On Thursday, the Government Accountability Office published a report on “Defense Cybersecurity: Protecting Controlled Unclassified Information Systems” (GAO-22-105259). The report looks at how well the DOD is doing in its efforts to bring its CUI program into regulatory compliance. The short answer, according to the GAO’s look at four basic program measures, is that DOD still has a way to go.
The four measures used by GAO to evaluate the DOD’s implementation process are:
• Categorize DOD CUI systems accurately (80 to 89% complete),
• Implement the 110 security requirements of NIST SP 800-171 (the requirement set that Cybersecurity Maturity Model Certification Level 2 is built on) (70 to 79% complete),
• Implement 266 security controls for moderate confidentiality impact systems (80 to 89% complete), and
• Authorize systems to operate on DOD networks (90% plus complete).
While this GAO report looks only at the DOD, the CUI program under 32 CFR 2002 applies to all executive branch agencies and their contractors (and in some instances to regulated entities). Some common federal information protection schemes that fall under the CUI protection regulations include (but are certainly not limited to):
• Chemical-terrorism Vulnerability Information (CVI),
• Critical Energy Infrastructure Information (CEII),
• Protected Critical Infrastructure Information (PCII), and
• Sensitive Security Information (SSI)
It would be interesting to see how other federal agencies (DOE and DHS, for example) fare in their implementation of the §2002 regulations.