The Perfect Storm- Controlled Unclassified Information and Governance, Risk, and Compliance in the Defense Industrial Base

This post was published on the now-closed HuffPost Contributor platform.
Regan Edens et al.

A storm is brewing for the Defense Industrial Base, impacting tens of thousands of companies and research institutions. For the Defense Industry, December 31, 2017 is a critical deadline. Controlled Unclassified Information (CUI) is the compliance risk management topic every Defense Industry and research institution Board of Directors, CEO, CIO, General Counsel, and COO should be discussing. Cyber security vulnerabilities and regulatory compliance requirements are two very challenging areas for most organizations. “Controlled Unclassified Information” (CUI) includes 115 categories and subcategories of unclassified information that existing Federal law, statutory regulation, and government-wide policy require to be protected. Executive Order 13556, Defense Federal Acquisition Regulation (DFAR) 252.204-7012, National Institute of Standards and Technology (NIST) Special Publication 800-171 r1, and CUI program guidance from the Information Security and Oversight Office (ISOO) within the National Archives and Records Administration give very specific new requirements for safeguarding, handling, and marking CUI data. These CUI requirements apply to all Federal and non-Federal organizations that handle, store, process, create, or transmit CUI data. CUI mandates impact the entire operations and Information Technology (IT) enterprise, given the proliferation of data across emails, devices, hard drives, and printed materials. The organization-wide impact of these new CUI and cyber security compliance mandates is complicated, messy, and far bigger than an IT problem, and the DFAR deadline for compliance is looming.

These challenges can fall below urgent day-to-day tasks and other business priorities. Defense Industry and research organizations often struggle with compliance requirements. For now, a formal CUI compliance program is considered “best practices”, meaning the requirements are described and defined by NIST 800-171r1, but the means of implementation are left to the company or research institution. Where to start is a significant challenge. Mapping and adapting existing corporate compliance frameworks to manage the risk of CUI non-compliance across an organization provides a familiar point of reference for most Defense Industry companies. Export control compliance programs provide a meaningful example of compliance risks that have a broad organizational impact. And yes, export controlled information is a specified category regulated by the new CUI requirements. (Source) Successful compliance programs require cross-functional implementation, robust risk visibility, and effective risk management. Viewing CUI compliance through more than a technology lens is critical to establishing, certifying, and sustaining compliance with the DFAR and NIST 800-171. Using an export control program compliance framework to address CUI requirements will produce better results, in less time, and be more sustainable.

Does DFAR CUI Compliance sound familiar? It should.

Efforts are already underway to expand CUI mandates to include all companies and entities regulated by the Federal Acquisition Regulation (FAR). Reports indicate that the Defense Security Service is actively seeking to expand the NISPOM to include CUI within its authority. CUI compliance and enforcement are only at the beginning. The vulnerability of CUI data and IT networks to global and non-state threat actors presents a grave national security risk to the United States of America. Physical and cyber security standards and enforcement are critical to protecting CUI data from unauthorized disclosure. A clear understanding of the downside risk and penalties of non-compliance is absolutely imperative. NIST 800-171r1 allows companies to submit their System Security Plan (SSP) and Plan of Action and Milestones (PO&AM) before the deadline as a commitment to a path of CUI compliance. Failure to comply by the deadline could result in being unqualified to bid on future contracts and perhaps even jeopardize the status of current contracts. The new 72 hour reporting requirements on incidents involving the unauthorized disclosure of CUI and cyber security incidents are “high risk triggers” for investigation and evaluation of a company’s compliance with CUI and NIST 800-171r1 mandates. Failure to disclose, misrepresentation of CUI compliance, and failure to fully execute the PO&AM and sustain compliance could result in contractual, civil, and criminal penalties. CEOs and key leaders need to ask the right questions to lead their organizations toward successfully meeting the CUI compliance requirements by December 31, 2017.

Federal risk visibility & corporate risk exposure- New CUI mandates require disclosure of incidents involving potential compromise of CUI data and cyber security incidents within 72 hours of detection.

CEO: What is CUI? What is our CUI?

The new CUI compliance requirements present significant implementation challenges across the defense industry and its suppliers. The new CUI data requirements focus on safeguarding “information”, and in some companies the data is likely to be scattered everywhere. The U.S. Government (USG) is consolidating many different types of unclassified data that existing laws and statutes require to be protected from disclosure into a uniform set of standards for protection and safeguarding. CUI data includes 115 categories and sub-categories. (Source) For large defense industry companies, many types of CUI data could exist in both printed and electronic format throughout the company. Many are familiar with pre-existing control markings such as “For Official Use Only (FOUO)” and “Sensitive But Unclassified (SBU)”. However, many CUI files and other sensitive data are likely not marked at all. The definitions for Covered Defense Information (CDI), as likely detailed in current contracts, and CUI are aligned. (Source) The USG contracting officer is the focal point for guidance on CUI marking, protection, and implementation on current contracts, potentially leaving industry open to a wide array of variation in guidance. Reducing risk exposure through uniform implementation and best practices is likely the best course of action as CUI compliance requirements are codified through policy updates beyond the deadline and even expand in 2018-19.

Many companies may actually create many different types of CUI data, including export controlled CUI data. CUI data that is export controlled has specified handling and protection requirements. Export controlled CUI is defined as, “unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and the munitions list; license applications; and sensitive nuclear technology information.” (Source)

A Defense Industry company that produces, markets, and sells products and services that are export controlled must satisfy all the requirements of the DFAR, the Arms Export Control Act (AECA), the AECA implementing guidelines (the International Traffic In-Arms Regulations (ITAR)) and the Export Administration Regulations (EAR) with regard to safeguarding and handling CUI data, and must meet the cyber compliance requirements mandated in NIST SP 800-171. This is a complex and challenging problem set because ownership of CUI information is likely shared among many business units: operations, research and development (R&D), engineering, manufacturing, sales and marketing, etc., to name a few. CUI data and normal unclassified data are intermingled across an IT backbone that is blind to any differentiation between normal data and CUI data. Determining what types of CUI data exist within the corporate-wide enterprise is critical. An organization-wide CUI risk assessment is needed across all 115 categories and subcategories of CUI data to identify those business processes and projects that include any of the categories of unclassified data regulated within the new CUI compliance requirements. (Source)

CEO: Who are the CUI Compliance Stakeholders?

The CUI compliance stakeholders include all those areas who receive, process, print, store, create, protect, and share any of the 115 categories and subcategories of CUI data. CUI compliance stakeholders include all those areas and personnel across the business functional areas who contribute to an efficient and effective CUI compliance risk management program.

The relationship among the CUI compliance stakeholders is interdependent, because the stakeholders execute tasks, use systems, and capture information that are essential to an efficient and effective CUI compliance program. They either contribute to regulatory compliance or fuel CUI compliance risk. The participation of the CUI stakeholders is critical to establishing an effective CUI compliance program and meeting the requirements by the December 31, 2017 deadline.

CEO: How do we baseline our CUI risk?

Key leaders set the groundwork for establishing a CUI compliance risk management framework. The framework guides, coordinates, and unifies the parallel activities CUI stakeholders must complete across the organization in order to meet the December 31, 2017 deadline. The CUI stakeholders leverage the experience of internal and external resources to accelerate the assessment, development, and rollout of essential CUI compliance program components. Program components include a complex mixture of policy, procedures, and technology across a wide variety of functional areas. Consulting support during implementation will also be critical because of the constraints of time and internal resources competing with on-going responsibilities.

The manner in which an organization frames CUI compliance is essential to accelerating implementation, saving time, and reducing challenges. Although cyber security is essential to CUI compliance, it should not be the focus. CUI compliance risk is an operations-based, organization-wide challenge. A CUI Compliance Program is a risk management initiative that reflects industry best practices in order to ensure compliance and mitigate critical business risk and legal ramifications. CUI compliance mandates encompass both the cyber risks to your IT network and the risk of disclosure of sensitive information. Both are high profile vulnerabilities with mandatory reporting requirements. CUI compliance represents an enduring strategic business risk with persistent vulnerabilities and high regulatory oversight.

The first thing the General Counsel should do is evaluate the new CUI requirements and contrast them with the types of information and information systems within the corporate domain. A clear understanding of the downside risk and penalties of non-compliance is absolutely imperative. Non-compliance could result in being unqualified to bid on future contracts or perhaps even jeopardize the status of current contracts. If the evaluation of the new CUI mandates started within your organization’s IT departments, the resulting data management and cyber security focus will likely not address the greatest contributor to CUI compliance risk: day-to-day operations. CUI is principally an information management issue, and the compliance mandates require deliberate integration into on-going business operations, products, and services contract fulfillment activities. Information management, data management, and even cyber security are people-centric challenges first, and technology challenges second.

Finding and properly marking data and documents required under the new compliance mandates is going to be challenging in small organizations, let alone complex organizations. CUI data likely exists across your entire network, on hard drives, in emails and video, and perhaps printed in paper format. For example, CUI data for export controlled technologies is likely scattered across business development, marketing, manufacturing, R&D, training, supply chain, logistics, and the C-suite, to name a few. The challenge is that CUI data represents a consolidated new category encompassing many different types of regulated unclassified data. Even once the CUI stakeholders have worked through the complex process of determining what types of CUI data they receive, create, store, and share, the CUI data will be very difficult to find without specialized tools and methods and will need the guidance and support of CUI stakeholders. CUI stakeholders must help determine “what data” is actually CUI data that must meet the safeguarding, dissemination, and marking requirements, and what data is not CUI. During that process the data may be unrecognizable without specific experience, unlabeled, or perhaps even mislabeled.

A formal CUI risk assessment is an effective vehicle for leaders at all levels to understand the risks across the organization. A CUI Risk Assessment is needed to establish the scope of legacy CUI issues potentially existing across the core business functional areas, physical security, as well as products and services functional areas. The CUI Risk Assessment also scopes the potential impact of the CUI mandates on day-to-day operations. The CUI Risk Assessment should identify the scope of search, types of data, and specific data features and signatures of your CUI data, so IT can identify the specialized tools and methods necessary to find legacy CUI data scattered across the IT enterprise. The CUI Risk Assessment should also include a network security assessment and evaluate the specific changes required in your current network security technologies and practices.
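The two paragraphs above describe the discovery problem: legacy CUI is often unmarked, mislabeled, or carries only pre-CUI markings such as FOUO or SBU, and IT needs concrete "signatures" from the risk assessment before it can search for it. The following is an added example, not code from the article or its authors, showing the simplest form of such a discovery scan: a set of assumed marking and export-control signatures run over a handful of constructed sample documents, producing a per-document triage report that flags files carrying legacy or export-control indicators but no current CUI banner. The signature list, the sample documents, and the `needs_review` rule are illustrative assumptions, not an official CUI Registry list or an approved marking scheme.

```python
import re
from dataclasses import dataclass

# Illustrative signatures (assumed, not an official CUI Registry list): legacy
# control markings and export-control phrases that warrant stakeholder review.
# Acronym patterns are case-sensitive to avoid matching ordinary words; phrases
# are case-insensitive because they appear in headers, footers and body text.
SIGNATURES = [
    ("FOUO", re.compile(r"\bFOR OFFICIAL USE ONLY\b", re.I)),
    ("FOUO", re.compile(r"\bFOUO\b")),
    ("SBU", re.compile(r"\bSENSITIVE BUT UNCLASSIFIED\b", re.I)),
    ("SBU", re.compile(r"\bSBU\b")),
    # Current CUI banner, optionally followed by category markings, e.g. CUI//SP-EXPT
    ("CUI", re.compile(r"\bCUI(?://[A-Z-]+(?:/[A-Z-]+)*)?\b")),
    ("EXPORT", re.compile(r"\bITAR\b|\bEAR99\b|\bexport[- ]controlled\b", re.I)),
]


@dataclass
class Finding:
    doc_id: str
    category: str
    line_no: int
    excerpt: str


def scan_document(doc_id: str, text: str) -> list[Finding]:
    """Return one Finding per (category, line) where a signature matches."""
    findings: list[Finding] = []
    seen: set[tuple[str, int]] = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern in SIGNATURES:
            if (category, line_no) in seen or not pattern.search(line):
                continue
            seen.add((category, line_no))
            # Keep a short excerpt so reviewers can locate the hit without re-reading the file
            findings.append(Finding(doc_id, category, line_no, line.strip()[:80]))
    return findings


def triage(docs: dict[str, str]) -> dict[str, dict]:
    """Summarise hits per document; flag files that show legacy/export indicators
    but carry no current CUI banner, since those are the likely unmarked legacy CUI."""
    report: dict[str, dict] = {}
    for doc_id, text in docs.items():
        categories = {f.category for f in scan_document(doc_id, text)}
        if not categories:
            continue  # nothing of interest; stays out of the review queue
        report[doc_id] = {
            "categories": sorted(categories),
            "needs_review": "CUI" not in categories,
        }
    return report


# Constructed sample documents standing in for files found on a share or mailbox.
SAMPLE_DOCS = {
    "proposal.txt": "Proposal for Widget X\nThis document contains ITAR-controlled technical data.\nDistribution limited.",
    "memo.txt": "FOR OFFICIAL USE ONLY\nMeeting notes from 3 May.\nNo technical data enclosed.",
    "marked.txt": "CUI//SP-EXPT\nExport controlled drawing package.\n",
    "newsletter.txt": "Company picnic is Friday. Bring a dish.",
}

if __name__ == "__main__":
    for doc_id, row in triage(SAMPLE_DOCS).items():
        flag = "REVIEW" if row["needs_review"] else "ok"
        print(f"{doc_id:16} {flag:7} {', '.join(row['categories'])}")
```

In practice the signature list comes out of the risk assessment (which export-control phrases, contract numbers, part-number formats and program names the stakeholders identify), and the scanner is pointed at file shares and mail archives rather than an inline dictionary; the triage output is the hand-off to the CUI stakeholders, who decide what is actually CUI and what is not.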

Current policies, procedures, and practices need to be evaluated against the CUI requirements across operations and IT areas, from the perspectives of information management (Operations), data management (IT), physical security (Operations), and cyber security (IT).

An organization-wide compliance program requires an effective training program that not only trains employees on CUI awareness, but also integrates relevant policies, procedures, and practices. A baseline of knowledge about CUI compliance requirements is necessary in order to develop effective solutions and meet the program implementation and sustainment challenges. Training the general employee work force also includes evaluating, certifying, periodically inspecting, and auditing performance. Defense Industry and Research Institution CUI compliance programs should mirror Federal Agency requirements, except when policy standards specifically identify standards for non-Federal institutions and (private) organizations. In a series of policies, the USG requires CUI program training for all agency personnel, individuals, and private organizations with handling and safeguarding responsibilities. Best practices supporting a strong CUI compliance program should train, evaluate, and certify that employees can:

  • Convey individual responsibilities related to protecting CUI.
  • Describe the differences between CUI basic and CUI specified.
  • Identify the categories routinely handled by personnel and special handling requirements of Specified CUI.
  • Describe the CUI Registry, its purpose, structure, and website address.
  • Identify offices and organizations with oversight responsibilities of the CUI Compliance Program.
  • Address CUI marking requirements.
  • Address the required physical safeguards and methods of protecting CUI.
  • Address CUI destruction requirements and methods.
  • Address CUI incident reporting procedures.
  • Address the methods for properly sharing or disseminating CUI internally and externally.
  • Address the practices for properly decontrolling CUI.
  • Understand network security risks and user vulnerabilities.
  • Recognize insider threats to network security.

Other, more specialized functional areas supporting CUI compliance require specific training and knowledge, as described in NIST 800-171r1, on:

  • Network security
  • Network auditing and accountability
  • Network configuration management
  • Network identification and authentication
  • Incident response procedures
  • Network maintenance
  • Media protection
  • Personnel security
  • Physical protection
  • On-going Network risk and security assessments
  • Systems and communication protection
  • Systems and information integrity

Measuring and monitoring risk is essential to good risk governance. Assessing key metric areas for developing an effective CUI compliance dashboard is absolutely essential during the risk assessment process. Compliance metrics improve risk visibility, and also provide insights to managers and leaders in evaluating the effectiveness of the CUI compliance program.

Assessing and understanding third party CUI risk is also critical. The new CUI requirements make it clear that prime contractors are responsible for their subcontractors’ and vendors’ CUI compliance. This is also a complex challenge, because internal and external CUI compliance requirements all have the same deadline, penalties, and reporting requirements. A compliance gap analysis and prioritization within the CUI risk assessment helps drive the program schedule and tasks. Many companies will need external consulting support across a wide variety of areas in order to meet a very tight CUI compliance deadline on December 31, 2017.

CEO: Is a CUI Compliance Program needed to implement, sustain, and manage CUI compliance risk?

CUI compliance is an unfunded requirement. Quite literally, CUI mandates are the new cost of doing business with the Federal Government. For those Defense Industry companies and other non-Federal Institutions whose products, R&D, technologies, and services are included within the scope of CUI program mandates, the requirements are impactful and the deadline is danger close.

Often within companies, a precious few people worry about compliance risks. Unfortunately, the brutal impact of CUI compliance violations on an organization is far greater than those precious few. Sanctions, fines, and prohibitions not only impact shareholder value, but may also disrupt core revenue streams. Addressing CUI compliance risk is a complex leadership challenge, especially across large organizations. Many compliance professionals understand compliance risks, but few understand how to implement, shape and reduce risk across the organization.

The consequences of organizations not “owning” CUI compliance risks are far reaching. Some organizations do not “own” risk very well. Leaders require knowledge, visibility, and resources to manage their organizational risks. Good corporate governance must include CUI compliance risk within the strategic risk management process. “Strategic risks are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization.” (Source) A CUI Compliance Program serves to implement, manage, and provide strategic risk visibility and is a business imperative. Engage and embrace the organizational and people-centric realities of establishing and sustaining compliance programs, or ignore them at your peril.

CEO: How can outsourcing support accelerate our CUI Compliance Program implementation and reduce risk?

Coherently integrated experience, services, and technologies offer a remarkable accelerant to companies seeking to rapidly address CUI compliance risk. Once developed and implemented, a CUI Compliance Program approach is self-sustaining. Executives and managers need the outside assistance and perspectives of quality consulting organizations that can identify the CUI challenges organizationally, functionally, and technically.

Mapping consulting capabilities to a CUI compliance risk reduction framework, whose purpose is to establish compliance within the organization, bridges missing internal capabilities and risk reduction objectives. Surging consulting capabilities to drive risk-reducing outcomes enables the roadmap and tight schedule for the Board and senior leaders committed to CUI compliance. Corporate and organizational leaders with authority and compliance consultants work together to leverage findings from the CUI risk assessment to rapidly develop a strategy, plan, tasks, and schedule. Results will always outperform the legacy “passive recommendations” made by typical consultants. A hands-on approach is absolutely required.

Boards and corporate leaders need to embrace those consulting firms whose reputation is tied to results, not just beautifully bound and printed documents. Comprehensive CUI compliance risk assessments should also reveal managerial and systemic compliance vulnerabilities obscured by other approaches. Consulting success must be tied to reducing organizational-wide CUI risks: Assess, Understand, Prioritize, Enable. What are the critical elements to comprehensively reducing your CUI compliance risk?

CEO: Do we fully understand the new requirements?

The Defense Federal Acquisition Regulation (DFAR) [252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting] mandates that contractors (and sub-contractors) protect CUI to the standards outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171r1, [Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations]. The Special Publication lists 110 actions required to protect CUI in 14 different categories. The United States Government (USG) has an interest in safeguarding CUI data from unauthorized dissemination, and also has an interest in ensuring the confidentiality, integrity, and availability of the company IT systems that safeguard CUI data. The new CUI policies mandate requirements, beyond the network security requirements, for all Federal Agencies, individuals, and private organizations handling CUI basic and specified data.

CUI is divided into two categories, basic and specified. Export Controlled information falls within the CUI specified category because laws, regulations, and government policies mandate specific requirements regarding disclosure and protection. Export control, as with many other specified categories of CUI, also carries significant penalties for violations and mishandling. Much like export control compliance regulations, the DFAR directs contractors (and sub-contractors) to disclose and report when CUI data is compromised. Since most companies rely heavily on IT systems and the preponderance of CUI data is electronic, the DFAR requires that cyber incidents be reported to the Department of Defense (DoD) within 72 hours of detection. CUI requirements in larger organizations are complex both technically and programmatically. CUI program leaders need the authority and ability to coordinate implementation across complex organizations.

Eventually, circumstances will require companies to demonstrate their CUI compliance across their organization. Companies and research institutions that ignore the CUI compliance requirements to safeguard CUI information and data and to meet network security requirements place themselves at significant risk of civil, criminal, and contract penalties. In today’s cyber security environment of ubiquitous risk, the detection of a reportable incident is inevitable. With mandatory reporting requirements, an entity should be able to produce a compliant System Security Plan and security assessment upon request. CUI non-compliance places current and future DoD business opportunities at significant risk.

Conclusion

New Federal regulations surrounding CUI data and safeguarding mandates require strict adherence to programmatic and technical regulations that are detailed, unforgiving, time-consuming, and often not well understood. Foreign interests aggressively target CUI data through a variety of surreptitious means. Even for the most vigilant companies, urgent business pressures distract well-intentioned leaders, managers, and employees, and the looming CUI requirements on information, data, and security management remain a distant priority…until it’s too late. The CUI Compliance deadline on December 31, 2017 will arrive, and organizations will, or will not, be ready. Even with a path towards compliance detailed in the PO&AM, companies must effectively implement and sustain the mandates, with the 72 hour reporting requirements significantly increasing their risk exposure. CUI Risk Management acknowledges the strategic risk to your business and the necessity to establish effective risk governance. A CUI compliance program accelerates successful implementation, and effectively manages the risk of sustaining compliance across your entire organization. The path toward implementing and managing CUI compliance risk is not easy, so what do we do now? We lead.

SPECIAL THANK YOU... National Archives and Records Administration, Information Security & Oversight Office for their feedback and insight.

About the other contributing authors:

Robert Enriquez is Director of Trade Compliance Risk Management Products and Services at Globaleyes, LLC. Robert joined the Globaleyes team in May 2010, and has prepared hundreds of license/agreement applications (classified and unclassified), performed gap assessments, and delivered live trainings for multinational companies in both English and Spanish. Roberto draws from his expertise as a mechanical engineer to assess difficult commodity jurisdictions and classifications. He is uniquely skilled at analyzing complex business transactions and quickly developing the appropriate export authorizations for clients. He has created ITAR compliance manuals and process documentation to comply with AECA and ITAR requirements. He has developed and provided compliance trainings for clients in the U.S., Italy and Mexico. He has supported all aspects of export licensing and has extensive experience related to re-export authorizations required to comply with U.S. export controls. Globaleyes provides compliance risk management solutions to global Fortune 500 companies, governments, and highly specialized technology firms. Globaleyes compliance risk management products and services integrate consulting, audit, training, certification and automation across all trade compliance operations and stakeholders. Globaleyes is one of the world's leading boutique trade compliance risk management firms.

Bo Birdwell co-founded Cyber Forward in June of 2017. He has over a dozen years of experience defending the largest public and private networks on the planet. He has led elite technical teams of cyber operators within both the Citi Security Operations Center and United States (US) Department of Defense. At Citi, he led 20 analysts in monitoring, detecting and escalating potential malicious or fraudulent activities to appropriate investigative services. He joined Citi after completing a twenty-year career within the US Air Force, where he served as one of the Air Force’s premiere experts on offensive cyber operations. He represented the Air Force to US Cyber Command, commanded an elite 140-member network warfare squadron and directed a team of 120 individuals conducting intelligence activities for Air Force air mobility operations.

Dowell Stackpole co-founded Cyber Forward Inc. Cyber Forward works with a select set of clients to build a forward strategy for maximizing their data integrity and security. Dowell previously served as the Chief Information Security Officer (CISO) for Bass Companies, a two-thousand employee, multi-billion dollar global operations enterprise. He established and managed Information Security across the Financial, Energy, Manufacturing, Commercial Property and Agricultural sectors. As the CISO, he invigorated employee awareness training through the incorporation of engaging videos. Additionally, Dowell evaluated and overhauled information security appliances and systems, bringing them in line with National Institute of Standards and Technology best practices. He also worked closely with Physical Security personnel to establish a combined Cyber/Physical Security Operations Center.
