Understand How to Achieve CMMC Compliance When Handling CUI

In 2019 The Office of Under Secretary of Defense Acquisition and Sustainment (OUSD(A&S)) announced that the Defense Industrial Base (DIB) will have to comply with the new Cybersecurity Maturity Model Certification (CMMC). This CMMC framework intends to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Both FCI and CUI are information created or provided by the government that require protection and are not available for public release. There is a significant difference in how FCI and CUI are treated, with different practices both in the federal government and non-federal contracting environments. Due to the differences in the nature and handing of FCI and CUI, CMMC varies in compliance levels to allow contractors to take the appropriate steps to safeguard this information.

Controlled Unclassified Information (CUI) is a category of federal information that is unclassified and still considered a sensitive and a critical component to national security. The CUI program established by Executive Order 13556 required the Executive branch to standardize existing desperate practices around unclassified information. The definition for the CUI program is stated in the National Archives as the following, “…the Controlled Unclassified Information (CUI) program standardizes the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.”

Soon after CUI standardization was ordered, there was a government wide push to understand how agencies classify information as CUI. To gather this information a poll was sent out to government agencies, and an influx of thousands of responses on how CUI is classified came pouring in. From these responses was the creation of a live CUI registry, published on the National Archives and Records Administration (NARA) and is available for public use. The current registry includes total of 20 informational index groups and 124 categories. The defense index includes the following categories in the registry: Controlled Technical Information and DoD Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, and Unclassified Controlled Nuclear Information – Defense.

As the CUI program spread throughout the government, there was a push for non-federal agencies to handle CUI appropriately and ensure the safety of government information. With this, the existing cybersecurity document NIST publication SP 800-171(revision 2 issued 1/28/21) became one of the main documents behind CMMC framework. SP 800-171 pulls from federal documents FIPS 200, SP 800-53, 32 CFR 2002, and is a security guide for non-federal systems. Before the push for CMMC, the DIB was able to self-assess and attest to the security measures based off NIST 800-171. However, this has proven to be an ineffective measure in securing sensitive government information.

CMMC consists of 5 levels, with a total of 17 domains and 171 practices in all. Level 1 (L1) is considered “Basic Cyber Hygiene”, allowing non-federal organizations to handle FCI only. Although many organizations will fall into the category of L1 compliance, there are others that currently handle or anticipate handling CUI. CMMC framework has built in maturity methods to guide an organization to the level of compliance that demonstrates appropriate CUI security measures that vary based on the nature of work and government information. As CMMC continues to rollout, there will be an indication on each Request for Information (RFI) and Request for Proposal (RFP) for the necessary CMMC compliance level to bid on that particular contract.

To handle CUI, an organization must comply with CMMC Level 3 (L3). Before diving into L3 it is important to understand how to comply with CMMC and the levels that lead up to the official compliance in CUI handling. As mentioned above, many organizations will only handle FCI and will not need to move beyond the basic L1 compliance which does not require a documented maturity process. For any organization that handles CUI it is mandatory to achieve compliance in L2, with a documented process and practices considered “Intermediate Cyber Hygiene”. It is clearly stated in CMMC Model V1.02 that, “This level represents a transitional stage, a subset of the practices references the protection of CUI.” In L2 there are domains and capabilities that first establish the security of CUI. For example, Access Control (AC) is a domain that introduces CUI protocols. L2 requires Access Control capability: provide privacy and security notices consistent with applicable CUI rules (AC.2.005). There are a total of 7 capabilities in L2 that specifically mention CUI safeguarding protocols. If an organization can plan and document all these practices that include the protection of CUI they are then considered prepared to mature to L3 and officially create an environment that handles CUI.

In CMMC L3 the process is labeled as managed, meaning there must be an appropriate and repeatable plan for the implemented mandatory practices. L3 is also considered “Good Cyber Hygiene” and pulls requirements from both NIST 800-171 and Carnegie Mellon’s Resilience Maturity Model (RMM). Out of 171 unique requirements defined in CMMC, L3 compliance achieves a total of 130 practices. With a total of 58 unique requirements added to L3 above L2, many of the practices in L3 are an accumulation of what is first implemented in L1 and L2.

One domain in particular that is first introduced in L3 and rolls over into L4 is called Asset Management (AM). Asset Management is considered an important part of safeguarding CUI and can be traced back to document NIST 800-53r4 as well as is a top hitter for the Center for Internet Security.

Within Level 3 exists capability AM.3.06 , where you define procedures for the handling of CUI data. When all the practices followed in L3 are achieved, an organization will be set up for an official assessment with a Certified Third-Party Assessor Organization (C3PAO). To ensure you are ready to have an official assessment it is crucial that you have not only the practices required, but the documentation, management, and resources in place the prove you are set up for long term success in protecting CUI.

If you would like to learn more about CMMC and cybersecurity practices, you can read our additional blogs on the topic. SoundWay Consulting LLC provides cybersecurity services and specializes in RPO services that provide you with the resources to achieve CMMC compliance. SoundWay guides and supports many organizations to achieve their cybersecurity goals, catered to unique environments while remaining cost effective. If you would like to speak to our experts, we encourage you to reach out to us and schedule a time to talk.