3 Common Questions Regarding the Handling of CUI: Part 1
When considering RegDOX’s patented cloud solution for ITAR and DFARS compliant handling of federally defined Controlled Unclassified Information (CUI), many companies come to us with a series of questions that can be summarized in three general categories:
- What are the regulations that cover CUI?
- Can you give us a brief review of how the RegDOX secure data room solution enables compliance with those regulations?
- How can RegDOX assist in achieving full compliance for organizations handling CUI?
This is the first part of a three-part series that will briefly and separately answer those questions.
Question 1: What are the regulations that cover CUI?
Any company seeking secure, compliant, and collaborative storage of CUI should begin with an understanding of the ITAR, EAR, and DFARS regulations. While these are not the entirety of the rules, regulations, and statutes affecting CUI, they are the key elements most companies must address to achieve compliance. Here’s what they are:
The International Traffic in Arms Regulations (ITAR)
ITAR regulates the export of “defense articles and services” with the objective of keeping those materials out of the hands of foreign nationals unless properly licensed. In addition to physical items (“hardware”), ITAR also controls technical data and sometimes specific services. These regulations apply to government contractors and subcontractors, and the articles and services covered by these regulations are outlined in the United States Munitions List (USML). The USML currently covers 21 different categories of products, services, and technical data.
It’s important to understand that ITAR controls more than just exports. Re-exports, temporary exports, and temporary imports also fall under this regulation. Furthermore, an “export” can occur by a U.S. Person intentionally or unintentionally disseminating controlled information to a foreign person without a proper license – even if that transfer occurs within the same company and within the United States.
Finally, the Directorate of Defense Trade Controls (DDTC), which enforces these regulations, addresses a critical concept it identifies as “Deemed Exports.” Deemed Exports define and address the “mishandling” of ITAR technical data in a manner that could result in a prohibited export to an unlicensed non-U.S. Person, even though the actual disclosure might not have occurred. For example, even when technical data is exported to a permitted recipient, an ITAR violation can exist if the export is handled in a manner in which the data could be exposed. Similarly, if ITAR technical data is handled in a manner in which it could be readily exposed to non-U.S. persons, an ITAR violation will be found.
The Export Administration Regulations (EAR)
Generally, the EAR covers the commercial components of imports and exports. It normally applies to dual-use items – items that are available both for commercial and government use, like GPS systems. Items subject to the EAR are listed on the Commerce Control List (CCL) in product or service categories.
Both ITAR and EAR regulations have the same goal: “To protect the national security of the United States by preventing the unauthorized export of controlled items to foreign persons.” Or, in other words, to protect sensitive materials or items from falling into the wrong hands.
The Defense Federal Acquisition Regulation Supplement (DFARS)
The DFARS is the Defense Department’s supplement to the Federal Acquisition Regulations (FAR). This supplement requires direct and indirect defense contractors to comply with specific cybersecurity requirements governing CUI, Controlled Technical Information (CTI), or Covered Defense Information (CDI).
Those requirements involve adherence to the 14 families of controls found in the National Institute of Standards and Technology’s (NIST) special publication, NIST SP 800-171, although there are separate requirements found in the DFARS themselves, such as DFARS clause 252.204-7012.
In February 2021, NIST issued an additional publication, NIST SP 800-172, which has enhanced requirements for some of the specific controls found in ten of the 14 SP 800-171 families of controls. With this new publication, the reference standards for DFARS compliance exist in both SP 800-171 and SP 800-172. They both detail how system administrators should best configure networks and which security practices provide additional protection from advanced persistent threats (APTs).
SP 800-172 itself codifies cybersecurity requirements that have been introduced by another initiative of the Defense Department: The Cybersecurity Maturity Model Certification (CMMC). Requirements of the CMMC include the assessment of organizational cybersecurity practices and processes through five CMMC levels, established in January 2020, while SPs 800-171 and 800-172 concentrate on the assessment of contractors’ technical systems and practices.
Cybersecurity compliance for the Defense Department extends beyond SPs 800-171 and 172, DFARS, and CMMC publications. The Cloud Computing Security Requirements Guide (CC SRG), published by the Defense Department in March 2017, remains in effect and covers any cloud service handling CUI. The CC SRG expressly includes ITAR/EAR-controlled data, referred to in that publication as “export-controlled information.”
The CC SRG describes four impact levels of cybersecurity and operational compliance for defense contractors, subcontractors, and their cloud vendors. Those levels are identified as levels 2, 4, 5, and 6. Level 4 applies to most CUI and contains restrictions that go beyond what is required by ITAR and EAR. For example, a 2020 amendment to ITAR allows certain unlicensed transmissions of encrypted export-controlled data outside of the U.S., but this remains prohibited by the CC SRG unless explicit authorization is granted.
It’s Just The Starting Point
For prospective DOD contractors, the regulatory apparatus they are required to comply with can be daunting at first glance. ITAR, EAR, and DFARS are the key pieces of that regulatory machinery. While this article only scratches the surface of each regulation, it should serve as a starting point for those new to complying with federal export and DOD regulations. In our next article, we will cover the ways RegDOX can provide secure data room solutions that allow you to achieve that compliance.