Recently I participated in the National Defense Industrial Association (NDIA) Cyber Division’s Cyber Law and Policy Committee tabletop exercise on the identification and treatment of Controlled Unclassified Information (CUI) for purposes of compliance with DFARS 252.204-7012, Safeguarding covered defense information and cyber incident reporting, and the new Interim DFARS rules, 252.204-7019 and 252.204-7020, on Basic Assessment and Cybersecurity Maturity Model Certification (CMMC).
Co-chair Rolando Sanchez and I wrote the following article on CUI identification and handling which was published in the April 7, 2021 National Defense Magazine: https://www.nationaldefensemagazine.org/articles/2021/4/7/controlled-unclassified-information—the-devil-is-in-the-details .
We are planning another NDIA exercise on cyber incident handling for the late April/May timeframe. Cybersecurity is an evolving area and government contractors at all tiers have become targets of cyber criminals, terrorists, and nation states. Staying ahead of the curve, knowing what data you have and your requirements to protect that data, and taking steps to ensure compliance, make for sound cyber hygiene and good business.
This article was published in NDIA Defense Magazine and reprinted here with their permission. Rolando Sanchez is co-author.