When it comes to meeting the compliance requirements of NIST, CMMC, and DFARS, safeguarding Controlled Unclassified Information (CUI) is crucial. The new CMMC cybersecurity requirements have made it clear that anyone who is part of the Defense Industrial Base (DIB) supply chain should take the necessary measures to protect CUI. However, the DoD has not yet made it clear how CUI is to be protected.
There is confusion among DoD contractors as to how to protect CUI. In this blog, we clear up some of the myths that surround CUI protection and cybersecurity compliance.
Myth 1: If a contractor handles CUI, the entire IT infrastructure and environment must be CMMC level 3 compliant.
According to the CMMC model v1.02, a DoD contractor implementing CMMC can achieve a specific level of certification for either the whole IT network or particular enclaves. The decision depends on where the controlled unclassified information is stored. It is worth mentioning that the Department of Defense has approved CMMC compliance using the enclave model.
Myth 2: Defense contractors are obligated to use Microsoft GCC High since most DoD enterprises use it.
Agencies under the Department of Defense do not typically use GCC High. They usually have their own DoD-only cloud storage for CUI.
Besides this, the DoD has not made it mandatory for DIB supply chain members to use a particular solution for storing and sharing CUI. The DoD has only stated that contractors at all levels should comply with the regulations it has set out to safeguard CUI within the supply chain.
Myth 3: Cloud Service Providers appointed to handle CUI must have accreditation from FedRAMP.
Only service providers that hold an Authority to Operate with the federal government are listed in the FedRAMP marketplace. FedRAMP members are sponsored and appointed by federal agencies. However, an Authority to Operate is not required when the cloud service provider is hired by a private enterprise that holds federal government contracts.
Myth 4: Cloud Services Providers should accept the DFARS 7012 flow downs
The Department of Defense has released a procurement toolbox that addresses the concern over the DFARS flow-down clause. A contractor does not usually flow down the DFARS clause to cloud service providers; however, if the CSP is hired as part of the CIS, it must meet the DFARS compliance requirements.
Myth 5: It’s a data breach if a DoD user sends an unencrypted email with controlled unclassified information to a DoD contractor.
Such an incident is termed a security incident, not a breach. The subcontractor or the DoD records the incident internally and checks for any residual information. Additionally, such incidents do not prevent one from bidding for government contracts.
Myth 6: Since proper marking of controlled unclassified information has not been done yet, subcontractors should consider all information as CUI.
While it is true that CUI has not been properly marked in the past, initiatives are underway to put in place an appropriate system for marking emails that contain CUI. All contractors and subcontractors should properly mark the CUI that comes down to them under DoD programs that follow CMMC compliance.