Cyber Articles

171Comply News, Alerts, and Resources

In the Flow Down of CUI Requirements, the Solution is Negotiation


In the brave new world of Cybersecurity Maturity Model Certification (CMMC) compliance, there is the issue of the flow-down requirements from prime contractor to subcontractor after subcontractor. The question is, as Controlled Unclassified Information (CUI) is moved from the government to the prime contractor and from one subcontractor to another, where does the CUI control end? There is a very practical aspect to this, if the drawing plans used in a construction project are marked Controlled Unclassified Information (CUI), then does the tile installer need to be Cybersecurity Maturity Model Certification (CMMC) Level 2? If the drawing for a major assembly part used in a manufacturing process is marked CUI, then do the suppliers for the bushings, nuts, and bolts used to make the part required to be CUI Level 2? If these parts are also processed or annealed to a common, in the public domain, Mil-Spec, are they required to be CMMC Level 2? Noting that if someone found this part lying on the street, they would have no clue what it was. The answer to the question is hardly direct, other than it depends.
It is good to begin with the definition of CUI. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information.
First it is information that government creates or possesses. It is also information that a third party may create on behalf of the government under a contract. This information is then subject to safeguarding and dissemination controls based on law, regulation, or Government-wide policy. It is not classified information.
Next is what kind of information is CUI? This has been determined by the executive agent of CUI, the National Archives and Records Administration (NARA). NARA was appointed to implement Executive Order 13556, which established the CUI requirement. In doing so, NARA identified 20 categories of CUI from Critical Infrastructure to Transportation, and in between are Defense, Export Control, Law Enforcement, Privacy, Patent, etc., information. Meaning CUI covers a lot more than defense-related information.
To actively manage the CUI program’s implementation, ensure agency compliance, and standardization across the federal government, NARA delegated these responsibilities to the Director of the Information Security Oversight Office (ISOO). This office was established in 1978 as part of the General Service Administration, and as is common in the government, it has never died. The ISOO is now responsible for standardizing, implementing, and reporting federal agency compliance. Most notably, in this context, one of its tasks is to establish standard marking requirements for CUI.
This brings us to the issue of where does CUI end? There are two elements to this. First, CUI is information that is created for or is in the government’s possession. This is information that is not in the public domain. It is not company or commercial intellectual property; it is not commercial-off-the-shelf products or industry practices. If the information is commercial, open source, it cannot be CUI.
The second element is that CUI must be marked as outlined by NARA and implemented by the ISOO, CUI information is to be marked; with the recommendation for an identified owner.
For the two examples briefly outlined above, the building drawing plans used in a construction project and the assembly drawing used in a manufacturing process, the question is still where does CUI end? The answer to this will result from a collaborative process that ends with the deconstruction or disaggregation of the CUI document. This is a prime contractor with the government discussion, which may involve the owner of the CUI document. As mentioned, all CUI documents are to be marked with a designation indicator; the recommendation is to have the point of contact information. A CUI document is also supposed to have banner markings; the requirement is at the top of the page marked as CONTROLLED or CUI, and recommended is also at the bottom. This is required for all pages in the document. For CUI basic that is all that is required; for CUI specified, additional markings in the banner are required identifying the CUI category and limited distribution controls if needed. The reality is that the government may mark more than is required as CUI. At the center of the discussion is the question, is the information improperly marked? Is what is marked in the public domain? This is the process of document deconstruction; like an exercise in scope, this is following the legitimate government information that needs to be protected.
In the building example, there may be a combination of government specifications and commercial construction practices. The building materials are open source and commercial-off-the-shelf. The issue is where is the government information that needs to be protected? The other point is the aggregation of commercial components; at what point do they represent a design or information that needs to be protected? This has to be resolved by the government and the prime contractor; the prime has to look out for their subcontractors and not burden them.
In the manufacturing example, the same issues are at work. There may be government-specified components and commercial-off-the-shelf parts; at what point is the aggregation of these two part types controlled government information? Often the machined and commercial components are processed through commercially recognized or Mil-Spec finishing processes, anodizing and annealing, for example. Here too, this has to be resolved by the government and the prime contractor; the prime has the responsibility to look out for their subcontractors and not overburden them with regulations.
All agree that the need to protect government-controlled information is a non-negotiable requirement. The extent or depth of protection must be commonsense, or this will not work. The extent of any flow-down requirements will have to be a negotiated solution.

The CMMC Proposed Rule. What does it mean?

On December 26, 2023, the Department of Defense, Chief Information Security Officer submitted the proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program. The proposed rule maintains the “three key features” as outlined in CMMC 2.0. The first...

read more

Internet of Things (IoT) Use With Caution

Internet of Things (IoT) Use With Caution As technology becomes integrated into our lives, even at the most mundane levels, it is important to understand that the helpfulness of this technology has another side. Developers of assisted technology, for the most common...

read more

Call Us

Contact us and we'll get back to you within 24 hours.


a Division of CommTech Systems, Inc

Send Us a Message