The critical role of CUI in federal supply chain security

Written by FedScoop Staff
NOV 4, 2020 | FEDSCOOP

As federal IT supply chains increasingly depend on contractors of all sizes to store, transmit and process sensitive information, the concept of controlled unclassified information has evolved as the leading standard to put all parties on the same page.

The intent of controlled unclassified information, or CUI as it’s most often called, is “to standardize and baseline security for the variety of unclassified information types that the government is required or permitted to protect,” Devin Casey, implementation lead for CUI oversight at the National Archives, said during a recent SNG Live event focused on the Cybersecurity Maturity Model Certification.

“So everything from tax information, personally identifiable privacy information, health information, all the way to unclassified naval nuclear information falls into this huge umbrella of controlled unclassified information,” Casey said. “The CUI program standardizes the safeguarding, marking, handling and baseline requirements to identify and protect that information that is being used throughout the entire executive branch, as opposed to agencies having all of their own programs and markings and different standards.”

Jim Richberg, CISO of Fortinet Federal, said CUI helps to “rationalize the alphabet soup” of acronyms used across the federal government in managing this sensitive information.

“There’s a truism in cybersecurity that you can’t protect what you can’t detect,” Richberg said. “And I’d say there’s a corollary to that, and it’s hard to protect what you don’t understand. So if you don’t genuinely understand the sensitivity the government ascribes to a given piece or category of information, it’s really hard to know how to treat it.”

Richberg went on to discuss the importance of agencies and contractors both grasping the concept of CUI, particularly as it plays a role in the Pentagon’s forthcoming cybersecurity standards all defense contractors will be required to meet under the Cybersecurity Maturity Model Certification.

Prior to CMMC, contractors could self-certify that they were meeting standards in any non-federal systems that handled CUI. “But when you actually went in and checked, there was actually low accuracy in the certifications,” Richberg said.

He continued: “And so I really think a large part of the impetus for the creation of CMMC was really CUI. The government had created this rationalization of the data … But left to its own devices, the private sector is not able to effectively implement those controls.”

View the full video recording on FedScoop.

This article was produced by FedScoop and underwritten by Fortinet.
