The National Institute of Standards and Technology recently published a new rule that imposes certain obligations aimed at protecting controlled unclassified information (CUI) that resides on nonfederal systems. This new security rule applies to all contractors that do business with the United States Government. Although there is no enforcement mechanism that measures compliance with this new rule, contractors are effectively on the honor system, and they do not want to bear the consequences of noncompliance.
CUI is defined as any information that is required to be safeguarded by law or regulation. This includes personal information such as court records, patents and financial data. Often, non-governmental entities or contractors will encounter this information in the course of their work with the federal government.
These new rules have taken on increased importance because all companies that do business with the Department of Defense must comply with them. These companies’ subcontractors are also required to comply. The Department of Defense spends the lion’s share of federal contracting dollars, with an annual budget of over $700 billion, so non-compliance will lock companies out of an important market. In other words, any company that holds a contract with the Department of Defense must have a system in place to ensure compliance with these rules, which amounts to a form of cyber security military certification. Contractors will have to prove that their certification program exists.
Each contractor’s information systems must be tested and assessed against the standards included in the new rules. Contractors are responsible for limiting and controlling access to CUI to avoid any kind of costly or embarrassing breach. The first steps are locating the systems that house CUI and categorizing the files that contain it. Then, the contractor must take steps to limit who has access to this information. Even with access limited, contractors should use some method of encryption so that the data cannot be read easily if the access controls fail. Finally, access to this information should be tightly monitored and tracked so the contractor always knows who is viewing it.
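The inventory, categorization, access-limiting and monitoring steps described above can be started with a small, repeatable script. The following is an added example, not code from the original article or from any vendor it mentions: it walks a directory tree, labels files that carry a CUI banner line (the marking pattern is an assumption for this example; the article names no marking scheme), flags CUI files whose POSIX permission bits allow group or world access, and emits a structured access record suitable for an audit log. The sample files it builds are constructed and contain no real CUI. Encryption at rest is left to the platform and is not shown here.

```python
import json
import os
import re
import stat
import tempfile
from datetime import datetime, timezone

# Assumed marking: a banner line beginning with "CUI" or "CONTROLLED".
# This is a constructed convention for the example, not a standard.
CUI_MARKING = re.compile(r"^\s*(CUI|CONTROLLED)\b", re.IGNORECASE | re.MULTILINE)


def classify_file(path):
    """Return 'CUI' if the first 4 KiB carry the assumed marking, else 'UNMARKED'."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(4096)
    except OSError:
        return "UNREADABLE"
    return "CUI" if CUI_MARKING.search(head) else "UNMARKED"


def permission_findings(path):
    """List access-control problems for a CUI file based on its POSIX mode bits."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("world-accessible")
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group-accessible")
    return findings


def inventory(root):
    """Walk root, classify every regular file, and attach findings to CUI files."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            label = classify_file(path)
            entry = {"path": os.path.relpath(path, root), "label": label, "findings": []}
            if label == "CUI":
                entry["findings"] = permission_findings(path)
            report.append(entry)
    return sorted(report, key=lambda e: e["path"])


def audit_event(user, action, path):
    """Structured access record (JSON) so every view of CUI can be tracked."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "path": path,
    })


def build_sample_tree():
    """Create constructed sample files (no real CUI) in a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="cui_demo_")
    samples = {
        "contracts/sow.txt": ("CUI//SP-CTI\nStatement of work ...\n", 0o644),
        "hr/benefits.txt": ("Open enrollment dates\n", 0o644),
        "eng/design.txt": ("CONTROLLED\nDrawing notes\n", 0o600),
    }
    for rel, (body, mode) in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(full, mode)  # explicit mode so the demo is independent of umask
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for item in inventory(demo_root):
        print(item)
    print(audit_event("reviewer", "read", "contracts/sow.txt"))
```

Run against a real file share, the `findings` list for each CUI-labelled file is the starting point for tightening permissions, and the JSON records from `audit_event` can be forwarded to whatever log pipeline the contractor already monitors.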
Compliance with this new rule is neither easy nor cheap. While contractors may rely on systems that are already in place, various technological solutions are available to assist them in complying with this rule. In many instances, contractors’ existing systems will need some sort of boost to run all the new tests and controls required. First and foremost, existing systems need the processing power to run the various tests and controls necessary for compliance. Printed circuit boards are available to help follow the new rules.
Beyond the hardware needed to upgrade systems for compliance, software packages are also available to help contractors with their security programs. Implementing the 110 required security practices across 14 different categories relies on automation in addition to professional services. Purchasing a programmed solution may be the most cost-effective and easiest way to meet the requirements.