The Department of Defense definition of CUI, or Controlled Unclassified Information, is challenging for most small and medium manufacturers to grapple with. NIST Special Publication 800-171 sets out the requirements for CUI under the title “Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.” The security requirements of 800-171 apply to all components of nonfederal systems and organizations that process, store or transmit CUI, or that provide security protection for such components. I will walk through the various standards and definitions to highlight the specifics that affect manufacturers who need to comply with the NIST cybersecurity guidelines. While this background currently applies to commercial manufacturing under DoD contracts, similar guidance and definitions are in draft or under consideration for other verticals, including financial services, healthcare, food safety, automotive and related industries.
What is CUI? According to the National Archives, “Only information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies may be CUI. This excludes all information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended.” In commercial manufacturing, the requirements apply to anything other than pure COTS (Commercial Off-The-Shelf) procurements; a COTS product that has been modified for the government is no longer COTS. The practical extension is that any organization providing a product or solution designed for, or modified for, the government should treat the information associated with it as potentially CUI. Under the DFARS clause, the covered information is information that is either (i) provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or (ii) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and that falls in any of the following categories: (i) controlled technical information, (ii) critical information (operations security), (iii) export control, or (iv) any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies (e.g., privacy, proprietary business information).
How do you protect CUI? Provide adequate security to safeguard covered defense information that resides on or transits through a contractor’s internal information system or network. Adequate security is defined as implementation of NIST SP 800-171, whose 110 security requirements are organized into 14 families, and was required by December 31, 2017. Compliance with 800-171 means every requirement is implemented, except where a deviation or alternative measure has been approved in writing by the DoD CIO. A contractor documents how each requirement is implemented in a System Security Plan (SSP) and lists any unimplemented requirements, with target dates, in a Plan of Action and Milestones (POA&M); the requiring activity can use these documents in its risk management decision about whether its supply chain protects CUI adequately.
Cyber incidents are another component of the compliance or CUI program. A cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. “Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
What steps must be taken if a cyber incident occurs? Affected parties must:
Cyber improvement for critical infrastructure and the supply chain is no longer optional; it has become a contractual requirement. We are seeing more and more cyberattacks on this market segment that result in the rapid, often undetected theft of intellectual property, data and designs. Copied and counterfeit products, parts and infrastructure damage the US economy.
The extension of the standards to other vertical markets is not a question of “if,” but a question of “when.” Prepare to adopt the NIST framework in every vertical market as a measurable, identifiable and comprehensive approach to understanding the cyber posture of any organization.
*Nationalarchives.gov
**DFARS Clause 252.204-7012(c)(1)
Cytellix® Cyber Watch Platform (C-CWP™)
C-CWP™ provides value by first baselining the true cyber posture of our customers. We then move toward a cybersecurity mesh architecture of integrated continuous improvement that aligns with business objectives. C-CWP™ is an interoperable and open platform designed to adapt as posture and the threat landscape change. C-CWP™ is delivered as a complete “turnkey” outsourced service or in combination with internal teams and previously purchased security capabilities.
Cytellix® Endpoint Detection Response (C-EDR™)
Cytellix® Endpoint Detection & Response (C-EDR™) is a flexible solution that can be used standalone, supports bring-your-own-license, or can be provided turnkey as a complete managed solution together with our C-GRC™, C-MDR™, XDR and 24x7x365 SOC managed turnkey solutions. The Cytellix turnkey C-EDR™ is an enterprise-grade solution that is complete and fully integrated with the Cytellix platform.
Cytellix® Governance Risk & Compliance (C-GRC™) & IT Risk Management (IRM)
Risk management requirements are evolving as compliance risk shifts toward the regulatory impact on business processes. The demand on organizations to understand their cybersecurity posture, report status and meet regulatory obligations is driving demand across enterprises of every size, small to large, for a non-technical, turnkey, all-inclusive platform.
Cytellix® Managed Detection Response (C-MDR™)
Patented technology compiles information from vulnerability, governance, risk and compliance assessments, event data, and analytics, and delivers real-time analysis, including continuous-improvement visualization and a scorecard.
Extended Detection Response (C-XDR™)
The Cytellix® Extended Detection Response (C-XDR™) solution leverages our flagship Cytellix Cyber Watch Platform (C-CWP™) as a turnkey compliance, awareness and response platform. Our C-XDR™ includes vulnerability management, device profiling, network segmentation, asset discovery, threat intelligence, leak detection, EDR, pre-defined use cases for log ingestion and correlation of threats, and our USA-based 24x7x365 Security Operations Center (SOC). The Cytellix platform leverages our in-house AI/ML models for real-time telemetry, threat discovery/hunting and ticket reduction. This is a complete turnkey, affordable XDR solution.
Cybersecurity for Small and Medium Business
Cytellix® has designed its platform to enable small and medium businesses to adopt it quickly, with low friction and at an affordable price. We have found that both regulatory compliance with cybersecurity frameworks and building high-quality cybersecurity monitoring and infrastructure are a significant time, resource and expense burden for SMBs.
The Cytellix® team of experts has been delivering cybersecurity for the past 15 years to some of the largest networks in the world. This expertise is delivered to our SMB customers as an affordable, precise, and comprehensive solution designed for organizations that need to comply with cybersecurity regulatory requirements. There is no other fully integrated GRC, MDR, XDR, EDR single-pane-of-glass solution that is as rich in capabilities, as easy to use and available in production today.
Cytellix® - Patent Pending. All Rights are Reserved By Cytellix®