Protecting controlled unclassified information (CUI) has been in the spotlight for a while now, primarily as an extensive focus of the Department of Defense (DoD) over the past several years. In November 2010, the White House issued Executive Order (EO) 13556, which established an open and uniform program across civilian and defense agencies for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.
The problem the Executive Order set out to solve was that departments and agencies were using ad hoc, agency-specific policies, procedures, and markings to safeguard and control CUI.
This inefficient and confusing patchwork led to inconsistent, unclear, or unnecessarily restrictive dissemination policies and created impediments to authorized information sharing. Inefficiency is bad enough on its own; here it matters more, because CUI is sensitive information that often carries privacy and security implications, contains proprietary business information, and is critical to law enforcement investigations.
NIST Special Publication 800-171 defines the security requirements for protecting CUI when it resides in nonfederal systems and organizations, such as a contractor's network. The DoD then made those requirements binding on its contractors through DFARS 252.204-7012, which requires contractors to have methods in place to protect sensitive information and to report cyber incidents.
NIST SP 800-171, published by the National Institute of Standards and Technology, states that “protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.”
Note that SP 800-171 is guidance, not a regulation in itself. It becomes contractually binding through the Defense Federal Acquisition Regulation Supplement clause DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” commonly referred to as the cyber DFARS clause.
In translation... the Department of Defense made DFARS compliance a requirement for any company that generates DoD-related revenue, in order to protect the sensitive DoD data that flows through its supply chain from being compromised. The clause applies whenever a contract involves covered defense information, and prime contractors must flow it down to subcontractors that handle that information, so a small supplier several tiers down the chain is covered too.
Key Takeaway: If your company generates any DoD-related revenue, regardless of size, or if you want to sell to DoD-related businesses in the future, you MUST be compliant with DFARS to win or maintain those contracts. Complying with NIST 800-171 and DFARS 252.204-7012 gives your organization an advantage over the competition, and the sooner you complete it the better: the clause required full implementation of NIST SP 800-171 no later than December 31, 2017. If a supplier has not implemented all of the NIST security requirements referenced in the cyber DFARS clause 252.204-7012, it must notify the DoD CIO within 30 days of contract award of which requirements are not yet implemented. Filling out and submitting the questionnaire you may have received is a self-assessment; it does not make you compliant, and it will not serve as proof of compliance either.
More background on the DFARS cyber requirements:
NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Article: Information Security Magazine: Small Defense Contractors Get Ready to Meet New NIST Standards
Blog: DFARS Compliance and Why It Might Matter to You