James Goepel’s Post

Cybersecurity Public Speaker & Thought Leader; Author of Several Cyber/Infosec Books; CMMC CCP, CCA, PI; General Counsel; Electrical & Computer Engineer; Systems Admin./Dev.; Educator; Expert Witness; Company Co-founder

If you are following along on the CUI program home game, you know that the CUI program was created to apply a consistent set of requirements across the entire Executive Branch of the federal government which define what is sensitive, unclassified information and how that information should be safeguarded and disseminated. These requirements are defined in 32 CFR 2002, which was published in 2016. When the United States Department of Defense first created DoDI 5200.48 back in 2016 (DoDI 5200.48 defines DoD's implementation of the CUI program), 32 CFR 2002 was pretty new and, understandably, the early version of 5200.48 had some inconsistencies. DoD released an updated version of DoDI 5200.48 about a year and a half ago, and it addressed some of those inconsistencies. DoD recently released an updated policy memo which makes some additional changes to 5200.48. https://lnkd.in/gmsySBBq Those changes have, unfortunately, created a bit of added confusion about when CUI can be disseminated to authorized holders, and especially when: a) the disseminator is a government contractor; and b) the authorized holders are not US persons. The CMMC Information Institute put together the flowchart, below, to try to help walk government contractors through when CUI can be disseminated to someone who is not a US person (or, really, anytime). Hopefully it is helpful!

CMMC Information Institute

1,851 followers

3w Edited

#UPDATE: Final version available from the CMMC Information Institute website (https://lnkd.in/eSN5NEdU) and in the comments below. The United States Department of Defense recently published a memo that updates their Controlled Unclassified Information ("CUI") program, as reflected in DODI 5200.48, to be more consistent with certain aspects of 32 CFR 2002. As you may know, 32 CFR 2002 is the authorizing legislation that created the CUI program and applies to the entire Executive Branch, so removing some of the inconsistencies is a great step toward the agency-agnostic approach envisioned for the CUI program! More specifically, the memo (link below) removes DODI 5200.48's requirement regarding the need for review of CUI before it can be released by a federal agency to a foreign entity. DoDI 5200.48 now (properly) only requires review when the CUI is subject to export controls or a limited dissemination control like NOFORN. The memo can be found here: https://lnkd.in/gbUfrcCX The memo has created a bit of a stir in the government contractor space. Some are interpreting it as applying to government contractors, and that is not the case. The memo applies to the release of CUI by DoD, as an agency of the federal government, to a foreign entity (which has a specific definition in 32 CFR 2002). The unfortunate side-effect of the memo is that it seems to have created much more confusion about how and when CUI can be disclosed to non-US persons. The CMMC Information Institute has prepared the flowchart, below, to help people with this analysis. A higher resolution version will be available on our website tomorrow. Thank you to all those who weighed in on early drafts! We hope it is helpful!

14 Comments

James Goepel

For those who may not see it in the original post, there is an updated version here:

4 Reactions

Brandon A Fausti, Founder, PMP, MBA, GCAcct, ITIL4, PSM, TQL

SBA HUBZone, WOSB & SDVOSB. ISO 9001/20000-1/27001/31000. Seeking PRIME Federal Contractor Teaming Partners in FED Healthcare, PPBE, and IT Service Management.

Would you please DM me the latest copy? I can't seem to download or save the latest.

Ryan Miller

Now we just need to get primes to properly mark CUI and FCI for subs. I've lost count of how many times I've had to go to primes and ask if a document is CUI and they say yes but all it has is the company letter head.

Scott Edwards

CEO at Summit 7, Executive Director at MSPs for the Protection of Critical Infrastructure

James, I am a bit confused by this diagram. Non US Entities and Individuals have access to export controlled CUI (ITAR) data all the time. This chart says that they cannot. They just need the appropriate license from DDTC. Am I missing something?

9 Reactions

Srikant Rachakonda

CEO, SMPL-C: Cybersecurity Compliance SMPLfied! AI Assistant SaaS platform for RPOs and Cyber MSPs.

I know Mary had a little lamb... when did she get an upgrade?? 😅

1 Reaction

Keith Paquette

Raptorguard LLC Cybersecurity and Compliance / Oklahoma State Cowboy

Thank you James Goepel

Charles Denyer

Delivering Innovative Solutions to Businesses & Governments Throughout the World

Thanks for posting

1 Reaction

See more comments

To view or add a comment, sign in

More Relevant Posts

James Goepel

Cybersecurity Public Speaker & Thought Leader; Author of Several Cyber/Infosec Books; CMMC CCP, CCA, PI; General Counsel; Electrical & Computer Engineer; Systems Admin./Dev.; Educator; Expert Witness; Company Co-founder
1w Edited
Report this post
I began my legal career in 1999, during the height of the “.com” boom. I watched people rush to embrace, and invest in, the “internetization” of many things. Many of which were poorly thought out, and didn’t survive. I watched the same thing happen with cloud. And with Crypto. And now we’re seeing it again with AI. I do wonder … when will companies and investors learn that rushing to embrace the new shiny and sexy thing without a plan (including how to secure it) is a bad idea? That’s not to say that AI and ML won’t have some value at some point in the future. I just don’t believe that they need to be embedded in every tool or device. Certainly not yet. Or, at a minimum, give users the ability to opt out of or disable AI-based features until they are comfortable with those features and their capabilities and security. There is a great article in Computerworld that talks about this: https://lnkd.in/ezfbq5AF
12 Comments
Like Comment
To view or add a comment, sign in
James Goepel

Cybersecurity Public Speaker & Thought Leader; Author of Several Cyber/Infosec Books; CMMC CCP, CCA, PI; General Counsel; Electrical & Computer Engineer; Systems Admin./Dev.; Educator; Expert Witness; Company Co-founder
1w
Report this post
Happy Independence Day!
CMMC Information Institute

1,851 followers
1w

Happy Independence Day America! Thank you to all those who have helped preserve our freedom and independence.
1 Comment
Like Comment
To view or add a comment, sign in
James Goepel

Cybersecurity Public Speaker & Thought Leader; Author of Several Cyber/Infosec Books; CMMC CCP, CCA, PI; General Counsel; Electrical & Computer Engineer; Systems Admin./Dev.; Educator; Expert Witness; Company Co-founder
1w
Report this post
If you are a small business and want to get into United States Department of Defense contracting, this is a great resource (and Jim is a great person to follow!).

James Burke

Small Business Professional (SBP)
1w

From the Office of Small Business Programs, the Mentor-Protégé Portal is a new resource to support prospective and current mentors and protégés in the program. Please visit our FAQs page for a deeper dive into the program and for answers to frequently asked questions. Registering with the portal will allow you to apply to be a mentor. Who Can Participate Mentors: Currently performing under an active approved subcontracting plan and eligible for Federal contracts Protégés: - Qualified organization employing severely disabled individuals. - A nontraditional defense contractor. - Entity that currently provides goods or services in the private sector that are critical to enhancing the capabilities of the defense supplier base and fulfilling key DoD needs. - Small Disadvantaged, Women-Owned, or Service-Disabled Veteran-Owned Located in a Historically Underutilized Business Zone (HUBZone). How to Participate STEP 1 Establish a Counterpart: Mentors and Protégés are responsible for finding each other. STEP 2 Determine Agreement Type: Reimbursable, Credit, or Hybrid. STEP 3 Develop the Agreement: Align developmental assistance with the protégé's strategic vision. STEP 4 Submit Agreement Proposal: Contact the component’s small business office for submission requirements. STEP 5 Start the Agreement: Credit agreements start on approval; reimbursed agreements start when funds are obligated. STEP 6 Follow Program and Defense Contract Management Agency (DCMA) Review and Reporting Requirements: These impact the mentor's reimbursement eligibility in the remaining years of direct reimbursement agreements. STEP 7 Ask Questions: Contact the component’s small business office or email osd.pentagon.ousd-a-s.mbx.osbp.mpp@mail.mil for assistance. U.S. Air Force: https://lnkd.in/eGG3UAGg https://lnkd.in/eJS8RHKt

MPP Portal

mpp.acq.osd.mil
Like Comment
To view or add a comment, sign in
James Goepel

Cybersecurity Public Speaker & Thought Leader; Author of Several Cyber/Infosec Books; CMMC CCP, CCA, PI; General Counsel; Electrical & Computer Engineer; Systems Admin./Dev.; Educator; Expert Witness; Company Co-founder
2w
Report this post
Congratulations to the Office of the DoD Chief Information Officer's #CMMC #PMO team (including Stacy Bostjanick, Buddy Dees, et. al.) for cranking through the CMMC comments in what feels like record time! I am looking forward to reviewing the Final Rule. Let's see if the Office of Management and Budget's Office of Information and Regulatory Affairs can match DoD's fast pace! #CMMC #Cyber #Cybersecurity #DoD #Defense #Contractors #assessment #assessments #infosec #informationsecurity

CMMC Information Institute

1,851 followers
2w

On June 27, 2024, the United States Department of Defense ("DoD") submitted a draft of the Final #CMMC Rule (32 CFR 170) to the Office of Information and Regulatory Affairs ("OIRA") at the White House. #OIRA has up to 120 days to review the regulation, meaning it should be published as a Final Rule no later than October 26, 2024. There are still at least two other cases pending that must be finalized before CMMC can truly become effective (#DFARS Cases 2022-D017 and 2023-D024), but it is encouraging to see some significant progress being made on 32 CFR 170. To get here, DoD had to adjudicate nearly 2,000 comments from various groups, including the CMMC Information Institute. Congratulations to the #DoD #PMO team for getting this far this quickly! We look forward to reviewing the Final Rule. For more details: https://lnkd.in/eQwVc9cR #32CFR170 #DFARS #DOD #regulations #regulation #OMB #OIRA #WHITEHOUSE #CMMC #CyberAB #Assessments #NIST #NIST800171 #Cyber #Cybersecurity #Infosec #InformationSecurity

CMMC Regulations Move Closer to “Final”

https://cmmcinfo.org

1 Comment
Like Comment
To view or add a comment, sign in
James Goepel

Cybersecurity Public Speaker & Thought Leader; Author of Several Cyber/Infosec Books; CMMC CCP, CCA, PI; General Counsel; Electrical & Computer Engineer; Systems Admin./Dev.; Educator; Expert Witness; Company Co-founder
2w
Report this post
A question for my cybersecurity friends: We know that unpatched systems sit out on the Internet for months, and even years, after patches are available. These represent significant threats to our national security. What if the Federal Communications Commission were to pass a regulation that required all Internet Service Providers, like Verizon, Comcast, AT&T, T-Mobile, and others, to: 1) run regular vulnerability scans of the Internet-facing equipment that sits on the networks they manage; 2) provide regular (e.g., monthly) reports of applicable findings to their clients; and, 3) disable Internet access for any Internet-facing equipment that has unpatched vulnerabilities that are older than X period of time (e.g., 6 months for high, 12 months for moderate)? #cybersecurity #informationsecurity #infosec #cyber #regulations #regulatory #FCC #Internet #IOT
24 Comments
Like Comment
To view or add a comment, sign in

3,955 followers

View Profile Follow

James Goepel’s Post

More from this author

On Russia and Ukraine: Don't Delay - Start Patching Today!

CMMC 2.0 Scoping Guides Deep-dive

Explore topics