Safeguarding the sensitive non-classified information that is shared with U.S. defense contractors is the driving force behind the CMMC program. In recent years, cyber attacks and breaches have put this controlled unclassified information (CUI) at a higher risk than ever before.
What is CUI?
CUI is “government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies”.1
Most importantly, the types and amount of government information a contractor can see, store in their computer systems, or send determines which CMMC Level (Level 1, 2, or 3) the company falls into. Using the criteria below, a contractor can determine which level of compliance they will likely require. However, the DoD will specify which level is required for a contract in its requests for information (RFIs).
- If a contractor handles any CUI, they must become at least CMMC Level 2 certified. Level 2 contractors have to implement 110 security controls.
- If an organization handles only FCI (Federal Contract Information, as described below), they can certify at Level 1. Level 1 contractors have to implement 17 basic security controls.
Controls for CUI
The controls prescribed to protect CUI against unauthorized disclosure fall into 14 domains:
Controls in the Access Control domain restrict system access to protected information based on authentic user, process, or device identities.
AC Control Example: An organization monitors and controls their employees’ internet remote access sessions to the system and implements a VPN (virtual private network) to improve confidentiality.
Controls in the Awareness & Training domain ensure that all users of a system are made aware of security risks and applicable policies, standards, and procedures through rigorous training.
AT Control Example: An organization teaches their staff how to recognize and report potential insider threats through security awareness training.
Controls in the Audit & Accountability domain provide protocols for system audit scheduling and audit log storage for the monitoring and reporting of unauthorized system use.
AU Control Example: An organization specifies the system event types to be logged and outlines requirements for retaining and storing the audit records.
Controls in the Configuration Management domain govern the baseline settings installed on software, hardware, and firmware and listed in documentation.
CM Control Example: An organization establishes and maintains sets of specifications and configuration items (standard software packages installed on devices, current version numbers on applications, etc.) throughout all organizational systems (software, hardware, firmware, System Security Plan) listed in their system inventory.
Controls in the Identification & Authentication domain serve to specify the user and device identification process and set up authentication of users and devices before allowing them access to the system.
IA Control Example: An organization assigns unique user IDs to each employee to be able to log into the system. This allows for granting access to information needed for a project to certain users while preventing other users not working on the project from accessing the information.
Controls in the Incident Response domain establish the systematic approaches and architecture needed to respond to real-time attacks. An incident response plan outlines an organization’s capacity to handle incidents, including preparation, detection, analysis, containment, recovery, and user response activities.
IR Control Example: An organization establishes a procedure for users to identify and report potential incidents by emailing a certain address. The procedure also assigns roles and responsibilities to different users within a system to prepare incident handling capabilities like determining a place to store evidence of an incident.
Controls in the Maintenance domain list protocols and procedures for scheduling regular and special event maintenance on organizational systems.
MA Control Example: An organization establishes a procedure and performs preventative maintenance by updating operating systems and applications to avoid potential problems, tracking what maintenance was perform to help with troubleshooting (if needed).
Controls in the Media Protection domain outline practices for the safeguarding of FCI and CUI in information system media like paper documents, USB drives, or mobile phones. These practices include the encryption and secure storage of media and the sanitization or destroying of media before its disposal or reuse.
MP Control Example: An organization has CUI stored on a USB drive which is then locked in a drawer and logged in a system inventory. Any time the USB drive is checked out by an employee, a log is updated with their information.
Controls in the Personnel Security domain require that an organization define protocols for screening individuals during the recruiting, hiring, and onboarding processes prior to granting access to systems containing CUI.
PS Control Example: An organization assesses a newly hired employee’s conduct and reliability, as well as background and credit checks, before they can access CUI.
Controls in the Physical Protection domain limit physical access through proximity-based safeguards for workspaces and devices linked to CUI or CDI (covered defense information).
PE Control Example: An organization keeps a log of visitors to their office and requires that they be escorted by an employee at all times. Video cameras are installed at each entrance and exit and feed video to a reception desk monitor.
Controls in the Risk Assessment domain advise periodically assessing the risk to an organization by monitoring, analyzing, and mitigating known threats and vulnerabilities.
RA Control Example: An organization performs their annual risk assessment exercise by reviewing incident reports, identifying threat sources and events, and determining the likelihood of risk to the safeguarding of CUI.
Controls in the Security Assessment domain includes protocols for conducting regular internal and external audits of cybersecurity measures and practices to determine their effectiveness.
CA Control Example: An organization uses their own System Security Plan (SSP) as a guide and reviews the efficacy of their security controls, proposing updated or new controls where needed.
Controls in the System and Communications Protection domain optimize the security of all internal and external network traffic, such as through a web proxy and a firewall.
SC Control Example: An organization installs a firewall to separate their internal network from the internet. The firewall allows them to block access to websites that appear to spread malware and keeps a log of blocked activity for use in monitoring.
Controls in the System and Information Integrity domain entail protocols, like system security alerts and communication monitoring, that ensure total confidentiality of protected data within systems.
SI Control Example: An organization sets up system security alerts for different parts of the system, reviews alerts, and researches how to appropriately address them.
Source: CMMC Level 2 Assessment Guide
Some CMMC Level 2 contractors will be able to submit self-assessments of their adherence to the 110 Level 2 controls. Although, the vast majority of Level 2 companies and all of Level 3 will have to undergo a third-party assessment by a C3PAO every three years.2
Basic and Specified Markings
There are two control levels of CUI: Basic and Specified. Both levels require or allow agencies to protect the information. The Basic level does not provide specific controls to do this. Alternatively, CUI Specified does provide specific controls for doing so.3 The Specified level also requires unique markings, enhanced safeguards, and limits on who can access the information.
To determine whether an information category is Basic or Specified, click on a category link in the Controls for CUI tabs above. Next, scroll to the “Notes for Safeguarding, Dissemination and Sanction Authorities” section.
The DoD CUI Program
For decades, federal agencies within the DoD have used their own methods and labels for managing sensitive information. Popular acronyms include FOUO, LES, and SBU. However, the lack of a standard labeling process has led to inefficiency and confusion. This created obstacles in sharing authorized information across agencies.
To address these issues, President Obama created the DoD CUI Program in 2010. The program made CUI the uniform standard to replace other agency-specific marking processes.
Prior to 2010
DoD CUI Program
CUI Training Requirements
The DoD Mandatory Controlled Unclassified Information (CUI) Training course fulfills training requirements outlined in some contracts under the CMMC model. Trainees learn how to access, mark, safeguard, decontrol, and destroy CUI. Also, the course includes guidelines on how to report cyber incidents.
What Is FCI?
More broadly, Federal contract Information (FCI) is data not intended for public release that is generated by a contract between the DoD and a contractor to provide a certain good or service. It does not include information provided by the government to the public, such as a public government website.4
Due to the nature of DoD contracts, all of a contractor’s CUI is technically FCI, but not all FCI is CUI. In the context of CMMC, FCI refers to information not categorized as critical CUI.
FCI can be stored in:
- Hard storage devices
- Manufacturing devices
- Backup systems
- Systems that store files received from the government
Controls for FCI
The presence of FCI only in a contractor’s computer system classifies them as subject to CMMC Level 1. FCI doesn’t require additional safeguarding controls beyond those outlined in FAR clause 52.204-21.
DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.
Request your CMMC 2.0 self-assessment tool and learn whether or not your company has CUI.