What is this CUI Thing, and Am I Too Late?

In 2016, the National Institute of Standards and Technology (NIST) published a mandatory guideline for Federal Contractors based on the Executive Order that established a Controlled Unclassified Information (CUI) Program. The compliance deadline for meeting the requirements of NIST Special Publication (SP) 800-171 was December 31, 2017. This means the deadline has passed and potential enforcement efforts are beginning.   

Although as a Federal Contractor, your organization may not yet have received a contract with the clause included or the assigned Contracts Officer may not yet have deemed specific information as CUI, there are some things you should know:

·      The Contract or the Contracts Officer may request a copy of your System Security Plan and an associated plan of action for any non-compliant elements.

·      The request may also include an attestation that you are compliant.

Most contractors have probably already at least started the process of an assessment related to the overall posture on CUI compliance. Companies that have not or cannot demonstrate CUI compliance may face disqualification from contract participation, be withheld from a subcontractor role or be ineligible to submit a proposal for some opportunities.

Over the past 18 months, EmeSec has contracted with customers ranging from light manufacturers and traditional IT companies to Federal Contractors with unique specialties. We have also worked with organizations of starting at varying degrees of readiness and security maturity. Our CUI services for SMBs earned two (2) national awards – but more importantly, we were able to assist our customers with their CUI journey.

So if you are wondering, am I too late?  The answer is no, not yet.  

EmeSec has been working with several clients that had this on their calendar but didn’t have the budget until 2018.  As we often advise our customers, CUI compliance is a marathon, not a sprint. So, your company can be compliant and accomplish it in 2018.

More specifically, the CUI journey begins with your organization’s cyber and information protection baseline. Because each company has unique strategic business needs, the result is different levels of adaptation of resources to meet the requirements in a customized manner,  and thus, control compliance spending. We have most recently trademarked our approach for this Strategic Measures for Adapting Resources and Technology Systems.  It’s called SMARTS™.  SMARTS™ addresses the entire organization because CUI is not just about cyber. 

Steps to Take Now

Like any compliance effort, the first steps of the journey are often the hardest – finding the time and the resources. 

There is also the buy-in from the top since this may impact most aspects of the organization. If you’ve been assigned the role of CUI Compliance “Deputy” here are some initial steps that we recommend:

·      Conduct a Risk Assessment

·      Use Multi-Factor Authentication

·      Complete a System Security Plan

·      Provide Information Security Awareness and Training

·      Establish an Incident Response Capability for Information and Data

A recognized leader in CUI and DFARS compliance, EmeSec has issued a number of tools including eBooks and subscription services helping small and medium businesses (SMB) adopt a do-it-yourself (DIY) methodology. It is  more cost-effective and efficient and helps establish a long term practice within your organization. 

Ask us about CUI/DFARS.  We can provide a variety of solutions to reduce the workload of becoming CUI compliant.  We are the low cost/low risk solution.  

For more tips, advice and perspectives, contact us at Info@EmeSec.net or call us at 703.429.4492.