While no regulations concerning CUI (controlled unclassified information) have come out yet, they are expected in 2017. Agencies like the Department of Homeland Security are already changing their own acquisition regulations. From our perspective as not only a Defense Contractor but also a Compliance Provider, there are certain things we expect to see in those forthcoming regulations.
Our expectations are based on the September 2016 National Archives final rule (32 CFR Part 2002) that established a baseline for how contractors and agencies are required to treat CUI. One function of the rule is to ensure that contractors and agencies mark and handle unclassified information the same way. This means that documents which may previously have been marked "proprietary" or "for official use only (FOUO)" will now be marked as CUI.
Now, you may be thinking, "What does this mean for my business?" Good question, but the honest answer is that it depends. Without knowing what the regulations will include, we cannot know how much effort it will take to become compliant with them.
BUT based on our experience with the DFARS 252.204-7012 compliance process for safeguarding UCTI (unclassified controlled technical information), we can tell you that the process for CUI compliance should be very much the same.
For practical purposes, CUI and UCTI can be treated alike: UCTI is one category of CUI, and both refer to contract-sensitive, unclassified data. While the data may be unclassified, the government still wants it protected whether at rest in your network (data stored in files, databases, emails, etc.) or in transit (being sent across your network or to outside systems).
Most importantly: while older contracts may not carry markings that identify your compliance requirements regarding UCTI/CUI, new contracts will. You have to be prepared either way.