CUI PROTECTION
To enhance the security of Controlled Unclassified Information (CUI) in the hands of contractors (non-DoD entities), the Government requires private sector companies to be compliant with DFARS 252.204-7012. What does this mean?
That DFARS clause relates to 'Safeguarding Covered Defense Information and Cyber Incident Reporting'. What does that mean?
It basically means that if you store or process (or could store or process) any information that your government client deems sensitive, you should review your infrastructure and policies to make sure they comply with NIST Special Publication 800-171, 'Protecting Unclassified Information in Nonfederal Information Systems and Organizations'.
What to expect:
Since compliance is self-reportable, your assessment can be mundane or it could be very thorough. There are some unsavory characters out there who promote DFARS compliance for a few thousand dollars. What do you get with these guys? A form letter and maybe a few teleconferences. Since DFARS compliance is a contractual requirement, this is probably not the best way to handle it. That being said, the 'best' differs from organization to organization. Where does that leave us?
You should look at DFARS/171 compliance from a risk/reward perspective and allocate the appropriate amount of funds toward it. If you have one, small contract with some Federal entity, don't plan on having any more, and a good handle on your network security ad configuration management, maybe you can save some dough and do a cursory review of the requirements. Most likely, this isn't the case. So, evaluate how much Federal business you have or would like to have (or would lose if CUI data was compromised), and set aside some cash to protect your business.
We've covered the one end of the spectrum - minimum effort, let's look at the other end. If you want to go full-bore and hire an independent validator, the compliance assessment would look like this:
Categorize your system and identify where CUI resides (or could reside)
Select your security controls (DFARS clauses, NIST 800-171)
Select your control enhancements (NIST 800-53, ISO 27001)
Initial assessment (interview, test, documentation review)
Implement missing/weak security controls (people, process, technology)
Final testing and risk assessment
3fold can work with your leadership team to scope an appropriately-sized CUI compliance assessment that will help protect your Federal business as well as your customers' information.