
    Can I Give my Contractor CUI?




    Video by Dave Pope 

    Air Force Research Laboratory

    Hello, my name is Kelley Kiernan and I'm here representing the Department of the Air Force Chief Information Security Officer. This is installation #4 in the Blue Cyber education series. It's called "Can I Give my Contractor CUI?"

    The answer to this vital question, can I give my contractor CUI, is found in three of the DFAR clauses in your small business contract. Let's take a look at DFAR clause 252.204-7012, DFAR clause 252.204-7008 and DFAR clause 252.204-7020 and see how they affect the answer.

    Let's talk about DFAR clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This DFAR reminds us that the definition of adequate security is the full implementation of NIST SP 800-171. It then goes on to explain that it is the system security plan created by the contractor which will address how each of the NIST SP 800-171 controls is to be implemented, and lastly it reminds us that Covered Defense Information is that information or data which is collected, developed, received, transmitted, used or stored by the contractor in performance of the contract.

    It's also important to understand that DFAR 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, comes into play with the system security plan and the plan of action to implement any incomplete items. It says that, with regard to that list of incomplete items, for any of those items, you need an alternate but equally effective security measure to compensate for the inability to satisfy a particular requirement in NIST SP 800-171.

    The final DFAR to talk about as we answer the question "Can I give my contractor CUI?" is DFAR 252.204-7020, DoD Assessment Requirements. This DFAR calls for the contractor to conduct a self-assessment of their NIST SP 800-171 system security plan using a DoD assessment methodology and then to document that self-assessment score in the SPRS system.

    As you answer the question “Can I Give My Contractor CUI?” you're going to want to consider the DoD assessment methodology. This methodology risk ranks all 110 security requirements in the NIST SP 800-171. Forty-two of those requirements received the DoD’s highest risk ranking and if those 42 are not implemented, it could lead to significant exploitation of the contractor network or exfiltration of DoD CUI. You're going to want to understand if the contractor has implemented these 42 high risk security controls.

    The answer to the question “Can I Give my Contractor CUI?” is you need to ask. The decision to share CUI is a risk-based decision based upon a conversation with the contractor regarding if they are ready to provide adequate security protections to DoD CUI. There is not a cut and dried rubric. The CUI protection is a shared responsibility between the DoD and industry. If you need help with this decision, please contact your program or wing cyber security office and be sure to keep your contracting officer informed of your activities.

    Here's some help for that conversation where you discuss with the contractor their readiness to provide adequate protection for DoD CUI. As you review the contractor system security plan and associated plan of action, ask:
    Have all 42 of the five-point weighted security requirements been implemented?
    Have all 14 of the three-point weighted security requirements been implemented?
    Is the CUI that you're considering sharing of a sensitive nature?
    Is the CUI that you're considering sharing absolutely necessary to share?
    Have you considered sharing artificial data instead of CUI?
    And lastly, be sure to apply these questions to both contractor-created CUI and DoD-supplied CUI.

    Be aware that using the DoD SAFE application can create potential exposure. The DoD SAFE application will let a CAC cardholder send DoD CUI to anyone. It is incumbent upon you to be sure that when using the DoD SAFE application, any CUI being sent is sent to a party that is ready to protect it. Contractors who are not ready to protect DoD CUI should not accept CUI.

    Thank you for joining me today. My name is Kelley Kiernan and I'm here representing the Department of the Air Force Chief Information Security Officer and AFWERX. There are more Blue Cyber Education Series presentations on the Department of the Air Force Chief Information Security Officer's website. And a reminder that this talk today is not a substitute for reading the FAR and DFARS clauses in your small business contract. So long.



    Date Taken: 03.03.2022
    Date Posted: 03.11.2022 15:34
    Category: Video Productions
    Video ID: 834426
    VIRIN: 220304-F-WY291-1193
    Filename: DOD_108855257
    Length: 00:06:10
    Location: OH, US
