Controlled Unclassified Information (CUI) is at risk and the US Government is getting serious about protecting it. All contractors and sub-contractors that are in the business of providing goods and services to the government need to get serious too. Starting with Executive Order 13556 in 2010 and emphasized with the 2014 Federal Information Security Modernization Act (FISMA Reform) the government recognized problems in the supply chain that place Controlled Unclassified Information (CUI) at risk. NIST Special Publication 800-171 r1 (December 2016) addresses these risks with 14 information security families and 110 information security controls that draw heavily from NIST 800-53. The Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) now imbed mandatory information security requirements directly into contracts with critical compliance dates as early as December 2017.

Join Dave Gray with CyberDefenses to review these new federal requirements, discuss approaches to completing the initial assessment, address requirements and achieve compliance. Successful completion of all four 90-minute sessions will provide you with a certificate of attendance worth 6 CPE credit hours. Courses maybe attended live or on-demand. Students will be able to access the on-demand for six months after the live program.

Part 1: CUI – Brace yourself for the new federal contract cybersecurity reality

Part 1 includes understanding what Controlled Unclassified Information (CUI) is, why it’s important, the consequences for non-compliance and the multiple timelines for Federal and Defense focused contracts. Understand the compliance process starting with self-assessment, actions to achieve compliance and the new reality of maintaining compliance in the future.  Learn to document your status with self-attestation.

Part 2: Build cybersecurity into your bottom line and keep your federal business

Part 2 includes a detailed review of the NIST 800-171 fourteen security families including 110 basic and derived security requirements. We’ll analyze how this specification matures your organization’s culture into a trained, policy and procedure driven workforce that protects the confidentiality of CUI you’re entrusted with.

Part 3: Conduct NIST 800-171 CUI Self-Assessment and create your POA&M

Part 3 includes procedures and analysis for the assessment process, including comprehensive underlying requirement details mandated by appendix D and the CUI specific categories and sub-categories in the CUI Registry. Analysis includes identifying compliance/non-compliance and understanding your security maturity relative to industry standards. Procedures include documenting your findings (i.e. non-compliant controls) and developing your Plan of Actions & Milestones (POA&M) to implement corrections. 

Part 4: Build your CUI Self-Attestation and CUI Deliverables

Part 4 includes discussion of the multiple products and deliverables built into NIST 800-171 compliance. Each of these deliverables requires planning, people and resources. In addition to the self-attestation and POA&M, requirements include the Written Information Security Program (WISP), Configuration Management Plan (CMP), Information Security Continuous Monitoring (ISCM), Information System Contingency Plan (ISCP), Incident Response Plan (IRP), Security Awareness Program, Security Assessment Plan (SAP), Security Assessment Report (SAR), and the System Security Plan (SSP).

These sessions were recorded live using the ON24 platform. You can still take this course with the on-demand recordings through December.

Course price: $495 (includes all four parts)

Attendees will earn 6 CPE credit hours. Each session will be approximately 90 minutes.

If you have any questions, please contact Tom Bechtold, at or 503-303-7871.

speaker photo
Instructor: Dave Gray
CyberSecurity Senior Analyst , Texas Comptroller of Public Accounts

Dave Gray is a CISSP, CAP and PMP certified CyberSecurity Leader skilled in securing information systems to achieve information Confidentiality, Integrity and Availability. Dave’s focus is Governance, Risk Management and Compliance (GRC) using information security frameworks established by the National Institute of Standards and Technology (NIST) and the Center for Information Security (CIS) 20 Critical Security Controls (CSC).

Dave retired in 2011 from the Texas Army National Guard as a Lieutenant Colonel where he managed Information Security and IT Operations for 5,000 network users spread across Texas. Dave established one of the first Computer Emergency Response Teams (CERT) in the country for the National Guard and conducted multiple information security assessments for the National Guard and the active Army. In addition to his role as a CyberSecurity Senior Analyst for the Texas Comptroller of Public Accounts, Dave teaches local community college classes for the CISSP and ITIL certifications and volunteers as a board member for the ISSA Capitol of Texas Chapter at Austin. Dave continues to provide NIST 800-53 and 800-171 consulting in his spare time.