February 16, 2022

Everything You Need To Know About Protecting Federal Government Contracts With CUI Compliance

If you’re a systems integrator or subcontractor that wants to work with the federal government, you must understand and comply with CUI compliance requirements. This blog post discusses what CUI compliance is and how Janusnet can help you achieve and maintain compliance. We also provide a brief overview of our partner's data classification suite, Janusseal, which enables organizations to demonstrate their compliance and readiness to adhere to government contract mandates involving the handling of CUI data.

What exactly is CUI?

Post-9/11 reviews highlighted the need for a more uniform approach to controlling sensitive materials and sharing information across federal government agencies. In response, the federal government established a program that defines how CUI is to be protected, with the implementing rule (32 CFR Part 2002) issued in 2016, a milestone in its effort to better protect all sources of sensitive data since those attacks.

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls under applicable laws, regulations, and government-wide policies, but that is not classified under Executive Order 13526, “Classified National Security Information,” or the Atomic Energy Act. It was not until November 4, 2010, with Executive Order 13556, “Controlled Unclassified Information,” that the Executive Branch was required to “establish an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and Government-wide policies.” The National Archives and Records Administration (NARA) was named the Executive Agent (EA) responsible for overseeing the CUI Program.

In practice, CUI is a marking applied to unclassified content that must be protected in a specific manner within federal government information systems. If a law, regulation, or government-wide policy requires agencies to exercise safeguarding or dissemination controls over certain information, or specifically permits agencies the discretion to do so, then that information qualifies as CUI. CUI is typically information marked or identified in a government contract, or provided to a contractor by the contracting agency in connection with a contract; however, it can also be content that the contractor creates during the performance of a contract.

Contractor Compliance

When working with the U.S. federal government, agencies and contractors must understand CUI markings. The challenge is that a single contract can have multiple layers of subcontractors who may not be bound by the same requirements, or who may be unaware of the security requirements altogether. Poor communication between the parties about how sensitive material must be handled has cost billions of dollars in cancelled contracts. The prime contractor should engage with its subcontractors and vendors early to establish how controlled unclassified information will be identified and what each party must do to comply with the contract requirements.

But how?

There is an easy and cost-effective way for contractors and subcontractors alike, including those not yet covered by CMMC requirements, to streamline CUI compliance. The Janusnet Janusseal CUI Compliance Starter Kit for Microsoft Office provides fast, accurate marking of controlled unclassified information out of the box. Janusseal applies the correct markings to Office documents, Outlook email, and calendar items to improve information control and management. RockITek is the leading partner for getting started with Janusseal CUI marking quickly and easily.

CMMC, CUI and Banner Marking

The Cybersecurity Maturity Model Certification (CMMC), unveiled by the Department of Defense in 2019, provides a new cybersecurity compliance framework for Department of Defense acquisitions. The model follows a management-maturity approach: its five maturity levels range from Basic Cyber Hygiene at Level 1 to Advanced/Progressive Cyber Hygiene at Level 5. Any company handling CUI must, at a minimum, satisfy the requirements of Level 3, Good Cyber Hygiene. Note that the CMMC 2.0 revision announced by DoD in November 2021 collapses the model to three levels, with CUI handling falling under Level 2, which is aligned with NIST SP 800-171; check which version your contract references.

DoDI 5200.48, “Controlled Unclassified Information (CUI),” issued on March 6, 2020, establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order (E.O.) 13556; Part 2002 of Title 32, Code of Federal Regulations (CFR); and Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7008 and 252.204-7012. Defense contractors that hold CUI must meet the DFARS cybersecurity requirements or risk losing their contracts. To meet these cybersecurity standards, contractors and suppliers must satisfy the basic safeguarding requirements of Federal Acquisition Regulation (FAR) clause 52.204-21 and the DFARS 252.204-7012 clause, with specific guidance from National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

Banner marking is mandatory for documents and emails containing CUI. The banner must indicate at least one of the following:

CUI Basic: Subject to the standard safeguarding measures that reduce the risk of unauthorized or inadvertent disclosure. Dissemination is permitted to the extent that it is reasonably believed to further the execution of a lawful or official purpose.

CUI Specified: Requires safeguarding measures defined by the authorizing law, regulation, or policy that reduce the risk of unauthorized or inadvertent disclosure. The material must carry additional instructions stating what dissemination is permitted.

Limited Dissemination: Requires safeguarding measures more stringent than usual, because inadvertent or unauthorized disclosure would create a risk of substantial harm. Again, the material must carry additional dissemination instructions.

To meet these standards, contractors and subcontractors must position themselves for compliance by mastering the principles of data classification and implementing the tools and training that let them enforce a labeling policy accurately and consistently. By doing so, they can demonstrate to the federal government that they can recognize, handle, and produce any required marking.

How Janusnet can facilitate addressing the CUI challenge

RockITek’s partner Janusnet provides solutions that help organizations apply and manage CUI markings that meet federal government standards and guidelines. The Janusnet suite of products can apply user-driven and automated CUI (and other policy-driven) classification markings across a market-leading range of applications. As a result, Janusseal helps drive consistent implementation of data classification policies across the dissemination, protection, and storage of regulated data. The Janusseal reporting suite enables organizations to demonstrate their compliance and readiness to adhere to government contract mandates involving the handling of CUI and other associated organizational policies for classifying and marking data.

Janusnet solutions come with ‘Implementation Kits’ containing predefined configurations that address a range of data classification regulatory schemes. These configurations are highly flexible and can be easily tailored by the client if required. The ease of implementing data classification and integrating it with an organization's existing IT capabilities lowers the total cost of ownership and increases the value and performance of the portfolio.


RockITek is a distributor specializing in building and managing purpose-built consortiums that accelerate the adoption of emerging technology in the government space. We collaborate with our partners to create alignment and work together for mutual success. Our portfolio of cybersecurity solutions meets agency mission goals and addresses government requirements, policies, and processes (e.g., NIST, Zero Trust, GDPR). We are a small business (NAICS 541519) with a GSA Federal Supply Schedule 47QTCA19D0085.

Janusnet is a pure-play, global leader in data classification. Since 2004, governments and commercial enterprises around the world have relied on Janusnet to reduce the risk of data loss and reinforce a strong security-conscious culture. Janusnet is proud of its software’s reputation for reliability, functionality, and ease of use, backed by a highly responsive development and support team.