Skip to main content

Complying with the Controlled Unclassified Information Executive Order 13556

Mueller Prost

February 03, 2020

Is Your Organization Compliant with DFARS Policy?

Is Your Organization Compliant with the FAR Policy?

What About Compliancy with Executive Order 13556?

Even if DFARS & FAR Policies do not apply, you may still be required to comply with Executive Order 13556.

What is Executive Order 13556?

On November 4, 2010, Executive Order (EO) 13556 was signed by President Barack Obama. EO 13556 calls for the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations. EO 13556 authorized the National Archives and Record Administration (NARA) and the National Institute
of Standards and Technology (NIST) to define and develop guidance for protecting CUI.

What organizations need to comply with EO 13556?

If your organization stores, processes, or transmits data that is listed as a category on the NARA CUI
registry, you also have to comply with EO 13556. The following is a short guide to determine if your
organization needs to comply.

  • Is your organization directly contracted to manufacture a product or perform a service for any federal entity?
  • Is your organization a subcontractor for a federal government contractor?
  • Is your organization a downstream supplier to any federal government contractor or subcontractor?
  • Does your technology systems or nonelectronic systems have any CUI as defined by NARA?

If you answered ‘yes’ to any of these questions, then your organization needs to comply with EO 13556, and the NIST and NARA guidance will be immediately applicable to your organization.

A Guide to Compliance – NIST SP 800-171

The National Institute of Standards and Technology (NIST) developed Special Publication (SP) 800-171, ‘Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations’. This document, first published in December 2016 and currently in revision 1, as of June 7, 2018 outlines the steps for compliance.
This document was published in response to further statutory responsibilities for NIST under the Federal Information Security Modernization Act (FISMA) of 2014.

Protecting CUI directly impacts the federal government’s missions and operations. There are exponentially increasing threats against CUI maintained by federal agencies as well as nonfederal organizations. The focus of NIST SP 800-171 is CUI which was codified into law effective November 2016 via 32 CFR 2002. CUI
is information that law, regulation, or government wide policy requires to have safeguarding or disseminating controls.

If you’re still undecided regarding compliance with EO 13556, NIST SP 800-171 applicability, consider adopting it from a ‘good business practice’ perspective and in doing so, minimize your risk for non-compliance.

Image of a woman at a computer with the words "Put our expertise to work. We combine deep industry knowledge, experience and innovation to solve your company's most complex problems." Click to talk to an advisor.

Unlock industry secrets.

Mueller Prost insights, delivered right to your inbox.

Sign Up.

Related Insights