Electric sector group seeks clarity on addressing CUI in DOD contracts with CMMC requirements

By Sara Friedman / March 19, 2024

The Edison Electric Institute is making recommendations for how controlled unclassified information should be addressed in Defense Department contracts with Cybersecurity Maturity Model Certification requirements in a manner that aligns with current practices for sharing sensitive data in the electric sector.

“Electric utilities have a unique relationship with CUI inverse to that of many other DOD contractors. Specifically, unlike DOD contractors who receive information that the government expects the contractor to safeguard as CUI, electric utilities far more often provide critical infrastructure information that they expect the government to safeguard as CUI in instances when such information is designated as such by DOE or FERC,” EEI writes in a Feb. 26 filing to DOD on the CMMC program.

EEI members see CUI as “not a single class of information to be safeguarded but rather a diverse set of designations with various protections applying to different entities,” the filing says. “Electric utilities do not create CUI as part of the various services they provide to DoD. DoD’s current guidance on CUI within electric utility data does not, in practice, identify any electric utility data as CUI.”

EEI argues that electric utility contracts should not be subject to CMMC requirements at all, or should be subject only to level one requirements in solicitations that involve federal contract information.

The filing says, “With that in mind, the Proposed Rule raises serious concerns that it could be inappropriately applied to EEI members. If DOD anticipates that it will identify electric utility data as CUI in the future, then uncertainty over what constitutes CUI should be clarified now, and the lack of DOD guidance on what it expects to be treated as CUI should be addressed. EEI members additionally have concerns regarding the inflexibility in CMMC implementation.”

The Pentagon issued a proposed rule on Dec. 26 to implement its Cybersecurity Maturity Model Certification program. Nearly 800 comments have been filed on the proposed rule from a broad range of sectors including defense, technology, communications, gas and international bodies.

The filing offers several recommendations for DOD to consider when crafting the final rule:

  • DOD should clearly specify that only information created or possessed by a contractor specifically for the performance of a DoD contract can be considered CUI under the Proposed Rule.
  • DOD should clarify where a statute or regulation requires CUI to be safeguarded by private-sector entities so that contractor CUI can be efficiently identified and, thus, better protected.
  • DOD should dialogue with EEI members to affirmatively identify electric utility data that DoD considers Controlled Technical Information (CTI), categorized either as Operations Security (OPSEC) or Vulnerability Information, and to assess whether making the Proposed Rule applicable to such information would best safeguard it.
  • DOD should limit the forward-looking CMMC Certification to only those contractors who require certification under the Proposed Rule. CUI and FCI safeguarding by other contractors, including electric utilities, should continue to be governed under the existing DFARS 7012.
  • A CMMC Level 2 or Level 3 conditional assessment, initial assessment, or closeout assessment period for achieving the assessment requirement for a final certification and Plan of Action and Milestone (POA&M) should be 1 year, not 180 days (as proposed in the subject rulemaking).
  • DOD should clarify the timeline for this rulemaking in order to ensure this proceeding is meaningfully informed by public comment.

EEI provides an overview of the current regulatory environment in which the electric sector operates, including the North American Electric Reliability Corporation (NERC) Reliability Standards and the Critical Infrastructure Protection (CIP) Reliability Standards.

The trade group also highlights voluntary commitments including NERC’s biennial GridEx exercise, work through the Electricity Subsector Coordinating Council (ESCC), the public-private partnership Cybersecurity Risk Information Sharing Program and DOE’s Cybersecurity Capability Maturity Model (C2M2).

The Energy Department published a guide in February comparing C2M2 with the CMMC model. The guide includes mappings and was sponsored by DOE, the ESCC and the Oil and Natural Gas Subsector Coordinating Council.

EEI writes, “EEI and its members remain committed to working with our federal partners to ensure that our companies’ respective proposed cybersecurity and voluntary standards are in harmony with NERC’s CIP Reliability Standards. We look forward to continuing this partnership to enhance the efficiency and effectiveness of controlled unclassified information (CUI) safeguards, including the CMMC.”