CUI Federal Regulations
What is CUI?
CUI, or Controlled Unclassified Information, refers to sensitive information that is not classified but still requires protection due to its potential impact on national security, privacy, or other vital interests. Safeguarding CUI is crucial for several reasons:
- National Security: CUI can encompass a wide range of sensitive information, including defense-related data, intelligence reports, infrastructure details, and critical technologies. Unauthorized access or disclosure of CUI could compromise national security, jeopardize military operations, or expose vulnerabilities to adversaries.
- Privacy and Personal Information: CUI often includes Personally Identifiable Information (PII), such as medical records (Personal Health Information or PHI), financial data, or proprietary business information. Safeguarding CUI helps protect individuals’ privacy.
- Critical Infrastructure: CUI can encompass information about critical infrastructure systems, such as power grids, transportation networks, or communication systems. Unauthorized access or manipulation of CUI related to infrastructure can disrupt essential services, cause economic disruptions, or compromise public safety.
- Compliance and Legal Requirements: Many government agencies are bound by regulations and legal requirements to protect CUI. Failure to safeguard CUI can lead to legal consequences, financial penalties, or reputational damage. Compliance with security protocols helps the institution meet its obligations and demonstrate its commitment to responsible information management.
Robust security measures, including access controls, encryption, employee training, and regular assessments, are essential to prevent unauthorized access, disclosure, or misuse of CUI.
Federal agencies designate CUI based on laws, regulations, or government-wide policies that require information protection but do not qualify as classified. NIST SP 800-171 is the default security framework for protecting CUI in nonfederal systems.
CMMC
The Cybersecurity Maturity Model Certification (CMMC) program is a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors and subcontractors in the Defense Industrial Base (DIB) implement appropriate cybersecurity measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Protected Information
The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with defense contractors and subcontractors during contract performance.
- Federal Contract Information (FCI): As defined in section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
- Controlled Unclassified Information (CUI): As outlined in Title 32 CFR 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” For more information regarding specific CUI categories and subcategories, see the DoD CUI Registry website.
Overview of Assessments
The CMMC Program provides assessments at three levels, each incorporating security requirements from existing regulations and guidelines.
Level 1: Basic Safeguarding of FCI
Requirements:
- Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.
Level 2: Broad Protection of CUI
Requirements:
- Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation.
- The assessment type is determined by the type of information processed, transmitted, or stored on the contractor's or subcontractor's information systems.
- Annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2.
Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats
Requirements:
- Achieve CMMC Status of Final Level 2.
- Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
- Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.
CMMC vs. CUI
While CMMC is specific to the DoD, CUI is a broader federal designation governed by Executive Order 13556 and implemented across all executive branch agencies via the CUI Program, overseen by the National Archives and Records Administration (NARA). Each agency uses the CUI Registry (maintained by NARA) to identify categories and subcategories of information that qualify as CUI.
Contract Clauses
DFARS 252.204-7012
DFARS 252.204-7012 is a clause in contracts that addresses the safeguarding of CUI and compliance with cybersecurity requirements. The purpose of the 7012 clause is to ensure that contractors adequately protect CUI and maintain robust cybersecurity practices to prevent unauthorized access, disclosure, or loss of sensitive information. It applies to contractors, including subcontractors, who handle, store, process, or transmit CUI in connection with performing Department of Defense (DoD) contracts.
The clause includes specific deadlines for compliance with cybersecurity requirements. Contractors must implement the specific security requirements within a designated timeframe, which may vary depending on the contract’s date of award. Additionally, contractors are required to develop and maintain a System Security Plan (SSP) that describes their implemented security controls. Agreements that contain DFARS 252.204-7012 cannot be signed until all related security requirements are completed.
DFARS 252.204-7020
DFARS 252.204-7020 establishes the mandatory assessment requirements to verify contractor compliance with DFARS 7012. Under DFARS 7020, contractors are obligated to implement the security controls specified in NIST SP 800-171 to protect CUI and the information systems that contain it, and to document those security controls in an SSP. DFARS 7020 delineates three assessment types used to validate a NIST SP 800-171 SSP: BASIC (self-assessment by U-M); MEDIUM; and HIGH. MEDIUM and HIGH assessments are conducted by a federal government organization. All three assessment types require contractors to have the affected SSPs registered in the DoD Supplier Performance Risk System (SPRS) database before a contract containing the DFARS 7012 clause can be signed by either party.
FAR 52.204-21
FAR clauses are the standard contractual clauses prescribed by the Federal Acquisition Regulation (FAR). FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” is a provision that outlines cybersecurity requirements to protect Federal Contract Information, a form of CUI.
FAR 52.204-27
FAR 52.204-27 prohibits the presence of the TikTok app (and any other ByteDance product) on all federal IT systems, equipment, and devices. The ban includes similarly affected contractor- and personally-owned systems, equipment, and devices used to monitor or manage a federal contract.
FISMA
The Federal Information Security Management Act (FISMA) was enacted to improve the cybersecurity posture and information security practices within federal government agencies. FISMA generally applies to agreements under which the institution is performing work on behalf of a federal agency (e.g., Health and Human Services). FISMA mandates the use of security controls and standards to protect federal information and systems. NIST SP 800-53 provides a catalog of controls and guidelines for federal agencies/contractors to follow when FISMA applies.