Insights from Bob Metzger: CUI, CMMC, and the importance of cybersecurity
Bob Metzger chats with C3 CRO Bill Wootton about controlled unclassified information (CUI), who's responsible for it, who marks it, how do you handle it, and its role in both CMMC and cybersecurity in general.
The information provided in this video does not, and is not intended to, constitute legal advice; instead, all information, content, and opinions expressed in this video should be considered discussion for the purposes of public interest only.
Bill Wootton: Hi, I’m Bill Wootton, Chief Revenue Officer of C3 Integrated Solutions. And recently, I had the pleasure of sitting down with the legendary Bob Metzger, a well-respected authority on government security laws and regulations related to the defense industrial base, as well as CMMC. Now, as a member of CMMC, C3 Integrated Solutions’ Board of Directors, Bob’s already provided us a tremendous amount of value towards our strategy and direction.
And we thought it would be great to give him the opportunity to do the same for you. Let’s listen in on what Bob had to say about controlled unclassified information, who’s responsible for it, who marks it, and how do you handle it.
So Bob, CMMC is all about protecting controlled unclassified information. One of the questions we get all the time is who’s responsible for marking CUI?
Bob Metzger: I get this question all the time too, and it drives me nuts, and it has for years. You know, I have some history here. I mean, I’ve been involved in this issue, I think, since the time of the draft of what became 7012.
And I’ve worked with people at NARA over years, you know, on the CUI program and regulations. I have always thought, and this reflects a legal background, that CUI was stuff that the government has to designate. The underlying law, regulation, and policy that, that determines what is CUI, those are things that apply to government agencies.
It’s not the job of individual contractors to look across the landscape of their present and historical information and try to guess themselves whether this, that, or the next piece of data conforms to something in the NARA CUI registry. If you actually get into the NARA program, and you look at the registry, and you look at the CIA and the CUI initiatives of different federal agencies, including DOD, there’s an enormous amount of obligations, process, policy, and training that’s expected of federal personnel to know how to identify, designate CUI, mark it, communicate it, and transmit it and protect it.
What that suggests to me is that it’s their job, but no one has ever made that completely clear to defense contractors. And I suspect this is a kind of a form of benign but knowing neglect. I have no doubt that people in DoD recognize that contractors are uncertain what is CUI they must protect and what isn’t.
And they probably figure that it’s better overall if contractors who are in doubt decide to protect more. Well, I agree with that from a sort of a security standpoint. What I advise real clients in the real world is this. It’s the government’s job to identify and designate CUI and when they communicate it to you to inform you that it is CUI.
There should be the proper markings or attached descriptions. The government can, by special contract terms, shift that responsibility to you, but the DFARS Clause itself is not such a term. I’ve said that legally, I don’t think the government can enforce a position that you, contractor, have to figure out what is their CUI.
I’ve also said to every contractor for years that if your organization can accommodate treating all sensitive information as though it were CUI and raising the bar of security so that more information is better protected, you should. But there’s a difference between what you should do, even if it’s in your business interest and what you must do legally.
But here I want to add one more point that’s critical. At one time, Bill, you and I have asked the question, well, what can the government enforce? Well, could the government today enforce a claim against a contractor who didn’t designate CUI, which it had created or received, but where the government had not made such an identification?
I don’t think they can enforce that. But contractors are now looking towards a required assessment. And some are going through the Voluntary Joint Surveillance Assessment program now. Well, if an assessor or DIBCAC decides that a company hasn’t properly reached to cover CUI, even if the company objects that the information wasn’t properly designated by a government official, there we have a problem.
Because a company conceivably may or will fail an assessment. If some assessor decides that, well, CUI is anything that looks, feels, smells, or sounds like any one of the NARA categories, I don’t like this. I believe it’s much better for companies to focus their resources, especially security resources, on information which the government has identified as CUI.
I don’t believe companies should be put through the hunt, search, and guess effort that inevitably accompanies trying to do it yourself. I believe that the confusion over what is CUI and the uncertainty as to whose responsibility it is to decide, I think that wastes money. This is an elevation of bureaucratic process over the achievement of the important desired results.
Bill Wootton: Such a great perspective on all of that. What should a contractor do if they receive information that they believe very well could be and should be marked CUI, but it’s not? What should they do in that situation?
Bob Metzger: Well, the easy advice is to call your contracting officer [corrected] or get in touch with your prime contractor and ask them for clarification.
But we have a problem here, Houston, if you will. DOD is seeking to improve the training of its contracting officers so that they’re better able to make the CUI decisions. Credit to them. Maybe some of the primes have done a good job at teaching their own subcontractor purchasing administrators. But, you know, more often than not, when you ask those kinds of questions of people who might have some responsibility but don’t have a lot of training, you know what the default is.
Well, if you’re asking the question, it must be CUI. That’s not really helpful. You know, there are a fair amount of nuances that go into just deciding who has the responsibility. And there’s an awful lot of nuance that can be included in making the determination decision. Legally, CUI is information which a federal agency must protect under FISMA or by operation of other statute, regulation, or government-wide policy.
Well, just how many contractors out there are fully familiar with statutes, regulations, and government-wide policies that might apply? If you remember that, what, there’s something like 21 major categories of CUI. I mean, the proposition that any contractor would be especially familiar with what might be transportation security information is pretty unlikely.
Now, in contrast, most defense contractors should be able to readily identify two types of information which they should protect. One is controlled technical information of military and space significance, and another is export controlled information. You’re already subject to independent sourced obligations for export control. If you’re in the defense business, you ought to know what is CU… CTI and both of those are among the categories of CUI.
So what I tell when I have conversations with clients where we’re focusing upon the best outcome, also try to be compliant, what I typically say is let’s make sure that we do identify CTI and where in doubt, if we can, let’s protect that CTI using the same measures that we would protect controlled unclassified information.
Same as to export control, but not to overcomplicate this, Bill. Many contractors have export controlled information for products or services or technology that they do not in fact export, which they have never shared with the government and for which the government has paid nothing.
If a company develops a propeller, and it only sells the propeller to the government, the underlying design information would be export controlled, but it’s never been exported. And so there’s no obligation other than not to export it without a license. Is that CUI? Well, I mean, I could make a good argument that if the government didn’t create it and they haven’t legally and properly designated it, even though it’s information that absolutely should be protected, it’s not CUI. And by the same token, many companies will have, you know, technologies, which they may create, employ and improve over time in which they contribute to the performance of their government contracts. Well, if that represents your independent research and development, or the accumulation of your expertise and know how over time, absolutely you should protect it for the sake of your business.
To protect the value of your owners and shareholders, to keep Chinese from getting it, or ransomware attackers from stealing it, you should protect it. But is it CUI if there’s no connection to the government other than your employment in the course of performance? I don’t think it’s CUI legally.
Bill Wootton: So it’s such an interesting concept and an interesting view on that because there are certain controls, certain requirements around protecting export controlled data around data residency, data sovereignty that effectively run parallel to the CUI conversation.
And to your point, even in parallel to the intellectual property, there are three different categories with three different maybe requirements or things that you’re trying to protect. Don’t necessarily overlap or mean one equals the other on that.
Bob Metzger: Right. Now look, not to lecture here. I was, I’m a lapsed academic, although it was a long time ago.
Export control is a very important obligation. It existed before CMMC. It still does. It has its own enforcement regime. It’s the obligation of contractors who have information that would be subject to USML, the EX, or the EAR and the commerce control list. It’s your obligation not to export that or make it available to foreign persons except in accordance with a proper license, and that obligation exists completely independent of CMMC.
You don’t need CMMC to make companies protect that information, they have to already. And as to intellectual property, this is a matter of business prudence. It’s if a company is creating innovative technology, especially in some of the new and emerging technologies of greatest interest to the U.S. as well as to China, your leadership would be foolish if they were not to take powerful measures to protect it, because it is an inviting target.
People do and will and have stolen information just like that to essentially bypass your advantage and create competitors or defeat you in the marketplace. That’s a matter of business prudence, but it’s still that business prudence and the common sense of protecting your valuable assets does not need CMMC for that information to be protected.
Bill Wootton: That’s a great point that it’s, it is the business interest of protecting this data. Unfortunately, we do see times where a very innovative company, maybe they’re in the SBIR program isn’t yet subject to some of the rules and therefore they’re not paying attention to it. We wind up having to coach them and talk to them about just exactly your point that there is business value to that data beyond what maybe the government’s requiring is a minimum at that point.
Bob Metzger: Right. You know, I know that the department is concerned that its cyber rules may deter innovators and non traditional companies from coming into the defense industrial base. I think they will be looking at ways to solve that. And it’s important to solve it. We absolutely need to identify and harness the innovation in many sectors of American technology.
We also need to protect it. I mean, the last 10 years are vividly painful. And the evidence that China has huge resources to ferret out, find, compromise, not find and steal, hack and steal information. And you know, no one who is developing technology that is relevant to these emerging areas of importance, no one should think that they are immune from the interest or won’t be found by China or other hostile actors, and no business should think that it’s outside the potential reach of a ransomware actor. So wholly apart from CMMC, there is a long list of really important reasons that companies need to protect their sensitive information. Some of that is CUI. And if you’re a defense contractor, your CUI is going to make, is going to be subject to the CMMC requirements.
But security includes CMMC and it includes CUI, but it’s broader and ultimately different than just CMMC.