Ever since the Department of Defense announced CMMC for DoD contractors, there has been confusion across the Defense Industrial Base (DIB) supply chain. Prime contractors and subcontractors alike are unsure what the term "Basic" means for DoD vendor cybersecurity. Federal Acquisition Regulation clause 52.204-21 lists 15 basic safeguarding requirements that every government contractor must implement to protect the Federal Contract Information (FCI) it handles; CMMC maps those 15 requirements to 17 NIST SP 800-171 controls, which is why the industry shorthand is "FAR 17."
FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. FCI does not include information the government releases to the public (for example, on public websites) or simple transactional information, such as what is needed to process payments. In practice, FCI is any information about a federal contract that you would not disclose to the general public. To safeguard FCI, all DoD suppliers must implement the FAR 17 Basic Safeguards.
What is the Difference between Basic vs. Specified CUI?
Controlled Unclassified Information, or CUI, is a more sensitive subset of FCI handled by some members of the DoD supply chain, commonly known as the DIB. A contractor may handle CUI as part of its work when the DoD FAR Supplement clause DFARS 252.204-7012 (DFARS 7012) is included in the contract.
According to the Department of Defense’s CUI Training, there are two primary forms of CUI: Controlled Unclassified Information Basic and Controlled Unclassified Information Specified.
CUI Basic is the subset of CUI for which the authorizing law, regulation, or government-wide policy does not set out specific handling or dissemination controls.
DoD agencies handle CUI Basic according to the uniform set of rules laid out in the DoD CUI Registry and the governing DoD Instruction (DoDI).
CUI Specified is the subset of CUI for which the authorizing law, regulation, or government-wide policy contains specific handling controls that agencies must or may apply, in addition to or different from those that apply to CUI Basic.
The handling restrictions for CUI Specified (SP) data are set by the underlying authority. The distinction between CUI Basic and CUI Specified matters especially for contractors when marking CUI, because some kinds of CUI Specified require additional markings mandated by the DoD. For CMMC compliance, a contractor must therefore determine carefully whether the CUI it handles is Basic or Specified.
What is the difference between NIST SP 800-171 Basic and Derived Security Requirements?
DIB members whose contracts include DFARS 7012 must adopt additional cyber safeguards to protect the sensitive data they process, store, or transmit. Those safeguards are the security requirements of NIST SP 800-171. NIST SP 800-171 (Revision 2) specifies 110 requirements, or controls; 17 of the 110 correspond to the FAR 17 basic safeguards.
To comply with DFARS 7012, DoD suppliers must implement all 110 controls, although some primes urge their vendors to prioritize implementing the Basic Security Requirements first.
NIST SP 800-171 groups the 110 controls into 14 families, and each family contains at least one basic security requirement; there are 31 basic requirements in total, taken from the high-level security requirements in FIPS 200. The remaining 79 controls are "derived" security requirements, developed from the security controls in NIST SP 800-53, that supplement the basic requirements.