Aerospace and Defense CUI: A Complete Guide

    Know what it is and why it matters.

    In the aerospace and defense industry, information is a valuable asset that must be protected. The U.S. government regulates one category of such information, Controlled Unclassified Information (CUI), through a set of safeguarding requirements and compliance standards.

    In this guide, we will discuss what CUI is and how it is particularly important in the aerospace and defense industry, as well as how it's regulated by compliance standards such as CMMC 2.0 and NIST 800-171. We will also explore the role of ITAR and EAR in protecting CUI. 

    Lastly, we will talk about how NAS9933 influences CUI practices, and answer a few frequently asked questions. If you work in the aerospace and defense industry or handle sensitive information, this guide will provide you with a complete understanding of CUI and how to keep it secure.

    Understanding Controlled Unclassified Information (CUI)

    In the aerospace and defense industry, Controlled Unclassified Information (CUI) is a critical category of data that includes technical specifications, operational plans, and other sensitive information. This information, while not classified, is vital for national security and defense capabilities. It must be protected against unauthorized disclosure, which could compromise national security or defense operations.

    The safeguarding of CUI is essential for maintaining the integrity and reliability of defense systems. Unauthorized access or leakage of this information could lead to national security risks, intellectual property theft, or espionage. 

    CUI falls into two primary categories, and the distinction determines which safeguarding rules apply:

    • CUI Basic is the subset of CUI for which the authorizing law, regulation, or government-wide policy requires safeguarding or dissemination controls but does not set out specific handling or dissemination controls; the uniform baseline controls of the CUI program apply.

    • CUI Specified is the subset of CUI for which the authorizing law, regulation, or government-wide policy listed in the CUI Registry explicitly states how it must be safeguarded or disseminated, for example by requiring particular markings, handling procedures, or limits on who may receive it.

    Protecting CUI Basic and CUI Specified: Examples You Need to Know

    When it comes to safeguarding sensitive data in the aerospace and defense industry, having examples makes it much easier to learn how to spot it. Here, we illustrate the difference between CUI Basic and CUI Specified so you can better appreciate the nuances involved in properly handling this information.

    Some examples of CUI Basic could include:

    • General technical manuals or specifications requiring control per regulations
    • Certain non-classified operational plans or procedures
    • Business confidential information like financial records or employee data
    • Information related to facility security operations

    Examples of CUI Specified may include:

    • Controlled technical data packages for weapons systems with distribution controls per export laws like ITAR
    • Operational plans and intelligence data for ongoing missions with delineated handling requirements
    • Controlled Technical Information (CTI) on critical military technologies with strict dissemination controls
    • Information on critical infrastructure assets that mandates specific protective measures

    The examples provided here are generalized. The precise instances of what constitutes CUI Basic versus CUI Specified would be defined in the CUI Registry maintained by the National Archives and Records Administration (NARA).

    The key takeaway is that properly identifying and implementing the right safeguarding requirements per the CUI categorization is essential for aerospace and defense companies to avoid unauthorized disclosures that could impact national security.

    Defense manufacturing relies on a global supply chain with multiple tiers of contractors, which multiplies the places where CUI can leak. Protecting CUI in that environment requires layered controls: physical and digital security measures, regular training, and awareness programs.

    For individuals, the DoD Mandatory CUI Training covers the eleven training requirements for accessing, marking, safeguarding, decontrolling, and destroying CUI. The same course satisfies the CUI training requirement for industry when a Government Contracting Activity requires it under a contract with CUI requirements.

    Examples of CUI in Aerospace and Defense

    Controlled Unclassified Information (CUI) is a category of information that, while not classified, is still sensitive and requires protection. It encompasses information that the U.S. government creates or possesses, or that an entity creates or possesses for - or on behalf of - the government.

    In the aerospace and defense sector, examples of CUI can vary significantly, but some common types include:

    Controlled Technical Information

    This is a key example of CUI in the defense sector. CTI includes technical data or computer software that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. It is crucial for defense contractors to understand and protect CTI, as it often contains sensitive information related to defense or military technologies. (2)

    Manufacturing Data

    Data derived from existing CUI, such as manufacturing data for defense products, is often itself CUI. This becomes complicated when the manufactured product is similar to a commercial item, which leads to disputes over whether the manufacturing data should be categorized as CUI at all. (2, 3)

    Various Markings

    In the past, data might have been marked as "For Official Use Only" (FOUO), "Law Enforcement Sensitive" (LES), "Sensitive but Unclassified" (SBU), or "Unclassified Controlled Technical Information" (UCTI). These are now encompassed under the broader category of CUI. Such information, though unclassified, is vital for national defense and requires safeguarded handling to prevent unauthorized access or disclosure. (1, 4)

    Sources: 

    1. https://www.archives.gov/cui/registry/category-list 

    2. https://www.summit7.us/cui

    3. https://www.nationaldefensemagazine.org/articles/2021/4/7/controlled-unclassified-information---the-devil-is-in-the-details

    4. https://csrc.nist.gov/glossary/term/controlled_unclassified_information


    Importance of CUI in the Aerospace and Defense Industry

    Protecting CUI is fundamental to security within the aerospace and defense industry. Sensitive data moves across the supply chain, and every supplier that receives it becomes a target for cyberattacks and intellectual property theft. Those risks threaten national security and also expose defense contractors to financial and reputational damage.

    The repercussions for unauthorized disclosure of CUI depend on the circumstances, the jurisdiction, and the applicable laws and regulations, but none of them are pleasant:

    1. Civil and Criminal Penalties: Depending on the severity of the disclosure and applicable laws, individuals or organizations may face civil or criminal penalties, including fines, imprisonment, or both.
    2. Legal Liability: Disclosing CUI without authorization may lead to legal liability, including being sued for damages by affected parties, such as individuals whose personal information was disclosed.
    3. Regulatory Actions: Regulatory agencies may take enforcement actions against organizations or individuals responsible for CUI breaches. This can include fines, sanctions, and orders to implement security measures.
    4. Loss of Contracts: If an organization is involved in government contracts or agreements, the unauthorized disclosure of CUI can result in the termination of contracts, suspension or debarment from future contracts, and damage to its reputation.
    5. Loss of Trust: The disclosure of sensitive information can lead to a loss of trust among clients, partners, customers, or stakeholders, damaging business relationships and credibility.
    6. Notification Requirements: Depending on the jurisdiction and the nature of the breach, there may be legal requirements to notify affected individuals and regulatory authorities about the data breach, which can be costly and damaging to an organization's reputation.
    7. Costs of Remediation: Organizations may incur significant costs related to investigating and mitigating the breach, as well as implementing measures to prevent future breaches.
    8. Reputational Damage: The disclosure of CUI can result in significant reputational damage, which can be long-lasting and impact an organization's ability to attract clients or partners.
    9. Loss of Intellectual Property: In cases where CUI includes proprietary information or trade secrets, the unauthorized disclosure can lead to the loss of valuable intellectual property.
    10. Increased Oversight: After a CUI breach, organizations may face increased scrutiny and oversight from regulatory agencies, which can include audits and assessments of their security practices.

    Who Is Responsible For Protecting CUI?

    Safeguarding CUI is a shared responsibility among everyone who touches it: the National Archives and Records Administration (NARA), which runs the CUI program; the federal agencies that create and hold CUI; and the contractors and subcontractors that receive it. Each has distinct obligations under the governing regulations and standards:

    • National Archives and Records Administration (NARA): At the heart of the CUI program is NARA, through its Information Security Oversight Office (ISOO). NARA's pivotal role involves establishing comprehensive guidelines and policies for CUI handling, setting the stage for uniform protection measures across the board.
    • Federal Agencies: Agency-specific responsibilities for CUI extend to identifying and ensuring the appropriate marking and protection of CUI within their jurisdiction. Adhering to NARA's guidelines, federal agencies must incorporate these protective measures into their contracts and agreements involving CUI.
    • Contractors, Subcontractors, and Other Non-Federal Entities: Responsibility extends beyond federal agencies to contractors and other entities that receive CUI from them. For Department of Defense (DoD) work, these obligations are imposed through the Defense Federal Acquisition Regulation Supplement (DFARS). For other agencies, the equivalent vehicle is the CUI Federal Acquisition Regulation (FAR) clause, which at the time of writing is still a proposed rule. Central to these obligations is implementing the security requirements of National Institute of Standards and Technology (NIST) Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," alongside any other regulations the contract invokes.

    Primary Responsibility for CUI Protection

    Although protecting CUI is a shared effort, primary responsibility for securing it rests with the holders of federal contracts. For Department of Defense (DoD) contracts the governing requirements come from the Defense Federal Acquisition Regulation Supplement (DFARS); for other federal agreements, from the Federal Acquisition Regulation (FAR). Compliance with them is a condition of the contract, not an option.

    Contract holders must embed security measures across their own operations and flow the same requirements down to subcontractors and any third parties involved. The technical baseline is NIST Special Publication 800-171, which sets out the security requirements for safeguarding CUI outside federal systems.

    The responsibility also covers people: every participant, from employees to subcontractors, must understand their obligations toward CUI. That means training programs, access controls, and the rest of the measures needed to sustain compliance.

    In short, while safeguarding CUI involves federal agencies and subcontractors alike, the onus lies predominantly with the federal contract holder, who sits at the center of the security measures designed to keep sensitive information from unauthorized exposure.

    Sources:

    1. For a comprehensive list of CUI categories: NARA CUI Category List
    2. For policy and guidance on managing CUI: NARA CUI Policy and Guidance

    Physical and Digital Security Measures for Protecting CUI

    The specific guidelines and compliance standards for protecting CUI are covered later in this guide. As a broad overview of what handling this data involves, keep the following points in mind.

    Physical Handling of CUI

    Physical handling of CUI requires secure storage, such as locked cabinets or controlled facilities, with access limited to authorized personnel. Digital copies likewise belong only on systems and networks that meet the applicable safeguarding requirements.

    CUI transmitted over a network must be encrypted to prevent interception by unauthorized parties. Removal of CUI from the work environment should be reported to the Activity Security Manager (ASM), by email or another recorded means such as a sign-out sheet, so that the information can be tracked and handled properly.

    In terms of security measures, physical security involves the implementation of surveillance systems, access control mechanisms, and intrusion detection systems in areas where CUI is stored or handled. 

    Digital Handling of CUI

    On the digital front, security measures include firewalls, intrusion detection and prevention systems, regular security audits, and keeping all software, firmware, and security tooling updated and patched against known vulnerabilities.

    Access Control and Dissemination

    Access control and dissemination control are also crucial. Access control means establishing rigorous rules for who may access CUI, including background checks for personnel and logs of every CUI access. Dissemination control means sharing CUI only with individuals who need it for an official purpose, and having Non-Disclosure Agreements (NDAs) in place for everyone with access.
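    As an added example (not code from the original article), the following Python script applies the need-to-know, NDA, and dissemination checks described above to a CUI access log. The document registry, personnel records, and log lines are all constructed for illustration, and the rule that ITAR-controlled (CUI Specified) technical data is released only to U.S. persons is an assumed policy of the example rather than something the article states. It uses only the standard library.

```python
"""Need-to-know, NDA, and dissemination checks over a CUI access log.

Added example, not code from the original article. The document registry,
personnel records, and log lines are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class CuiDocument:
    doc_id: str
    category: str                  # "BASIC" or "SPECIFIED"
    need_to_know: FrozenSet[str]   # users with an official need for this document
    us_persons_only: bool = False  # assumed policy: ITAR-controlled technical
                                   # data is released only to U.S. persons


@dataclass(frozen=True)
class Person:
    user: str
    nda_on_file: bool   # signed NDA on record
    us_person: bool     # status used for the export-control check


# Constructed registries; a real deployment would read these from the
# document management and HR/security systems of record.
DOCUMENTS: Dict[str, CuiDocument] = {
    "DOC-1001": CuiDocument("DOC-1001", "BASIC", frozenset({"alice", "bob"})),
    "DOC-2001": CuiDocument("DOC-2001", "SPECIFIED", frozenset({"alice", "carol"}),
                            us_persons_only=True),
}

PEOPLE: Dict[str, Person] = {
    "alice": Person("alice", nda_on_file=True, us_person=True),
    "bob": Person("bob", nda_on_file=False, us_person=True),
    "carol": Person("carol", nda_on_file=True, us_person=False),
    "dave": Person("dave", nda_on_file=True, us_person=True),
}

# Constructed log lines: "<timestamp> <user> <READ|SHARE> <doc_id> [<recipient>]"
SAMPLE_LOG = """\
2024-03-04T09:15:00Z alice READ DOC-1001
2024-03-04T09:16:10Z bob READ DOC-1001
2024-03-04T09:20:00Z alice SHARE DOC-1001 dave
2024-03-04T09:25:30Z carol READ DOC-2001
2024-03-04T09:30:00Z dave READ DOC-9999
2024-03-04T09:31:00Z mallory READ DOC-2001
"""

Finding = Tuple[str, str, str, str]  # (timestamp, actor, doc_id, reason)


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    """Split one log line into (timestamp, user, action, doc_id, recipient)."""
    parts = line.split()
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed log line: {line!r}")
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    recipient = parts[4] if len(parts) == 5 else ""
    return ts, parts[1], parts[2].upper(), parts[3], recipient


def access_reasons(user: str, doc: CuiDocument, people: Dict[str, Person]) -> List[str]:
    """Return the reasons `user` may NOT hold `doc`; an empty list means access is permitted."""
    person = people.get(user)
    if person is None:
        return ["UNKNOWN_USER"]
    reasons: List[str] = []
    if not person.nda_on_file:
        reasons.append("NO_NDA")
    if user not in doc.need_to_know:
        reasons.append("NO_NEED_TO_KNOW")
    if doc.us_persons_only and not person.us_person:
        reasons.append("EXPORT_CONTROL")
    return reasons


def audit(log_text: str,
          documents: Dict[str, CuiDocument] = DOCUMENTS,
          people: Dict[str, Person] = PEOPLE) -> List[Finding]:
    """Evaluate every access and share event in the log; return policy violations."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, doc_id, recipient = parse_line(raw)
        stamp = ts.isoformat()
        doc = documents.get(doc_id)
        if doc is None:
            # An access to an unregistered document is itself a control gap.
            findings.append((stamp, user, doc_id, "UNKNOWN_DOCUMENT"))
            continue
        for reason in access_reasons(user, doc, people):
            findings.append((stamp, user, doc_id, reason))
        if action == "SHARE":
            # Dissemination: the recipient must independently satisfy every rule.
            if not recipient:
                findings.append((stamp, user, doc_id, "SHARE_WITHOUT_RECIPIENT"))
                continue
            for reason in access_reasons(recipient, doc, people):
                findings.append((stamp, user, doc_id, f"RECIPIENT_{recipient}_{reason}"))
    return findings


if __name__ == "__main__":
    for stamp, actor, doc_id, reason in audit(SAMPLE_LOG):
        print(f"{stamp} {actor:<8} {doc_id:<9} {reason}")
```

    Run against the constructed log, the script flags bob's read (no NDA on file), alice's share to dave (dave has no need to know for that document), carol's read of the ITAR-controlled package (not a U.S. person), a read of an unregistered document, and a read by an unknown account. The point of the design is that a share is checked against the recipient, not just the sender, which is what dissemination control actually requires.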

    National Security

    CUI handling is not just a matter of compliance; it is also a matter of national security. Mishandling CUI can expose sensitive aerospace and defense information and, with it, national security.

    To keep your business out of that position, understand and comply with the guidelines governing CUI handling and implement effective safeguarding measures. Fortunately, there is no shortage of guardrails to keep compliance in check.

    Compliance Standards and Regulations for CUI

    Compliance with CUI regulations is obligatory for nearly every organization that handles CUI on the government's behalf, and for aerospace and defense contractors it is a condition of doing business.

    Implementing effective cybersecurity measures for safeguarding CUI is not merely a regulatory requirement but a cornerstone of a secure defense infrastructure.

    Doing so means adhering to several specific regulations and standards, which we explore in more detail in this guide:

    • CMMC (Cybersecurity Maturity Model Certification)
    • NIST 800-171 (National Institute of Standards and Technology)
    • ITAR (International Traffic in Arms Regulations)
    • EAR (Export Administration Regulations)
    • NAS9933 (National Aerospace Standard)

    Sources:

    1. https://www2.deloitte.com/us/en/pages/manufacturing/articles/cybersecurity-in-defense.html

    2. https://cybersecurityventures.com/reality-check-defense-industrys-implementation-of-nist-sp-800-171/


    Overview of CMMC

    The Cybersecurity Maturity Model Certification (CMMC) 2.0 is an evolution of the initial CMMC model, designed to streamline cybersecurity requirements for contractors in the Department of Defense supply chain. Developed by the Department of Defense, CMMC 2.0 defines three levels of cybersecurity and aligns them with established NIST standards.

    CMMC represents a unified cybersecurity enhancement initiative within the defense industry, intended to raise information security and protect CUI. CMMC 2.0, introduced in November 2021, refines the certification process by collapsing the earlier five-tier model into three levels:

    • Level 1 - Foundational
    • Level 2 - Advanced
    • Level 3 - Expert

    Level 1, termed 'Foundational,' requires organizations to perform basic cybersecurity practices, possibly in an ad hoc manner and without detailed documentation. It focuses on protecting Federal Contract Information (FCI) and maps to the basic safeguarding requirements of FAR 52.204-21 (presented as 17 practices drawn from NIST SP 800-171 in the CMMC 2.0 model). Organizations at this level perform an annual self-assessment rather than a third-party audit and enter the results in the Supplier Performance Risk System (SPRS). Level 1 does not meet the standard for CUI protection; that begins at the next level. (1, 2)

    Level 2, 'Advanced,' requires documented processes and adherence to them. It incorporates all 110 security requirements of NIST SP 800-171 Revision 2, which is what CMMC 1.02 Level 3 required, but drops the 20 practices and the process-maturity requirements that were unique to CMMC 1.02. Assessment requirements vary with the criticality of the information handled: some programs allow an annual self-assessment, while others require a triennial assessment by a Certified Third-Party Assessment Organization (C3PAO). (2)

    Level 3, 'Expert,' aims to mitigate advanced persistent threats by requiring a comprehensive management plan for cybersecurity practices. It builds on the full set of 110 NIST SP 800-171 requirements with a selected subset of the enhanced requirements from NIST SP 800-172, and presupposes a Level 2 certification. Unlike the lower levels, Level 3 assessments are performed by the government rather than by a C3PAO. (2)

    Sources:

    1. https://dodcio.defense.gov/CMMC/About/ 

    2. https://tcblog.protiviti.com/2021/11/10/u-s-department-of-defense-updates-cybersecurity-maturity-model-certification-requirements-cmmc-2-0

    Understanding NIST 800-171

    NIST 800-171, developed by the National Institute of Standards and Technology (NIST), is a crucial cybersecurity framework in the aerospace and defense industry for safeguarding Controlled Unclassified Information within non-federal systems. (1, 2)

    Compliance with NIST 800-171 is not only essential for defense contractors handling CUI but is also a mandatory requirement under the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. (3)

    The clause is included in essentially all DoD solicitations and contracts other than those solely for commercially available off-the-shelf (COTS) items, and it requires contractors that process, store, or transmit covered defense information to implement NIST SP 800-171. Just as importantly, it requires contractors to report cyber incidents rapidly and in detail. The companion clauses DFARS 252.204-7019 and 252.204-7020 require contractors to have a current NIST SP 800-171 DoD Assessment score posted in the Supplier Performance Risk System (SPRS) as evidence of their implementation. And prime contractors are not the only ones on the hook: their subcontractors carry the same obligations. (3)

    Extended responsibility to subcontractors

    A subcontractor is an entity that is hired by a primary contractor to perform part of the work that the primary contractor has agreed to complete for the DoD. Subcontractors are typically specialized firms or individuals that provide specific services or expertise that the primary contractor may not possess in-house. 

    For example, a primary contractor might hire a subcontractor for specialized manufacturing, software development, IT services, or logistics support. These subcontractors, while not directly contracted with the DoD, are integral to the fulfillment of the primary contract's obligations.

    An important aspect of DFARS Clause 252.204-7012 is that it flows down to subcontractors. Prime contractors must include the clause in subcontracts that involve covered defense information (CDI), so that subcontractors are held to the same DFARS and NIST SP 800-171 requirements. (3, 5)

    Where a subcontractor cannot meet a requirement, it must notify the prime contractor (just as the prime must notify the DoD Contracting Officer) and have an alternative, equally effective measure accepted before CDI is shared. This cascades security requirements down the supply chain and sets a uniform floor for data protection.

    Incident reporting requirements related to CUI

    When a cyber incident is discovered, the contractor must report it to the Department of Defense within 72 hours of discovery, through the DIBNet reporting portal, with as much detail as is available about the affected systems and data. The contractor must then preserve and protect images of all known affected information systems, together with all relevant monitoring and packet-capture data, for at least 90 days from submission of the report so that DoD can request the media if it chooses. If malicious software is discovered and isolated in connection with the incident, it must be submitted to the DoD Cyber Crime Center (DC3).

    The contractor must also conduct a review for evidence of compromise, identifying affected computers, servers, data, and user accounts, and must implement measures to prevent a recurrence. That review addresses the immediate issue and feeds continuous improvement of cybersecurity practices across the defense sector.

    The security requirements of NIST SP 800-171 are the baseline this DFARS clause requires for protecting CUI. The table below gives a rough overview of the relationship between the two:

    NIST & DFARS Relationship

    NIST SP 800-171: Protecting Controlled Unclassified Information
    • Developed by the National Institute of Standards and Technology (NIST).
    • This is used to protect the actual data.
    • Provides guidelines for protecting CUI in non-federal systems and organizations.
    • Consists of 14 families of security requirements.

    NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
    • Also developed by NIST, but broader in scope than NIST 800-171.
    • Protects the underlying infrastructure where the data is stored.
    • Contains a comprehensive set of security controls for federal information systems.
    • Used by federal agencies to secure their information systems, including CUI.

    DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
    • A clause in the Defense Federal Acquisition Regulation Supplement (DFARS).
    • Requires contractors to implement NIST SP 800-171 controls to protect CUI.
    • Mandates reporting of cyber incidents within 72 hours to the DoD.
    • Applies to contractors and subcontractors who handle CUI for the Department of Defense.

    An important distinction is that NIST 800-171 is aimed at nonfederal entities that handle CUI on the government's behalf, and its requirements are derived from a subset of NIST 800-53. NIST 800-53, conversely, is the full catalog of security and privacy controls for federal information systems and organizations, covering a far wider range of threats and risks. (2, 5)

    Sources:

    1. https://csrc.nist.gov/pubs/sp/800/171/r3/ipd 

    2. https://www.nist.gov/news-events/news/2023/05/nist-revises-sp-800-171-guidelines-protecting-sensitive-information 

    3. https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.

    4. https://business.defense.gov/Portals/57/Safeguarding%20Covered%20Defense%20Information%20-%20The%20Basics.pdf 

    5. https://cybersheath.com/resources/blog/understanding-dfars-252-204-7012-and-nist-sp-800-171/


    The Role of ITAR and EAR in CUI Protection

    The International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) are central to safeguarding CUI in aerospace and defense. Much of the technical data that qualifies as CUI is also export controlled, so understanding both regimes is essential for industry stakeholders.

    For defense contractors, adhering to ITAR and EAR is fundamental: the regulations restrict who may receive controlled data, and compliance is subject to government oversight.

    ITAR Compliance and CUI

    In the aerospace industry, ITAR plays a crucial role in the protection of CUI. ITAR regulations mandate that U.S. companies, research labs, universities, and other entities engaged in the manufacturing, exporting, or brokering of defense articles or services on the United States Munitions List (USML) must register with the Directorate of Defense Trade Controls (DDTC) and adhere to stringent guidelines. (1)

    This registration is crucial as it is the first step towards ensuring ITAR compliance, which includes obtaining prior authorization for ITAR-controlled transactions, adopting an ITAR Compliance Program, and implementing robust tracking and security measures for ITAR-controlled items.

    ITAR's stringent requirements serve several purposes: they prevent unauthorized access to sensitive technical data, help maintain U.S. technological leadership in defense and aerospace, and protect national security. Adhering to ITAR also spares companies the severe penalties of noncompliance, which can include criminal fines of up to $1 million per violation and imprisonment, as cases such as Airbus and Bright Lights USA, Inc. illustrate. (2, 3)

    EAR Regulations and CUI

    Similar to ITAR, the Export Administration Regulations (EAR) are critical for safeguarding CUI in the defense industry. EAR controls the export of dual-use items – goods and technologies primarily commercial in nature but potentially useful in military applications. Compliance with EAR ensures that sensitive information related to national security and foreign policy interests is securely managed and does not fall into the wrong hands.

    For defense contractors handling CUI, adhering to EAR means determining the correct Export Control Classification Number (ECCN) for each item, obtaining any required licenses, and keeping detailed records. This protects sensitive information and preserves the company's eligibility for government contracts and other opportunities that demand adherence to these regulations. (1)

    Integration of ITAR and EAR in Industry Compliance

    The integration of ITAR and EAR compliance is a unified effort that enhances the overall security posture of companies in the aerospace and defense sectors. This involves a thorough understanding of the types of equipment and services subject to these regulations, such as military aircraft, missiles, satellites, drones, and their components. 

    Companies must also engage in continual education and training for their employees so that everyone involved is aware of and can effectively navigate the complexities of these regulations.

    By implementing ITAR-compliant cloud services and adhering to EAR's rigorous guidelines, companies can achieve a high level of data protection, avoid significant penalties, and maintain their competitiveness in the market. These regulations also extend to the entire supply chain, emphasizing the importance of comprehensive compliance across all levels of operation.

    ITAR and EAR vs. CMMC

    We should emphasize that both ITAR and EAR focus on the regulation of defense-related articles, services, and dual-use technologies to prevent unauthorized exportation, thus ensuring national security. These regulations mandate stringent control over the handling, sharing, and exporting of sensitive materials, requiring organizations to obtain appropriate licensing, maintain meticulous records, and adhere to specific procedural guidelines. 

    In short, ITAR and EAR are geared towards controlling the physical and digital dissemination of defense and dual-use technologies across borders, emphasizing the "what" aspects of compliance.

    Conversely, CMMC is designed to enhance the protection of CUI within the defense industrial base's network environments. CMMC requirements introduce a tiered cybersecurity framework that organizations must implement and certify against, focusing on the "how" aspects of safeguarding sensitive defense information from cyber threats. 

    This framework ranges from basic cyber hygiene to advanced protections, aiming to fortify the defense supply chain against increasingly sophisticated cyber and information warfare tactics. While ITAR and EAR regulate the dissemination of sensitive information and technologies to protect national interests, CMMC compliance ensures that the systems handling this information are secure and resilient against cyber intrusions, creating a comprehensive compliance ecosystem for defense contractors and suppliers.

    Sources:

    1. https://clearedsystems.com/the-importance-of-itar-compliant-cloud-services-for-defense-and-aerospace-industries/

    2. https://www.williamsmullen.com/news/recent-itar-case-sends-important-message-smallmidsized-government-contractors

    3. https://www.justice.gov/usao-dc/pr/airbus-agrees-pay-over-39-billion-global-penalties-resolve-foreign-bribery-and-itar-case


    How does NAS9933 Influence CUI Practices?

    NAS9933 shapes CUI practice in the aerospace and defense industry by giving contractors a common cybersecurity baseline against which to manage and protect CUI. Although voluntary, it is widely referenced across the industry, and adhering to it is an effective way to safeguard sensitive information.

    Developed by the Aerospace Industries Association (AIA), NAS9933 is a cybersecurity standard for the aerospace and defense industry that adapts the CIS Critical Security Controls for aerospace supply-chain use. These voluntary guidelines emerged because cybersecurity practices varied widely across the industry, particularly among organizations working on government contracts that involve sensitive data.

    NAS9933's introduction marks a concerted effort to standardize and elevate cybersecurity protocols so that all aerospace contractors — regardless of their size or the specific nature of their work — adhere to a baseline standard of data protection.

    The objectives of NAS9933 are twofold: firstly, to provide a measurable cybersecurity risk profile for companies in the aerospace sector, and secondly, to enable reciprocity across industry and critical infrastructure sectors. 

    This means that a company's level of cybersecurity, as determined by NAS9933 standards, would be universally accepted and acknowledged. Such standardization not only enhances security but also fosters trust among industry partners and with the government, reinforcing the industry's commitment to national security interests.

    Overcoming the Challenges of NAS9933 Implementation

    The comprehensive nature of NAS9933, coupled with the diversity of organizations in the aerospace sector, presents several implementation challenges. Firstly, the issue of resource allocation is particularly pronounced for smaller organizations. These entities often face difficulties in dedicating sufficient financial and human resources necessary to achieve full compliance with NAS9933 standards. This challenge is not just about the allocation of existing resources but also about potentially expanding capabilities to meet the requirements.

    Another significant hurdle is the need for technological upgrades. Many aerospace companies operate with legacy systems, and bringing these systems up to the modern cybersecurity standards set by NAS9933 can be both costly and technically challenging. This process often involves not only software and hardware updates but also a shift in how data is managed and protected within the organization.

    Furthermore, a key aspect of successful NAS9933 implementation lies in the training and awareness of all employees. Cybersecurity is not solely the domain of IT departments; it requires a holistic approach where every member of the organization is aware of and adheres to the new protocols. This requires extensive training and a cultural shift towards heightened cybersecurity awareness.

    To address these challenges, aerospace organizations can employ several strategies. An incremental approach to implementation allows for the breaking down of the overall process into manageable phases. This makes the transition more feasible, especially for organizations with limited resources. Implementing NAS9933 in stages helps in systematically addressing each aspect of the standard without overwhelming the organization's operational capabilities.

    Regular staff training programs are also vital. These programs shouldn't just focus on the technical aspects of cybersecurity but also foster a culture of security awareness throughout the organization. Training sessions and workshops can be instrumental in ensuring that all employees understand their role in safeguarding sensitive data and systems.

    Lastly, collaboration and partnerships can play a crucial role. Engaging with other companies in the aerospace sector, sharing best practices, and learning from the experiences of others can provide valuable insights. Additionally, partnerships with cybersecurity experts and consultants can offer the expertise and resources necessary for successful implementation. These collaborations can provide access to tools, knowledge, and support that might otherwise be inaccessible, particularly for smaller organizations.

    The Future of CUI

    In the aerospace and defense industry, protecting controlled unclassified information is of utmost importance. Compliance with standards and regulations such as CMMC 2.0 and NIST 800-171 is crucial to ensure data security and safeguard sensitive information. Additionally, understanding the roles of ITAR and EAR in CUI protection is essential. These regulations outline specific requirements for handling and sharing CUI within the industry. 

    Furthermore, NAS9933 plays a significant role in influencing CUI practices by providing guidelines and best practices for CUI management. By adhering to these regulations and implementing robust security measures, aerospace and defense organizations can effectively protect CUI and maintain the integrity of their operations.

    As we look ahead, the future of CUI is poised to undergo significant changes across various dimensions, including policy evolution, technological impacts, and strategies for addressing emerging challenges.

    With advancements in technology, particularly in areas like artificial intelligence and encryption, we can expect a significant impact on the management of CUI. These technologies could lead to more efficient classification and protection measures, though they also present new challenges in guaranteeing compliance with CUI handling requirements. Furthermore, as cybersecurity threats evolve, so too will the compliance requirements for CUI handling, likely becoming more stringent.

    To prepare for these future challenges, continuous education and training for personnel involved in managing CUI will be crucial. Organizations in the industry will need to stay abreast of policy changes and technological advancements and adapt their practices accordingly.

    What to Look For When Selecting an MFT Platform

    If you're a company considering sharing CUI, it's essential to be discerning when selecting secure file-sharing software. Selecting the right platform for this purpose is pivotal in supporting security, compliance, and efficient information management.

    Security and Data Management

    When considering platforms for sharing CUI, several key features stand out. First and foremost, security is paramount. This includes strong encryption for data both in transit and at rest. Using FIPS 140-2 validated encryption modules can significantly bolster the security of sensitive information.

    Alongside encryption, access control plays a crucial role. Role-based access control (RBAC) limits data access according to user roles, providing fine-grained permissions for different levels of interaction with CUI, from viewing to editing and sharing.

    Data management features, including automation for backups and disaster recovery capabilities, are also essential. Regular and automated backups ensure that data is not lost, while robust disaster recovery plans guarantee that operations can quickly resume in the event of a system failure or other disruption.


    Authentication and Identity Verification

    Authentication and identity verification measures are equally important. Multi-Factor Authentication (MFA) adds a valuable layer of security, requiring your users to provide two or more verification factors before accessing sensitive information. 

    Single Sign-On (SSO) capabilities are also beneficial, allowing seamless integration with enterprise identity providers and streamlining the access process.

    Compliance and Audit

    Compliance and auditing are other critical considerations. The chosen platform should align with federal standards like NIST SP 800-171 and industry-specific regulations such as CMMC. Furthermore, having comprehensive audit reporting and real-time monitoring systems helps in tracking user activities and identifying any potential security breaches promptly.

    IP address restrictions add a further safeguard: if an attacker stole an employee's login credentials and attempted to use them, access would still be denied because the request originates from an IP address outside the range allowed for your solution.
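    As an added example that is not code from Sharetru's platform or from the original article, the following Python sketch ties together the controls described in the Security and Data Management, Authentication, and Compliance and Audit sections above: an RBAC permission matrix, a required second factor, an IP allowlist, and an audit trail that records every decision. The role names, the allowlisted network range, and the usernames are constructed assumptions; in a real platform the password and second-factor results would come from the identity provider rather than being passed in as flags.

```python
"""Access decision for an MFT platform handling CUI.

Constructed example combining RBAC, MFA, an IP allowlist and an audit trail.
Not the code of any real product; role names, networks and users are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed role-to-permission matrix (assumption: three roles, three actions).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"view"},
    "editor": {"view", "edit"},
    "manager": {"view", "edit", "share"},
}


@dataclass(frozen=True)
class User:
    username: str
    role: str


@dataclass(frozen=True)
class AccessRequest:
    user: User
    action: str        # "view", "edit" or "share"
    source_ip: str
    password_ok: bool  # result of the password check, supplied by the identity layer
    mfa_ok: bool       # result of the second-factor check, supplied by the identity layer


@dataclass
class Policy:
    allowed_networks: List[str]  # CIDR allowlist for the tenant
    require_mfa: bool = True


# Append-only audit trail; one record per decision, allowed or denied.
AUDIT_LOG: List[Dict[str, str]] = []


def ip_allowed(source_ip: str, networks: List[str]) -> bool:
    """True if source_ip falls inside any allowlisted network."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(n) for n in networks)


def evaluate(req: AccessRequest, policy: Policy) -> Tuple[bool, str]:
    """Decide an access request and record the outcome in AUDIT_LOG.

    Checks run in a fixed order so that a stolen password alone never reaches
    the data: credentials, source address, second factor, then role permission.
    """
    if not req.password_ok:
        decision = (False, "bad_credentials")
    elif not ip_allowed(req.source_ip, policy.allowed_networks):
        decision = (False, "source_ip_not_allowed")
    elif policy.require_mfa and not req.mfa_ok:
        decision = (False, "mfa_required")
    elif req.action not in ROLE_PERMISSIONS.get(req.user.role, set()):
        decision = (False, "permission_denied")
    else:
        decision = (True, "allowed")
    AUDIT_LOG.append({
        "user": req.user.username,
        "action": req.action,
        "source_ip": req.source_ip,
        "result": decision[1],
    })
    return decision


def denials_for(username: str) -> int:
    """Count denied attempts for one user; a simple input for real-time alerting."""
    return sum(1 for e in AUDIT_LOG
               if e["user"] == username and e["result"] != "allowed")


if __name__ == "__main__":
    policy = Policy(allowed_networks=["203.0.113.0/24"])  # documentation range, constructed
    alice = User("alice", "manager")
    bob = User("bob", "viewer")
    # Normal use from the allowlisted range with a valid second factor.
    print(evaluate(AccessRequest(alice, "share", "203.0.113.10", True, True), policy))
    # Correct password replayed from outside the allowlist: denied at the IP check.
    print(evaluate(AccessRequest(alice, "view", "198.51.100.7", True, True), policy))
    # Valid login, but the viewer role does not carry the "share" permission.
    print(evaluate(AccessRequest(bob, "share", "203.0.113.11", True, True), policy))
    print("denials for alice:", denials_for("alice"))
```

    The order of the checks is the design point: the source-address test runs before the second factor is consulted, so a replayed password from an unexpected network is refused without ever prompting the legitimate user for an MFA code, and every refusal lands in the audit trail where monitoring can count it.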

    User Experience and Platform Interaction

    The ease of use of the platform is also fundamental. An intuitive user interface is key for adoption and usage by all of your team members — regardless of their technical proficiency.

    The platform should be designed with a focus on simplicity and clarity, so that your users can navigate it and perform the necessary tasks without extensive training. An interface that is easy to use speeds adoption across the organization and reduces the chance of errors in handling CUI.

    Platform interaction is a sizable component of the user experience. This includes support for established protocols like SFTP (Secure File Transfer Protocol), FTPS (File Transfer Protocol Secure), and FTPeS (Explicit FTP over TLS/SSL). These protocols are widely used across industries for secure file transfer and are essential for organizations whose existing infrastructure or processes are built on them. If you would like to learn more about the relevancy of legacy protocols like SFTP in 2023, check out our deep dive on the subject here.

    Aerospace and Defense CUI: Further Reading

    As part of our commitment to providing valuable resources on CUI management, we invite you to explore our new premium content offerings. This includes a comprehensive guide on CUI, an interactive quiz to test your and your employees’ knowledge, and 5 Case Studies to help participants link specific policies and procedures to different types of data.

    The management of CUI is a dynamic field, shaped by evolving policies, technological advancements, and the ever-present need to safeguard sensitive information. As we navigate these changes, it’s essential to rely on reputable sources for guidance and ongoing education.

    For official documents and guidelines, refer to:
