CUI Compliance 2017

Frequently Asked Questions (FAQ) About Implementing Compliance Now


Controlled unclassified information (CUI) along with controlled technical information (CTI) are the newly coined terms that every federal contractor is whispering, cringing and thinking about.

In 2017, some contractors are attempting to understand why they should care. Others are wondering how best to interpret and implement the technical, administrative and inferred perspectives of the guidance provided in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision (Rev.) 1.

The government’s enforcement and implementation begin with the Defense Federal Acquisition Requirements (DFAR) 252.204.7012 and Federal Acquisition Regulations (FAR) 52.204.21.

Why should Federal Contractors Care about CUI? 

Most federal contractors will find themselves dealing with or responding to questions about their corporate or organizational CUI, DFARS or NIST SP 800-171 compliance. Educational organizations, non-profits and public-private partnerships that receive federal funding will also face the requirements this coming year.

Although the negative impacts of non-compliance aren’t yet front and center, at EmeSec we have anecdotal information from customers on the following:

  • Larger prime contractors inquiring, inspecting and insinuating that without compliance, specific contracts and tasks will be delayed or removed until compliance is demonstrated.
  • From the NDIA conference held on DFARS in December 2016, comments made by speakers suggested the potential for false claims or attestations of compliance.
  • IT 70 GSA Schedule Mass Modifications asked holders to attest to CUI compliance (not specifically, but listed the FAR clause(s)).

Although we have additional examples of the ad hoc concerns for federal contractors of all sizes, the reality is that your answer to the CUI compliance questions in the very near term may determine whether you have the opportunity to earn revenue as a Federal Contractor (whether prime or sub).

The deadline for meeting compliance is December 2017 or within 90 days of a signed contract containing the clause.  In some instances, that window of compliance could be shortened to 30 days if you count having to report to the contracting officer (or a prime contracting officer).

What are the requirements? And, have they changed?  

The CUI requirements apply to all components of federal and non-federal information systems and organizations that process, store, or transmit CUI/CTI, or provide security protection for such components.  The FAR and DFARS clauses also cover subcontracts at all tiers, as the clauses require contractors to flow down the safeguarding of federal information and systems.

If you have been following the CUI and DFARS discussions, the obvious answer is NIST SP 800-171. Early on, most folks considered the distinction made by the guide between basic and derived requirements to indicate that the basic requirements might be required first.

When GSA published the IT 70 Schedule Mass Modification, it became clear that the government was going to identify and specify individual security controls for the initial CUI requirements.  The specific requirements identified in the Mass Modification included both basic and derived security controls identified in NIST SP 800-171.

Government contractors implementing CUI and CTI protections require specific technical security and compliance documentation consistent with the 14 security control families in NIST SP 800-171.

The 14 security control families for CUI are shown in the graphic here.

In December 2016, NIST SP 800-171, Rev. 1 was published, and one obvious change was the requirement for Federal Contractors to have a System Security Plan (SSP) and Plan of Action and Milestone (POA&M).

It’s already 2017, how do I get started on CUI compliance?

Compliance preparation includes a number of documentation and technical components, including system and communications protection, incident response, training, configuration management and more. In our experience with some clients, this has meant learning what they have that can be re-used, identifying what they want to practice that meets the requirements and learning some new practices related to comprehensive information security.

Risk-based decisions and business calculations, along with technology implementation, always take more time than anticipated. Remember, CUI is not just a cybersecurity framework. Information protection spans your entire organization.

EmeSec Tools & Strategies

In 2016, EmeSec released a number of educational and training resources to help contractors get started without huge upfront costs. We offer customers a do-it-yourself (DIY) option to help reduce or offset the costs of CUI compliance.

Ask us about our training and consultation package. See our educational eBook, titled Simplifying CUI, available on Amazon. The original EmeSec CUI Primer is available at the company website.

Finally, join and participate in the CUI discussion on best practices and exchange of practical tips via the #SimplifyCUI Group on LinkedIn or follow #SimplifyCUI on Twitter.

Begin now, it’s already January 2017.  Plan your compliance and protect your contracts.