CUI Program Update

The new CUI FAR will not be published until the beginning of FY ’19, but begin working on your plans now to get ahead of your competition!

Defense contractors are already on the hook for meeting NIST SP 800-171!

The federal government has responded to concerns over a growing number of cyber threats by pushing out more cybersecurity regulations. These regulations point to NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations as the primary standard that nonfederal entities should strive to meet. Currently, the only government agency requiring that contractors follow NIST SP 800-171 standards is the Department of Defense through their Defense Federal Acquisition Regulation Supplement (DFARS) subpart 204.73 and 252.204-7008 (read more here), but soon it will be expected of all executive agency contractors that handle CUI. Other agencies, like GSA and DHS, are in the process of developing cybersecurity rules similar to those found in the DFARS , but most are waiting until the National Archives and Records Administration (NARA) publishes a new Federal Acquisition Regulation (FAR) rule that lays out a policy for how all executive agencies and their contractors should handle Controlled Unclassified Information.

The primary issue to note is that it is only a matter of time before all contractors will need to meet the standards laid out in NIST SP 800-171. The most important items within the document are the System Security Plan (SSP) and Plans of Action. It will be required that contractors have these plans, and the government may request them at any point during the execution of a contract. Furthermore, agencies may require them with the submission of a contract proposal or they may be used as evaluation criteria for awarding contracts. Those contractors who demonstrate their compliance with those plans may drastically set themselves apart from their competitors. Even if your contract doesn’t appear to have CUI designated in it, there is a chance your company could create it during the execution of the contract, so it is important to check your contract for these clauses.

Clauses to look for in contracts:

  • DFARS Subpart 204.73 requires the inclusion of DFARS Subpart 252.204-7008 in contracts
  • DFARS Subpart 252.204-7008 requires a contractor to meet NIST SP 800-171 standards if they handle CUI
  • DFARS Subpart 252.204-7012 requires specific cloud service providers (CSPs) be used if a contractor stores or transmits CUI to a cloud service and also has specific incident tracking and reporting requirements

The new CUI FAR will not be published until the beginning of FY ’19, but begin working on your plans now to get ahead of your competition!

Defense contractors are already on the hook for meeting NIST SP 800-171!

Check out Anneal Initiative in the Topeka Capital-Journal!!

Morgan Chilson, from the Topeka Capital-Journal, recently interviewed us on the innovative approaches we take to help businesses become more competitive, innovative, and resilient. The article can be found here.

Our primary goal is to bring resiliency to Kansas businesses. Developing this resiliency comes in the form of helping businesses strategize on how to minimize vulnerabilities in networks and be prepared for emerging threats, as well as build adaptive business continuity plans and programs that foster an agile culture within a business.

The Department of Defense has passed the first set of acquisition regulations that require their contractors to meet cybersecurity standards listed in NIST SP 800-171, but other agencies and industries will soon follow. For a consultation on how your business might be impacted by cybersecurity regulations or how it might benefit from a stronger continuity program, contact

Anneal Initiative, Inc. is a Women Owned and Veteran Owned Small Business (WOSB & VOSB) focused on designing, developing and operating innovative intelligence analysis capabilities (primarily for national security), and providing businesses with customized cybersecurity analysis, cyber regulatory compliance, and business continuity planning.

Kansas Small Business Development Center Cybersecurity Conference

According to the National Cyber Security Alliance, 60% of small businesses that experience a breach go out of business within 6 months. The average cost to a small business attempting to clear up a cyber breach is $117K. The Kansas SBDC Cybersecurity Forum brings together experts to help educate business leaders and small business owners about cybersecurity risks and corresponding issues.

The goals of the forum are to elevate the level of discussion surrounding cybersecurity and related risks in order to reduce the exposure of small business to such threats and also to connect small businesses with valuable resources. Attendees will gain an appreciation of what are the risks, how to defend against and mitigate those risks, employee management, training and policy issues, budgeting for cybersecurity, how to recover from security breaches, resources available to small businesses, and what to expect in this area going into the future.

Register here:

*Schedule subject to change.
7:30 – 8:00 Attendees Sign –in and receive Info Packets (Light Food & Beverages)
8:00 – 8:10 Welcome from KSBDC
8:10 – 8:15 Introduction of Key Note Speaker by Main Sponsor
8:15 – 8:30: Keynote Speaker
8: 30- 9:00 Panel: Information Security Basics (CIA – Confidentiality, Integrity, Availability)
9:00 – 9:15 How as a Leader Do You Talk about IT? How Do You Talk with Your IT Person?
9:15 – 9:45 Panel: Cybersecurity for Businesses with Remote Employees and for
Home-Based Businesses
9:45 – 9:52 Cybersecurity Insurance – What It Does & Doesn’t Do
9:52 – 10:12 Penetration/Vulnerability Testing
10:12 – 10:30 Break (Light Food & Beverages)
10:30 – 11:00 Panel: Making Cybersecurity a Part of Your Policy & Procedures

11:00 – 11:30 Industry Break-Out Sessions
• CS Issues for Agriculture Businesses and Businesses with GPS-Controls or Unmanned Aerial Systems
• CS for Industries with HIPAA Compliance Issues
• CS for Financial Services Industries
11:30 – 12:00 Industry Break-Out Sessions
• CS for Government Contracting
• CS for Internet of Things (Manufacturing Systems, Building Systems, Mobile Systems, etc.)
• CS for Micro-businesses (PCI Compliance, etc.)

12:00 – 1: 15 Lunch & Networking Time

1:15 – 1:45 Panel: Identify, Protect, Detect, Respond, Recover
1:45 – 1: 52 “Aack! We’ve Been Hacked!” What to Do If You’ve Been Breached
1:52 – 2:22 Panel: Looking Into the Cyber-Crystal Ball: What Should Small Businesses Expect
in the Future? (Trends, Regulations, Opportunities)
2:22 – 2:35 Resources and Return on Cybersecurity Investment
2:35 – 2:45 Thank you from Kansas SBDC
2:45 – 3:30’ish Networking

Background Part 2: Medicare/Medicaid Emergency Preparedness Rule

A few weeks ago, we posted on the background behind the new Medicare and Medicaid Emergency Preparedness regulation. Now we would like to provide more detail on the specific requirements. Again, these requirements very slightly between the different providers, but these four are common to all 17 providers and suppliers.

A Plan

While each of the 17 providers and suppliers have their own specific guidelines to follow, many of the rules are common to them all. To start with, the affected facilities must have an annually reviewed and updated emergency preparedness plan that is developed from a facility-based and community-based risk assessment. These can be challenging and burdensome tasks to undertake, and may require outside help and guidance.

Two components of COOP planning that must be included are delegations of authority and succession plans. These are essential to maintaining continuity in emergency situations.

Policies and Procedures

Affected suppliers and providers must also develop policies and procedures, that also must be reviewed and updated annually, addressing the following items:

  • Provision of subsistence (including food, water, medical and pharmaceutical supplies and alternate sources of energy – that can protect patient health and safety – emergency lighting, fire detection systems, sewage and waste disposal)
  • A system to track the location of on-duty staff and sheltered patients
  • Procedures for safely evacuating the facility
  • Means to shelter in place
  • A documentation system that preserves records and protects confidentiality
  • The development of arrangements with other hospitals and providers in the event of a limitation or cessation of operations

Communication Plan

The communication plan must include a method for sharing information and medical documentation for patients under the facility’s care as necessary with other health care providers, in order to maintain continuity of care. It must also include a means for releasing patient information in the event of an evacuation.

One of the major issues that could make the communication plan more complicated is that privacy violations are not given any leniency just because a disaster strikes. The HIPAA Privacy Rule is not suspended during a public health or other emergency.

Training and Testing

The training and testing piece of the Emergency Preparedness regulation will likely be one of the most challenging aspects of the regulation. The training and testing program, that is required to be reviewed and updated annually, must be provided to all staff, to include those providing services under arrangement and volunteers and must be documented. Two types of exercises must be provided to test the emergency plan and must also take place annually:

  1. A full-scale exercise that is community-based
  • When a community-based exercise is not accessible, an individual, facility-based exercise can suffice
  1. An additional exercise must be conducted that is either:
  • A second full-scale community-based or facility-based exercise
  • A tabletop exercise

These can be waived if the supplier or provider experiences an actual natural or man-made emergency that requires activation of the emergency plan and can be exempt for 1 year.


This can be a lot to take in, and can often be a struggle for those trying to balance tasks required to operate a business or organization. However, this is a time when compliance can actually aide an organization in building a more adaptive culture, if approached thoughtfully and strategically. Anneal Initiative’s approach is to build stronger organizations while at the same time bring them into compliance. If interested, do not hesitate to reach out to us with any questions.

For more information on any of these requirements or for help executing them, contact

JumpStart Kansas Entreprenuer Grant

Anneal Initiative is excited to have won a competitive JumpStart Kansas grant for innovative entrepreneurs! This award will help us develop more innovative approaches to help businesses improve cyber regulatory compliance, find competitive advantages, and be more resilient. Thank you to Washburn University and Kansas Department of Commerce for this opportunity! Check it out here:

Background Part 1: Medicare/Medicaid Emergency Preparedness Rule

In 2016, a new requirement was issued that affects Medicare and Medicaid providers and suppliers resulting in more stringent guidelines of their emergency preparedness plans. Centers for Medicare and Medicaid Services (CMS) recognize that emergency preparedness requirements already exist, but claim they do not go far enough in comprehensively addressing preparedness needs. They also do not address inconsistencies among various healthcare providers. As a result, this regulation went into effect on November 16, 2017 establishing national emergency preparedness requirements for seventeen types of Medicare and Medicaid providers and suppliers (see the below list for affected organizations).

This post is intended to raise awareness of this new regulation and is not intended to be a comprehensive report on all of the details of this regulation. For additional information, Anneal Initiative can be contacted directly at or 785-249-5576.

The new rule, Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers, imposes a mixture of business continuity, continuity of operations (COOP), and emergency planning rules that must be followed, and will be inspected. The rules require four main elements to be present in an emergency preparedness plan:

  1. A risk-based plan that must be updated annually
  2. Policies and procedures customized to fit the plan
  3. A communication plan
  4. A training and testing program

These elements focus on certain aspects of emergency preparedness, and CMS claims they focus on continuity planning, but it is important to keep in mind that not all aspects of business continuity/continuity of operations are covered by this regulation. The rule does not cover matters of recovery of operations, which is an important aspect of a comprehensive business continuity or continuity of operations plan. There are also other items such as determining an organizations’ essential functions or critical business functions that are crucial to having a plan that will work.

Here are some notable highlights from the rule:

  1. While there are more requirements for setting up an emergency preparedness plan, there has been no new funding allocated to offset those costs.
  2. It focuses on an all-hazards approach. While this might introduce more burden, it is actually a helpful approach. When a continuity plan is flexible by taking a broad approach to hazards, it is also likely to be more successful. Continuity planning should focus on dealing with the unavailability of people, resources, or facilities. If a plan is focused on adapting to those three problems, it will significantly increase the ability of an organization to survive unforeseen events or disasters, even if those disasters were not specifically written into the plan.

If you’re questioning whether or not your affected, here is the list of suppliers and providers covered by the new CMS requirements:

  1. Hospitals
  2. Religious Nonmedical Health Care Institutions (RNHCIs)
  3. Ambulatory Surgical Centers (ASCs)
  4. Hospices
  5. Psychiatric Residential Treatment Facilities (PRTFs)
  6. All-Inclusive for the Elderly (PACE)
  7. Transplant Centers
  8. Long-Term Care (LTC) Facilities
  9. Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF//IID)
  10. Home Health Agencies (HHAs)
  11. Comprehensive Outpatient Rehabilitation Facilities (CORFs)
  12. Critical Access Hospitals (CAHs)
  13. Clinics, Rehabilitation Agencies, and Public Health Agencies as Providers of Outpatient Physical Therapy and Speech-Language Pathology Services
  14. Community Mental Health Centers (CMHCs)
  15. Organ Procurement Organization (OPOs)
  16. Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs)
  17. End-Stage Renal Disease (ESRD) Facilities

See our next blog post for more details on these requirements.

Fitting Business Continuity into Business Operations

“The real problem is that the activities and processes involved in creating business continuity programs are too often seen as something different, foreign, and almost mutually exclusive of other practices businesses engage in to enhance their productivity and relevance.”

At the October 4th Wichita Cyber Security Forum, Anneal Initiative participated in a general session panel on cyber and business continuity issues and offered some impressions on what difficulties and concerns small business owners face regarding business continuity planning. Here are some of the issues we felt were most likely to keep businesses from starting or persisting in the process of building a business continuity program:

  • The difficulty in finding the time to start and continue development of a continuity program
  • Figuring out where and how to start in developing a continuity program
  • Evaluating an organization’s continuity planning approach to understand if they are on the right path
  • Executives’ uncertainty that the time and resources dedicated to continuity planning will generate the desired results in the wake of a disaster

We offered ideas to help overcome those individual difficulties. We talked about how to start small, explore available low-cost resources, seek multi-discipline internal and external input, and test and exercise plans to judge how effectively and easily they can be executed. Those specific solutions are valid, but they don’t really address a significant overarching problem that the list of common difficulties and concerns highlights. The real problem is that the activities and processes involved in creating business continuity programs are too often seen as something different, foreign, and almost mutually exclusive of other practices businesses engage in to enhance their productivity and relevance.

Some of this disconnect may be due to the unique nature of continuity plans in comparison to other plans. However, the continuity plan is only a framework for the continuity program. The continuity plan must be accompanied by an organizational culture that empowers its members to see that framework as a starting point from which to adapt to change and solve the problems at hand. This “business continuity culture” in conjunction with a continuity plan is what constitutes a true business continuity program.

The disconnect may also result from the focus of continuity planning on disasters. Business continuity planners know that there are more incidents and events that can push a business into a continuity scenario than fit into what people normally consider disasters. Cyber-attacks prove daily that it doesn’t take a tornado, flood, ice storm or fire to disrupt business operations in a potentially fatal (for the business) way. Unintentional outcomes of technology changes, regulatory changes, market changes, and many other variables can also have the similar effect of pushing a business into scenarios where practiced and routine methods of operation won’t keep a business running anymore. History is littered with examples of businesses, organizations, governments, cultures, and nations that failed, and sometimes disappeared, because they couldn’t learn how to deal with changes in the world around them. Sometimes those changes occurred over a long time and sometimes they occurred very quickly. In either case they were disasters for those who couldn’t adapt.

If we consider the disasters, disruptions, incidents, attacks, and contingencies that business continuity programs focus on in the context of all other types of change that businesses must navigate then it is possible to see that the efforts involved in building those programs aren’t dissimilar from other efforts to keep businesses ahead in a rapidly changing world. There is a notable exception in that disasters may happen much more rapidly, violently, and dangerously, but they still constitute change that must be dealt with to persist as a viable business. This is where business continuity planning and programs present a significant opportunity to grow and enhance a business instead of just preparing for what is sometimes a hypothetical catastrophe. When business continuity planning is integrated into and helps to enhance a business’s overall culture of learning it stands to not only help businesses prepare for hazards but also prepare to seize on opportunities presented by new trends in markets, technology, government, politics, and culture.

So, when the term business continuity culture is used, it should be considered a complimentary element in an overall learning culture. Just as a learning culture allows for innovation and creative problem solving across an organization to keep a business progressing forward, so does a business continuity culture utilize those traits among employees to deal with disasters. When the learning culture and the business continuity culture are viewed as mutually supporting, tightly linked efforts then it becomes much more apparent that business continuity efforts can help prepare people to deal with not only disasters but also deal with opportunities. Finding the time to start and how to start is much less of a mystery when you are already engaging in the right activities and can modify them to address a different type of change. When business continuity becomes part of the learning culture, then the evaluation of the progress and results can be supported by how well the organization and employees adapt to any change.  

Looming Deadline for Cybersecurity Regulations

Looming Deadline for Cybersecurity Regulations – December 31, 2017: DFARS Subpart 204.73 & DFARS 252.204-7012.

The Anneal Initiative team just returned from the Wichita Cyber Security Forum where professionals convened to learn, share, and discuss the importance of cybersecurity.

While at the conference, we provided training on the latest Department of Defense cybersecurity regulation that will impact non-federal entities contracting with them (often referred to as DFARS Subpart 204.73 or DFARS 252.204-7012). These regulations impact contractors, subcontractors, universities and state agencies – basically any entity that handles sensitive, unclassified government data. Check out the Controlled Unclassified Information (CUI) registry to assess if any information you handle could be considered CUI here. A lot of unexpected items are actually considered CUI, and even if a contract doesn’t begin with any CUI, entities might develop it during the course of executing a contract.

For more information on this regulation, check out our PowerPoint presentation here. We built this presentation for a 45 minutes conference breakout session, so it definitely does not include every detail of what you need to know regarding the DoD regulation, but we have tried to break this down for those of you who likely do not have the time to do it yourselves. One of the main items non-federal entities need to tackle to become compliant with DFARS Subpart 204.73 is a System Security Plan per the standards established in NIST SP 800-171. Anneal Initiative can be your partner in reaching DFARS Subpart 204.73 compliance.

The deadline for compliance is December 31, 2017! If you have questions or concerns about your own need to be DFARS 204.73 compliant or build a System Security Plan, email us at or check out our website at

For other agencies impacted by cybersecurity regulation changes, more to follow…