Will a “We Don’t Have CUI” Argument Work?
What if we don’t have CUI?
As the government prepares to enforce the NIST 800-171 compliance requirement, you may find yourself thinking one of these thoughts:
- Can we avoid the NIST 800-171 compliance process altogether if we don’t have CUI?
- We don’t process federal data on our systems, so we don’t need to worry about NIST 800-171.
- We don’t have a contract with the CUI clause currently, so NIST 800-171 doesn’t apply to us.
- The government gave us laptops for use on this contract, so we’re likely exempt from NIST 800-171.
Let’s start with a CUI Overview
NIST 800-171 describes the safeguards that contractors must implement to protect CUI. CUI is “Controlled Unclassified Information”. Executive Order 13556 established an “open and uniform program for managing” CUI, and named the National Archives and Records Administration as the “Executive Agent to implement this order”. NARA did its part by cataloging the various types of CUI. NARA organizes CUI into several categories:
- Controlled Technical Information
- Critical Infrastructure
- Emergency Management
- Export Control
- Geodetic Product Information
- Information Systems Vulnerability Information
- International Agreements
- Law Enforcement
- North Atlantic Treaty Organization (NATO)
- Procurement and Acquisition
- Proprietary Business Information
- SAFETY Act Information
Many of these categories have sub-categories. For each category, NARA specifically describes what types of information fall within CUI scope.
Now, back to the question at hand. What if we don’t have CUI based on the NARA definition?
Are you sure you don’t have CUI?
OK, you may not have access to nuclear data, but what about technical information provided by the government for use on your contract? How about privacy information? This is the type of data that may end up on your systems inadvertently. Have you ever used technical data to demonstrate your understanding of the customer’s needs in a proposal? Have you stored deliverables on your laptop for retention after a contract ends?
Additional CUI Types
NARA reminds us that individual agencies still have some say in how CUI is defined. The top of their site includes the following statement:
***** IMPLEMENTATION REMINDER FROM THE EXECUTIVE AGENT *****
Existing agency policy for all sensitive unclassified information remains in effect until your agency implements the CUI program. Direct any questions to your agency’s CUI program office.
This means you need to be aware of any deviations from the standard CUI definitions by your target agency. For example, consider the new rules proposed by DHS on January 20th:
DHS’s proposed rule broadly defines “CUI” as “any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls[,]” including any “such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy of individuals.”
This is a big one. They’re basically saying “everything is CUI”. Let your subcontractors know too, since this applies to them as well.
How do you know you won’t be asked to handle CUI?
Think about it from the government’s perspective: Let’s say you’re an agency that puts an RFP out with the “Safeguarding Covered Information” clause. You get 7 proposals that are all similar in technical approach and pricing. Six of the proposals have the following verbiage: “We are compliant with NIST 800-171 and have procedures in place to protect CUI”. The seventh proposal contains the following statement: “We do not process any CUI and have not undergone a NIST 800-171 assessment”.
Which bid do you think will get thrown out?
Prepare to handle CUI
Regardless of whether you currently process CUI or not, it makes sense to have a CUI safeguarding capability. Your competitors surely do.
ComplyUp offers a comprehensive NIST 800-171 Self-Assessment Platform, complete with easy-to-understand explanations of each control.