Any organization that works within the Defense Industrial Base (DIB) has to comply with CMMC to continue doing business with the federal government. The reason being is that these contractors are entrusted with sensitive information that, if compromised, could be a threat to national security. In the context of CMMC, this information is known as "CUI". But what is CUI? and why is it so important to secure?
Controlled Unclassified Information, or CUI, is information or data that the federal government creates, stores, or transmits that is required to be safeguarded using particular controls and protocols. CUI can also refer to data created or possessed by an outside entity on behalf of the federal government. By law or regulation, any agency or party that has access to this data must exhibit a certain level of security. In addition to the data itself, CUI assets represent any assets that process, store, or identify CUI. Organizations must make inventorying these assets a top priority to make sure no CUI slips through the cracks.
When it comes to classifying CUI, there are 125 total CUI categories that a further divided into 20 index groupings. CUI can be further divided into either CUI Basic or CUI Specified.
CUI Basic -
CUI Basic describes CUI that requires only NIST 800-171 implementation to protect it. NIST 800-171 is a set of 110 controls that provide guidance on how to protect sensitive information. It is the foundation of CMMC compliance and is necessary for protecting CUI.
CUI Specified -
CUI Specified refers to when an authorizing law or policy puts additional control over the handling of the data itself. The protection of this level of CUI is mandated by law and failure to comply can bring with it serious penalties. This includes going beyond NIST 800-171 and complying with the requirements set out in DFARS 7012.
There are a number of steps your organization can take to better secure CUI as well as precautions you are required to take. First and foremost, when handling CUI, NIST 800-171 should act as your foundation. The procedures outlined in this framework are designed to protect CUI and are required for both CUI Basic and Specified. Your organization should also be prepared for third-party assessments. Under CMMC your organization will have to prove your compliance with NIST 800-171 by undergoing an external audit from a C3PAO (Certified third-party assessment organization).
To ensure your organization is ready come audit time, a managed service provider (MSP) is able to help. CorpInfoTech is an MSP that offers IT and security solutions to SMBs seeking to bolster their security posture. As a certified RPO (Registered Provider Organization) with the CyberAB, we are able to provide services to contractors seeking CMMC level 2 compliance. Through our services, your business can be confident in its ability to identify and secure CUI!
Contact CorpInfoTech today to learn more about how our managed services can protect your CUI!