AND WHAT DOES IT ATTEMPT TO DO ANYWAY?
The last blog we wrote about NIST 800 Compliance was an overall view of compliance and why the federal government has decided that it is important. It really is a good thing, even if it is one more of those government policies that cost us time and money. For far too long, some businesses have done as little as possible, and quite often not nearly enough, to keep their data secure. There have been tons of cybersecurity incidents that exposed data of one kind or another. The federal government, with NIST 800 Compliance, aims to at least protect the data that is important to the country in one way or another. That data is called Controlled Unclassified Information.
What this compliance model is meant to protect is “CUI”. CUI stands for Controlled Unclassified Information. It is defined as “information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.” Quite clear, right?
Controlled Unclassified Information is information that does not have an otherwise classified category assigned but is nonetheless important to protect. In other words, the exact dimensions or makeup of a propeller on a Navy ship might not be classified information. Neither may be the makeup of the fuel tanks aboard or the breaking point of the catapult. However, we really don’t want a foreign entity to get hold of all that information and build their own Ford-class aircraft carriers or otherwise use it against us in any way, including economically. The examples I used are very generic and overly simplistic of course, but they should give you an idea of what CUI might be.
Why and where did the federal government come up with the CUI designation? In 2008, President George W. Bush wrote a memo that created this new class of information. Before that, there were various categories of unclassified information. Then in 2009 President Barack Obama wrote another memo that allowed the National Archives and Records Administration to establish handling guidelines for this new class of information.
Do you do business with the federal government at all, or subcontract for someone that does? If the answer to that is yes, then yes, you have CUI and a whole bunch of compliance work to get started on. CUI really is everywhere if you deal with the federal government, or if you subcontract for another company that does.
NIST 800 Compliance and CUI are not just about cybersecurity. In fact, much of it is not. There is a whole host of things to be concerned about, from physical security to cybersecurity, procedures and policies, to ongoing documentation and assessments.
If you subcontract for one of the big defense contractors, you may have already had to fill out a couple of questionnaires. If you haven’t, you should figure out whether you have CUI. Refer to two paragraphs above. If you do, you have to go through all the compliance steps by 12-31-2017 or, well… that’s not really said. However, if you are not “compliant”, or do not have a plan to be compliant that satisfies the federal government by that time, you have a real risk of losing that business. At this point in the year, with all the work it will take, you really do not have much time. You should put a team in place now, get to work, and be able to show some real progress.
Do you need help with compliance and demystifying the whole NIST 800 requirements? Fill out the form below for a true partnership to help you through this process and into the future.