Although Controlled Unclassified Information (“CUI”) isn’t super-secret national security information like classified information, CUI still needs to be protected. This can make sharing (also called “disseminating”) CUI tricky, especially if you are a government contractor. For example, 32 CFR 2002.16(4), which is part of the regulation that establishes the federal government’s CUI program, requires you to have a “reasonable expectation” that the recipient of CUI understands how to, and can properly, safeguard the CUI you intend to share with them before you give it to them.
How do you do this effectively?
The best way is for the recipient to have a CMMC certification or a letter of attestation from a Cyber AB authorized C3PAO or FedRAMP Authorized 3PAO. Unfortunately, since the United States Department of Defense (“DoD”) has not authorized CMMC certifications to be granted yet, that’s not an option. Similarly, since letters of attestation are a relatively new concept in the CUI world, most contractors won’t have them.
What other alternatives are available to contractors?
One alternative is for every contractor to send their own team of experts to the potential recipient and conduct a full-scale audit. While this certainly gives a higher degree of confidence in the results, it’s not economically feasible, and it would create a lot of distractions for both the recipient and the disclosing organization.
Another alternative is to simply ask the intended recipient “Do you understand how to protect CUI, and are you prepared to properly protect this CUI?” Of course, the issues with that level of self-attestation are what caused DoD to create the CMMC program in the first place. So this is also not a particularly suitable alternative either.
Two other alternatives are to create a detailed questionnaire that addresses all of the requirements in NIST SP 800-171 or to request a copy of the recipient’s System Security Plan (“SSP”). The highly sensitive nature of the information in an SSP, and even in a questionnaire addressing all of the requirements in NIST SP 800-171 make the recipient less likely to want to share this information unless they know that the organization requesting the information can be trusted with it. Still further, the requesting organization needs a team of people who can review and analyze the information in the SSP or answers to the questions. Again, this is not economically feasible for many organizations, especially smaller government contractors.
Short(er), Pointed Questionnaires: A Practical Alternative
That’s where our simplified questionnaire comes in. The goal of this questionnaire is to establish a standardized set of questions that can be asked of most CUI recipients that gives the requesting organization a reasonable level of confidence that the intended CUI recipients understand how to, and can, protect CUI. The hope is that contractors can answer these questions once and, much like the IRS’s W9 form, they can be provided upon request to anyone who wants to send them CUI.
The questionnaire seeks to ask a few, pointed questions that can only be answered if the potential CUI recipient has conducted a self-assessment of their cybersecurity program under NIST SP 800-171 (as required by 32 CFR 2002) and is, at a minimum, closing any shortcomings identified in their program. At the same time, with the exception of the encryption modules used to protect CUI at rest and in motion, the questions do not ask for specifics. The questionnaire asks abstracted questions that help safeguard the potential CUI recipient’s system-specific information while still allowing the CUI disseminator to have a reasonable degree of confidence in the recipient’s ability to protect CUI.
Our Ask of the Community
Version 2023.06a of the questionnaire is being published as a “discussion draft”. We hope it will be valuable to everyone and prove useful right away. But we also want feedback about how we can make it better, consistent with our goals of keeping it short and standardized.
If you have any comments, please provide them to us either in the comment field below or via E-mail (the E-mail address is in the questionnaire).