A Minimalist Approach to CUI in 2018

A Globalscape-sponsored benchmark study conducted by the Ponemon Institute in December 2017 shows that the costs of non-compliance are greater than the costs of compliance. Although the study looks at global companies, the lesson to take from it is that non-compliance was more costly regardless of organizational size. Some of the specific non-compliance costs, in dollars and in opportunity costs, are:

  • Inability to Bid
  • Revenue Losses
  • Business Disruption
  • Productivity Losses
  • Data Breach Clean Up
  • Data Leakage Forensics
  • Settlement Costs
  • Fines/Penalties

The compliance deadline for meeting the Federal Contractor requirements for Controlled Unclassified Information (CUI) has passed. The deadline was December 31, 2017. If you have not completed your compliance, a different approach may be needed to avoid penalties.

Simplifying What to Do Next

As we often advise our customers, CUI compliance is a marathon, not a sprint. Although every business is unique, there are many lessons learned that we offer to help shorten the time to compliance and save you resources and budget. For those companies just now taking on CUI/DFARS compliance, let's revisit CUI compliance with an at-a-glance approach.

Phase 1: Get Started

The CUI journey begins with your organization's cyber and information protection baseline. Because each company has unique strategic business needs, each will adapt its resources differently to meet the requirements in a customized manner. Like any compliance effort, the first steps of the journey are often the hardest: finding the time and the resources. You may also need to secure buy-in from the top, since this effort may affect most aspects of the organization.

Evaluate your in-house team's ability to satisfy the 800-171 requirements. Walk through the NIST 800-171 Self-Assessment Handbook published in November 2017 by EmeSec. If the team is capable, assign the control families to a group of contributors and note any gaps.

Phase 2: Improving Compliance

During this phase, the available evidence and knowledge of current compliance allow further planning and mitigation of risks and liabilities. Prioritize the security control areas of weakness. Identify the most critical security areas as well as the easiest to mitigate. Review your supply chain risks, especially in today's crowded cloud world. Complete the System Security Plan (SSP) and document how the NIST SP 800-171, Rev. 1 requirements are being met.

See the extended blog on the EmeSec website, "Succeeding with The Minimalist Approach," at www.emesec.net.

Ask EmeSec

A recognized leader in CUI and DFARS compliance, EmeSec has issued a number of tools, including eBooks and subscription services, that help small and medium businesses (SMBs) adopt a Do-it-Yourself (DIY) methodology. For more tips, advice and perspectives, contact us at Info@EmeSec.net or call us at 703.429.4492.

Phil Cashiola