CUI on the Peripheral of CMMC
Allison Giddens
President, Operations (SMB Manufacturing) | Community Volunteer | Humorist
As many manufacturers continue to improve their cyber posture, CMMC changes are on the horizon. But even as CMMC evolves, manufacturers have a responsibility to consider CUI and where it moves outside of typical day-to-day operations.
For a while now, I've been wondering how many non-cyber-related business practices will change because of CMMC. Here are three that I've been mulling over.
To my fellow small business manufacturers: Are these concerns on your radar? If so, how are you handling them?
Tax Accountants
If you are a manufacturer taking advantage of the R&D tax credit, chances are, you share a substantial amount of data with your accountant. Have you checked to see what type of data that is, by chance? ITAR? FOUO? ...CUI? Do they require you to send prints and specifications, along with projects and details on your processes? What type of notes are they taking when you talk?
Chances are (or at least, I hope) you send data to them via a secure file share, but mainly because it is proprietary business data, not because anyone has asked whether it is CUI. How are they storing the data? Where are they storing it? Who is analyzing it? When they produce their analysis and summary, what information is shared with the IRS?
...does your accountant plan on pursuing CMMC? Or will you move to one who does? How much will that cost?
Or will you need to start removing any projects related to CUI from your R&D reports?
How much will this affect the tax credit you claim?
ISO, AS, and NADCAP Assessors
Assessors and auditors must collect objective evidence as they assess compliance against industry standard certifications like ISO 9001, AS9100, and NADCAP. There's little way around that: the evidence is what justifies their recommendation for certification (or not).
So, what's the risk of incidental exposure to CUI? Or of the assessors handling and copying that data as their objective evidence?
In an email to the DIB CS Program on this very subject, the response I received was:
"If the audit your company is undergoing has to do with DoD, or any executive branch agency, and they're assessing you to requirements and controls, then the auditors have a lawful government purpose and are authorized to see CUI. All auditors with a lawful government purpose should have received the proper DoD training on the handling of CUI prior to reviewing any CUI information."
The assessors in my inquiry sit on the outskirts of that answer. What about the third-party assessors who serve as your "internal auditors" before the actual audit? Have you checked their credentials lately?
"All auditors with a lawful government purpose" - does this include international accrediting bodies like DNV, BSI, etc.? And is the onus now on the manufacturer to confirm that those individuals (often contractors) have received the proper DoD training on the handling of CUI before contracting with them?
Or will this be yet just another cost of doing business?
Media & Marketing
While we don't really know what CUI is, we kind of do know what CUI is. (There is a formal definition in 32 CFR Part 2002, and the categories are listed in the NARA CUI Registry, but that rarely helps on the shop floor.) When someone asks me to define it in layman's terms, my response is: "Any government information you wouldn't want the bad guys to have." A horrible oversimplification, but until CUI is actually marked as CUI, I think it's as good a definition as any.
So, what things are out there that the "bad guys" already have? And what do we need to stop advertising?
What CUI do we as manufacturers have on our websites, proudly boasted in our marketing?
It's not all on us, you know.
What CUI do news media articles feature, whether it's in a crisp up-close shot of an F-35 component, or a detailed text description of the next stealth bomber?
Who polices that?
Or, do we just all assume that anything designed prior to a certain date is already "out there" and instead stay focused on the non-spoiled CUI?
Whatever the answer is, I don't believe it means we change course on prioritizing cybersecurity in our own organizations.
And none of this is meant to say that manufacturers should not take advantage of an R&D tax credit, or use outside assessors to help them prepare for an industry-standard assessment [that isn't CMMC related]. This brain dump simply suggests that manufacturers analyze exactly what they are sharing today as a part of doing business, with whom, and how that may change in the months to come.
Do you think these costs are expensive now?
Just wait.
----
Allison Giddens is the President, Operations of a small aerospace machine shop in the Southeast. She over-plans and she's proud of it.
Cybersecurity professional supporting the mission to prevent activities of consequence that impact national security;
3 years ago: Allison Giddens, I really like where your brain is regarding this article. These are all valid points and good things to think about despite the gray areas.
Director/CTO at Nupress Group
3 years ago: As a manufacturer outside of the USA it is even tougher for us. We handle CUI as part of the global supply chain for US Primes and are required to have cyber security systems compliant to NIST 800-171 and eventually CMMC. However, at this point there is no auditing body for CMMC in Australia and no plans at this stage for how audits will happen for global supply chain partners. As for Quality auditors, they cannot have access to the CUI. They are there to assess a company's ability to execute processes that are part of the configuration management plan or generic to AS9100. Access to CUI is only available to those specifically listed as a sub-licensee on the MLA or TAA. The biggest cost that I see is in the audit and assessment of logs. This is a very expensive process for an SME, particularly when an MSP is used.
Global VP Cybersecurity Risk Management | European Deputy General Manager | Counsel Appointed Cyber Adviser | U.S DoD CMMC AB Plank Member | Founder and Partner | Chartered Security Professional and Assessor
3 years ago: If FAR regulation develops and covers CUI, the challenges faced by the Federal government increase significantly.
Strategic Alliance Manager @ NeoSystems LLC | Co-Founder CMMC Advisors, Inc. | DDN Board Advisor | CMMC Provisional Assessor, CCA, and CCP
3 years ago: Allison, very nice article. It really highlights the importance of CUI marking, data classification, and applying the least-privilege best practice of providing only the information that suppliers and vendors require to provide their product or service. There will be potential liability for the supplier if their tax accountant, janitor, or other vendor that has access shares the CUI with unauthorized users. This will be a huge challenge for every supplier: to identify and verify their own suppliers' security and compliance. So tax accountants, janitors, and outsourced service providers who achieve CMMC certification will be seen as lower risk and will create their own competitive advantage to win more business with the DIB.
Ain’t Nobody Got Time for Data Breaches!
3 years ago: What would we do without Allison Giddens and Jacob Horne?