An explanation of CUI, ITAR, CMMC, FOUO, NOFORN and U-NNPI
As many of our customer relationships have evolved into strategic partnerships, and our customers place increasing levels of confidence and trust in Bloomy, security has become critically important. Many of our engagements serve highly-regulated applications and industries including aerospace, government and defense. In order to protect our customers’ sensitive information, data and property, we built the infrastructure and processes necessary to handle a wide range of Controlled Unclassified Information (CUI). For example, our 30,000 ft2 headquarters in South Windsor, CT contains dedicated and secure spaces for manufacturing, test and integration. Our processes, network infrastructure, training, and facilities, satisfy the requirements of ITAR, CMMC 2.0 Level 2, and NN-801, and qualify us to manage CUI including FOUO, NOFORN and U-NNPI.
Bloomy has been International Traffic in Arms Regulations (ITAR)-registered with the US State Department for more than 12 years. Administered by the Directorate of Defense Trade Controls, ITAR is a set of regulations governing the control of products on the United States Munitions List (USML). ITAR makes illegal the export of these items and associated technical data, software and services to foreign countries or people. Many of our customers’ products are on the USML and, consequently, Bloomy has protections in place to safeguard these items and their technical data.
Cybersecurity Maturity Model Certification (CMMC) is a relatively new Department of Defense (DoD) initiative to validate safeguards and practices that ensure basic protection of CUI across the Defense Industrial Base (DIB). The CMMC program combines aspects of other cybersecurity standards established by NIST and contained in the FAR and DFARS, and as these standards apply to our customers, they apply to us as well.
In 2021 Bloomy achieved an uncertified security posture score of 82 out of 110 under the CMMC 1.0 program. This score qualified Bloomy at CMMC Level 4 which demonstrates proactive cybersecurity and has been recorded in the Supplier Performance Risk System (SPRS) for DFARS compliance. The effort required to achieve this level of compliance in a short period of time demonstrates our ability to be nimble and adaptable to new government regulations and certifications.
Later in 2021, the DoD announced CMMC 2.0, comprised of an updated program structure and require-ments which resulted from a comprehensive programmatic assessment of CMMC’s implementation and more than 850 public comments. The new CMMC was introduced to address the assessment’s primary goals:
- Safeguard sensitive information to enable and protect the DIB,
- Dynamically enhance DIB cybersecurity to meet evolving threats,
- Ensure accountability while minimizing barriers to compliance with DoD requirements,
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience, and
- Maintain public trust through high professional and ethical standards.
In early 2022, Bloomy achieved the goals of CMMC 2.0, attaining Level 2 - Advanced.
FOUO, NOFORN, U-NNPI are specific types of CUI designations. For Official Use Only (FOUO) protects information that “may be exempt from mandatory disclosure under the Freedom of Information Act (FOIA)” according to DoD Directive 5400.7. No Foreign Dissemination (NOFORN) materials may not be disseminat-ed to anyone who is not a US citizen. Lastly, Unclassified Naval Nuclear Propulsion Information (U-NNPI) is a designation that is used for the sensitive information associated with the nuclear reactors which propel the US Navy’s fleet. Bloomy’s infrastructure, security plan and practices, created in accordance with the guidelines of NN-801, enable us to control and protect these various types of CUI appropriate-ly.
Bloomy is committed to maintaining and enhancing our security infrastructure and practices in accordance with customer as well as government and industry requirements. We have implemented company-wide data and risk management processes to meet the increasingly-stringent security needs of our customers. In addition, we are flexible and nimble to adapt quickly to customer-specific security plans, providing a tailored, secure experience for customers with special security requirements.
For more information on how Bloomy can collaborate with you on sensitive programs, please contact us. We're eager to hear from you!
Office of the Under Secretary of Defense, Department of Acquisition and Sustainment
Small Business Innovative Research (SBIR) Introduction to ITAR and the US Munitions List (Tutorial)