Let's talk a little bit about the history of CUI. This really stems from the fact that, and I don't think it's any surprise to anyone, over time we've had an ever increasing number of cyberattacks, we've had cyberespionage, we've had nation state actors attempting to steal sensitive corporate data and sensitive government and military data, in addition to, of course, classified information. In the past there were lots of different government agencies that all sort of did their own thing, and this was an attempt to basically say: we understand that different agencies are creating different information. It's not classified information, it doesn't require the same level of protection as classified information, but it does need to be protected, and we want to approach it government wide in the same way to make sure that this information stays protected. And that's essentially what this long winded explanation from the NARA website is. As I mentioned before, CUI supports federal missions and business functions that affect the economic and national security interests of the United States. And you can see a link there to the NARA website where you can look into the history of CUI and learn a lot more about how CUI should be marked and that sort of thing. There was a four part plan constructed to protect the CUI. It started out with Executive Order 13556, which established a program to manage CUI across the executive branch. There's also the federal CUI rule from 32 CFR Part 2002, that establishes the required government wide controls and markings for CUI. Again, a big part of this is you may have CUI that's not clearly marked, and that can be difficult to track down. So the more you understand about that, and how CUI should be marked and what to look for in contract related materials, the better off you'll be. And one of the things we'll talk about here in a bit is how you can attempt to scope your systems.
Such that CUI only exists in a limited number of spaces, to make it easier to secure, but we'll get to that momentarily. The DFARS clause 252.204.7008, which requires compliance with NIST 800-171. So again, in the DFARS clause it requires your compliance with NIST 800-171, which defines the security requirements for protecting CUI. So again you can see there's multiple prongs to this, one thing points to another, you've got a lot of what can be confusing terminology until you kind of get a handle on it. But this really sort of lays it all out for you, and it starts with Executive Order 13556 and ultimately culminates in NIST 800-171, which gives you the 110 controls you need to protect the CUI. So let's take a quick look at Executive Order 13556. This is from 10/01/2010 and established a government wide CUI program to standardize the way the executive branch handles unclassified information that needs to be protected. It designated the National Archives and Records Administration, or NARA, as the Executive Agent to implement the CUI program; that's a direct quote from the Executive Order there. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO). Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation or government wide policy may be designated as CUI. So there are some rules around how you determine that, how the government determines that something is CUI. And again, there is a standard for marking that, and you can get all of that from the CUI registry at NARA. So here's a little bit of background on the CUI registry. It's the online repository for information, guidance, policy and requirements for handling CUI, including issuances by the CUI Executive Agent. It identifies approved CUI categories and subcategories and the basis for controls.
It has procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using and disposing of the information. And then again there's a link to the CUI registry at NARA. I would certainly encourage you to take a quick look at that; I think it will be quite insightful. So from the Executive Order, they said it's a national imperative to protect Controlled Unclassified Information, and NIST 800-171, again, was created to design the controls to ensure that CUI can be protected by the contractors that have access to it. So I want to come back now and talk about DFARS adequate security, because that's really what gets us to 800-171. Again, DFARS ultimately calls for your compliance with NIST 800-171, and it's important to understand how DFARS defines adequate security. They say it's (a) protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to or modification of information. And (b) the contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the contractor shall implement, at a minimum, the following information security protections, which is NIST 800-171. If we go a little further here, this is a sub clause: the contractor shall implement NIST SP 800-171, as soon as practical, but not later than 31 December 2017, for all contracts awarded prior to October 1, 2017. Again, this is obviously several years ago now. There's still a compliance issue, which is what ultimately led to CMMC, the Cybersecurity Maturity Model Certification, because this 800-171 is a self attestation model: you go through, you say I comply with this, I comply with that. And that has proven to be inadequate, which has led to CMMC, which is an audit based model. Again, we'll talk a little bit more about CMMC later in the course.
And then the second section there: the contractor shall notify the DoD Chief Information Officer, via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of the contract award. So this basically says you need to know what controls you're in compliance with, what controls you are not in compliance with, and you need to report them as a result of the contract award within 30 days. But that has fallen way short and again led to a much more rigorous model with CMMC. So why is all this happening now? I don't think it's any big surprise, and I alluded to this before: cybersecurity attacks are on the rise. You have nation state actors out there doing a variety of things, trying to cause chaos, trying to steal corporate secrets, trying to steal government and military secrets; cyber attacks continue to rise. The government realized that having over 100 separate departments all sort of doing their own thing was not a good way to go about ensuring that sensitive information was protected. They realized that information was inconsistently marked, making it more difficult to identify and secure. They realized that there was a need for standardized definitions, processes and procedures, and that more transparency is always good.