Defense groups raise concerns to ONCD over CUI in push for regulatory harmonization

By Sara Friedman  / November 7, 2023

Industry groups representing the defense industrial base are highlighting inconsistencies across the federal government over regulations addressing the handling of controlled unclassified information and potential impacts from the Pentagon's Cybersecurity Maturity Model Certification program, in filings to the Office of the National Cyber Director.

National Institute of Standards and Technology Special Publication 800-171 establishes requirements for contractors handling CUI on nonfederal systems. While the NIST guidance is the foundation of the CMMC program, the Department of Homeland Security has a different interpretation, and a requirement from an Obama-era executive order to establish CUI regulations across the federal government for contractors remains in limbo.

“In 2010, President Obama issued Executive Order 13556, titled ‘Controlled Unclassified Information (CUI),’ and started the process to ‘establish an open and uniform program for managing information that requires safeguarding or dissemination controls,’” the National Defense Industrial Association writes in its comments to a request for information from ONCD.

NDIA says, “The Information Security Oversight Office (ISOO) of the National Archives and Records Administration (NARA) was set as the executive agent for this process and has been working with other agencies to create a consistent and uniform methodology for identifying, marking and protecting CUI for both government entities and contractors.”

“In 2016, ISOO published 32 CFR Part 2002 to establish regulatory controls for CUI and DOD, DHS, and other agencies have been working to align their practices with that ISOO CFR publication,” NDIA writes.

ONCD issued the request for information on July 19. The RFI asks for feedback from stakeholders on how to approach harmonizing cybersecurity regulations, including addressing conflicting requirements and the use of common guidelines. The comment period closed on Oct. 31.

“Unfortunately,” NDIA says, “DHS has chosen an alternative set of definitions and requirements regarding CUI with their publication this year of a final rule that sets inconsistent requirements for contractors compared to the guidance and requirements that DOD has been developing to control CUI.”

NDIA continues, “Of note, the rule requires an Authority to Operate (ATO) from each vendor to handle CUI encountered in its engagement with DHS. This requirement goes far beyond other agency requirements, including the DOD requirements that are moving along a promulgation pathway that includes some self-certification and separate third-party certification for handling CUI in the defense industrial base.”

NDIA explains how companies are “already struggling” with compliance with Defense Federal Acquisition Regulation Supplement requirements for NIST 800-171 and the “associated initial and annual costs for achieving and sustaining compliance.” Specifically, NDIA argues that the costs can be “prohibitive” for small and medium-sized businesses that want to work with the federal government.

“ONCD should examine the final DHS rule, which was written some years ago and not updated to match the latest National Cybersecurity Strategy, other current policy considerations, or evolving threats and innovations in the space to seek to align the requirements with DOD and ISOO requirements,” according to NDIA.

In a separate comment submission, the Professional Services Council urges ONCD to use “NIST SP 800-171 standards as the baseline standards for federal contractors to correctly implement basic cybersecurity hygiene standards across both defense and civilian contracts.”

PSC represents the federal contractor community and is a key player in the development of the CMMC program.

When it comes to reciprocity, the contracting group says, “PSC recommends that ONCD engage DHS officials on the Department’s cybersecurity self-assessment effort, particularly on the question of potential inconsistencies with DOD’s CMMC program; ONCD should maximize reasonable reciprocity to reduce costs to federal contractors that currently perform, or plan to perform, under contract with both DOD and civilian agencies.”

The handling of CUI is also addressed in separate comment submissions from the Aerospace Industries Association and the National Defense Information Sharing and Analysis Center.

Tiered model

The ONCD RFI raises the prospect of using a “tiered model” based on risk to develop cyber regulations across multiple sectors.

“Different levels of risk across and within sectors may in part be addressed through a tiered model (e.g., low, moderate, or high risk), potentially assisting in tailoring baseline requirements for each regulatory purpose. Tiering may also help smaller businesses meet requirements commensurate with their risk,” the request for information says.

AIA responded, “To allow a common tiered model to exist across regulated sectors, efforts must be made by regulators to ensure that the definitions of terms across those tiers are consistent and agreed upon, otherwise significant variances will occur.”

“Also, to coincide with those definitions, the data being stored, processed, or transmitted needs to be clearly marked in a consistent, repeatable, and predictable manner to allow for placement and/or identification within the proper tiers of protection or when it is being moved internally and externally,” according to AIA.

AIA and ND-ISAC both point to the National Security Agency’s “Top Ten Cybersecurity Mitigation Strategies” as a potential baseline if ONCD decides to move forward with a tiered model. They also propose CMMC level one, which focuses on federal contract information rather than CUI, as an option.

ND-ISAC writes, “Level one still requires 17 requirements across multiple NIST 800-171 Families. Again, it will allow for better cyber hygiene while not introducing significant cost and labor on small and mid-sized suppliers who don’t process, store or transmit CUI.”

PSC told ONCD, “For a tiered system to work, a federal contractor would have to understand what is being measured/ranked. . . . As data or CUI can often be unmarked, overmarked, or mismarked, ONCD should consider that federal government officials might also have difficulty identifying CUI -- and this misunderstanding could spread to the contracting companies that support them.”

PSC says, “For a successful tiered model, the federal government should consider that CUI data may have been, and may continue to be, mismarked. PSC recommends that ONCD consider how best to harmonize regulation for ongoing projects that do not meet stringent handling.”

In addition, PSC wants ONCD and agencies to “consider what few cybersecurity practices would have the biggest impact and drive those handful of practices as harmonized regulations to small businesses.”

The practices should include: “(1) identification and inventory of software, hardware, people, data (within the organization); (2) multifactor authentication where applicable; (3) endpoint detection & response; and (4) having, and testing, air-gapped backups to ensure resiliency.”

Incident reporting

All four groups address incident reporting in comments to ONCD, highlighting the complexity of multiple reporting regimes.

NDIA says, “Federal incident reporting efforts are inconsistent and offer multiple, often conflicting, requirements that only make compliance more challenging for the federal industrial base. There is no coordination or logic consistently applied across the government when it comes to incident reporting.”

NDIA says, “Many reporting requirements pose various stages of discovery, identification, or remediation as the initiating point for reporting deadlines, but there is no harmonization of common identification of the initiation point.”

“There are also differences in the actual reporting deadline timeframe, ranging from as little as 8 hours in the recent FAR Case 2021-017 to a more frequent, but sometimes unworkable, 24 to 72 hours,” NDIA says.

PSC asks ONCD to work with the Cyber Incident Reporting Council and federal agencies to “streamline and coordinate approaches” on incident reporting “so federal contractors are not subject to multiple (and costly) reporting structures for different customer agencies (across sectors and agencies) as they respond to an incident.”

“PSC also recommends ONCD consider harmonizing thresholds that trigger an incident report for agencies or across sectors,” the filing says.

ONCD received a wide range of responses to the RFI, including from stakeholders representing the communications, information technology, pipeline, healthcare and insurance sectors.