Get the latest updates on the CUI program, agency implementations, the Federal Acquisition Regulation, and security safeguards. Learn about controlled environments and electronic barriers for protecting CUI.
Outline
• A brief overview of the CUI program;
• An update on agency implementation efforts;
• The status and plans for a CUI Federal Acquisition Regulation Rule;
• CUI Industry Day; and,
• Time for Questions and Answers.
Information Security Reform
• Clarifies what to protect
• Defines safeguarding
• Reinforces existing LRGWP
• Promotes authorized information sharing
Implementation Efforts
• Implementation is underway.
• Most agencies will publish policy in the next 12-18 months.
• After policy is published, implementation will happen more quickly than prior to publication.
• Pending Actions by CUI team:
  • Creation of CUI position description (PD)
  • Creation of CUI Registry Committee
  • Creation of new Training Videos
Federal Acquisition Regulation (FY19)
“This FAR rule is necessary to ensure uniform implementation of the requirements of the CUI program in contracts across the government, thereby avoiding potentially inconsistent agency-level action.” –Unified Agenda
Certification = Asserting compliance
Documentation = Describing compliance
Validation = Verifying compliance
Controlled Environments
• Controlled environment is any area or space an authorized holder deems to have adequate physical or procedural controls (e.g., barriers and managed access controls) for protecting CUI from unauthorized access or disclosure.
Reception Area used to control access to workspace.
Assessing physical environments
• Going beyond gates, guns, and guards: Internal security
• Who works in the space?
• Who has access to the space during and after business hours?
• Do individual workspaces (cubes & offices) have adequate safeguards to prevent access (locking cabinets, drawers, or overhead bins)?
• Suitable for sensitive discussions?
Assessing electronic environments
Limit and control access to CUI within the workforce by establishing electronic barriers.
The New CUI Coversheet
Changed from OF 901 to SF 901.
This does not make the coversheet mandatory. It means that if you use a coversheet you must use this one (unless there is a specific one authorized or required by Law, regulation, or Governmentwide Policy).
https://www.archives.gov/cui/additional-tools
https://www.gsa.gov/cdnstatic/SF901-18a.pdf?forceDownload=1
Legacy Information and Markings
All legacy information is not automatically CUI. Agencies must determine what legacy information qualifies as CUI.
Contractors do not have “legacy information” as such. Contractors should protect all information they have received in accordance with the contract that covers that information.
NIST SP 800-171 Rev 1 https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
DOD Procurement toolbox https://dodprocurementtoolbox.com/site-pages/cybersecurity-dod-acquisition-regulations
Q6: When must the requirements in DFARS clause 252.204-7012 be implemented?
A6: The requirements in DFARS clause 252.204-7012 must be implemented when covered defense information is processed, stored, or transits through an information system that is owned, or operated by or for, the contractor, or when performance of the contract involves operationally critical support. The solicitation/contract shall indicate when performance of the contract will involve, or is expected to involve, covered defense information or operationally critical support. All covered defense information provided to the contractor by the Government will be marked or otherwise identified in the contract, task order, or delivery order.
Upcoming CUI Events
Next Webinar: CUI Program Update for Stakeholders, July 17, 2019 (1-3 pm), Online
If you missed it: NIST CUI Security Requirements Workshop
• Recording can be found at: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop