Industry Voice: For flow-down CUI requirements, the solution is negotiation

In the brave new world of Cybersecurity Maturity Model Certification (CMMC) compliance, there is the issue of the flow-down requirements: As Controlled Unclassified Information (CUI) is moved from the government to the prime contractor and from one subcontractor to another, where does the CUI control end?

There is a very practical aspect to this. If the drawing plans used in a construction project are marked Controlled Unclassified Information (CUI), then does the tile installer need to be Cybersecurity Maturity Model Certification (CMMC) Level 2? If the drawing for a major assembly part used in a manufacturing process is marked CUI, then do the suppliers for the bushings, nuts, and bolts used to make the part required to be CMMC Level 2? There are no easy answers. It depends on the details.

It is good to begin with the definition of CUI. CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information.

First it is information that the government creates or possesses. It is also information that a third party may create on behalf of the government under a contract. This information is then subject to safeguarding and dissemination controls based on law, regulation, or government-wide policy. It is not classified information.

Next, what kind of information is CUI? This has been determined by the executive agent of CUI, the National Archives and Records Administration (NARA). NARA was appointed to implement Executive Order 13556, which established the CUI requirement. In doing so, NARA identified 20 categories of CUI including critical infrastructure, defense, export control, law enforcement, and other information. CUI covers a lot more than defense-related information.

To actively manage the CUI program's implementation and ensure compliance and standardization across the federal government, NARA delegated these responsibilities to the director of the Information Security Oversight Office (ISOO). This office was established in 1978 as part of the General Service Administration and is now responsible for standardizing, implementing, and reporting federal agency compliance. Most notably, in this context, one of its tasks is to establish standard marking requirements for CUI.

This brings us to another issue: Where does CUI end? There are two elements to this. First, CUI is information that is created for or is in the government's possession. This is information that is not in the public domain. If the information is commercial or open-source, it cannot be CUI.

Secondly, CUI must be marked as outlined by NARA and implemented by the ISOO, with the recommendation for an identified owner.

For the two examples briefly outlined above -- the drawings used in a construction project and a manufacturing process -- the question is still where does CUI end? The answer to this will result from a collaborative process that ends with the deconstruction or disaggregation of the CUI document. This is a discussion between the prime contractor and the government, which may involve the owner of the CUI document.

As mentioned, all CUI documents are to be marked with a designation indicator; the recommendation is to have the point of contact information. A CUI document is also supposed to have banner markings; the requirement is at the top of the page marked as CONTROLLED or CUI, and recommended is also at the bottom. For CUI basic, that is all that is required; for CUI specified, additional markings in the banner are required identifying the CUI category and limited distribution controls if needed.

The reality is that the government may mark more than is required as CUI. At the center of the discussion is making sure the information isn't improperly marked or in the public domain. This is the process of document deconstruction; like an exercise in scope, this is following the legitimate government information that needs to be protected.

In the building example, there may be a combination of government specifications and commercial construction practices. With off-the-shelf construction materials, what is the government information that needs to be protected? The other point is the aggregation of commercial components: At what point do they represent a design or information that needs to be protected? This has to be resolved by the government and the prime contractor; the prime has to look out for their subcontractors and not burden them.

In the manufacturing example, the same issues are at work. There may be government-specified components and off-the-shelf parts, but at what point does the aggregation of the two become controlled government information? Often the machined and commercial components are processed through commercially recognized finishing processes like anodizing and annealing. This also has to be resolved by the government and the prime contractor; the prime has the responsibility to look out for their subcontractors and not overburden them with regulations.

In the CMMC world, the need to protect government-controlled information is a non-negotiable requirement. The extent or depth of protection must be common sense, or it will not work. The extent of any flow-down requirements has to be a negotiated solution.

With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at mikeo@171comply.com.