, these days the requirements for protecting classified and unclassified data have many similarities. Nonetheless, there are a number of drivers other than NIST SP 800-53 for national security systems, since the classified data security requirements are also based on Executive Orders (EO) and Intelligence Community Directives (ICD).

The DFARS Rule on Safeguarding Controlled Unclassified Information (CUI)

The Department of Defense (DoD) was the first executive agency to extend CUI requirements to its contractors. The DoD’s process for extending CUI requirements to its contractors began with a proposed rule in 2011 that was then made a final rule in August 2013. This was before NARA, the executive agent for CUI, ever issued any rules or standards, although NARA had requested NIST to develop a set of security standards. It was also before NARA had promulgated any of its own rules governing federal contractors, although it had indicated that a single FAR-wide [Federal Acquisition Regulation] rule would likely be proposed in 2016. In fact, a final rule was published in May 2016 that added requirements to FAR 4.1900, 7.105, 12.301 and the contract clauses at FAR 52.204-21, 52.213-4, and 52.244-6.

Prior to DoD finalizing its DFARS rule in 2013, several respondents during the public comment period for that proposed rule expressed concerns that the DoD rule was premature in establishing standards, since a government wide CUI policy in response to EO 13556 had not yet been formulated. Those respondents feared that the DoD rule could be misaligned with the final CUI requirement. As it turns out, that was exactly what happened.

In late 2015, after the publication in June 2015 of the NIST SP 800-171 standards on protecting CUI in nonfederal information systems and organizations, DoD issued revised DFARS rules without public comment. The 2015 DFARS rule was significantly different from its 2013 version. The differences included the replacement of its earlier CUI security standards, which were based on 51 of the NIST SP 800-53 controls, with the newly published NIST SP 800-171 CUI standards, which contained 102 security controls. The 2015 rule also expanded the rule’s coverage from just contractor information systems to cloud based computing services as well. The expansion to include cloud based services was clearly in response to OMB’s 2011 policy initiative in that area.[EN-1] The 2015 rule also made other definitional changes that were significant. As a result, DoD renamed the rule governing its CUI efforts from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information”.

If there was any good news for contractors, it was that the NIST 800-171 controls imposed by the 2015 rule update were later determined to be so significant and require such extensive efforts by contractors to implement that another interim DFARS rule was issued on December 30, 2015 that gave contractors until December 2017 to upgrade their systems to meet the NIST 800-171 requirements. The grace period does not affect the 2013 requirements, however. Thus, contractors exposed to the 2013 requirements must still abide by them until their contracts with those provisions are formally closed out, which, depending on the contract type, could be years after final performance.

Remarkably, in October 2016 DoD issued the final rule for its 2015 proposed rule. The final rule also had some differences from the interim rule. Fortunately, the differences mostly narrow the rule’s requirements and applicability. For example, one significant difference is that the rule is not an automatic flow down by upper tier contractors to their subcontractors. Rather, upper tier contractors are supposed to assess whether their subcontractors will be handling any covered defense information (CDI) and then flow down the requirement only if it is determined that they will be handling CDI.

For contractors other than cloud based computer service providers, there are now three sets of DoD rules involving protection and safeguarding of CUI: the 2013, 2015 and 2016 DFARS versions. Furthermore, since the requirements are imposed on contractors by way of contract clauses, it is possible that contractors could be subject to all three sets of rules if they have a contract mix where some contracts contain the 2013 DFARS rule requirements while others have the 2015 DFARS rule requirements and still others have the slightly different 2016 DFARS requirements.

In essence, the DoD was the first federal agency to impose requirements for safeguarding CUI on its contractors. The process began in 2011, shortly after passage of EO 13556, with the publication of a proposed rule. While the proposed rule was not itself included in contracts, the rule was finalized in 2013 and imposed CUI safeguarding requirements on contractors at every tier, including commercial items. Thus, starting in November 2013 every defense contract award would carry the safeguarding requirements. In addition, those requirements would be passed down to subcontractors at every tier.

DoD’s efforts were well ahead of NARA, the government’s executive agent for managing EO 13556 and the government’s initiative for protecting CUI in non-federal organizations like federal contractors. Once NIST published its standards for the protection of CUI in non-federal organizations in May 2015 in its Special Publication 800-171, it was obvious that DoD’s requirements for safeguarding CUI were severely misaligned. As a result, DoD published another interim rule later in 2015 that both updated its information security controls for contractor information systems and expanded the coverage to cloud computing services under FedRAMP, another initiative being managed by OMB. The expanded coverage was considered so burdensome that in late December 2015 contractors were given until December 31, 2017 to comply.

DoD’s 2015 rule was finalized in late 2016. Several more changes were made to both definitional aspects of the rule as well as its coverage. The definitions were streamlined. They were also made more tangible with inclusion of the CUI registry as an added source for identifying the covered data. With respect to coverage, it was scaled back such that the requirements were no longer an automatic flow down to subcontractors. Rather, primes and upper tier subcontractors would make an assessment about whether covered data would even be involved with their subcontracts before including the requirements in the subcontracts.

While the 2016 final rule narrows the safeguarding requirements, there are still aspects of the coverage that go beyond the intended scope of the initiative. The government’s interest in safeguarding CUI is to extend the protection to the systems of non-federal organizations so that the CUI data is similarly protected regardless of the actual environment.

Despite the intentions, the protection of CUI in non-federal organizations is defined such that it extends beyond the government’s data and into sensitive, confidential and trade secret data of the contractor if that data is controlled technical information (CTI) or other data listed in the CUI registry and it is “collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract”. While this could be a direction in which the country wants to move, it is beyond the intentions of the initiative as described in the NIST SP 800-171 standard. In NIST SP 800-171 it was stated that, “The protection of unclassified federal information in nonfederal information systems and organizations is dependent on the federal government providing a disciplined and structured process for identifying the different types of information that are routinely used by federal agencies.” Thus, the CUI initiative was about protecting federal CUI residing, transiting or being stored in non-federal information systems.

As part of its safeguarding objective, the new rules include a reporting requirement on contractors whenever their information systems involving CUI are compromised. The reporting requirement is not limited to cases where the CUI was actually altered, destroyed or taken. Indeed, it extends to any kind of improper access. At least for now, the reporting requirement is not intended as a means to identify a safeguarding non-compliance. In fact, the rules make clear that a compromise is not evidence of non-compliance. The reporting requirement is simply part of the government’s effort to ensure that CUI is safeguarded by monitoring trends and techniques. Undoubtedly, however, those who are more skilled at contract administration than cyber security are sure to misunderstand the reporting requirement and want to link it with some kind of punishment.

All of the CUI safeguards will assuredly change in the future. As the reporting results come in there are likely to be changes in the specific security controls that will be required. There could even be an entire rethinking of the implementation, since it provides for the protection of CUI only while a contract is being performed. There is ample concern for the protection of CUI whether or not a contract exists or the organization is even a contractor. Of course, that could depend on exactly how CUI is defined. As of now, numerous products are controlled and prevented from export. There is an interest in protecting their data whether or not a contract is involved.

The FAR Rule on Contractor Information Systems

Much like DoD, the FAR Council also started working on its version of a FAR rule to protect unclassified data. The FAR rule was broader than DoD's rule and essentially encompassed all non-public contract information, not something narrower like CUI. Essentially, non-public contract information was information that was either provided by the government to the contractor or provided by the contractor to the government and not intended for public release. Perhaps that is essentially the same as CUI, but it would seem to be broader, too. Also, the FAR rule would apply to contractor information systems used to store, process or transmit the non-public contract information in the same fashion that contractor information systems storing, processing or transmitting CUI were covered by the DFARS rule.

The FAR rule was initially published in the Federal Register on August 24, 2012 as simply a proposed rule without taking any effect. Thus, it was not actually required and did not appear as an actual contract requirement anywhere. The proposed requirements were somewhat minimal too. The proposed rule only contained 7 requirements for contractors to follow and they were somewhat simplistic, since they involved things like prohibiting processing and posting the information on public sites, keeping software security patches and updates current, subjecting systems to virus scans, and sanitizing media prior to disposal just to name a few.

It was not until June of 2016 that the rule was finalized and actually included in regulatory and contract requirements. The final rule was significantly updated and imposed 15 requirements versus the original 7. In addition, the 15 requirements contained in the final rule were much more substantive than the original 7 and essentially consisted of selected items from the NIST SP 800-171 CUI controls. Thus, they did not require all of the CUI safeguards but only a few of those, and they were taken from only 5 of the CUI control standard's 14 domains. While the requirements of the final FAR rule were significantly more stringent than the proposed rule, they were still much simpler than the CUI security controls imposed by the DFARS rule. And, as stated above, they seemed to apply to a much broader range of information, since they applied to "non-public" information.

Cybersecurity Maturity Model Certification (CMMC)

Compliance with the CUI security standards under the DFARS rule and the required NIST SP 800-171 standards was mandatory by December 31, 2017. Although compliance with the standards was mandatory, there was no oversight of the standards or independent confirmation that they had actually been achieved. Indeed, a contractor's compliance and achievement with the various standards was entirely a self assessment effort or honor system, even though there had been talk of having various oversight entities like DCAA or DCMA include their assessment of a contractor's compliance as part of their other oversight efforts. DCMA was going to have a contractor's compliance included in its CPSR reviews of contractor purchasing systems.

By 2018 it was clear that although contractors were claiming compliance with the CUI requirements, it was thought most were not actually achieving them. The basis for that belief, and where the shortcomings actually resided, was never proven with empirical data and published in meaningful reports. There was, however, a survey conducted in 2017 and published in 2018 by the Manufacturing Division of the National Defense Industrial Association (NDIA) of about 200 NDIA members that were mostly small and medium sized contractors; in fact about half were small businesses of less than 500 employees. About 80 percent of the respondents were from companies that had been DoD suppliers for more than 10 years and about 75 percent of the respondents were from companies acting as primes or first tier subcontractors.

That survey claimed that only around 63 percent of the respondents were aware of the new DFARS requirement. Thus, less than 40 percent were not aware of the new requirement. While the survey made a big deal about this, 64 percent awareness seems pretty good for a new requirement, particularly since the new requirement would not necessarily affect every contractor. The new CUI rules only applied if the contractor had CUI. In addition, the requirement would only appear in subcontracts if the prime or upper-tier sub were passing down CUI to the subcontractor. Thus, it is quite possible that many subcontractors never even saw the requirement. Also, it is not clear from the survey what kind of people were participating. Were they contracts people or CEOs, for example? Not everyone in a company keeps up with the latest compliance issue, particularly if it does not appear in their own contracts.

Whatever the source, the non-compliance perception fostered the idea of having a contractor's compliance verified by third parties and a certification process of sorts. Interestingly, this idea was also a recommendation contained in the survey performed and published by the NDIA manufacturing committee.

In June 2019 DoD announced that it was developing a new cybersecurity standard and certification for defense contractors. The new standard would be called the "Cybersecurity Maturity Model Certification". It would be based on the existing NIST SP 800-171 standards as well as incorporating other frameworks. As its name implies, it would involve a "certification" of the contractor's system. The certification would be provided through independent third party audits and verification of the contractor's systems.

It was expected that the new requirements would go public in January 2020 and then starting around September 2020 contract awards would be dependent on contractors having the requisite certification that their systems complied with the new requirements. Needless to say, this was an ambitious plan, particularly since there were tens if not hundreds of thousands of defense contractors whose systems would need to be reviewed, verified and certified. The infrastructure, specifically the number of available and approved certifiers, did not even exist nor did the systems and standards they would use to verify a contractor's compliance with the standards, whatever those ultimately would be.

There were also huge gaps in the regulatory and contractual requirements. While the DFARS imposed requirements for safeguarding CUI, there was no mention of CMMC or how that would be imposed and managed for DoD's contractors. In fact, it took until late 2020 for the CMMC requirements to be added into the DFARS at 204.7500 and three contract clauses added at 252.204-7019, -7020 and -7021. The -7021 clause is what imposes the CMMC requirement on contractors. The implementation of the new CMMC requirement is not immediate, however. Rather, the new clause envisions a five year phase-in period where only certain contracts would be subjected to CMMC third party certification requirements. In the first year, only 15 prime contract awards would be subject to the CMMC requirements, where contractors would have to have received their third party certifications by the time of contract award. Each year the number of prime contracts requiring third party certification would increase. In the second through fifth years, FY 2022 through FY 2025, the number of prime contract awards subject to CMMC would be 75, 250, 325, and 475 respectively. Whatever contracts are selected each year for the CMMC requirements must be approved by the Undersecretary of Defense for Acquisition and Sustainment. By the sixth fiscal year, starting October 1, 2025, all DoD prime contracts would be subjected to the third party certification requirements.

In addition to the 5 year phase-in, the certification for CMMC is to be tiered as well, with 5 different levels. The contract solicitation would identify which level, 1 through 5, is required for contract performance. Level 1 is something close to what is required under the basic FAR rule for contractor information systems. Its requirements are a small subset of the NIST SP 800-171 security controls and involve only 5 of the NIST SP 800-171 domains. The level 3 certification will require contractors to comply with the entire set of NIST SP 800-171 security controls plus about another 20 requirements. Since the various CMMC levels are cumulative, Levels 4 and 5 would also require that contractors comply with the level 3 requirements plus a number of enhanced security controls from NIST SP 800-172 and perhaps other frameworks.

It is expected that all prime contractors would have to comply with level 3 CMMC and that this would apply to about 90 percent of the industrial base. Only a small number of contractors working on more sensitive projects and needing protection from Advanced Persistent Threats (APT) would need levels 4 and 5.

While most contractors will not be subject to the CMMC requirements during the 5 year transition period, contractors are still expected to comply with the NIST SP 800-171 security controls as required by DFARS 52.204-7012. During the transition period, contractors will continue their own self certification, although there is now a self assessment process which contractors must complete prior to receiving any contract awards. The self assessment requirement was imposed by two of the new DFARS clauses, 52.204-7019 and -7020. Contractors are to have the summary level score of their self assessment entered in the Supplier Performance Risk System (SPRS). A contractor's self assessment summary level score will be given a "LOW" confidence rating if it has not been verified by government personnel. If the contractor's self assessment results have been reviewed by government personnel, they can be given a "MEDIUM" confidence rating if the contractor's assessment documentation has been reviewed and discussed with the contractor. A contractor's self assessment summary score can be given a "HIGH" confidence rating if its security control systems have been assessed as described in the NIST SP 800-171A assessment procedures.

Summary

The federal government's interest and efforts to protect unclassified information have spanned two decades. It started with an OMB Circular. It was then further enhanced and codified with two statutes. The first was FISMA in 2002. The second was FISMA 2014. Both of these dealt more with the protection of federal systems and the unclassified information they contained, however.

When it comes to unclassified information in the hands of federal contractors, EO 13556 is probably the closest authority. While EO 13556, like its statutory counterparts FISMA and FISMA 2014, did not specifically address unclassified information in federal contractor systems, it did establish NARA as the government's executive agent for CUI. It was then NARA that asked NIST to develop a set of security standards to protect CUI in non-federal systems, federal contractors in other words.

Clearly, over the years there have been numerous initiatives involving the security of unclassified information at the executive level and there have been numerous false starts as well. The subject is probably still in a state of flux despite all that has transpired since 2010 and the enactment of EO 13556. The DoD alone, with CMMC, is on its fourth iteration. Things probably will not end there either even though there appears to be considerable movement by the entire federal government to adopt DoD's CMMC framework.

When it comes to protecting sensitive information there are simply a lot of vectors which need to be covered. There is no silver bullet; yet, that seems to be the perception with the NIST SP 800-171 framework and even with CMMC.


The next part in this series of articles on safeguarding CUI is on the Covered Data Requirements.

End Notes


EN-1 - In 2011 OMB issued a policy initiative for the federal government to rely more on cloud based computing services. This policy initiative became known as the Federal Risk and Authorization Management Program (FedRAMP). A subset of the NIST SP 800-53 controls were ultimately identified for use in protecting cloud based environments.