With mandatory NIST SP 800-171 compliance on the horizon and CMMC coming on its heels, questions about CUI are increasing in number. The ultimate question remains, however, “How do I know if I have CUI?”
There are three primary ways to find out this important information.
The first is to look in your contract for one of five DFARS clauses. What is DFARS? The Federal Register defines DFARS as follows: “The Defense Federal Acquisition Regulation Supplement (DFARS) to the Federal Acquisition Regulation (FAR) is administered by the Department of Defense (DoD). The DFARS implements and supplements the FAR. The DFARS contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public. The DFARS should be read in conjunction with the primary set of rules in the FAR.” What is the FAR? The FAR is what federal agencies use to regulate the acquisition of products and services with allocated funds. The three agencies in charge of the FAR are the Department of Defense, GSA, and NASA.
Within the DFARS, there is a section called “Safeguarding Covered Defense,” and that is where the clauses in DoD contracts come from.
The following are the five clauses potentially in your contract that would mean you are handling or storing CUI:
Sometimes knowing you are handling CUI is easy. A contracting officer or a contact from the prime or the government may simply inform you that the contract you are undertaking will include CUI. At that point, you may be able to ask for more details to know for sure what type of CUI you will be receiving.
Another way the government may inform you of CUI is via security classification guidance. This guidance will indicate that there is CUI in your contract and how you are expected to handle that CUI.
Finally, the government may make it very simple for you and will mark CUI on the contract itself. It is important to note that “for official use only” does not necessarily mean the contract has CUI. It may, but that is not enough to verify 100% whether there is CUI or not.
If you have reviewed your contract and have not received explicit direction from anyone, it is acceptable, and even desirable, to ask your contracting officer whether the contract involves CUI. It is always better to be certain than to hazard your company’s success on a guess. Make sure. You are well within your rights to do so.
If you would like to discuss your company's current situation regarding cybersecurity and CUI, contact us today. Now is the perfect time to wrap your arms around what CUI you are handling and how best to protect it.
Founded in 1925 and headquartered in Akron, Ohio, Smithers is a multinational provider of testing, consulting, information, and compliance services. With laboratories and operations in North America, Europe, and Asia, Smithers supports customers in the transportation, life science, packaging, materials, components, consumer, cannabis, dry commodities, and energy industries. Smithers delivers accurate data, on time, with high touch, by integrating science, technology, and business expertise, so customers can innovate with confidence. Smithers is an authorized C3PAO and can be found on the CyberAB Marketplace.