Cybersecurity Insights: Updates on CMMC Implementation and CUI Identification
In this episode, Wiley partners Gary Ward, Tracye Howard, and Craig Smith examine the ongoing developments related to implementation of the Cybersecurity Maturity Model Certification (CMMC) program. They discuss the current progress, the anticipated timeline, and the potential impact of a change in administration on its finalization. Additionally, the team addresses the concept of Controlled Unclassified Information (CUI) and outlines best practices for contractors handling CUI.
Transcript
Craig Smith
We’re back here with another Government Contracts Podcast. I’m Craig Smith, a partner in Wiley’s Government Contracts Group. Joining me today are my partners, Gary Ward and Tracye Howard. Gary and Tracye, thanks for joining us today.
Tracye Howard
Thanks for having us.
Craig Smith
We’re just delighted to talk about CMMC, the Cybersecurity Maturity Model Certification, that never seems to not be in the news these days. There have been some developments early this year. We’re excited to get a lay of the land and then really try to think about, from a practical perspective, what do I do about this? It’s one thing to understand what the words on the page, in a clause or on a website, say, but what do I actually do about that? So those are the two things we want to talk about today. Tracye, let’s start with where we are. It feels like we’ve been whipsawed back and forth between different versions. What’s the state of play at this point?
Tracye Howard
So right now, we have a proposed rule for CMMC 2.0. It came out in late December, and a hundred and something comments were submitted around the end of February this year. So DOD is reviewing those comments and responding to them, and deciding whether they want to make any revisions before they issue the final rule, and from what we’re hearing, they want to do that fairly quickly. They want to get the final rule out so that there’s sufficient time for Congress to review it before any potential change in Administration. There’s a little bit of an art to calculating what that magic date is, and I’ve seen some estimates that it could be mid to late May to get that full congressional review period in. So I would expect the final rule to come out relatively soon. In the grand scheme of how long CMMC has been around, that feels like lightning speed.
Craig Smith
One thing our listeners may be asking about, Tracye, is that this has been around; it doesn’t seem like an administration-specific issue. If it takes a little bit more time to get the rule out, is there any reasonable likelihood, you think, that there could be a pullback in a different administration?
Tracye Howard
You’re right in that the original CMMC did start in the previous administration. I guess you never know, and I think the folks who have been working on this for some time and trying to get this final rule out probably want to just avoid the uncertainty that a new administration could come in and, maybe not pull back entirely, but want to make changes, and they don’t want to be going back and starting from square one.
Craig Smith
Okay, that’s fair. I’ve been seeing some anti-CMMC bumper stickers in my neighborhood, so I get that people want to get this done. Then let’s assume that, you said lightning speed, you know, relatively, so what is it actually going to mean at this point? And Gary, let’s try to think about not our people in IT, our CISOs or whoever, who are just steeped in this, but our listeners who have technical responsibilities but aren’t technical people, or maybe are technical adjacent. What are the questions to be asking at this point to get ready for a likely final rule?
Gary Ward
Thanks, Craig, and I say you can even ask these questions with your CISO. This can be a conversation no matter what your technical understanding is. This is probably the same conversation you’re going to have, whether it starts with, hey, how are we with CMMC? How are we with NIST? How are we with DFARS? How are we with the 7012 Clause? How are we with the basic assessment? Anything that talks about DOD and cybersecurity often comes back to sort of three threshold questions. First, do you handle CUI on your information system? Second, do you know where within your information system you handle CUI? And third, do you have a system security plan in place? That’s where I’d start every conversation.
Craig Smith
And for listeners out there, CUI sometimes is referred to as CUI, or among the French, CUI, I believe, is how it’s pronounced. So that seems like a thorny question that bedevils everyone. Why don’t you, can you talk to us a little bit about how you decide if you handle it?
Gary Ward
Yeah, and I’ll just put a plug in here: I think we prefer controlled unclassified information, CUI, not CUI, but we hear it all the time. But, unpacking what CUI is, there are really two elements to this, and the second one is often neglected because it’s less relevant for government employees, and a lot of these rules and the training materials were developed with government employees in mind, but it’s critically important for contractors. So the first is kind of a categorical approach. We think about this as the CUI categories. So, does the information fall within one of the CUI categories identified in a CUI registry? That could be either the NARA registry or the one maintained by DOD.
Craig Smith
When you say NARA, you mean the Archives?
Gary Ward
That’s right. They have a role in administering this program too because this is a Government-wide requirement. Now the CUI categories are supposed to be limited to information where there’s an existing law, regulation, or government-wide policy that requires or permits the agency to handle that information with restrictions or requires it to be safeguarded. One of the examples I think about is the marking PROPIN, which you’ll see in the DOD registry, that covers general proprietary business information. Because, not surprisingly, there are several statutes, regulations, and policies out there that say government employees should not be releasing certain types of general proprietary business information. So that means, some people think, any proprietary information becomes CUI. Well, that’s where the second half of the definition comes into play, and this is a definition that comes from the CUI rulemaking that’s in Title 32 of the CFR. In order for it to be CUI, there has to be some kind of governmental connection.
If we’re talking about information that’s in the hands of a non-federal entity, like a contractor, it’s only CUI if, and this is quoting from the definition, “the entity creates or possesses the information for or on behalf of the government.” This is where you have the line between general business proprietary information that the contractor develops for its own purpose. When it’s on the contractor’s system and the contractor’s hands, that’s not CUI. But if you were, let’s say a government employee who received that, then it would be CUI. It could be CUI if you are a support contractor from the government and you get that information, and it relates to a different company. It’s not just about what is the nature or the type of information, but it’s also what is the connection to the government? Do you have that as a contractor because you need it in support of performing your contract? Did you create it when supporting the contract? There’s got to be that governmental connection.
Craig Smith
One thing just for our listeners to make sure, it could be information related to a contract that never actually goes over to the government, but you could still generate CUI as a contractor, right?
Gary Ward
Yes, because it doesn’t have to originate from the government; it can be something that you create in support of the performance of the contract. And really, in the context of the contract, the DFARS Clause puts a little bit of a finer point on it, and I’m talking about DFARS 252.204-7012, because it gives two particular examples of that governmental connection. The first is, marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor. But the other one, the second one, is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. So it can include something that you develop specifically for the government.
Craig Smith
You know, it sounds like markings are an important signal, but not definitive?
Gary Ward
Well, that gets into a complicated, a little bit of a complicated area, because CUI should be marked. There’s a lot of training on the markings. And then if you have something that’s overmarked, there’s a question of whether it has to be properly decontrolled or whether the contractor can further disclose it.
Craig Smith
It’s a thorny issue, isn’t it?
Gary Ward
Yeah.
Craig Smith
Which is, I feel like overmarking is not a riskless or frictionless activity. To just mark things very broadly, right?
Gary Ward
Yeah, that’s – I was already thinking about the overmarking because there is really a gray area. Once something is marked as CUI, the CUI regulations kick in and require it to be decontrolled, and DOD has a policy for how you decontrol something, and it’s got to go through a prepublication review. But at the same time, the whole goal of the CUI program was to not limit the lawful distribution of this information, and there is language going back to the Obama Executive Order in 2010 that really laid the framework for this. It wasn’t intended to create additional restrictions on the disclosure of this information that are inconsistent with those underlying statutes, regulations, or policies.
Tracye Howard
I hear a lot of contractors complaining that the government isn’t marking CUI and they don’t really know whether they have CUI or not, but it seems like they sort of have their own responsibility to make some of those determinations as well.
Gary Ward
Yeah, I’d agree. You can’t totally rely on the CUI markings. Hopefully we’ll get to a point in time where there is more of a consensus about what is CUI, but in the meantime, it is an incredibly challenging area to figure out what is CUI, because that drives everything else you do in the cybersecurity world. Before you figure out what you have to secure, you have to figure out what is the information that needs to be secured.
Craig Smith
So maybe that gets to another thing that comes to mind with that first question you had, which is, alright, well, we’ve at least reasonably identified what we think CUI is or is not, but then whether it is on my network or not is another question. Isn’t it?
Gary Ward
Yeah, because one of the situations we see is a contract will require a company to handle CUI, but internally the government agency has a policy that this type of information must only be accessed on government-furnished equipment. As part of the contract, the government will give all the employees who support the contract a government laptop and a government phone, and all of the CUI stays on those devices. Sometimes you’ll see some of the larger prime contractors do the same thing. In that situation, you’re accessing, you’re handling CUI, but it’s not flowing back to the contractor network, the contractor information system, so you aren’t handling the CUI on your system. So that means you don’t have to comply with all the 7012 requirements, and you shouldn’t have the CMMC Level 2 requirements, because it’s not coming onto your system; there’s nothing on your system to secure. Now you still have to make sure that you have a policy that prevents those employees from moving that CUI onto your system, and that’s really one of the areas to watch for those contracts.
Craig Smith
Well, let’s set that possibility aside and think about, we know we’ve got CUI on our networks, but now I feel like I’m in one of those 1970s public service ads: it’s 11:00 at night, do you know where your CUI is? How does one tackle where, in the vast web of networks at my company, we actually have the CUI?
Gary Ward
This really starts with figuring out first what type of CUI you have, and then you can start the process of mapping it. Now sometimes, on a big-picture level, some companies will take an approach of saying CUI can be anywhere on our enterprise network. Well, if that’s the case, then you’re going to have to make sure your entire enterprise network is within the boundary, and that you’re implementing all of the substantive security controls across that entire boundary. Sometimes, on the other end of the scale, you can have a very small enclave. Where we see this, sometimes it’s a virtual desktop: an employee logs into their work laptop, they then click on an icon that opens up a virtual computer on their desktop, and all of the CUI has to stay within that environment.
Craig Smith
The idea is, I can’t bring it onto my local machine.
Gary Ward
Exactly. You can do that through a mixture of policies and technical controls. The tradeoff there, then, is you have a smaller environment to secure. Your technical requirements are a little bit easier because you have a more controlled environment. But now you have to enforce your policies to make sure no CUI comes outside of that environment, because one of the things you can run into is, if that CUI crosses over that boundary into another part of your information system, you have a risk of triggering a cyber incident, because that could be considered an unauthorized information system.
Craig Smith
And are you using “cyber incident” in the way it’s used in the 7012 Clause there?
Gary Ward
Exactly.
Craig Smith
And so, in other words, I mean, I think whether it’s a big boundary or a small boundary, it sounds like you’ve got to have your guard up either way. You mentioned technical controls to make sure the system works in terms of setting boundaries; maybe monitoring might be a consideration.
Gary Ward
Yeah, and you’re always going to have some boundaries. I gave a very simple version of it: you have an enterprise-wide setup or you have an enclave setup, but most companies are going to have some systems – think about your business systems, your accounting system, your HR systems – that might not be capable of implementing all the security requirements. You might be using a software as a service that doesn’t implement all the requirements, and so there you need to make sure your CUI does not go onto those systems, and you treat them as outside of your boundary.
Craig Smith
Any different approach for, say, access to the CUI versus where it’s stored, or am I asking the same questions?
Gary Ward
Well, every part of the system should have access controls, and access control is one of the families of controls in NIST 800-171 that talks about those specific requirements.
Craig Smith
And then, how easy is it, or what are the questions I should be asking if maybe we have a big perimeter and I’d like to explore having a smaller enclave, or I’ve got a smaller enclave, but it’s creating such operational friction that I need to look at the feasibility of broadening my boundaries. How do you go about thinking about changing your approach in this scenario?
Gary Ward
You’ve got to start with talking with, maybe not start, but an important thing is to talk with your users and figure out where your employees are putting CUI, and where they would like to be able to put CUI so that they can do their job. You don’t want to define your enclave so narrowly that it becomes a challenge to do their job. You know, they can’t check for certain information, or they can’t use certain tools. That’s one of the things that you want to talk through and figure out: where do we need to have CUI, where do we need to be able to process it?
Craig Smith
I think what you pointed out a little indirectly there is an important thing to also think about: the user experience. Your controls are going to work much better if people can get the information they need when they need it. I mean, you and I see Tracye throw her laptop out of her office at least once a week out of frustration, and you know, if she had better access, maybe she’d be better able to follow our controls.
Tracye Howard
That’s true.
Craig Smith
Then you’ve got the system set up, but then what comes next? Is there documentation?
Gary Ward
Exactly. That comes to the third question, the system security plan. If we’re having this discussion at a nontechnical level with any of the stakeholders on your CMMC cybersecurity issues, I would ask, do you have a system security plan in place? That is the first question, and hopefully the answer there is yes, and then I take a look at it. The system security plan can come in all shapes and sizes; they can be very technical, but here are two things that I think anybody who picks up a system security plan can look at and answer: are we at least headed in the right direction? First is, does that plan identify the resources that are included? The scoping conversation that we just had, can you look at that? And if you use the NIST template for the system security plan, there’s Section 2, where you include a diagram of your information system. Now we can get into a detailed discussion about whether that boundary is right, but for purposes of this initial conversation, I think anybody should just look at their system security plan and say, has a decision been made? Has a boundary been drawn? Then the second, really the lengthy part, what makes these system security plans so lengthy, is you have to go through each of the substantive security controls. In NIST 800-171, there are 110 security controls, and you have to provide a description that shows unambiguously how you implement that security control across your entire information system. So, think about that in terms of everything you’ve shown within your boundary: have you provided an explanation for how what you’ve done fulfills that requirement across all of your different IT resources?
Craig Smith
That sounds like something that, as much as technology evolves, needs to be a living document.
Gary Ward
Oh, exactly. NIST has a template system security plan, but the NIST guidance emphasizes that the plan doesn’t have to be a single document. It doesn’t have to be one created specifically for NIST 800-171. It can include extensive cross references to other existing documents. You can keep the sort of version control, or keep that living in its other area, so that the organization that’s in charge of that particular control, maybe it’s not the same person as the one who initially drafted the system security plan, there’s got to be some coordination between them, but you can distribute this plan into various documents and where it lives.
Craig Smith
I’m going to throw you a curveball here with a fourth question that I think will be pretty easy, though, so maybe not a curveball, a hanging slider. It seems like these questions would also be important to ask, and could be asked, by, let’s say, a due diligence team in an acquisition of a government contractor, so that there aren’t surprises down the line. Am I thinking about that the right way?
Gary Ward
Yeah, that’s exactly right. One of the things we would often ask in a due diligence project is, and this gets outside the three questions, but have you also submitted a self-assessment? That’s where a company is making representations to the government, A, that they have a system security plan in place, because you cannot do a self-assessment unless you have a system security plan in place.
Craig Smith
Just remind some of our listeners, who are coming to this a little bit as a new responsibility, the self-assessment is for?
Gary Ward
That is for, I guess I’ll call it Step 2 in DOD’s rollout of the cybersecurity requirements. We had the 7012 Clause; that’s really been effective since 2017. The DOD IG did a review and said, hey, contractors might not be fully complying with this. DOD’s next step was, yes, we have this CMMC 1.0 that’s very ambitious, we’re eventually going to roll that out, but in the meantime, let’s have contractors do a self-assessment of their compliance. This is now what’s in the DFARS 7019 Clause, 252.204-7019, and also in 7020. This has three tiers of assessment. One is, contractors have to go in and conduct a basic assessment of themselves; the “basic” refers to the level of confidence that it gives DOD. And then DOD reserves the right to conduct medium and high assessments. Think about a medium assessment as DOD coming and looking just at your system security plan, or a high assessment as looking at the underlying implementation, a lot more like DOD would do in a CMMC type of review.
Craig Smith
That’s just DOD, and something that I think to bear in mind is that probably, Gary and Tracye, the clients you work with are experiencing not only the whiplash I mentioned earlier, but then there might be DHS requirements or other agencies. It sounds like it’s not getting any easier to manage these cybersecurity requirements, even if at least CMMC might finally have a defined form coming at some point this year.
Tracye Howard
Yeah, that’s right. But they are all based on these NIST standards, and so these questions that Gary’s been talking about are going to apply even if the clause that you have is from DHS and it looks a little different than CMMC. It’s still going to be relying on those same NIST standards, and so these fundamental questions are going to be the same for you.
Craig Smith
Well, Gary, Tracye, thank you so much for joining us. Really appreciate it, and we’ll look forward to hearing more once the final rule is upon us.
Tracye Howard
Sounds great, thanks for having us.