A lawsuit filed against Penn State University by the U.S. Department of Justice illustrates the challenges the government faces in instituting effective protection of data. The suit filed under the False Claims Act (FCA) alleges, that the university misrepresented its adherence to required cybersecurity protocols in the handling of Controlled Unclassified Information (CUI) required.
Specifically the U.S. Government contends that the university presented false evidence of compliance to Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, DFARS 252.204-7019, and NIST 800-171 in its submission of Department of Defense’s Supplier Performance Risk System (SPRS). The lawsuit further alleges that internal complaints made to upper management at Penn State were repeatedly ignored.
U.S. Government Requirements for Data Protection
The Department of Defense (DoD) has implemented, under executive orders, cybersecurity requirements for organizations that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Under these DFARS, contractors are required to implement specific cybersecurity controls. These include the encryption of sensitive data, restricting access to sensitive systems, and conducting risk assessments.
- As defined in 48 CFR 52.204-21, FCI refers to information provided or generated by the U.S. government that is not intended for public release. This information is generally created in the development of a contract for a product or service.
- CUI as defined in 32 CFR 2002.4, is information that the U.S. government creates or possesses, or any information created for the Government, that is controlled by a law or regulation. The CUI definition does not include classified information. It would therefore include, unclassified information that falls under the jurisdiction of the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).
At a minimum, current security requirements include the implementation of NIST 800-171 as a condition of receiving a Department of Defense (“DoD”) contract. All contractors must carry out a Basic Assessment of NIST 800-171 and submit their score to the DoD. While there is no official audit procedure to determine compliance, contactors must conduct a self-assessment and make an attestation to its compliance.
The Federal Government has outlined further requirements for contractors under Cybersecurity Maturity Model Certification (CMMC) 2.0. CMMC 2.0 has three different levels of CMMC compliance. While Level 3 compliance is reserved for programs that the DoD considers of high priority, Level 1 and 2 determinations are based on the type of information an organization is using, Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
- Level 1 (Foundational) applies to organizations that deal solely with FCI. Level 1 requirements for cybersecurity are based on requirements detailed in FAR 52.204-21. These 17 controls protect contractor information systems by limiting their access to authorized users.
- Level 2 (Advanced) applies to organizations that work with CUI. Level 2 requirements include the 14 levels and 110 controls contained in NIST 800-171.
- Level 3 (Expert) applies to organizations working on high priority projects critical to U.S. national security. Level 3 will include the controls for Level 2 along with additional controls that have yet to be announced. These controls will be designed to reduce the risk from Advanced Persistent Threats (APTs).
CVG Strategy Cybersecurity
As the lawsuit filed against Penn State shows, the U.S, government is serious in its pursuit for protection of CUI. CVG Strategy information security consulting services help organizations develop comprehensive programs to meet U.S. government cybersecurity requirements. We can assist in establishing customized programs to address:
- NIST 800-171
- CMMC 2.0
- NIST 800-161
- NIST 800-53
We can also provide training to make your entire team aware of cyber threats, keep them informed on best practices, and the specific policies of your organization. Additionally, we can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.
CVG Strategy is committed to the goals of CMMC in securing our defense manufacturing supply chain’s information secure. As industry leaders in cybersecurity, ITAR, and risk-based management systems, we understand the importance of innovating flexible approaches to meeting the requirements CMMC, establishing effective programs, and achieving certification.