In today’s digital age, cybersecurity is of utmost importance, particularly for those who do business with the government. As a government contractor within the Defense Industrial Base (DIB) or someone who handles CUI, you must comply with the regulations and clauses established to safeguard CUI.

What is CUI?

Controlled Unclassified Information (CUI) is a category of sensitive information that is not classified but still requires safeguarding and protection to prevent unauthorized disclosure. CUI can include financial data, personally identifiable information (PII), and technical data.

Why Do You Need to Protect CUI?

The handling and protection of CUI are important to both the government and its contractors, because CUI can contain sensitive information that, if compromised, could lead to serious consequences for national security or for individuals' privacy.

Compliance Requirements for CUI Security

The Department of Defense (DoD) has standardized the protection of CUI by developing the National Institute of Standards and Technology (NIST) SP 800-171, which was published as a supplement to the Defense Federal Acquisition Regulation Supplement (DFARS). To ensure compliance, it is essential to familiarize yourself with the clauses in DFARS.

NIST SP 800-171 establishes methods to meet the requirements for safeguarding covered defense information as outlined in DFARS. It specifies 110 security controls as requirements, divided into 14 security categories. Here’s a summary of the 14 security categories:

  1. Access control: Controlling who can access a company’s information and facilities.
  2. Awareness and training: Educating employees and system users about their security responsibilities and best practices for protecting sensitive information.
  3. Audit and accountability: Monitoring and recording system activities to ensure compliance with established policies and procedures.
  4. Configuration management: Maintaining the integrity of information technology systems by controlling changes to system hardware and software.
  5. Identification and authentication: Verifying the identity of users, processes, or devices before granting access to resources in a system.
  6. Incident response: Having a plan in place to respond to security incidents, such as cyberattacks or system failures.
  7. Maintenance: Keeping systems running smoothly and securely by performing regular maintenance activities, such as patching and updating software and hardware.
  8. Media protection: Protecting physical media, such as hard drives or USB drives, to prevent unauthorized access to sensitive information.
  9. Personnel security: Implementing measures to ensure that employees are trustworthy and don’t pose a security risk to the organization.
  10. Physical protection: Protecting the physical environment where information technology systems and resources are located.
  11. Risk assessment: Identifying and analyzing potential risks to an organization’s operations and assets.
  12. Security assessment: Evaluating the management, operational, and technical security requirements of a system to ensure that they are being implemented correctly and producing the desired outcome.
  13. System and communication protection: Safeguarding information at rest and in transit, such as encrypting data or using firewalls to block unauthorized network traffic.
  14. System and information integrity: Ensuring the accuracy and completeness of the information and guarding against improper modification or destruction of data.

DFARS Clauses Related to Safeguarding CUI

The following clauses are important to understand and implement throughout the life of your contract:

🔹 DFARS Clause 252.204-7012

This clause requires DoD contractors to implement the 110 requirements in NIST SP 800-171, including adequate security protections for cloud computing and other IT services and systems. It also requires contractors to report any cyber incidents or malicious software affecting their systems and possess a DoD-approved medium assurance certificate for incident reporting.

🔹 DFARS Clause 252.204-7020

This clause mandates conducting an assessment to generate a Supplier Performance Risk System (SPRS) score and validate the implementation of the required security controls. The contractor must provide access for the government to conduct a medium or high NIST SP 800-171 DoD Assessment.

🔹 DFARS Clause 252.204-7021

This clause mandates obtaining a Cybersecurity Maturity Model Certification (CMMC) and going through the CMMC assessment process to validate the implementation of the required security controls. The CMMC program measures a contractor's cybersecurity maturity and consists of multiple maturity levels that range from "Basic Cybersecurity Hygiene" to "Expert." As the level increases, additional controls are required. The Final Rule for CMMC 2.0 is expected to come out in March 2023.

🔹 DFARS Clause 252.204-7019

This clause requires offerors being considered for award to implement NIST SP 800-171 and to have a current assessment for each covered contractor information system relevant to the offer, contract, task order, or delivery order.

NOTE: These clauses are more fully described at acquisition.gov. Keep in mind that these clauses are required to flow down to subcontractors only when the performance of work involves CUI.

If you have any uncertainties about meeting these mandatory security requirements or any further inquiries, please do not hesitate to reach out to our team at PW CPA. We are more than happy to direct you to the right resources and ensure you comply with the requirements.