CUI Programs

CUI Programs are not yet required, but soon they will be. I am reminded of the old motto some security professionals have quoted, \”NISPOM tells you what, we tell you how.\” I try to keep that motto alive in my work. But now, we have CUI guidance to apply. The NISPOM guidance is very clear that CUI will not be inspected unless special circumstances require it, i.e. a contract or CSA requirement. This is out of 32 CFR Part 117 NISPOM:(C) The CSA may conduct physical examinations of the interior space of containers not authorized to secure classified material. Such examinations will always be accomplished in the presence of a representative of the contractor.

(iii) Controlled unclassified information (CUI). 32 CFR part 2002 requires agencies to implement CUI requirements, but compliance with CUI requirements is outside the scope of the NISP and this rule. However, CSAs may conduct CUI assessments in conjunction with NISP USG reviews when:

(A) The contractor is a participant in the NISP based on a requirement to access classified information;

(B) A classified contract under the CSA\’s cognizance includes provisions for access to, or protection or handling of, CUI; and

(C) The CSA has provided the contractor with specific guidance regarding the assessment criteria and methodology it will use for overseeing protection of the CUI being accessed, stored or transmitted by the contractor as part of the classified contract.

Other references to CUI training states that it is not ye required.

However, keep in mind that though it is not yet a requirement, CUI programs will one day be implemented at the contractor location.

So, let\’s go to guidance outside of NISPOM. So far, it is directed to government agencies and not the contractors. The guidance tells us that CUI exists and should be protected, but doesn\’t really get very deep. For context, I\’m helping an agency and some contractors implement their CUI plans. It\’s early in the guidance, but we are trying to get ahead of the requirements and be proactive. So far, capturing and implementing an actionable process is very difficult because the guidance hasn\’t really nailed anything down. I imagine that some of you may be experiencing the same issues.

While I expect that more specific and adequate guidance will come out, it\’s a difficult task to build a program identifying what is the CUI that exists at a certain location, to how do I get the contractors to follow guidance and apply where they perform the work involving CUI. So far guidance only defines CUI , what is required for CUI training, and what are the markings. I see some conflict between the DFARS , DOD INSTRUCTION 5200.48, and how it\’s being interpreted by the CUI links (i.e. ISOO, CDSE, National Archives).

The guidance is really only theoretical and breaks down when you actually try to apply it and make resolute decisions. So far it appears that DoD instructions and DFARS do require contractors to protect controlled technical information, export controlled information and CUI. The requirements for a program at the national level are given and responsibilities have been assigned to agencies. One day DCSA will be overseeing contractor plans. However the CUI blogs and training provided excuse the contractor from participating until told to do so in a contract (in my opinion). THis is a huge disconnect.

Here\’s what I find conflicting with current CUI guidance:

I find this conflicting for the following reason: If the government provides documents marked as CUI, and the contractor creates products from that information, that product should be marked CUI. A contractor doesn\’t need a contract clause to initiate, it\’s in DFARS and guidance is provided in the \”CUI\” marked information.

The answer, in my opinion, should be that if the contract identifies the use and generation of CUI, the contractor should expect to perform derivative CUI products. Again, since CUI is covered in FARS and DFARS, contractor responsibilities are already required.

My recommendation is for defense contractor FSOs, security specialists and SMOs to review DOD INSTRUCTION 5200.48, in addition to what is available and proceed with initiating CUI plans to protect CUI and perform derivative CUI actions.

Additionally, even though the NISPOM only requires conducting training without a contractual requirement:

(f) CUI training. While outside the requirements of the NISPOM,when a classified contract includes provisions for CUI training,contractors will comply with those contract requirements.

I recommend that contractors begin to incorporate CUI training into current training products. Though you may not have a contractual obligation, you may still have inferred requirements with DFARS and the the following rationale:

Many defense contractors derivatively generate controlled technical information, covered defense information, CUI and should have a plan to protect it.

If you follow current guidance of waiting for contractual language or a CSA generated requirement, you may be exposing CUI to unauthorized access.

How have you interpreted the CUI program so far?

If you would like to share your experiences or need any additional assistance with establishing a CUI program, please contact me or respond to this email.

Be sure to visit Red Bike Publishing for books and training.

If you have questions, visit Jeff\’s website: jeffreywbennett.com

Leave a Comment

newsletter

Click here to sign up for the Newsletter