ASIS NCC August Chapter Meeting

ASIS National Capital Chapter

Controlled Unclassified Information

Over the last decade, several trends have converged: hostile criminals operating online, rapid technological advancement, increasing digital communication between government and industry, insider threats, and the persistent threat of espionage against both government and industry. The news is full of stories about information being stolen from private citizens, corporations, and governments around the world, attributed to both external and internal bad actors. From the government's perspective, these threats will remain an ongoing concern, which fuels its efforts to lock down and protect sensitive government information and to hold industry accountable for the government information it is charged to work with.

First and foremost, the Controlled Unclassified Information (CUI) Program is about doing what's right: due care and good business practice. Correcting information security weaknesses and maintaining adequate cybersecurity is critical, as the US Government has become increasingly reliant on cyberspace to enable and perform its operations. Attacks on US Government and Government Contractor information systems range from denial of service to espionage, theft, manipulation of data, and more. Cyber criminals and hackers are actively seeking to compromise many systems related to US Government activities.

This past year, the US Government implemented significant policy changes that affect how DoD Government contractors protect their own internal networks and compete for DoD contracts. The US Government response resulted in a change to the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. The National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171) was published in June 2015 and was incorporated into the DFARS rule in May 2016. According to the rule, NIST SP 800-171 "defines the requirements necessary to protect CUI Basic on non-Federal information systems" and agencies "must use NIST SP800-171 when establishing security requirements to protect CUI's confidentiality on non-Federal information systems [.]" The rule confirms that contractors dealing with CUI will be required to comply with some subset of the standards outlined in NIST SP 800-171, depending upon the classification of the information maintained. The rule became effective in November 2016 (81 Fed. Reg. 63,324, 09/14/16). NIST SP 800-171 includes controls that span information systems, physical security, and personnel security for the protection of information; information security is therefore assessed more broadly than cybersecurity alone.

The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The DoD has already adopted the requirements; they are in effect at the time the solicitation is issued or, as authorized by the contracting officer, no later than December 31, 2017. The rule is expected to be adopted imminently for the Federal Acquisition Regulations (FAR).


Continuing Professional Education (CPE)

Each 50 minutes of instruction is worth one CPE. CPPs®, PCIs®, and PSPs® earn 1 CPE for attending this event.
