A recent FCW article, “GSA signals new cyber rules for contractors,” examined GSA plans to further bolster cybersecurity protections and reporting requirements for contractors.

Currently, the new NIST specification NIST 800-171 provides guidelines for all DoD contractors that process, store or transmit Controlled Unclassified Information (CUI). These contractors must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards or risk losing their DoD contracts.

CUI refers to information that is unclassified but that requires protection for reasons other than national security, such as privacy, proprietary concerns, law enforcement sensitivity, and so on.

The article described how under a new GSA Acquisition Regulation, contractors will be required to further “protect the confidentiality, integrity, and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities, and threats” in accordance with FISMA and other federal laws and rules. It means they will now have to start reporting breaches and incidents within certain timeframes or face significant fines and/or loss of contracts.

Ultimately, this is all about data protection, which is a good thing. Whatever cyber protections FISMA requires are now also required of contractors.

But what the article did not address is the growing confusion around what constitutes CUI.

Established by Obama in 2010, CUI was intended to simplify, standardize and streamline the profusion of security policies for unclassified information. But in the past few years, more than 100 separate and sometimes conflicting policies for such information have been put in place.

Earlier this month, officials from several large agencies — including CIA, DOJ, DHS and DOD — raised a series of objections to the CUI program related to many unresolved issues that must be addressed before CUI implementation can go forward.

These are said to include inadequately defined governance of the program, financial costs thought to be in the billions of dollars, gaps in coverage affecting certain types of information, and commingling of CUI and classified information that will make proper marking of documents excessively long and complicated.

For contractors who do not understand what constitutes CUI, and who are now required to begin reporting incidents and breaches, it means they do not even know where to begin or what to monitor for.

The whole issue of CUI raises an interesting comparison to the advent of the General Data Protection Regulation (GDPR) in Europe.


GDPR is sweeping new legislation designed to strengthen and unify data protection for all individuals within the European Union.

GDPR aims to give people more say over what companies can do with their personal data and to simplify the regulatory environment for multinational companies by unifying the regulation within the EU. By making data protection rules more or less identical throughout the EU, and backed by tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.

In a nutshell, GDPR requires businesses to “prove” that the user has given consent to store their data and has the ability to move or release the storage of their data at any time.

GDPR law applies specifically to the “controllers” and “processors” of data that businesses utilize to abide by the GDPR. The controller defines how and why personal data is processed and provides the proof of consent to use the EU citizens' data. GDPR compliance hinges upon the “controller” that ensures personal data is processed lawfully, transparently, and for a specific purpose. Non-compliance results in fines and may disallow the organization from doing business in the EU.

Is the new CUI requirement like GDPR for contractors? Could it be a first step toward broader GDPR-like controls for the US?

Only time, and the success or failure of GDPR in Europe, will tell.