The CUI Compliance Requirements: A Primer


The National Institute of Standards and Technology (NIST) is generating a subtle stir among existing federal contractors with new requirements for protecting Controlled Unclassified Information (CUI). The stir is a result of the Defense Federal Acquisition Regulations (DFARS) being the enforcement mechanism for NIST SP 800-171. EmeSec has prepared a CUI Compliance Primer to help contractors and federal agencies by highlighting the main requirements, providing an analysis of the most challenging areas to satisfy, and offering insights to help organizations prioritize next steps.

The CUI basic and derived security requirements established by NIST SP 800-171 give contractors a framework for enhancing foundational security and a platform for contractors to evaluate their data protection practices. However, for many small and mid-sized businesses (SMBs), this unwieldy mandate can be a barrier to entry or a regulatory requirement that is forcing their exit from the federal marketplace. Even larger companies may struggle to prepare a compliance strategy and accurately account for the enforcement penalties that may follow.

Compliance is required by December 2017. For some, CUI compliance requirements may come sooner as contracts are renewed or novated and as prime contractors request proof of CUI compliance of subcontractors. The worst impact of non-compliance would be the loss of one or all of the existing federal contracts in your portfolio.

To Adequately Prepare, Download the CUI Primer NOW!