Www.dau.edu
from Urban:
Are FCI = CUI, because it was said FOUO was FCI? I thought FOUO = CUI and FCI is its own classification?
RESPONSE: Great question and I need to investigate. I even caught myself saying the same thing (FCI = CUI = FOUO).

from Ryan:
DoD threw OTA/SBIR folks for a loop in December, when they published DoDI 5852.01 and defined "unclassified nonpublic defense information." Now that I look at it: it's a twin brother to Federal Contract Information. Same basic criteria. Is the DoDI 5852.01 similar?
RESPONSE: DoDI 8582.01 is a twin brother of DFARS 252.204-7012 that:
1) Applies to all unclassified non-DoD information systems (to the extent provided by applicable contracts, grants, or other legal agreements with the DoD) that process, store, or transmit unclassified nonpublic DoD information.
2) It is DoD policy that non-DoD information systems provide adequate security for all unclassified nonpublic DoD information. Appropriate requirements must be incorporated into all contracts, grants, and other legal agreements with non-DoD entities.
3) Non-DoD information systems processing, storing, or transmitting DoD CUI must be protected in accordance with NIST SP 800-171.
4) Also addresses cyber incident reporting and compliance requirements.

from Jean:
Can you provide a link to the new DoD CUI registry for attendees? The only link I have seen was in an NDIA news article that required a CAC card to access.
RESPONSE: The official DoD CUI registry cannot be accessed without a CAC. However, the DoD CUI Registry mirrors the National CUI Registry, but provides additional information on the relationships to DoD by aligning each Index and Category to DoD issuances. Sorry about that.

from Saundra:
[Question for Chris] What is the difference in the NARA CUI Registry and the DOD CUI Registry?
RESPONSE: (pg. 13) The DoD CUI Registry provides an official list of the Indexes and Categories used to identify the various types of DoD CUI. The DoD CUI Registry mirrors the National CUI Registry, but provides additional information on the relationships to DoD by aligning each Index and Category to DoD issuances.

from Saundra:
[Question for Chris] What are the access requirements to view the DOD CUI Registry? Will the DOD CUI Registry be made available publicly, as the NARA Registry is available by website?
RESPONSE: I do not know. The national registry has always been used as a point of reference for industry.

from Scott:
Is the old Essential Elements of Friendly Information (EEFIs) now considered DoD CUI?
RESPONSE: I did the research and I would say yes, but I am trying to understand the relationship with the DFARS Clause, CMMC, and having this information reside on a contractor's network and/or system. This seems to be OPS information that resides within a command and/or command center.

from Urban:
Should I interpret it as frequent CUI is not marked?
RESPONSE: Need further information to properly respond.

from Ryan Bonner:
DoD CUI Registry is also adding an "OPSEC" category, for information that's sensitive but too difficult to provide a blanket definition for.
RESPONSE: Ok.

from Jean:
For Chris' reference, this is the NDIA article that provides the CAC access link to the DoD CUI Registry on the DOD Intelink Website.
RESPONSE: Ok.

from Scott Swanson to all panelists:
DoD defines EEFI as critical aspects of a friendly operation that, if known by the enemy, would subsequently compromise, lead to failure, or limit success of the operation. Again, EEFI evolve from facts, assumptions and key tasks of the mission.
RESPONSE: Concur, but this does not relate to DFARS, CMMC, and information that may reside on a contractor's network and/or system.

from holly:
For audit compliance - Is there a list of when a contract modification is required?
RESPONSE: No, but it really depends on the command and/or procuring activity as well as how many mods are processed during a month or year. There is always a fee associated with each mod processed.

from Urban:
We have a problem understanding our own IP and whether it will be under CTI.
RESPONSE: IP will only relate to CUI/CTI if the government buys the IP. This is very expensive and probably will not happen. IP is usually contractor owned, not government owned.

from Scott Swanson:
Will the DoD CUI rules apply to non-FAR type contract actions such as Partnership Intermediary Agreements (PIA)?
RESPONSE: I do not know until the DFARS/CMMC rule making process is complete. However, I'm making an assumption that DoDI 8582.01, Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information, will still apply.

from Martha:
So, if I issue an RFP with CUI that I have made public for the purpose of the solicitation open to the public, once I award the contract, is that info then FCI or is it still CUI?
RESPONSE: Basically yes.

from Ryan Bonner:
So this is why DoD's emergency Office 365 environment is only cleared for IIL2, while GCC High is cleared for IIL4/5. Lower-impact data vs higher-impact data.
RESPONSE: This is beyond the scope of the webcast and you need to forward it to your CIO office rep for the official response. Sorry.

from Urban:
Is IIL level something new or related to the CMMC levels 1-5?
from Urban to all participants:
Because CUI can only be Basic or Specified.
RESPONSE: IIL is defined in the Cloud Computing Security Reference Guide (SRG). I was only using the SRG for a comparison/illustration to help define the different information types and how to distinguish where applicable information should reside based on CIA impact.

from Maria:
Did you say level 3 is for classified?
from Ryan Bonner to all participants:
IIL 6 is for classified. IIL 4/5 is for controlled unclassified (CUI).
RESPONSE: That is correct.

from Patrick:
In terms of FCI, what is to prevent a malicious foreign actor from just gathering FCI while it's still public, building their own database, and then correlating and aggregating information based on who was awarded the contract?
RESPONSE: The current DFARS or future CMMC process does not prevent this from happening.

from Saundra:
[Question for Chris] Would Slide 20 on the Key Security Requirements Summary be for Federal Systems Only, since DFARS 252.204-7012 requires FedRAMP Moderate for Nonfederal Systems?
RESPONSE: That is correct. Slide #20 relates to DFARS 252.239-7010.

from JANET:
So... I understand we should no longer use FOUO. We should now use CUI and/or CDI?
RESPONSE: Per DoDI 5200.48, CUI markings for DoD CUI documents will include the acronym "CUI" in the banner and footer of the document (FOUO not valid for new documents).

from Erik:
So a company's IP developed specifically for a DoD contract (technical drawings, specifications, test data) is not CUI unless the contract specifies the DoD will own the design / information?
RESPONSE: That is correct.

from Tom Coradeschi to all participants:
CTI is fundamentally defined as anything which requires a Dist B, C, D, E or F marking per DoDI 5230.24. That instruction applies to Technical Documents. One of the reasons such a marking can be applied is due to Proprietary Information.
RESPONSE: Agree with the first statement but disagree with the second statement regarding proprietary, which usually applies/relates to "contractor-owned" information. The distribution statement would only apply if the government purchased the rights. Sometimes there are cases where the contractor improperly marks the drawing as "proprietary".

from holly:
When is it mandated (by what date) that CUI be used and replace the usage of FOUO? (Speaking from an awarded contract that mandates FOUO.)
RESPONSE: This depends on the command/procuring activity; similar to the RMF implementation and execution. This did not happen overnight, and at certain commands they are still trying to implement this process.

from Ryan:
This explains why NARA's CUI co-mingling courses (sadly) don't cover co-mingled CUI and FCI. It's a separate type of information, governed by FAR 52.204-21 instead of DFARS 252.204-7012.
RESPONSE: That is correct.

from Urban:
This is an important question for us from abroad to understand. If we sell military COTS to DoD, the IPR owner is the owner of the COTS and it is protected as desired by the owner. If DoD buys the COTS, are the technical drawings and production data then CUI, and must they be protected as required for CUI?
RESPONSE: That is correct, but such a small percentage. The COTS TDP is very expensive and not cost effective. Most COTS procurements have logistic support packages and warranties.

from Erik:
But what about the earlier poster's question about technical information submitted as part of the RFI/RFP process: is that FCI until the contract is awarded, or is it always classified as CUI in so far as the level of protection required?
RESPONSE: The information can be either FCI or CUI and depends on the acquisition activity; SBIR, STTR, RFQ, etc. Once the contract is awarded, that information is no longer available to the public. Again, DFARS or CMMC does not address this issue.

from Darren:
Non-traditional DoD companies, especially small businesses, will be challenged to understand and implement CMMC. I'm afraid it may restrict eligible vendors.
RESPONSE: That is correct. It will be up to the acquisition workforce to identify the challenges that affect medium to small business and incorporate methods to help protect their information by becoming a MSP/MSSP via GFE/GFI/GFM and/or cloud services.

from Wesley:
Asking this to ensure my understanding is correct... Getting assessed at a level is required to bid once CMMC is fully implemented. Upon award, it is equally important to ensure your information is categorized and safeguarded at the appropriate level for both protection, damage assessment, etc. - correct?
RESPONSE: That is correct.

from Joseph:
Question: How is it envisioned that a Prime can delegate a lower CMMC level to a Subcontractor and remain compliant to the Prime Contract?
RESPONSE: The prime can always use the process of obfuscation and only send segregated technical information to its subs.

from Erik:
If they are only supplying COTS items, CMMC will not apply. If they are non-COTS, they will have to adapt to the required CMMC controls. Keep in mind, this is being phased in over the next ~5 years, but agreed, it will eventually potentially result in a reduced DIB.
RESPONSE: That could happen. Again, it will be up to the acquisition workforce to identify opportunities for medium to small business to participate in their acquisition plans and contractor strategies.

from Shawn:
Will the acquisition workforce reimburse vendors/contractors for their CMMC efforts (win or lose on the award)?
from Ryan:
Shawn, SOCOM has included a $6,500 line item reimbursement for CMMC level 1 in their SBIR boilerplate for RFPs. Just an example, not a standard.
RESPONSE: Concur and doesn't hurt. Don't know until OSD A&S and the CMMC AB identify and complete the certification process time-line and funding fee structure.

from Erik:
Per recently revised FAQs on the CMMC page, if purely a COTS supplier, no CMMC audit and certification is required. Question 2 is good, though.
RESPONSE: Concur.

from Jeff:
Rick: for the second question, if the modification is done just for the DOD activity/contract, it is no longer COTS, therefore it needs to be treated as DoD CUI and yes, could need level 3.
RESPONSE: That is correct.

from Rick:
I have two questions for the panel:
1. If a contractor to DoD only delivers COTS, which CMMC level would be applicable?
RESPONSE: Not applicable and not FCI and/or CUI.
2. If the contractor, after the contract award, modifies the COTS to DoD specification, does the technical information related to the modification of form, fit and function become CUI and therefore need to be protected in an information system CMMC certified as at least level 3?
RESPONSE: That is correct.

from Jeff:
Are you expecting to see a revision to 7012 this year that will officially rename CDI to DoD CUI?
RESPONSE: I do not know. Hopefully that will happen in the rule making process, for clarification. This will have to be in addition to DoDI 5200.48.

from Erik:
And will 7102 be revised to call out CMMC as a requirement in place of 800-171?
RESPONSE: I do not know until the DFARS Clause rule making process is complete.