Balancing CUI compliance and cyber protections [Commentary]


The Microsoft Chicago Data Center Container Bay, as big as 16 football fields, is one of Microsoft’s data centers worldwide that manages cloud computing services for more than 500 state and local governments. (Photo Credit: Microsoft)

Cyber risk management is a complex problem, and it grows more complex as new technologies, new forms of data and information, and the management of extended third parties increasingly become the norm of daily operations.

For CEOs and CISOs, understanding business mission information, data and devices is the foundation of meeting cyber and compliance requirements. As C-level executives determine the policies, processes or practices that are appropriate for their organization, the 2017-2018 challenge is successfully determining the acceptable level of risk exposure. For some organizations this will be determining the criteria for that acceptable level of risk exposure.

In recent years, organizations have constructed their policies and procedures to address cyber and privacy protection programs. Today, a new reality is settling in. The mandate for controlled unclassified information (CUI) clauses referring to NIST 800-171, Rev. 1 is due by December 2017. The underlying tenet is assuring the confidentiality of government information held by federal contractors, including accountability for their supply chain. That accountability is multi-layered and extends through the decision criteria and evaluation of independent contractors and the associated small business programs of larger contractors.

Data flow in CUI is not just data in the IT system. (Photo Credit: EmeSec)

CUI compliance risks include physical and virtual components, insider and external personnel, and associated complexity risks of voice, print and data handling across the business space.

The constant flow of little and big data makes meeting the CUI and Defense Federal Acquisition Regulation Supplement (DFARS) requirements a bit more difficult than just “whipping up” the paperwork.

Seeking consultation and assistance in meeting compliance is smart and provides an excellent due diligence look at your organization. When seeking consultation, consider how your commercial organization is and is not like a government organization bound by NIST or FISMA. Those decisions can have lasting implications. For some of our customers, this has involved discussion and thought from the executive and leadership teams across the organization about the best business operations decision, including expenses and opportunity costs, for now and into the future.

Organizations should consider a more holistic approach.

Here are some strategic recommendations for organizations looking to comply with CUI data protection mandates:

  • Understand the Impact of Non-compliance – Along with the risk of falling behind industry peers, non-compliance risks range from lost revenue to potential liabilities for lost or leaked data and any remediation efforts forced or enforced at your cost.
  • Think about Supply Chain Risk – Understand the extent of information sharing inside and outside your organization. CUI requires documenting your business and security capabilities, from teleworking to mobile phones.
  • Budget additional dollars for 2018 – Compliance requires a strategic review of security controls and practices. It’s always beneficial to have a third party conduct an independent readiness assessment.
  • Plan to evolve your CUI/cyber balance – Due diligence demands that you start CUI compliance work, but the results of your first efforts will also evolve your corporate cyber strategy. This benefits your organization and your customers in a dollar-cost-averaging mentality, improving both compliance and cyber protection as you generate revenue.

Maria Horton founded EmeSec in 2003 after retiring from two decades as a Navy officer, where she rose to the rank of commander. Her last assignment was CIO for Bethesda Naval Hospital, now known as Walter Reed. As a hands-on cybersecurity expert, she grew EmeSec to become a leading provider of cloud security and engineering services for the government and private sectors and a third-party assessment organization under the FedRAMP program.