1 of 20

What is CUI?�Understanding and Protecting Data for DoD Contractors

Presented by NCMEP/IES

1

Industry Expansion Solutions

2 of 20

Webinar Details

  • 30 minutes to cover CUI basics
    • IES background and why we care about CUI
    • Why contractors should be aware of CUI
    • Defining CUI
    • Protecting CUI

  • Resources:
    • Free Online Course
    • Q&A/Ask An Expert
    • Online Resource List

Industry Expansion Solutions

3 of 20

  • IES was founded in 1955 to help North Carolina industries grow and prosper
  • Engineering-based, solutions-driven, client-focused unit of NC State University
  • Collaboration with DoD, NIST, NC State
  • Emphasis on supporting manufacturers in North Carolina
  • Working with NIST and local organizations to improve manufacturer awareness of cybersecurity risk and defense

Who We Are: IES Background

Industry Expansion Solutions

4 of 20

Why Should the DIB Care About CUI?

  • The weakest link is the best place to attack
  • Foreign adversaries understand the US government is a difficult target, contractors operating in the DIB are less equipped to defend data
  • Big breaches get big coverage
    • OPM Hack- 2013-2015
    • Sea Dragon- 2018
    • SolarWinds (not contractor attributed)- 2020
    • Colonial Pipeline (unknown attack vector at this time)- 2021
    • Lincoln Law- October 2021 (False Claims Act) DOJ announces use of FCA to pursue contractors

Industry Expansion Solutions

5 of 20

Small Business and CUI

  • CUI is governed the same for businesses large and small
  • Smaller businesses struggle with requirements because:
    • They have limited or no IT infrastructure
    • Less experience in cyber defense/compliance
    • Smaller or no dedicated cyber defense budget

Industry Expansion Solutions

6 of 20

Defining CUI

  • CUI is non-classified information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies
  • Anything other than COTS (Commercial Off-The-Shelf) software
  • Any manufacturer who provides a product or solution that is designed for government or modified for government, the information associated with such would be considered CUI

Industry Expansion Solutions

7 of 20

CUI Life Cycle

Identify

Safeguard

Share

Decontrol

  • Identify: The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category
  • Safeguard: Appropriate protections must be implemented to protect CUI once identified
  • Share: Sharing should be restricted to the least amount of people possible. Sharing should be based off of all applicable labels and requirements
  • Decontrol: Not all CUI can be decontrolled, applicable laws should be followed before decontrolling

Industry Expansion Solutions

8 of 20

Standards Requiring Protection of CUI: DFARS

  • DFARS/NIST SP 800-171: the Defense Federal Acquisition Regulation Supplement states that contractors and subcontractors working with the Department of Defense (DoD) are in scope of DFARS
  • NIST 800-171 is a globally accepted standard which includes 110 controls across 14 domains
  • Once these requirements have been met, organizations can bid on and win RFPs (request for proposal) with the DoD

Industry Expansion Solutions

9 of 20

Standards Requiring Protection of CUI: CMMC (CMMC 2.0)

  • CMMC: Cybersecurity Maturity Model Certification (CMMC) is a standard published in 2020 for implementing cybersecurity across the defense industrial base (DIB)
  • CMMC differs from other standards governing CUI because it mandates third party assessment and verification of policies and procedures

Industry Expansion Solutions

10 of 20

Where Does CUI Live

  • CUI is data, data can be stored, sent, received, and destroyed
  • CUI can reside on a electronic storage media (hard drive, flash drive, CD, DVD)
  • CUI can be on a physical printout or piece of mail
  • CUI can found in an electronic communication (email)

Industry Expansion Solutions

11 of 20

Identifying CUI

  • External Origin:
    • Does the contract or RFP mention CUI?
    • Does an item received (physically or electronically) contain CUI cover page, banner or other CUI marking?
  • Internal Origin:
    • Start from yes, work backwards
    • Consider common types of CUI
      • PII
      • Technical information
      • Network diagrams
      • Patent applications

Industry Expansion Solutions

12 of 20

Examples of CUI

  • DFARS compliance applies to any business that collects, stores, or transmits CUI on behalf of the DoD. Some examples include:
  • Privacy data
    • Personally Identifiable Information (PII)
    • Protected Health Information (PHI)
    • Financial records
  • DoD CUI
    • Contract information
  • Research/engineering data
    • Proprietary technical information about tools or engineering solutions
  • Technical reports
  • Technical data sets

  • Computer software code and programs
  • Critical infrastructure data
    • Power grid
    • Communications networks
  • Cutting edge technology 
    • Stealth
    • Weapons systems
    • Components of technology

Industry Expansion Solutions

13 of 20

Labeling CUI

  • NIST 800-171 and Cybersecurity Maturity Model Certification require Department of Defense (DoD) contractors to “mark media with necessary CUI markings and distribution”
  • Paper documents must be marked with a Banner Marking and a CUI Designation Indicator. Agencies may choose to use Portion Markings
  • Storage media (CDs, DVDs, Flash Drives, etc.) must be marked as CUI and include CUI Designation Indicator (which agency determined it to be CUI)

Industry Expansion Solutions

14 of 20

Reducing CUI Burden- Less CUI, Less Work

  • Although CUI may be inevitable as part of Federal contracting, it should be minimized whenever possible:
    • Use traditional mail (postal service) instead of email for “one-off” communication
    • Request that prime contractors deliver only required information (nothing more than is needed to complete the job)
    • Decommission CUI when it is no longer in use
    • Keep CUI on work devices, and keep the work network segmented from the internet if possible

Industry Expansion Solutions

15 of 20

The Bottom Line

  • All DoD contractors will eventually be required to obtain a CMMC 2 certification (timeline is fluid)
  • Protecting CUI is your responsibility, audits will be conducted (changes to CMMC will dictate who is audited)
  • Contracts are the first place to check for CUI requirements, the originator of CUI is responsible for labeling as such
  • CUI requirements will change over time, manufacturers should be looking for updates
  • In the end, defending your business and data isn’t just a government mandate, it is a cornerstone of a well run company in 2021!

Industry Expansion Solutions

16 of 20

Free Online CUI Course

  • Intro level course
  • Designed by IES
  • Free to all
  • Focus on DoD contractors
  • No login required
  • Demo!

Industry Expansion Solutions

17 of 20

Ask An Expert

  • Meet Our Expert: Laura Rodgers
    • Leading member of the NCMBC’s business development team
    • Identifies federal prime and subcontracting opportunities
    • Identifies and notifies companies of these opportunities
    • Provides one-on-one assistance to help companies bid on and win contracts
    • Hosts free cyber chat/workshops for NC businesses looking for cybersecurity/compliance information and support

The North Carolina Military Business Center (NCMBC) is a statewide business development and technology transition entity of the State of North Carolina, headquartered at and supported by Fayetteville Technical Community College (FTCC). The mission of the NCMBC is to leverage military and other federal business opportunities to expand the economy, grow jobs and improve quality of life in North Carolina

Industry Expansion Solutions

18 of 20

NCMBC Resources

  • Free Resources
    • Courses
    • Blog
    • Cyber Chats
    • DFARS/CMMC training and updates
    • In a Box solutions
  • Experts with military/cyber expertise and experience
  • NCMBC Website

Industry Expansion Solutions

19 of 20

Q&A

Industry Expansion Solutions

20 of 20

Industry Expansion Solutions