How do I know if I have CUI

With mandatory NIST SP 800-171 compliance on the horizon and CMMC coming on its heels, questions about CUI are increasing in number. The ultimate question remains, however, “How do I know if I have CUI?” 
There are three primary ways to find out this important information. 

DFARS Clauses in the Contract

The first is to look in your contract for one of five DFARS clauses. What is DFARS? The Federal Register defines DFARS as follows: “The Defense Federal Acquisition Regulation Supplement (DFARS) to the Federal Acquisition Regulation (FAR) is administered by the Department of Defense (DoD). The DFARS implements and supplements the FAR. The DFARS contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public. The DFARS should be read in conjunction with the primary set of rules in the FAR.” What is the FAR? The FAR is what federal agencies use to regulate the acquisition of products and services with allocated funds. The three agencies in charge of the FAR are the Department of Defense, GSA, and NASA. 

Within the DFARS, there is a section called “Safeguarding Covered Defense,” and that is where the clauses in DoD contracts come from. 

The following are the five clauses potentially in your contract that would mean you are handling or storing CUI:

  • 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
  • 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
  • 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
  • 252.204-7021: Cybersecurity Maturity Model Certification Requirements (this is pending the final release of the CMMC rule)
  • 252.204-7024: Notice on the Use of the Supplier Performance Risk System (SPRS)

Government Actions and/or Documentation

Sometimes knowing you are handling CUI is easy. A contracting officer or a contact from the prime or the government may simply inform you that the contract you are undertaking will include CUI. At that point, you may be able to ask for more details to know for sure what type of CUI you will be receiving.

Another way the government may inform you of CUI is via security classification guidance. This guidance will indicate that there is CUI in your contract and how you are expected to handle that CUI.

Finally, the government may make it very simple for you and mark CUI on the contract itself. It is important to note that a “for official use only” marking does not necessarily mean the contract has CUI. It may, but that marking alone is not enough to confirm whether CUI is present.

Just Ask

If you have reviewed your contract and have not received explicit direction from anyone, it is acceptable and even desirable to ask your contracting officer whether there is CUI. It is always better to be certain than to hazard your company’s success on a guess. Make sure. You are well within your rights to do so.

Questions

If you would like to discuss your company's current situation regarding cybersecurity and CUI, contact us today. Now is the perfect time to get your arms around what CUI you are handling and how best to protect it.
