Beyond CMMC. Why You Should Develop an Information Control Plan

The Opportunity

Defense contractors fulfilling CMMC requirements should also consider developing an information control plan. While CMMC certification evaluates systems, the plan addresses the information residing on those systems and networks.

Where NIST provides technical guidance and NISPOM addresses the protection of classified information, there is still a need to adequately protect other categories of information such as ITAR, CUI, FGI and proprietary information.

The Problem

Take a look at this paraphrase from Allen Dulles' book The Craft of Intelligence:

In the 1950s the US Congress was concerned that there was simply too much technical information available on government programs. From that concern, they commissioned researchers to assemble as much information from the public domain about a particular program as they could. The group scoured libraries, newsstands, TV, radio and other media common to the decade and provided a report. As a result, the government determined the information to be classified, safeguarded the information and disbanded the group. The lesson: intimate program details were not properly identified, marked and protected.

Here are a few examples of where this happens today.

  1. CMMC ratings evaluate a contractor's ability to protect data that resides on networks, devices and computers. However, the data residing on those protected networks and devices is not marked. CMMC measures the technical countermeasures that protect the data; the additional requirement is to "Develop a CUI program or information control plan complete with methods, policies and training." This usually falls to the IT manager, an expert in countermeasures who is not intimately familiar with the information being protected.
  2. An employee is required to provide white papers, pamphlets, or technical drawings for a public event such as a conference or publication. While the employee is an expert on their information, they may not understand which products (drawings, technical references, research results, etc.) are CUI, ITAR or proprietary. This area is usually controlled by a compliance officer, FSO, or other employee who may not be familiar with the technical information. When the employee uses technical drawings to produce the required products and no review is in place, there is a potential CUI or ITAR violation.
  3. Employees create work products, deliverables, purchase orders, etc., which are then distributed through shared drives, email or other public-facing methods. This becomes an issue when the reference documents, such as technical manuals, statements of work, or other source documents, are marked CUI, export controlled, or proprietary, but those markings are not carried into the derived products.

There are far more situations in which technical information is vulnerable than can be covered in one article. The three situations above alone can lead to information and data release violations if the correct measures are not taken.

Don't believe the hype

Let's use CUI as an example of what should be part of an information protection plan and how to apply it. There is bad advice going around that says "contractors are not authorized to determine CUI" or "contractors are not authorized to mark CUI on documents." Don't fall for this; it is your responsibility to identify, document and control information.

How to implement your own program

For example, while it is true that the government determines what information is CUI, contractors can derive CUI in products created from CUI source documents. Further, if a contractor is creating blueprints or providing a product using a source document marked CUI or export controlled, then the markings on that source should carry over to the new creation.

Unfortunately, sensitive information derived by contractors is not always carried over into work instructions, purchase orders, technical drawings, or other products. The solution cannot be limited to the technical controls found in NIST; rather, it should include the other requirements for applying an information control plan with the following objectives:

  1. Identify or recognize source products
  2. Train employees to identify protected source documents
  3. Label and catalog decisions
  4. Develop a public release review process to ensure protected information is not released
  5. Publish policies and training to ensure the program is complete
  6. Implement self-inspection

The work effort is huge, but rewarding. It involves working groups, records and accountability.

However, you might consider getting assistance. While third-party services ensure NIST compliance and perform CMMC reviews, they do not create CUI programs or information control plans as described above. If you need assistance with developing your program, please reach out to us.
