As of Nov 2021, CMMC 2.0 was introduced and the information below may not apply in its entirety.
Since the birth of our nation in the late 1700s, the United States government has mandated various protections for classified information. The safeguarding of unclassified but sensitive information is a more recent occurrence.
This year the security requirements governing the protection of Controlled Unclassified Information (CUI) are center stage, with two major compliance actions required by December 31, 2021, in order for federal agencies to complete full implementation of the CUI Program. Implementation of these security requirements also applies to private sector organizations who wish to continue doing business with federal agencies.
In 2004, in the wake of the unprecedented events of September 11, 2001, the 9/11 Commission spotlighted the need for intelligence information—particularly classified information—to be shared cooperatively and transparently across government agencies. The goal was to improve national security through inter-agency communication in order to thwart future events.
In 2009, the scope of the Commission’s recommendations was expanded to include sensitive unclassified information, which makes a world of sense when you think about it. This was defined as all Controlled Unclassified Information (CUI) within the domain of the executive branch of the federal government.
The following year, in 2010, Executive Order 13556 established a comprehensive Controlled Unclassified Information (CUI) Program in support of the 9/11 Commission’s recommendations, with the goal of standardizing the patchwork quilt of agencies’ policies, procedures, and markings that had evolved over time to safeguard sensitive unclassified information. The Information Security Oversight Office (ISOO) was assigned to implement the order and monitor agency actions to ensure compliance. The order also specified that its provisions are to be “implemented in a manner consistent with applicable Government-wide standards and guidelines issued by the National Institute of Standards and Technology (NIST).”
In 2011, the ISOO published the CUI Registry, a central repository of all the laws, regulations, and government-wide policies related to federal agency protection of Controlled Unclassified Information in the executive branch.
In 2016, the ISOO issued 32 CFR Part 2002 to establish detailed policies to guide federal agencies in identifying, safeguarding, disseminating, and disposing of information included in the Controlled Unclassified Information Program.
In 2017, the National Institute of Standards and Technology issued NIST Special Publication 800-171, the definitive resource for organizations that do business with federal agencies on protecting the Controlled Unclassified Information under their management.
In February 2020, NIST released Revision 2 of Special Publication 800-171, updating its guidance to reflect the ongoing work of the ISOO in refining the CUI Program. (An errata update in January 2021 corrected various minor errors in Rev. 2 without affecting its substance.)
Most recently, in May 2020, the ISOO published updated CUI Program Implementation Deadlines. These final deadlines are based on federal agencies’ progress and projections as reported to the ISOO, and replace the initial deadlines for meeting CUI security requirements.
The ISOO is charged with overseeing the implementation of the CUI Program security requirements, monitoring agency compliance, and reporting to the National Archives and Records Administration. It has issued the following deadlines for agencies within the federal government executive branch.
By June 30, 2020
By December 31, 2020
By December 31, 2021
NIST 800-171 required federal contractors and other non-federal entities doing business with federal agencies to comply by December 31, 2017. The general consensus at that time was that only a very small percentage of contractors had implemented the requirements, and that much work remained to be done.
As a non-regulatory body, NIST does not enforce compliance or security protections, nor does it need to do so. That’s because any federal agency responsible for handling Controlled Unclassified Information is required to ensure that information is properly safeguarded by all organizations who handle, possess, use, share, or receive CUI on behalf of the agency.
Contractors who fail to comply with NIST 800-171 requirements will not be authorized to work with federal agencies, and contracts will be awarded only to those who can demonstrate compliance.
This is where NIST 800-171, Executive Order 13556, and 32 CFR Part 2002 intersect to create a complete and unified CUI Program across the federal government executive branch and its myriad supply chains.
The target audience for NIST Special Publication 800-171 is described as individuals and organizations “in both the public and private sectors.”
In both sectors, the audience includes (but is not limited to) components of the organization that have responsibilities for the system development life cycle; acquisition or procurement; system, security, or risk management and oversight; and security assessment and monitoring.
The NIST publication also clearly lays out the requirements for compliance, describing “fourteen families of security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations.” These are presented in Chapter Three of the publication.
The 14 families of security requirements are listed below. Because these requirements constitute sound information security principles and best practices for any organization’s information security program, they will resonate with any information technology or information security professional, at any level, in either the public or private sector.
It is noteworthy that security awareness and training for employees is considered crucial enough to merit inclusion in the security requirements.
To understand the structure of each family of the CUI requirements, the Media Protection family on page 29 offers a good example and is presented below. It is also representative of the level of detail provided in each of the requirements.
For any organization seeking to comply with any set of regulations, conducting a security risk assessment is widely considered the necessary first step in understanding the security posture of the organization at a given point in time.
Following are the requirements established by NIST 800-171 for risk assessments and security assessments. These can be found in Chapter Three, pages 33 to 35, of the current publication (NIST SP 800-171 Rev. 2). While they are presented as two separate assessment requirements, operationally they can be addressed in a single security risk assessment.
Security risk assessments are not only a best practice for information security but are also required for compliance with NIST 800-171. And while the NIST publication does not specify a frequency for security risk assessments, general practice among Information Technology professionals is annual or bi-annual assessment.
One of the most extensive federal supply chains belongs to the Department of Defense, with a network of more than 220,000 contractors and subcontractors, according to the Federal Procurement Data System. Members of this supply chain share two commonalities due to their work with the DoD:
Recognizing the need to harden its supply chain, in January 2020, DoD introduced its new Cybersecurity Maturity Model Certification (CMMC), developed to better protect sensitive data, including CUI, housed in its contractors’ systems.
The rigorous requirements of this new model support and are, in large part, based on NIST SP 800-171. In essence, the DoD has established and will enforce NIST 800-171 throughout its supply chain by requiring compliance with the CMMC.
All contractors who seek to be awarded DoD work will be required to have achieved the appropriate level of CMMC certification by October 1, 2025. Most are motivated to comply as quickly as possible in order to continue to compete for lucrative DoD contracts and RFPs.
Assistance is available to contractors in the DoD supply chain through two distinct but related services.
24By7Security offers a unique, award-winning CMMC Readiness Service designed to thoroughly prepare contractors for compliance and assessment. Assessment is mandatory to ensure that contractors meet all CMMC security requirements before they can be awarded certification by the CMMC Accreditation Body.
In addition, 24By7Security is among the first Registered Provider Organizations who are authorized by the CMMC Accreditation Body to assist contractors in preparing for CMMC compliance.
Executive Order 13556, issued in 2010, established the Controlled Unclassified Information Program across the executive branch of the federal government. 32 CFR Part 2002 outlines the requirements for protecting CUI at the federal level, while NIST 800-171 details the requirements for safeguarding CUI in both the federal and non-federal (i.e., public and private) sectors. Together they create a unified CUI Program across the federal government executive branch and its supply chains.
This year, federal agencies are required to complete the final implementation activities by December 31, 2021. Any federal agency responsible for handling Controlled Unclassified Information is required to ensure that CUI is also properly safeguarded by all organizations who “handle, possess, use, share, or receive CUI on behalf of the agency.” Contractors who fail to comply with NIST 800-171 requirements will not be authorized to work with federal agencies, as contracts will be awarded only to those who can demonstrate compliance.
The National Institute of Standards and Technology provides substantial guidance to all types of organizations in cybersecurity and security risk management, and offers a formal cybersecurity framework to assist Information Security and Information Technology professionals in developing security programs and managing cybersecurity risk across their organizations. Implementing the NIST cybersecurity framework is a perfect place to begin an information security program or upgrade an established program!