The relentless march of globalism has incentivized firms to focus on perfecting a small core competency. In the manufacturing industry, their finished products have components from a variety of sources. Only a few very large companies have even attempted any vertical integration in this space. Most finished products are a combination of efforts from a diverse set of specialized suppliers. But if the product’s design is headed to the Department of Defense, and includes sensitive information, does every downstream supplier have to follow the Pentagon’s information protection regulation?
The short answer is yes, and it’s called the Defense Federal Acquisition Regulation Supplement, or DFARS.
This may be surprising: how would the design of a single, small component of a larger product be classified information? Well, it technically isn’t classified. But, it still may be protected information. This is what DFARS is focused on protecting: what is known as Controlled Unclassified Information (CUI). While not officially classified, secret, or top secret, the government is still focused on securing this information and protecting its integrity. The National Archives and Records Administration (NARA) decides what information falls into the CUI program. Their website describes the program as “standardizing the way the executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.” That broad definition should give manufacturing firms pause.
Controlled Unclassified Information is a relatively new category of classification. Previously, terms like Sensitive but Unclassified (DBU), For Official Use Only (FOUO), and Law Enforcement Sensitive (LES) were used to describe this kind of information. The government can label almost anything as CUI, but they must identify which information is sensitive within the DoD contract. But, while the identification of CUI is the government’s responsibility, the business itself bears responsibility for “determining and dissemination”. An added wrinkle here is that the DoD contract extends to all downstream suppliers. So, if you are the manufacturer party to the contract, you must be compliant AND you must ensure all your downstream suppliers are also compliant with DFARS.
Protecting Controlled Unclassified Information is the heart of DFARS. But, being compliant with DFARS is an ongoing effort for firms doing business with the Department of Defense. One major component of the regulation even includes deploying a CUI Environment Team (CEMT) in addition to developing a System Security Plan (SSP) and a Plan of Action and Milestones (POAM). Getting compliant with DFARS can be a difficult process, but ignoring your, or your supplier’s, obligation can result in hefty fines and loss of government work. As CompTIA Security+ Trustmark holders, Peters & Associates has the experience and knowledge to help any organization become compliant with DFARS. Call 630 832 0075 or email firstname.lastname@example.org today!