Government Proposes New CUI Rules for all Federal Contractors

Category: Awareness, Compliance, CMMC

If you work with Controlled Unclassified Information (CUI), the new Proposed Rule introduces new requirements, including NIST 800-171 revision 2 compliance, for all federal contractors. Read our article to see how this could impact your company in the coming years.

Every agency currently has its own rules for safeguarding Controlled Unclassified Information (CUI), causing inconsistencies and confusion for defense and non-defense contractors alike. On January 15th, the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) released a new Proposed Rule seeking to eliminate this confusion by standardizing the implementation of security policies around CUI government-wide. With this rule, the government appears to be moving toward adopting the DoD’s implementation of the CUI Program.

“Who does the Proposed Rule apply to?”

The rule applies to all federal contractors, defense and non-defense alike. Defense contractors are already expected to implement the CUI Program through DFARS 252.204-7012, which is now being amended to incorporate the CMMC Program. Fortunately, the new CUI Proposed Rule does not contradict any of the requirements already established for defense contractors; instead, it seeks to enforce those same requirements on non-defense contractors and their supply chain.

“What are federal contractors required to do under this new rule?”

The Proposed Rule introduces a number of new requirements for federal contractors, which we have summarized for clarity.

New Form SF XXX (with # TBD!)

One of the key benefits of the Proposed Rule is the creation of a Standard Form (SF XXX) that clearly identifies what CUI will be involved in a contract or solicitation, and the specific safeguards that must be established to protect that CUI. The form explicitly states whether CUI Basic or CUI Specified is involved, whether or not the system must comply with NIST 800-172, and the requirements for:

  • Access and Dissemination;

  • Security Controls;

  • Training; and,

  • Incident Reporting.

Minimum Security Control Requirements

One of the biggest changes for non-defense contractors is that the rule establishes that any non-government system that will process, store, or transmit CUI must meet the NIST 800-171 revision 2 control requirements. This means that any system that touches CUI must have all 110 controls in place. The rule also requires that any cloud computing service that processes, stores, or transmits CUI be FedRAMP Moderate authorized.

Control Validation

Defense contractors are required to validate their compliance with NIST 800-171 through the CMMC Program by conducting one of three types of assessment, as defined in their contract solicitation:

  • Self-assessment;

  • Certified Third Party Assessor Organization (C3PAO) assessment;

  • Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment.

Non-defense contractors will have their compliance validated by the government using the NIST 800-171A assessment criteria. As the Proposed Rule currently reads, the government validation should be a simple review of your System Security Plan (SSP), but it is possible that future drafts of the rule will move toward the CMMC Program model. Check out Hive Systems’ free NIST 800-171 SSP templates to help you get started on documenting your compliance.

The SF XXX will specify at what point the government will perform this validation: as part of your proposal during source selection on a contract solicitation, after contract award, or by having you provide access to your systems so the agency can assess the controls itself.

CUI Training

The Proposed Rule requires that employees who will process, store, or transmit CUI complete at least basic CUI training. Luckily, the DoD’s CUI training is available for free on the Center for Development of Security Excellence (CDSE) website and provides a PDF training certificate to prove completion. The SF XXX will specify whether additional agency-specific training is required for employees performing on the contract.

CUI Incident Reporting

Any suspected or confirmed incident involving CUI must be reported to the agency point of contact listed on the SF XXX within eight hours. The rule further clarifies that CUI that has been mismarked, or information that you believe is CUI but that has not been disclosed on the SF XXX, is only considered an incident if the mismarking or lack of marking resulted in mishandling or improper dissemination of the information. If you are reviewing solicitation details and think something should be CUI, you must notify the point of contact but are not obligated to treat it as an incident.

When an incident involving CUI is discovered, you are required to:

  • Determine and inventory what CUI could have been improperly accessed or disclosed;

  • Construct a timeline of the activity;

  • Determine methods and techniques used to access the CUI;

  • Cooperate with agency officials to report and manage the incident; and,

  • Preserve and protect system images and relevant monitoring and packet capture data for ninety days after the incident report is submitted, if the incident occurred on an information system.

To reduce the risk of CUI incidents, federal contractors are also required to appropriately mark and handle CUI, including when flowing information down to subcontractors.

Flow Down Requirements

If you know you will be providing CUI to subcontractors in performance of a contract, you must create your own SF XXX for those subcontractors, outlining the safeguarding, training, validation, and incident reporting requirements in the same way the agency has outlined them in the contract solicitation.

“That sounds expensive!”

Unfortunately, complying with 110 different controls can be costly. If you have already been working with CUI as part of a federal contract, many of the controls you have implemented will hopefully overlap with NIST 800-171 rev 2, reducing the cost of implementation. The government provided cost estimates as part of the Proposed Rule; however, the numbers they used seem unrealistically low.

It’s important to note that these estimates, including the annual costs, do not include the cost of maintaining your SSP, which is estimated to take an average of 12 hours per year. Additional costs outlined in the Proposed Rule include an estimated 11.5 hours of reporting and image preservation per incident, training at approximately 1 hour per employee, and reviewing the SF XXX at 2 hours per contract solicitation. The cost of validation of your NIST 800-171 compliance by a federal agency was assessed at $50,675. It was unclear, however, whether this is a one-time fee, a triennial fee like the assessments in the CMMC Program, or a fee per contract solicitation, which makes a significant difference to the overall cost.

“What should I do in light of the Proposed Rule?”

The Proposed Rule is open for comment until March 17th, so if you disagree with what is outlined, need clarification, or have recommendations for improvement, we recommend you voice your opinion by submitting a public comment. It will be important to closely watch how this develops as the government responds to feedback, since the rule has the potential to change dramatically before it is finalized. In the meantime, you should start evaluating the NIST 800-171 revision 2 requirements to identify your gaps and begin planning for the future.

What are my next steps?

Not sure where to start with NIST 800-171? Hive Systems can help! Our team of subject matter experts includes Certified CMMC Assessors who are well-versed in the NIST 800-171 requirements, the assessment criteria, and the process by which the government will validate your compliance. Check out our CMMC Readiness and Remediation services to see how Hive Systems can get you compliant with NIST 800-171 and prepare you for your validation.
