What does CUI mean for government agencies?
Adam Strange, global marketing director at Titus, by HelpSystems, discusses what Controlled Unclassified Information (CUI) means for government agencies
In recent months, we have witnessed a number of high-profile security incidents where the absence of adequate broader cyber security measures and appropriate data classification tools have wreaked havoc for government agencies and private industry alike. These highly publicised cases are likely to shape cyber security policy for years to come, and we can expect to see more rigorous scrutiny of government supply chain considerations around Controlled Unclassified Information (CUI), and for cyber security standards for contractors to become more demanding. In fact, we are already seeing additional compliance legislation expedited.
The recent Consolidated Appropriations Act requires government agencies to conduct “an assessment of any risk of cyber-espionage or sabotage” associated with the acquisition of any high-impact or moderate impact information system. Further, the Department of Defence’s interim rule for its Cybersecurity Maturity Model Certification (CMMC) Program, which went into effect November 30th, 2020, outlines that registration and reporting of assessment scores (per the program) are now required of all DoD contractors and subcontractors. Also, that the first “pathfinder” contracts requiring CMMC review means that contractors will need CMMC certification by the date of award in order to participate.