Federal Government: "Put CUI controls in place so we can give you a contract."
Federal Contractors: "No. Give us the contract and tell us exactly what CUI we have, where, then we will tell you how we are doing against your controls."
Federal Government: "But why would I give it to you until you put the controls in place?"
If you do not have any CUI, and therefore no requirement for compliance with NIST 800-171, then you do not have to submit an assessment to DoD on your cyber controls. This is what the DFARS rules say. Easy day. Everyone go back to sleep. What is CUI anyway, and my client has not asked me about it, so it is another of the one million pages of unending DFARS drivel that no one reads unless there is a problem, right? Even the government ignores its own rules. On with business.
But wait. What is this I hear? Contracting officers are requiring submission of self-assessments even when I have no idea what CUI is? Even when they have no idea what CUI is? How can I have any and not know it?! Shocking, truly shocking. That rule is "self-deleting!" That is, we have decided unilaterally that we can ignore it until and unless we have CUI in our possession.
I submit respectfully to the community that this is not the way this is going to work out, not because of government overreach, but because of the Catch-22.
Let me put on a theoretical government program manager hat. I am issuing a contract and I know cybersecurity is really important. Our stuff is getting stolen right and left, so I want to make sure the cyber clause is in my contract. We put in there 7012, 7019, and 7020. The contractor signs the contract, so I know he has, in accordance with the clause, "the Offeror represents that it will implement the security requirements specified by..." NIST 800-171. Awesome. We are covered.
Meanwhile, at the Contractor, the lawyer has said, "Don't worry, this clause is 'self-deleting' because we don't have any CUI. We have no CUI program, no CUI plan, no CUI training, and no idea what it is, but we don't have any. Don't worry about those expensive controls."
Meanwhile, it has been six months, and I open a portal to my contractor so he can download the FOUO slides from the latest program brief to better understand what is expected. I know they have to be encrypted so I don't email them. This is sensitive CUI information, but that is fine, the contractor is good to go on cybersecurity. It is in the contract. Next year we are going to implement the new CUI marking system to make it even more clear, but this is fine.
The contractor, excited to have better info on his customers' needs, downloads the info and opens the slides... Let's see, how do you spell B R E A C H again? At least S P I L L?
Let's take that a step further then and suppose for the sake of argument, not reality, that this contractor decides to throw themselves under the bus, and dutifully reports this fact to their PM.
What does the PM say? "What the heck do you mean you have no CUI program, no CUI plan, and I just caused a breach/spill when YOU decided that this was a 'self-deleting' clause!!!!" That is not going to be a very good day for business development on future contracts at the very least, and probably the start of the Term for Default discussion.
The point being that you cannot have a system where you do not prepare to handle CUI, until you actually have CUI in hand. This fundamentally does not work. If done right, the government cannot provide you CUI until you have the means to protect it, and if you say "the clause is self-deleting" so we are not going to have that expensive program until you actually have CUI in hand, then there is a Catch-22. The government can't give it to you, because you don't have a program, and you won't build a program because the government won't give it to you.
Now I 100% agree with the majority of folks saying that the rule says, you do not have to have a program until you actually have CUI present. That you can effectively in the strictest reading ignore the requirement until CUI is actually present in your systems. That is correct. But unfortunately, this system is just not workable in a real-world execution sense. The system will NOT work like that because it can't and that is not government overreach or contracting officers not knowing their business. Their job is to put the clause in, and it is the contractor's job to be prepared as needed to execute the clause when CUI arrives or is created. There really is no other way to do this.
Paul Harvey and "the rest of the story...."
So, of course, there is a LOT of context around this discussion and for the most part we all know it. Tons of CUI flows out from the government every day. Tons of CUI is created on behalf of the Federal government every day. NARA has 100 categories of CUI and a lot of government information falls into those controlled categories. Most of it is not marked, and not many people are actively looking for the chance to mark it. Marking requires work and, in turn, means that once it is marked, we have to do even more work to protect it. It is so much more efficient to order laptops from Amazon, put whatever we want on them, and have a free-flowing email exchange on the latest R&D thing with our government partners. Man, that is easy.
The government is often the worst offender in trying to make this work. Unmarked and improperly handled items from our customers are a terrible burden. They put contractors in a real fix on how to proceed. Ignoring it and saying "no Cooey here" is much easier. I had a discussion about some PMs with that approach just this morning. I get it.
It doesn't matter. In order to stop the bleeding, we must start this journey somewhere, and the flag has been planted to start it here. It is hard. It has a huge impact on business, especially small business. It is going to continue to be hard for a number of years. We have to start somewhere. Start by turning in your homework. If you are a DIB contractor or subcontractor, get your self-assessment going. What you find about the delta between what you are doing today, what you should be doing today, and what you need to do tomorrow will be shocking. Turn your real score in to DoD so that you are eligible to receive your next award. This will help DoD better understand the daunting challenge we face. Look to a future where you know you will need to be at least CMMC Level 1. That means 17 fundamental security controls, and if that sounds easy, probably half the DIB is not even covering those. We need to stop discussing where this is not applicable, get serious, and start the journey to defend our nation. The loss of this critical information, the hacking, and the influence operations are literally killing us. Move out.