DoD Cybersecurity Requirements Update #3

This is the third in a series of blog posts on the Interim Rule regarding cybersecurity issued by the Department of Defense (“DoD”) that goes into effect on November 30, 2020 (see prior blogs (1st) (2nd)). The Interim Rule relies upon the National Institute of Standards and Technology (“NIST”) 800-171 for compliance with cybersecurity. This blog provides an overview of Controlled Unclassified Information (“CUI”).

The history of CUI goes back to Executive Order (“EO’) 13556 issued on November 4, 2010, by President Obama, that directed executive agencies to review their “agency-specific policies, procedures, and markings to safeguard and control” CUI and established a program for managing CUI. The National Archives and Records Administration (“NARA”) was given the responsibility of creating the CUI Registry. Ultimately, the CUI Registry was established and published September 14, 2016 at 32 CFR 2002. The CUI Registry has 23 discrete categories with 82 subcategories. The 23 categories are Agriculture, Controlled Technical Information, Critical Infrastructure, Emergency Management, Export Control, Financial, Geodetic Product Information, Immigration, IS (Information Security) Vulnerability Information, Intelligence, International Agreements, Law Enforcement, Legal, NATO, Nuclear, Patent, Privacy, Procurement and Acquisition, Proprietary Business Information, Safety Act Information, Statistical, Tax, and Transportation. NARA also issued specific samples of CUI Markings based on the CUI Category.

Shortly before the Registry was published, the Federal Acquisition Regulation (“FAR”) was revised to add 52.204-21 Basic Safeguarding of Covered Contractor Information Systems (Jun 2016) for “Covered contractor information systems.” “Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.” FAR 4.1901 “Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.” Id. FAR 52.204-21 has 15 discrete controls based on a subset of the NIST SP 800-171 110 controls. The FAR does not refer to the CUI Registry, but it does refer to EO 13556. “This clause does not relieve the Contractor of … other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.” FAR 52.204-21(2).

Conversely, DOD has been more aggressive in implementing the CUI requirements. Defense Federal Acquisition Regulations Supplement (“DFARS”) Clauses 252.204-7008 and -7012 were issued effective October 21, 2016. These DFARS Clauses finalized the DoD cybersecurity provisions and expanded the definition of Covered Defense Information. The new Interim Regulations expand on the requirements from DFARS 252.204-7012. The DoD has also set up a specific DoD CUI Program. This Program made the NARA CUI Registry be more specific to the DoD. It lists 18 categories rather than the 23 listed in the NARA CUI Registry. It also has more specific CUI subcategories that are more applicable to DoD. All of this information is provided on the DoD CUI website along with some Desktop Aids. These Desktop Aids include a cover sheet with the marking requirements for all DoD CUI.

Knowing and understanding the DoD CUI Program will be critical for understanding how the Interim Rule will affect your company. If you will handle, store or have access to any CUI, you will have to submit your personal assessment in accordance with DFARS 252.204-7019 to the Supplier Performance Risk System (“SPRS”). (Note that there is also an associated DoD Instruction 5000.79 and a Spreadsheet to help a contractor derive their score. The scores can range from 110 to a negative 300 plus number.) And while, as an attorney, I cannot help you with determining whether you are compliant with the standards, I can advise on whether or not you need to be compliant based on your contracts. If you have been working on contracts that included the DFARS clause 252.204-7012, I recommend that you do the assessment under the attorney-client privilege, while you determine whether you have made any false statements to the government regarding your compliance.

For more information on this issue, contact MWL Counsel Johana “Jody” Reed.