Treat Your Healthcare Data Like Controlled Unclassified Information Under CMMC

While government contractors must adhere to the Cybersecurity Maturity Model Certification, the truth is that all healthcare agencies would have better data management by adopting CMMC. It offers the most comprehensive framework for organizing, protecting, and sharing your data, whether it’s what the government would consider classified (requiring security clearance), or Controlled Unclassified Information (CUI) as outlined in Executive Order 13556. This article focuses on the CUI level, and how to treat your data accordingly — whether you’re contracting with the United States Government, working for the government with your own contractors, or operating in private sector healthcare.

Please note: most of the feedback we’re about to share comes directly from the Defense Visual Information Distribution Service (DVIDS) as part of an Air Force educational series for CMMC-related materials and updates.

3 Essential Clauses for Data Security

For simplicity’s sake, this guidance is based on small business contracts with the federal government. These contracts contain what are known as FARs (Federal Acquisition Regulations) and DFARS (Defense Federal Acquisition Regulation Supplements) as part of their outline. While there may be several of these regulations depending on the contract, there are three DFARS clauses that you must meet if you want to establish adequate data security.

DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting

This clause highlights how adequate security is defined by implementing NIST SP 800-171, that the controls for this must be addressed in a contractor’s security plan, and how these controls pertain to all information that is “collected, developed, received, transmitted, used or stored by the contractor in performance of the contract.”

DFARS 252.204-7008
Compliance with Safeguarding Covered Defense Information Controls

This clause states that you must have a plan of action in place that presents “an alternate but equally effective security measure” for every NIST requirement you cannot currently meet.

DFARS 252.204-7020 
DoD Assessment Requirements

This clause stipulates that a contractor must complete an assessment from the Department of Defense (DoD) against their own NIST security plan. This may be performed internally, with scores documented in the DoD’s Supplier Performance Risk System (SPRS).

Can the Government Share Data With You, or Can You Share Data With Your Contractors?

Deciding whether it’s appropriate or permissible to share data all comes down to the DoD assessment. If you’re a government contractor, that assessment is required. If you’re working with the government and contracting with other agencies, this assessment will give you guidance on a case-by-case basis. If you’re in private healthcare, it’s still a great litmus test for how likely your data will remain secure across different systems.

Keep in mind that the DoD assessment has 110 security requirements spaced out across 14 categories. Forty-two (42) of these requirements are considered high risk, which means that if you or your contractor have not implemented them, you won’t have the appropriate protection to prevent your data from being compromised or stolen.

The 14 categories include: access controls, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, physical protection, personnel security, risk assessment, security assessment, system and communications protection, as well as system and information integrity.

Let us know if you’d like a full breakdown of the DoD assessment, as well as information on all recommended security controls.

Meeting CMMC Compliance

As we noted recently, CMMC 2.0’s interim final rules are expected to be issued during March of 2023. That means that if your organization must obtain certification, or you want to implement this system because you recognize its value, now is the time to review the changes you need to make in order to qualify.

As a Registered Provider Organization (RPO), HCRS can review your current level of cybersecurity, and provide your team with a list of necessary improvements. While we cannot audit you or grant certification, we can ensure that you have all of the information to succeed.

Please contact us today to learn more, and discuss what data management needs you currently have regarding a CUI program.