Protecting CUI with CMMC Framework

The National Archives states, “Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” CUI covers a wide variety of information and is protected by government regulations, markings, and designations.

An official program for CUI was established because unclassified information was being accessed, shared, or restricted under inconsistent policies across government agencies and the public. Oftentimes those policies did not match the needs of the agencies or organizations that required access to the information, and therefore they inhibited necessary communication. The CUI program was formally created by Executive Order 13556. The program introduced procedures for designating information as CUI and incorporated new policies and laws. Creating the CUI program opened a channel of communication, allowed DoD personnel to access CUI, and required proper markings with clear agency indication on all assets containing CUI. You can find additional training and resources on the CUI program on the National Archives website.

How does CUI play into CMMC?

The Cybersecurity Maturity Model Certification (CMMC) and the CUI Program under NARA share the same goal of safeguarding valuable information. Both require that every party handling CUI be able to demonstrate proper procedures and practices that safeguard the information.

In CMMC many organizations will only need to certify at Level 1, Basic Cyber Hygiene. Level 1, however, only covers Defense Industrial Base (DIB) contractors that handle Federal Contract Information (FCI); it does not permit a contractor to handle CUI. CMMC Levels 2-5 are part of the maturity process in which a contractor prepares for or handles CUI, with Level 5 being the most advanced. (These five levels are the original CMMC model; the later CMMC 2.0 revision consolidated them into three levels, so check the current DoD guidance for your contract.) The certification level you pursue depends on the nature of your work with the Department of Defense (DoD), and possibly with other agencies such as the Department of Homeland Security (DHS) and the General Services Administration (GSA) if they adopt the model. The required CMMC level is stated in Request for Information (RFI) and Request for Proposal (RFP) documents.

The five levels of CMMC progress in maturity through a range of different and overlapping practices, but they share one purpose: protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Although CMMC as a whole is focused on protecting CUI from threats, two domains are particularly catered to the protection of CUI. Asset Management (AM) has practices at both Level 3 and Level 4, and Personnel Security (PS) has practices at Level 2 with a Level 3 resourcing requirement. Asset Management covers every channel through which CUI flows and contains two capabilities: identify and document assets, and manage asset inventory. Personnel Security also has two capabilities: screen personnel, and protect CUI during personnel actions.

Additionally, Levels 4 and 5 are the most advanced and specifically focus on protecting CUI against Advanced Persistent Threats (APTs). With proactive capabilities in place for monitoring active threats, a Level 5 organization is best positioned to defend CUI against security threats.

Current Challenges with CUI Handling

One common challenge around CUI is improper tagging and marking by government agencies. DIB sector organizations receive information from the DoD and/or their primes, and out of an abundance of caution, artifacts are often marked CUI even when the marking is not warranted. Over-marking makes handling and management more cumbersome for a contractor, because every over-marked artifact must still be stored, transmitted, and accessed as if it were CUI.

A related issue is identifying and labeling CUI. Organizations hold hundreds of thousands, if not millions, of files and related materials that could be CUI. Companies are therefore advised to confine CUI to a narrow, clearly bounded segment of their network, which limits its exposure. Limiting the CUI boundary also reduces the number of systems that must meet CMMC requirements, which is an effective way to save on technology and assessment costs.

What’s Next?

Navigating your physical and cyber environment can be a challenge. Many organizations are not fully aware of where CUI exists in their ecosystem or who handles it. To protect all of your assets, a thorough assessment must take place to prepare for your anticipated CMMC assessment. If you want to learn more about CMMC, check out some of our additional blogs on CMMC. You can also reach out and talk to our experts about the best methods for defending your organization. At SoundWay Consulting LLC we continuously strive to provide our clients with the best methods for keeping their organizations safe from physical and cyber threats.