1. The FAR rule requires contracting officers to include FAR 52.204-21 in all solicitations for contracts that may require federal contract information to be processed, stored, or transmitted through a covered contractor information system, which includes those maintained or operated by a subcontractor.

2. The clause in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires that affected nonfederal organizations implement the CUI security requirements no later than December 31, 2017.

3. There is an additional regulation imposed on DoD contractors to notify the DoD CIO within thirty (30) days of the award of the contract regarding any NIST SP 800-171 security requirements that are not implemented at the time of award.

4. CUI is defined by NARA as information that is created or possessed by the government, or information that is created or possessed by an organization for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

5. Applicable nonfederal organizations are required to meet at least the basic CUI protection level established within NIST SP 800-171.

6. The number of NIST SP 800-171 security controls for nonfederal organizations is 62.

7. The number of NIST SP 800-171 security controls for nonfederal information systems that process, store, or transmit CUI is 123.

8. If a nonfederal organization is unable to satisfy a particular security requirement, a compensating security control or alternative implementation can be used, but it must be equally effective in satisfying the CUI security requirement.