With the new year, there is another cybersecurity requirement that applies to all businesses, large or small, that are prime contractors or sub-contractors to the federal government. The requirement is known as CUI (Controlled Unclassified Information). Essentially it is an update to the information classification that was called SBU (Sensitive but Unclassified). Controlled information is the unclassified information that is related to your work as a federal contractor. This can be engineering drawings, reports, assessments, etc. It is information that you need to protect; for some, this definition can include PII (Personally Identifiable Information, i.e. tax identification numbers, addresses, names, SSNs, phone numbers, etc.), PHI (Protected Healthcare Information), credit card information or what is called PCI (Payment Card Information), and the list goes on. The intent of the regulation is to ensure the confidentiality of the information that resides on non-federal information systems.
As a federal contractor, the controlled information that you receive or hold should be plainly marked as CUI or Controlled, by a banner or other marking, so that as the recipient you have a clear understanding of what is CUI. In addition to what is clearly marked as CUI, there are other types of information that you may have as a result of your federal contract. This could be the information or the product you produce as a result of the contract. The reality is that CUI will not always be marked; nonetheless, the requirement is to protect CUI data.
As the title of this article implies, no matter your type of business you must be compliant with some set of regulations that are designed to protect information: your personal information, your employees' information, and your customers' information. To add to the confusion, there are a number of different regulations that require compliance. There are the federal NIST (National Institute of Science and Technology) 800 standards and the ISO (International Organization for Standards)/IEC (International Electrotechnical Commission) 27001 standards. In addition, there are state, municipal, and industry standards, and there are standards for business insurance.
The good thing about this mass of different compliance requirements is that they all address the same general threat, and at their core, the requirements are all about the same. No doubt one can argue that in detail the cybersecurity requirements for an electrical utility are vastly different from those for a bank. However, the principles of cybersecurity are universal in their application and implementation.
In terms of a business, the first thing to have is a written cybersecurity policy. The plan does not need to go to the level of a utility or a bank; it needs to provide a common-sense approach to protecting information and reducing risk. Second, there needs to be a cybersecurity culture. Cybersecurity is like an industrial or construction safety program: it is the safety culture that is established before the project and lasts throughout the project. Third, there needs to be a program management approach to cybersecurity, in that it is built into the system, it is built around standard requirements, and it complements the company's business strategy. It is also a plan that changes and evolves over time as the company changes and the threats evolve.
In terms of writing a cybersecurity plan, a good starting place would be the fourteen security families from the CUI requirement (NIST SP 800-171). As with most things, every expert in cybersecurity will have a list of requirements and recommended best practices. Nevertheless, these requirements cover the same ground. Using the NIST CUI requirement as a general outline is a reasonable point of departure.