Frequently Asked Questions

Per the National Archives CUI Program Blog: The CUI Program is a government-wide program that standardizes the way the executive branch manages unclassified information that requires safeguarding or dissemination controls required by law, Federal regulation, and Government-wide policy. This Program replaces existing agency programs like For Official Use Only (FOUO), Sensitive But Unclassified (SBU), Official Use Only (OUO), and others. The CUI Program addresses the current inefficient and confusing patchwork of over 100 agency-specific policies throughout the executive branch that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies.

All categories of information that currently qualify as CUI can be located HERE at the National Archives CUI Registry. Frequently encountered categories of CUI include Privacy – Personnel (e.g., Personally Identifiable Information (PII)) and Controlled Technical Information (CTI) (e.g., source code, engineering data, specifications).

NIST Special Publication (SP) 800-171 provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Department of Defense (DoD) contractors that process, store, and/or transmit CUI are required to implement these security requirements in order to become compliant with protecting CUI. NIST SP 800-171 guidance can be downloaded from: HERE

Additionally, NIST has also released NIST SP 800-172. The current NIST SP 800-171 control set was not designed to address Advanced Persistent Threat (APT).NIST SP 800-172 is a supplement to NIST SP 800-171 that adds additional security controls when Controlled Unclassified Information is part of a critical program that includes both High Value Asset (HVA) & Advanced Persistent Threat (APT). NIST SP 800-172 guidance can be downloaded from: HERE

Any organization that handles CUI data and conducts business with the DoD (either as a prime or subcontractor) are required to comply with Defense Federal Acquisition Regulations Supplement (DFARS) clause 252.204.7012 (Safeguarding Unclassified Controlled Technical Information) as of December 2017. Compliance with NIST SP 800-171 satisfies this DFARS clause requirement.

Full compliance with NIST SP 800-171 requires creation and maintenance of the following
documentation (also known as artifacts):

  • System Security Plan (SSP)
  • Plan of Action and Milestones (POA&M)

The SSP illustrates your CUI system environment (to include system description, system environment diagram, and full hardware/software inventory) and details how thoroughly your organization currently implements each of the required security practices.

The POA&M contains a list of all security controls that are not fully implemented within your CUI system environment and includes both associated fix actions and estimated completion dates.

Following initial creation, the SSP must be reviewed and updated at least annually (or as significant system changes occur) to maintain compliance. Further, the POA&M should be updated both quarterly to record progress made towards security controls implementation and annually when updating the SSP.

Finally, all NIST SP 800-171 security controls (currently 110) must be fully implemented within your CUI system environment following assessment and POA&M item resolution.

To address the delay with CMMC implementation, DoD has issued interim DFARS guidance (Case 2019-D041) which took effect on November 30, 2020.  This interim guidance requires that all affected contractors (those who currently must comply with NIST SP 800-171):

  • Create an account on the Procurement Integrated Enterprise Environment (PIEE) Supplier Performance Risk System (SPRS) database https://www.sprs.csd.disa.mil/
  • Enter NIST SP 800-171 Self-Assessment results score (requires updated System Security Plan (SSP) and Plan of Action and Milestones (POA&M))

Additionally, the following DFARS clauses were created to address the SPRS requirement:

  • DFARS 252.204-7019-Notice of NIST SP 800-171 Department of Defense (DoD) Assessment Requirements (SPRS)
  • DFARS 252.204-7020-NIST SP 800-171 Assessment Requirements (SPRS)

Contracting Officer Representatives (CORs) will be required to verify there is a valid NIST SP 800-171 assessment score in SPRS before they issue a contract, option year or extension to any contractor.

While you can use your current SSP and POA&M results, it is very important to review/update these documents to reflect the hard work you have put into becoming more secure, especially since your reported level of implementation can be used as a discriminator.

Further guidance on PIEE / SPRS can be downloaded from: HERE

Corvus can provide assistance on setting up accounts and uploading score into the PIEE_SPRS system.

Our NIST SP 800-171 compliance service is staffed by practicing subject matter experts who currently conduct system audits (Security Controls Assessment), develop SSPs, POA&Ms and implement system security controls (Information System Security Officer / Engineering) for multiple DoD and Federal Civilian Agencies. Our extensive experience helps us fully understand what is required to both achieve and maintain compliance for your organization.

Per the Office of the Under Secretary of Defense for Acquisitions & Sustainment, the Cybersecurity Maturity Model Certification (CMMC) is the unified Cybersecurity Standard for Department of Defense (DoD) Acquisitions to reduce the exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB). CMMC combines various Cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices.

The CMMC effort builds upon existing regulation, specifically, 48 Code of Federal Regulations (CFR) 52.204-21 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.201-7012 and incorporates practices from multiple sources such as NIST SP 800-171 Rev 2. and NIST SP 800-172. CMMC also adds a certification element to verify the implementation of cybersecurity requirements. CMMC is designed to provide the DoD assurance that a Defense Industrial Base (DIB) contractor can adequately protect CUI at a level commensurate with the risk, accounting for flow down to subcontractors in a multi-tier supply chain. The current guidance can be downloaded from: HERE

Level 1 (Foundational) focuses on basic cyber hygiene and consists of the safeguarding requirements specified in 48 CFT 52.204-21. The Level 1 practices establish a foundation for the higher levels of the model and must be completed by all certificated organizations. There are 17 practices that are expected to be performed to include an annual self-assessment.

Level 2 (Advanced) will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171. Organizations that require access to CUI and/or generate CUI should achieve CMMC Level 2. CMMC Level 2 indicates an advanced ability to protect and sustain an organization’s assets and CUI; however, at CMMC Level 2, organizations will have challenges defending against advanced persistent threats (APTs). There are 110 practices that align with NIST SP 800-171 that are expected to be performed to include Triennial third-party assessments for critical national security information and annual self-assessment for select programs.

Level 3 (Expert) At CMMC Level 3, an organization has a substantial and proactive cybersecurity program. CMMC Level 3 indicates an expert level of maturity, and the organization has the capability to adapt their protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs. There are 110+ practices based on the NIST SP 800-171 and NIST SP 800-172 that are expected to be performed to include Triennial government-led assessments.

If your company wants to continue to bid/work on DoD contracts, you will need to be certified at the CMMC level specified within each contract opportunity.