What CUI means for DoD Contractors and Subcontractors

Aug 24, 2018 | Compliance

SOCSoter wrote the following information regarding their service offerings in CUI Compliance. Duffy Compliance Services, LLC is a premier value-add partner on the SOCSoter products and knows the value they bring to meeting the security controls described in this article for CUI compliance. You can learn more about DCS and CUI compliance by visiting our CUI Compliance page.

CUI Compliance Background

Defense Federal Acquisition Regulation Supplement: DFARS 252.204-7012 is a cybersecurity rule issued by the Department of Defense (DoD) titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” The DFARS clause requires all DoD contractors and subcontractors, regardless of size, to comply with two key information security requirements: (1) Adequate Security and (2) Incident Reporting. This impacts every DoD contractor and subcontractor, in high- and low-tech environments, regardless of the nature of the work, so long as “covered defense information” (CDI) is involved.

DFARS clause 252.204-7012 clarifies what CDI is. It is defined as any unclassified information that is provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or that is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. DFARS clause 252.204-7012 also clarifies the categories of information that make up “covered defense information” and defines Controlled Unclassified Information as described in the CUI registry: https://www.archives.gov/cui/registry/category-list.

What are the requirements?

NIST SP 800-171 defines 110 controls in 14 security requirement categories, which include both cyber and physical security standards. Some controls may be met through process or policy; others will require a technology solution.

The consequences of not complying with the CUI Compliance requirements may include breach of contract, termination for default, termination for convenience, and a poor past performance rating. Additionally, if a cyber-attack or data breach does occur and you are not compliant, there could be liquidated damages of up to $5,000 per affected individual. Contractors and subcontractors struggling with cyber and IT requirements should be mindful of the government’s broad suspension and debarment powers.

SOCSoter services specifically help with CUI Compliance

Using SOCSoter’s CYBERDEFENSE, Advance Threat Detection, Compliance, Vulnerability Monitoring, and Professional services, we can help DoD contractors directly comply with the following security controls outlined in NIST SP 800-171 for CUI Compliance: