On December 16th, 2024, the CMMC Final Rule officially went into effect as a government program. Through CMMC, DoD contractors will be held accountable for how they protect controlled unclassified information (CUI) provided by the federal government. Contractors will have to prove, through third-party audits conducted by certified assessor organizations, that they have the necessary controls, practices, and policies in place to protect sensitive data. It is important for businesses to assess themselves to determine whether or not they hold CUI and what steps they need to take to become compliant.
Controlled Unclassified Information (CUI) is sensitive data that requires safeguarding controls and policies to be implemented for its protection and dissemination. According to Title 32 of the CFR, CUI can be defined as "information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls."
While CUI is considered "unclassified", it still demands that certain precautions are taken to ensure it isn't stolen.
Examples of CUI may include:
Two types of CUI:
Basic CUI: This type of CUI requires basic safeguarding practices and mostly refers to information about contracts or other information that is to be protected under certain regulations.
Specified CUI: This is CUI that calls for additional safeguarding measures and may pertain to national defense or law enforcement.
Why is protecting CUI important?
CUI often includes information that could negatively impact our national security if that data is lost or stolen. Keeping information on our nation's defense capabilities or critical infrastructure secure should be of the utmost importance for contractors.
CUI will often also contain identifiable information like phone numbers, social security numbers, or addresses that could be used in social engineering schemes or as footholds into other organizations. Failure to protect this data could mean that you are not only in violation of CMMC requirements but of individual privacy rights as well. Additionally, protecting CUI is simply required to work within the DoD. With CMMC being finalized and beginning the implementation process, contractors will have no choice but to put in the effort to secure their infrastructure and protect sensitive data.
CUI can exist in a number of different places across your organization in different departments, on various networks, or outlined in documents. CUI can also exist in text messages, emails, and other forms of communication that must be taken into account.
It is the contractor's responsibility to include all of these locations in their CMMC scope. Start by examining customer lists, financial records, legal data, and emails to determine where you are storing CUI and who has access to it. These are some of the most common places one can find CUI, as they often require safeguarding and dissemination policies. You should also take the time to review government contracts, subcontracts, and agreements for clauses related to CUI. Specifically, look for language that mentions the CUI Registry or safeguarding requirements.
The CUI registry is a great resource for determining the category of CUI and how to accurately mark it.
Organizations are required to accurately mark CUI to avoid the information being incorrectly distributed or released. Every document that contains CUI must visually designate that sensitive information is present. The first step is to include a "designation indicator". This indicates the designating agency and may be included as a letterhead, signature block, or "controlled by" line. It is also recommended that you include the contact information of the designating agency in addition to the point of contact from the contracting organization. Banner markings must also be used to indicate whether or not the document contains CUI. The banner is typically found at the top of the document and should also specify the CUI category. Header and footer markings are also recommended but must match the markings of the banner.
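As an added example (not part of this post and not CorpInfoTech's tooling), the following Python script applies the marking rules described above to a document's text: a CUI banner on the first line, any header or footer marking matching that banner, and a "Controlled by" designation line present. The "CUI//<CATEGORY>" banner syntax, the exact "Controlled by:" wording, and the sample documents are assumptions constructed for this example; consult the CUI Registry for the authoritative marking format.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed banner syntax for this example: the word "CUI" alone, or "CUI//<CATEGORY>"
# with an upper-case category. The post only says the banner reads "CUI" and should
# name the category; the separator used here is an assumption.
MARKING_RE = re.compile(r"^CUI(?://[A-Z0-9-]+(?:/[A-Z0-9-]+)*)?$")

# Designation indicator: the post describes a "controlled by" line naming the
# designating agency. The exact label is an assumption for this example.
CONTROLLED_BY_RE = re.compile(r"^Controlled by:\s*\S", re.IGNORECASE)


@dataclass
class MarkingReport:
    banner: Optional[str]
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def check_markings(text: str) -> MarkingReport:
    """Check one document's CUI markings; returns the banner found and any findings."""
    # Blank lines are ignored, so line numbers below count non-blank lines only.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    report = MarkingReport(banner=None)
    if not lines:
        report.findings.append("document is empty")
        return report

    # 1. Banner marking: must be the first line of the document.
    first = lines[0]
    if MARKING_RE.match(first):
        report.banner = first
    else:
        report.findings.append(f"no CUI banner at top of document (found {first!r})")

    # 2. Header/footer markings are optional, but any that appear must match the banner.
    for lineno, line in enumerate(lines[1:], start=2):
        if not MARKING_RE.match(line):
            continue
        if report.banner is None:
            report.findings.append(
                f"line {lineno}: marking {line!r} present but the document has no top banner")
        elif line != report.banner:
            report.findings.append(
                f"line {lineno}: marking {line!r} does not match banner {report.banner!r}")

    # 3. Designation indicator: a "Controlled by" line must be present somewhere.
    if not any(CONTROLLED_BY_RE.match(line) for line in lines):
        report.findings.append("missing designation indicator ('Controlled by:' line)")

    return report


# Constructed sample documents (not real CUI). "EXAMPLE" is a placeholder category.
GOOD_DOC = """\
CUI//EXAMPLE
Controlled by: Example Agency, Office of Example Programs
POC: contractor-poc@example.com
Body text of a contract deliverable goes here.
CUI//EXAMPLE
"""

# Footer marking disagrees with the banner: one finding.
MISMATCH_DOC = """\
CUI//EXAMPLE
Controlled by: Example Agency
Body text.
CUI
"""

# No banner at the top, a stray marking at the bottom, no designation line: three findings.
BAD_DOC = """\
Quarterly status report
Body text with no designation indicator.
CUI
"""

if __name__ == "__main__":
    for name, doc in [("good", GOOD_DOC), ("mismatch", MISMATCH_DOC), ("bad", BAD_DOC)]:
        rep = check_markings(doc)
        print(f"{name}: banner={rep.banner!r} ok={rep.ok}")
        for f in rep.findings:
            print("  -", f)
```

Running the script reports the compliant document as clean, the second as having a footer that does not match its banner, and the third as missing both its banner and its designation indicator. A check like this can be run over exported documents as a pre-release gate, but it only verifies marking consistency, not whether the content was categorized correctly in the first place.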
For more in depth instructions on how to mark CUI, take a look at this video from the US National Archives:
Security and compliance are a group effort. You must ensure that your employees are prepared to handle CUI with the security it requires and to mark it correctly. Here are some questions you can use to better train your users to identify and protect CUI:
Q: What is the correct banner marking for unclassified documents with CUI?
A: CUI
Q: What does an individual need to obtain access to CUI?
A: A lawful government purpose
Q: Who is responsible for implementing CUI markings and dissemination instructions?
A: The authorized holder of the information at the time of creation.
Q: True or False? It is mandatory to include a banner marking at the top of a page to signify that CUI exists in the document.
A: True
Q: What should you aim for when destroying CUI?
A: To render it unreadable, indecipherable, and unrecoverable.
Q: What DoD instruction implements the CUI program?
A: DoDI 5200.48, Controlled Unclassified Information
One of the first things you should do to better protect CUI is to implement stringent access controls that limit who has access to sensitive data in your organization. Limiting the scope of who has access to CUI can reduce overall risk and make your compliance efforts much easier. Use strong authentication methods, apply least privilege principles, and consistently review permissions to avoid scope creep. Additionally, your organization should implement strong encryption policies to protect CUI both in transit and at rest. Specifically, FIPS 140-2 validated encryption is required to secure CUI.
Your organization must also have security awareness training programs in place to educate users on how to protect CUI and avoid common cyber threats that they may face day to day. This includes training them on the importance of protecting CUI, how to recognize CUI, and how to securely handle sensitive data.
Your organization should also conduct regular security assessments to root out vulnerabilities and identify the weakest points in your security. You should also have plans in place to remediate vulnerabilities and respond to successful cyber attacks. At the end of the day, NIST 800-171 is your guide. It is the standard that you will be audited on and is designed to help contractors secure CUI.
CorpInfoTech is a CMMC level 2 compliant MSP that offers IT, cybersecurity, and compliance solutions to SMBs. Through TAS for CMMC Compliance, contractors will gain access to enterprise level tools and expertise that makes achieving and maintaining compliance much more efficient.
By partnering with CorpInfoTech, your organization will inherit 200+ out of the 320 objectives required by CMMC. This increases compliance efficiency, reduces overall risk, and eliminates the stress of an upcoming audit.