Before jumping into the details of the various cybersecurity requirements that we will be covering in this series, a few foundational topics need to be addressed. Common themes run through the federal regulations, so it is worth taking the time to focus on information classification in the context of the requirements and to provide an overview of the role of the National Institute of Standards and Technology (NIST).
Those who are familiar with the issued and impending FAR and DFARS rules are aware that each regulation defines the type of information that the contractor performing on the contract must protect. This makes sense, as the primary objective of the requirements is to protect sensitive government-related information on contractor networks. However, a major challenge faced by many in the Defense Industrial Base (DIB) is determining which specific information requires protection. Let’s take a look at a few definitions:
Federal Contract Information (FCI), FAR 52.204-21
- Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Covered Defense Information (CDI), DFARS 252.204-7012
- Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Controlled Unclassified Information (CUI), Section 2002.4 of Title 32 CFR
- Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
Because the definitions are intentionally broad, the DoD has provided guidance to help contractors understand how the information used under their contracts may fall within them. However, without clear direction from Contracting Officers, many contractors remain unsure where to draw the line when information is commingled across numerous internal systems and serves both commercial and government programs. Note that the CDI definition above covers not only information that is marked and provided by DoD, but also information the contractor collects, develops, or stores in support of the contract, so contractor-generated information cannot be excluded simply because it arrived without markings. Contractors should understand that, while the DoD is working to train its contracting personnel to better identify information requiring protection, judgments will still have to be made, often on a contract-by-contract basis, including for information the contractor itself creates.
Importance of Internal Data Classification Procedures
With the proliferation of data generated and consumed by companies of all types, data classification and governance programs serve a multitude of business objectives, compliance being only one. Contractors should treat the federal requirements as an opportunity to develop data classification policies and procedures, or to enhance existing governance structures, so that there is a defined approach for identifying, marking, and controlling information across the organization. Federal cybersecurity requirements, with a focus on managing controlled information, should be integrated into that structure rather than handled as a separate compliance exercise.
Ultimately, a mature organization will build on its data governance structure with a system risk categorization program that ties the sensitivity of the data, and the risk to the system that handles it, to the security controls required on each application or environment using that data. Combining data management with tailored security requirements in this way is what makes a risk-based cybersecurity strategy workable: controls are applied where the controlled information actually resides rather than uniformly across the enterprise.
The Role of NIST
NIST is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. The rule-making bodies of the DoD and the Executive agencies rely on NIST to develop comprehensive and relevant security frameworks and guidance based on the risks and vulnerabilities identified by its experts; DFARS 252.204-7012, for example, requires contractors to implement NIST SP 800-171 rather than restating the security requirements in the clause itself. NIST is trusted by federal policymakers to provide rigorous security guidance that takes the realities and constraints of the DIB into account when developing standards. Below is a tailored listing of NIST publications with which government contractors should be familiar:
- 800-18 “Guide for Developing Security Plans for Federal Information Systems”
- 800-37 “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”
- 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations”
- 800-53A “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans”
- 800-60 “Guide for Mapping Types of Information and Information Systems to Security Categories”
- 800-161 “Supply Chain Risk Management Practices for Federal Information Systems and Organizations”
- 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
- 800-171A “Assessing Security Requirements for Controlled Unclassified Information”
- NIST Cybersecurity Framework Version 1.1
Chess Consulting specializes in government contract regulatory compliance matters, and our understanding of the operating models of government contractors has afforded us unique insight into the types of controlled unclassified information commonly utilized under government contracts. If you have questions or need assistance, please click the “contact us” button below to reach one of our experts.