Contractors and subcontractors working on Department of Defense (DoD) contracts are often responsible for handling controlled unclassified information (CUI) as part of their contract work. While CUI doesn’t meet the criteria to be considered classified, it must still be protected and handled according to specific regulations to ensure that the contractor remains in compliance. Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 applies to all DoD contracts (including subcontracts between the contractor and any subcontractors that involve covered defense information), making it the contractor’s responsibility to know whether they are handling CUI and, if so, to follow the appropriate controls and procedures to safeguard it.
Identifying CUI, unfortunately, is not always a straightforward proposition. Worse, making a mistake and failing to fully protect the right information can result in costly fines. On the other hand, overbroad compliance efforts can also be expensive and time-consuming. Determining what steps are truly necessary for compliance in an efficient manner is essential for containing both risk and costs for DoD contractors.
The DoD’s CUI Registry is the central reference for information about CUI, intended to standardize how information is safeguarded and provide a uniform marking system for such information. However, the DoD has also included the U.S. Munitions List and the Commerce Control List as authorities for controlled technical information (CTI), which is “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”
This specific type of CUI can be subject to strict export laws such as the International Traffic in Arms Regulations (ITAR), which controls (among other things) the export of defense-related technical data. Export violations in recent years have led to costly fines for companies like Boeing ($51 million), RTX ($200 million), and Oregon-based Precision Castparts Corp. (PCC, $3 million). This illustrates the importance of determining the correct category of CUI, as the type can require additional compliance requirements not applicable in other cases.
Can a contractor assume that a distribution statement means CUI is included? Not necessarily. Different types of distribution statements can apply to classified information, CUI, or unclassified information. So while contractors can’t assume that a distribution statement automatically means CUI is present, seeing one should prompt them to dig deeper and look for other markings or supporting information that confirms the presence of CUI.
It might seem like a shortcut to safety to treat all information received as part of a DoD contract as CUI, thus eliminating any uncertainty as to whether compliance efforts are sufficient. However, this approach is both inefficient and expensive. On top of the cost of enacting cybersecurity controls that may not be necessary, treating everything as CUI introduces friction and added layers of complexity every time the data needs to be accessed or moved. Appropriately defining the scope of what’s needed helps control costs and ensure that compliance efforts are focused appropriately where they are needed.
The time spent drilling down on the information provided and analyzing the authorities that either define the data as CUI that must be protected or exclude it from compliance requirements ultimately saves time later in the process. While maintaining the correct level of Cybersecurity Maturity Model Certification (CMMC) compliance is essential, overshooting the mark may ultimately hinder contract progress while adding unnecessary expense.
If your organization is unsure of the right approach to protect CUI and meet your applicable compliance obligations on DoD contracts, the experts at Right Click can help. We work with defense contractors to analyze their needs, assess their current cybersecurity readiness and identify specific steps necessary to achieve accurate compliance, and develop a plan to both meet and maintain necessary compliance. With information security a non-negotiable requirement for being able to bid on defense contracts, don’t put your business at risk. Let Right Click provide clarity and a path forward. To schedule your consultation, contact us here today.