FCI, CUI, and CMMC
Understanding Federal Cybersecurity Compliance
(This page is under construction as of March 2023. We’ll be building this out throughout the rest of the month.)
Here at Centripetum, we decided to originally create this page to provide honest, unbiased advice on CUI and the future of CMMC efforts under the Department of Defense. The content has expanded slightly since then, but the core discussion is still here.
Basically, we wrote this because we know there are lots of small companies who will NEVER be able to afford extensive consulting services, but still need to at least know where they stand. In the past we’ve worked with companies with a variety of different needs: some of you we spent a few hours with just to get a reality check, some we helped by giving you a push in the right direction over the course of a few months, and some of you we’ve worked with on and off for years.
We would like to help if we can, and while we’d like you to consider using our services, the most important thing is for you to figure out the best way you can protect our nation’s security interests.
First of all, why is your discussion so different than others on this subject?
Like our competitors, we too are a business, but we also have what’s called “integrity”. Novel, we know.
Seriously though, for us CUI and CMMC are particularly sensitive business issues because they directly affect national security. This means we think you have to have honest conversations about it.
In addition, we have a strong affinity for struggling small businesses. It’s not about the dollars. In fact, we really only want to work with clients who are sincerely interested in addressing the root causes of their compliance and security problems to do better in the long-run, and not just slap up some quick fixes to make it ‘go away’.
Just as a reminder, we’re small too – we’re not a must-grow, high pressure company that has relentless investor-demanded sales goals that must be met or else. We choose who we want to work with. If you’re here reading this, chances are you’re more our kind of client.
So in a nutshell, we hope you’ll generally appreciate that we’re not interested in profiting from your misery or failings.
That isn’t true of many others. We peruse the Internet just like you, and we see lots of other blogs and information sites about FCI, CUI, and CMMC that have huge conflicts of interest. Many of them are explicitly trying to baffle you with double-speak and empty threats because they desperately want to sell you some product or service. We’ve found far too many of these threats, scare tactics, and even outright lies out there that have companies like you – and especially small business owners – scratching their heads, wringing their hands in apprehension, or just ignoring the whole situation altogether and assuming (hoping?) that it will all work out in the end. This is not good, and it is not helpful.
If those companies are sincere in their concerns about protecting the United States of America and the Defense Industrial Base (DIB), they shouldn’t care what services you used, how you became secure, or which consultants you pick. Keep that in mind… we certainly do.
Can you explain the difference between CUI and CMMC?
Let's keep it simple:
Controlled Unclassified Information (CUI) is information that is sensitive but not actually 'classified': the government creates or possesses it (or a contractor creates or possesses it on the government's behalf), and a law, regulation, or government-wide policy requires it to be safeguarded. By itself a single piece of it is rarely damaging, but aggregated with lots of other sensitive-but-unclassified information it has a very good chance of telling our adversaries a lot about what we're doing nonetheless.
There are regulations in place RIGHT NOW that require you to provide a set of physical and cybersecurity protections for CUI. For DoD contractors that is DFARS 252.204-7012, which requires you to implement the 110 security requirements of NIST SP 800-171 on any system that handles CUI and to report cyber incidents affecting it to DoD.
Cybersecurity Maturity Model Certification (CMMC) is an upcoming DoD program that builds on those protections just a bit and, more importantly, requires most contractors that handle CUI to have their protection program independently verified by a third-party assessor (i.e., an audit requirement) instead of just self-attesting that they are indeed doing what they say they are doing.
And FCI?
Federal Contract Information (FCI) is information, not intended for public release, that the government provides to you or that you generate for the government under a contract to develop or deliver a product or service. Think non-public contract language, deliverables, and working documents. Note that the FAR definition explicitly excludes information the government has made public (e.g., on public websites) and simple transactional information such as what's needed to process payments, so an invoice by itself does not drag a system into scope.
Basically, nearly every federal contract (pure commercial-off-the-shelf purchases are the main exception) includes FAR 52.204-21, which lists 15 basic safeguarding requirements that must be in place on any information system that processes, stores, or transmits FCI. They are a mix of physical and cyber protections: limiting system and physical access, authenticating users, controlling what goes on public-facing systems, boundary protection, media sanitization, patching, malware protection and scanning, and so on.
NOTICE: if you’re not implementing these cybersecurity controls on FCI right now (many of which your operating systems can do almost by default), you have much bigger problems, as you likely have little or no security program AT ALL. Call us, and let’s pull together a program that is simple enough to implement at a nominal cost.
If you are doing these, the most common deficiency we find is not in the performance of the 15 controls, but in having written policy and procedures that prescribe how to ensure they are always followed and are maintained, and some means of producing evidence that proves you perform the work consistently.
Many businesses are baffled at the idea of wasting time on written policy and procedures… until the government asks for a copy of one or more of them as part of a pre-contract assessment. For some agencies, not having them is considered an automatic fail on that element, and more and more agencies seem perfectly willing to completely disqualify a company if you aren’t doing this work.
For further emphasis, let’s also remember that because this is for more general contract information, these controls typically need to be applied at the enterprise level and your more general IT systems, as well as your accounting/contracts department. Some bigger companies have successfully segregated FCI, but in most shops FCI controls are applicable to the whole business network… so just keep that in mind.
If you've read through those 15 controls in FAR 52.204-21, however, and your eyes glazed over at what they mean, give us a call. We will be happy to start with a basic education on them, and make sure you get the minimums taken care of with the least amount of hassle. If you're doing them, but need policy/procedure documents or evidentiary processes to backstop your existing efforts, we can help there, too.
Let’s get back to the CUI/CMMC show.
So then, is CMMC really a big change from the 'status quo' like everyone keeps harping on?
It comes down to whether you're doing (or honestly attempting to do) CUI cybersecurity right now, or whether you're a lying weasel.
(Oh yes, there are plenty of lying weasels out there, and recent government spot checks have found that the situation is quite the mess. We KNOW why companies have been lying – we've even had some clients who have admitted as much to us – but it has to stop.)
We don't feel like any new protection controls that may be added or amended should be very onerous at all if you are properly implementing the NIST SP 800-171 controls. Technically no one knows for certain what those enhancements will look like until the rule is published (expected Spring or Summer 2023, because the DoD 'clawed back' its original plans and is reworking them in-house), but the prior iterations of CMMC 1.0 and 2.0 gave us a good idea of what to expect: under CMMC 2.0, Level 2 maps directly onto the 110 requirements of NIST SP 800-171, and only Level 3 adds a subset of the enhanced requirements from NIST SP 800-172.
Moreover, we already know what the third-party assessments are supposed to look like (the DoD outsourced the assessor ecosystem to the Cyber-AB), and they don't look much different from any other assessment we've experienced. Of course, if you're smaller we'll grant that third-party assessments might be something new to you and your company, so that makes some people a little nervous.
The only question for you there is: do you have something to hide?
OK... then why is there all this 'buzz' about CMMC?
We don't know, except for one reason we just alluded to: we frequently find a lot of companies have been lying through their teeth for years about being compliant with FAR 52.204-21, DFARS 252.204-7012, and NIST SP 800-171.
They’ve been doing this because they’re desperate for that government contract, and when you know the government isn’t likely to verify your self-assessed claims… well… maybe you just ‘fudge’ the truth a bit.
THIS MUST CHANGE.
The hard and depressing truth is that most companies have not taken these regulations seriously, and are doing somewhere between a horrific job and absolutely nothing to properly comply with NIST SP 800-171. We’re not being cynical, either. Government procurement offices have been doing their own spot-audits, and found essentially the same situation, even including the supposed CUI protection programs that fall under the government’s own responsibility!
THIS IS THE PRIMARY IMPETUS FOR CMMC.
So why the spin-up? Let’s say you’ve been one of these less-than-earnest companies. Think about what’s going to happen under CMMC:
- A costly third-party auditor shows up,
- Subsequently laughs at your program and rakes you over the coals,
- Reports your abysmal results to the DoD, and
- Sends you a fat bill for their work.
But that's not the scary part. Under CMMC, the DoD has already said that a successful assessment at the level named in the solicitation becomes a condition of contract award. If you do not have that piece of paper when the requirement lands in your contracts, you run a very high risk of losing your existing DoD work as it comes up for renewal or option exercise, and of becoming INELIGIBLE for any more.
OK, now you can panic.
Of course, this is about the only discussion that seems to actually pull that band-aid off and acknowledge this VERY real problem. And if we want to pile on, let's just say there's a minor secondary legal concern called the False Claims Act. Certifying compliance you don't actually have can be a false claim, and the government can recover up to three times its damages (which can mean effectively clawing back the contract payments) plus a civil penalty for every false claim submitted. It has already collected multi-million dollar settlements from contractors that overstated their NIST SP 800-171 compliance. Read more about one company's multi-million dollar run-in here.
So – besides that little issue – there is nothing to worry about.
So you're saying to stop worrying about CMMC right now?
Look, from our perspective, considering that CUI compliance is the current law of the land, CMMC finalization is probably two years out or more (as of Spring 2023), and that most companies are – for the most part – doing CUI compliance terribly already, panicking about CMMC is a bit like either:
- A 16-year-old worrying about qualifying for their Formula 1 super license before they’ve even enrolled in driver’s education.
- -or-
- Worrying about the speeding ticket you got on the way to your prison sentencing for felony embezzlement.
… depending on your circumstances.
Right now, if your company is in fact:
- Doing most of the NIST SP 800-171 requirements reasonably well
- Continually improving your compliance efforts and addressing deficiencies
- Properly maintaining an up-to-date System Security Plan (SSP) and Plan of Action and Milestones (POA&M)
- Honestly reporting your NIST SP 800-171 self-assessment score to SPRS (which DFARS 252.204-7019/7020 already require)
You probably don’t have much to worry about, since that means you already have a functional superstructure in place of policies, procedures, cybersecurity controls, risk management procedures, incident response plans, etc. Anything else CMMC eventually adds to the mix will simply be enhancements to your existing program, and if you’re more broadly doing cybersecurity well, you’re probably doing many of those already.
Maybe we have CUI... maybe not; we're not sure yet. Should we focus on any of this at all?
Well, yes, depending on what your organization’s plans are:
- If you have or want DoD contracts… YES to ALL THREE (FCI, CUI, and CMMC).
- If you have or want other Federal agency contracts… YES to FCI and CUI, but NO to CMMC.
- If you never intend to work as a contractor -or- subcontractor on a federal government contract… NO.
OK, so this is the last we’ll discuss of CMMC for now. We consider focusing on it mostly pointless and too premature. Let’s worry about properly doing FCI and CUI compliance, and once you have that nailed down, we can worry about the CMMC enhancements and the audit.
I know other people want to keep scaring you about the CMMC boogeyman, but let us assure every person reading this that – once you properly have CUI compliance in place – CMMC compliance will look like a minor exercise.
Got it. So... do you think it's likely we actually have any CUI?
So… you have to go and look.
Quite frankly, you're only going to have CUI in your possession one of two ways:
- Someone gives it to you (e.g., a government entity, or a prime contractor you're a subcontractor for).
- You make it yourself. Pragmatically, this means you have a contract which explicitly says that when you create certain new information it will need to be marked and handled as CUI.
Let’s start with #1. There are two things to consider here…
- The SEARCH (or "dealing with it now"): The fastest way to find out is to read the contracts you have and see if they spell out whether you'll be given and be responsible for CUI (for DoD work, look for DFARS 252.204-7012 and any CUI language in the statement of work). Next, take a look at all the files they've sent you, and double-check those for markings: a "CUI" or "CONTROLLED" banner at the top and bottom of each page, category markings such as CUI//SP-CTI, or the older "FOUO" / "UNCLASSIFIED//FOUO" markings. If you don't see any contract language or concerning markings, you're probably safe. If you do see markings, you're ALREADY in-scope.
- The PLAN for the FUTURE: If you’re the kind of business that regularly engages in government contracts, then there’s a good and increasingly likely chance going forward you will be asked to manage CUI (even on a contract renewal), and that’s where you can lose your contract or quickly become unqualified for any future ones. If this is your situation, keep reading, but for the sake of discussion you should assume you’ll be in-scope and start getting ready NOW.
If you’re in-scope for #2 and don’t know it (or just realized it), you’re probably in serious trouble. Our best answer is to call us immediately.
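A first pass at that file search can be automated. The script below is an added example for this page, not a Centripetum tool: it walks a directory, reads plain-text files and the body, header and footer parts of .docx files (banner markings usually live in the header and footer), and reports any CUI banner or category markings and any legacy FOUO markings it finds. It assumes the markings are present as text, so PDFs, scans and images need a text-extraction or OCR step first, which it does not do; the marking patterns are the common banner forms, not an exhaustive list, and the sample strings in the docstring are constructed for illustration.

```python
"""Scan a directory tree for CUI and legacy FOUO markings (scoping aid).

Added example for the page above, not Centripetum's own tooling. Standard
library only. Limitations (assumed, not from the page): only text is searched,
so PDFs/scans/images need extraction first; the marking list is the common
banner forms only; a run split across several .docx runs ("FO" + "UO") is
not reassembled.

Constructed sample inputs for illustration:
    "Page header: CUI//SP-CTI//NOFORN  Page 3 of 7"  -> ["CUI//SP-CTI//NOFORN"]
    "marked FOR OFFICIAL USE ONLY (FOUO)"            -> ["FOR OFFICIAL USE ONLY", "FOUO"]
"""
import re
import sys
import zipfile
from pathlib import Path

# The CUI banner is "CUI" or "CONTROLLED", optionally followed by
# //CATEGORY//DISSEMINATION segments (e.g. CUI//SP-CTI//NOFORN). Phrase forms
# are matched case-insensitively; the short banner forms only in upper case,
# and "CONTROLLED" only with a // segment, so the ordinary word "controlled"
# and all-caps headings like "CONTROLLED ACCESS AREA" are not flagged.
MARKING_PATTERNS = [
    re.compile(r"\bCONTROLLED UNCLASSIFIED INFORMATION\b", re.IGNORECASE),
    re.compile(r"\bCUI\b(?://[A-Z0-9-]+)*"),
    re.compile(r"\bCONTROLLED\b(?://[A-Z0-9-]+)+"),
    re.compile(r"\bFOR OFFICIAL USE ONLY\b", re.IGNORECASE),
    re.compile(r"\bFOUO\b"),
]
MAX_BYTES = 20 * 1024 * 1024  # skip anything larger than 20 MiB (assumed limit)
DOCX_PARTS = re.compile(r"word/(document|header\d*|footer\d*)\.xml")


def find_markings(text):
    """Return the distinct marking strings found in text, in order of appearance."""
    hits = []
    for pattern in MARKING_PATTERNS:
        for match in pattern.finditer(text):
            hits.append((match.start(), match.group(0)))
    hits.sort()
    seen, ordered = set(), []
    for _, marking in hits:
        if marking not in seen:
            seen.add(marking)
            ordered.append(marking)
    return ordered


def strip_xml(xml):
    """Crude tag stripper for WordprocessingML: replaces tags with spaces and
    collapses whitespace, which is enough to expose banner/footer text."""
    return " ".join(re.sub(r"<[^>]+>", " ", xml).split())


def docx_text(path):
    """Text of the body, headers and footers of a .docx (a zip of XML parts)."""
    parts = []
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if DOCX_PARTS.fullmatch(name):
                parts.append(strip_xml(zf.read(name).decode("utf-8", errors="ignore")))
    return "\n".join(parts)


def is_probably_binary(sample):
    """Cheap heuristic: text files almost never contain NUL bytes."""
    return b"\x00" in sample


def file_text(path):
    """Searchable text of a file, or None if it is too big or not text-like."""
    if path.stat().st_size > MAX_BYTES:
        return None
    if path.suffix.lower() == ".docx":
        try:
            return docx_text(path)
        except zipfile.BadZipFile:
            return None
    data = path.read_bytes()
    if is_probably_binary(data[:4096]):
        return None
    return data.decode("utf-8", errors="ignore")


def scan_tree(root):
    """Map each marked file (path relative to root) to the markings it carries."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = file_text(path)
        if text:
            markings = find_markings(text)
            if markings:
                findings[str(path.relative_to(root))] = markings
    return findings


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <directory>", file=sys.stderr)
        return 2
    findings = scan_tree(argv[1])
    for rel, markings in findings.items():
        print(f"{rel}: {', '.join(markings)}")
    print(f"{len(findings)} file(s) with CUI/FOUO markings")
    return 1 if findings else 0  # non-zero exit makes it easy to gate a script on


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python cui_scan.py /path/to/contract-files`; a non-zero exit status means at least one marked file was found, and every file it lists is in scope. Treat a clean run as "probably safe" only after you have also read the contracts themselves, because the scanner cannot see markings inside scanned images or PDFs without an extraction step, and it will happily flag a policy document that merely talks about CUI (a false positive you can dismiss by eye).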
So we looked. We actually found some stuff with FOUO or CUI labels on it, but it doesn't seem to meet the definition of CUI.
If we had a nickel for every time…
If you received information from the government (or one of its prime contractors) that is marked as FOUO or CUI, then it *IS* CUI. Period.
We know the government has a formal framework for deciding what is CUI (the CUI Registry lists the categories, and the originator is supposed to mark accordingly), but at the end of the day the marking decision is made by whoever sends it to you, and nobody checks their work before it lands in your inbox (believe it or not). Some paper-pushing bureaucrat can decide they need (or want) to designate something as CUI before they send it to you (e.g., just in case, to cover their own butts), and then saddle you with the burden of handling it accordingly. What's worse, though, is that some are REALLY bad at it, which means you can get stuff that has NO BUSINESS being marked as such.
And we REALLY know. We’ve watched irrelevant documents get slapped with CUI in real-time, and they wouldn’t back down.
NO, there’s almost no point in trying to argue with them. If you have a strong relationship with the person who made the determination… maybe, but we’ve still never found a document re-classified (or companies who are willing to openly challenge the government or their primes).
Look, we work in the real world, and in the real world we have to deal with reality. We've already worked with companies that have been building CUI-compliant systems and programs in order to protect information that has NO BUSINESS ever having been designated as CUI. It stinks, but in the end your opinion of this situation doesn't really matter.
You – the small business – aren’t going to win this argument, and as we already alluded to, it probably isn’t one you want to pick with the people signing your contracts and paying your bills anyway.
Good enough?
So we're on the hook. Now what?
This is where our services come into play, because this is where we must introduce the ineffable “IT DEPENDS”.
Every company, business owner, Board of Directors, IT manager and staff, C-suite, etc. is different.
For example, we’ve had some CEOs and VPs that were positively motivated, ready to make changes, and jump right in. We had another CEO who declared their imposed cybersecurity requirements were actually (and we must quote) “part of a broad, deep-state Chinese conspiracy to bring down the country”. So there’s that.
THIS IS NOT A PROJECT. If you treat it like a project, you will fail. Milestones can be set for getting things initially into place, but ultimately there is no terminus to this effort. It goes on forever.
In simple terms, you're going to need to do the following major tasks:
- Decide where you will use, manage, and store CUI. Is it spread across the network, or do you build an enclave where all CUI-related work gets done? A lot will depend on how you do business, how you are going to change your organizational culture (which WILL/MUST change, one way or another), and how much money/resources you are committing to cybersecurity to a.) make the initial changes and then b.) sustain the program for the rest of time. The smaller the enclave, the fewer systems, people, and procedures the 110 requirements apply to, which is why most small shops end up building one.
- Write and adopt policies. As a best practice, you seriously need to have policies signed by the Board of Directors or owner(s). C-suite-approved policies don't carry as much weight in an audit, and they typically encourage auditors to dig deeper when they can see that the BoD may not be as committed as they say they are.
- Write procedures. You need to have procedures that explain how a control is implemented, how it is maintained, what evidence is generated during the work process to prove the work is done, and how 'proper' implementation should be assessed by an assessor when the time comes. Expect procedures to affect EVERY DEPARTMENT in your organization. This is not just an "IT thing".
- Procure resources to implement the procedures. Hire people, reassign work, employ contractors on a maintenance basis. With the exception of VERY small companies and systems (or nominal CUI to protect), consider 2 FTEs (or the cost equivalent) solely dedicated to cybersecurity/risk management as the barest minimum (you won't be able to just append this to someone's existing job). Remember to front-load these expenses (people and tools) into your government contract bids.
- Follow the procedures; implement the controls. Do what you say, say what you do. Easier said than done in some cases.
- Do the maintenance work. These controls need to be maintained, updates need to occur, testing of procedures and people is necessary, and evidence must be constantly collected and updated. Half of FTE #1 from the resourcing task above goes here: they burn a lot of their time looking over other people's shoulders, since humans are prone to skip steps and cut corners.
- Do the security monitoring work. Assessing deficiencies, discovering new vulnerabilities, developing fixes, scanning for possible intrusions. These are vital but highly skilled tasks, and they are FTE #2 from the resourcing task. Strongly consider using a shared-services MDR (managed detection and response) provider if you don't have or cannot afford that skillset in-house.
- Assess your compliance and update reports and recordkeeping regularly. This is the other half of FTE #1's time. Paperwork is a huge part of compliance, and complaining about it won't make it go away. The more time you spend complaining, the longer it will take.
Yes, that’s the simple version.
If you find all of that too daunting, let’s talk.
We help you understand the dynamics of what needs to happen, the benefits and pitfalls of different choices, the requirements behind the requirements (yes, it’s a real thing), and can work with you to get every one of these activities done and/or rolling. Note that we can’t do it alone (UNLESS you thought you were going to contract with us full-time), so you will need to at least have staff ready to get things started.