DFARS 252.204-7012 (Implementing NIST 800-171) is a hefty regulation to wade through on your own. That’s what we’re here for! Let’s start with the first question burning in your mind, “What is UCTI?”
There are two terms thrown around that are synonymous with contract-sensitive, but unclassified, information: UCTI (Unclassified Controlled Technical Information) and CUI (Controlled Unclassified Information). Both apply whether the contract-sensitive information is at rest in your network (data stored in files, databases, emails, etc.) or in transit (being sent through your network). New contracts will have markups that identify your DFARS compliance requirements, but some older ones that have not been modified and re-issued may not. Either way, you need to be proactive and treat all contracts as having this requirement.
From the CUI Registry website, under the Controlled Technical Information category, examples of this data include: “…information including research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.”
“But I use a government computer:”
To clarify an important point: if you have employees who work on government-supplied systems, then those computers are the government’s problem, not yours (smile/deep breath!). BUT if those employees copy or send the data they are working on to your company’s non-government-supplied systems, then those target systems must meet compliance. Unless your computer systems live in a bubble, it is very likely that at some point UCTI transited through your systems and is likely stored there – somewhere. That means you DO have a DFARS requirement.
Lastly, READ YOUR CONTRACTS:
If there is one thing you HAVE to understand about the DFARS 252.204-7012 (Implementing NIST 800-171) regulation, it is this: it is in your contracts, if not now, then soon.
The same deadline applies to you regardless of the time or manner in which the regulation appears in your contracts. Read your contracts, or have your contracts administrator review them, for the terms and language described above. It is likely there in some form or fashion. If not, the next proposal your company teams up for is sure to have DFARS 252.204-7012 (Implementing NIST 800-171) compliance language as a condition of the contract. Most importantly, contractors must understand that any new contracts will definitely carry DFARS statements.
Assuming you, as a defense contractor, wish to stay in the defense contracting business, you must get compliant ASAP.