
NEWS
18 March 2020
COVID-19 & CUI
(Teleworking Risks)
With technology at the forefront of most companies, the ability to telework is an amazing opportunity to continue to conduct business as usual in trying times like those we are facing now. With record numbers of employees teleworking, we need to ensure we are protecting our clients' information and also protecting our own proprietary information from online threats.

With the rise of the COVID-19 virus outbreak, companies are now urging employees to telework. This model and mindset is truly a Win-Win-Win. Your client still moves forward on mission delivery, your employee is still able to earn a paycheck and keep busy during these times, and your company is able to maintain its cash flow. However, there may be underlying risks that we are completely missing.
Controlled Unclassified Information (CUI) is information provided to contractors that needs special protection but falls below the need for classified storage. If you are a cleared DoD contractor, you have received a DD-254. Your DD-254 is marked FOUO, and all FOUO and Distro-D marked documents are considered CUI. A full list of CUI categories can be found at the National Archives page.
Executive Order 13556 "establishes an open and uniform program that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended."
These requirements have been implemented into contracts via Federal Acquisition Regulation (FAR) clause 52.204-21 and Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. These clauses require companies to establish good cyber hygiene, to establish processes and procedures for handling CUI, to put steps in place to audit, track, and report incidents, and to establish ownership of controls within the organization.
While teleworking is a fantastic way to stay agile and responsive and to continue moving critical missions forward, the risk of compromising information becomes exponentially higher when users are outside of a controlled environment. There are many options and services available depending on your organizational size and need. These could range from a Microsoft Office 365 FedRAMP moderate solution or an Amazon Web Services solution to a locally managed and controlled option at your own location.
While it is extremely important to understand and protect CUI, it is also a contractual obligation. And with the Government continuing to move forward with the Cybersecurity Maturity Model Certification (CMMC) program, it will be critical to your business to become certified just to re-compete for your existing work and to go after new work.
DoD agencies and contractors have been subject to many cyber attacks from hostile actors. Phishing, spear-phishing, whaling, malware, and insider threats all pose potential risks to CUI. The DoD had a compromise of Personally Identifiable Information (PII) through its Defense Travel System (DTS). This system held credit card information and banking information, and roughly 30,000 people were impacted.
A contractor had unclassified information compromised by Chinese hackers, which resulted in a loss of data that, when aggregated, became classified. (Sea Dragon Hack)
Protecting CUI is not just a "good practice", it is the legal responsibility of all DoD contractors and protects our war fighters.
There are a lot of good resources available regarding CUI, CMMC, and the requirements put forth in the FAR and DFARS. If you have specific questions or concerns about your posture regarding CUI and CMMC, please feel free to contact ADPC.
ADPC, LLC. does not sell solutions regarding CMMC, nor are we a certified auditor. We do, however, have experience establishing plans and implementing processes and procedures regarding CMMC and CUI.