August 28, 2024
Blog

CUI Handling for Software Startups

CMMC 2.0 is rapidly becoming an industry standard, and will soon be critical for any organization that makes or processes parts for the Department of Defense (DoD) or is part of the Defense Industrial Base sector. It is essentially a formal process for certifying that organizations meet NIST SP 800-171, with three levels keyed to the sensitivity of the information a contractor handles; Level 2, which is aligned to NIST SP 800-171, is the one that applies to CUI.

A critical component of these frameworks is how your organization handles and processes Controlled Unclassified Information (CUI). CUI is information that is not classified but still requires safeguarding and dissemination controls under government regulation.

In this blog, I'll outline what a small business needs to know to be NIST SP 800-171 or CMMC 2.0 compliant out of the gate, maintaining the strict security and documentation required to operate a business in this space.

1000 ft.

If your company receives CUI from customers, you are considered an Authorized Holder and should therefore have a secure environment in which that data is kept, protecting it from unauthorized access or disclosure.

An Authorized Holder is an individual, agency, organization, or group of users that is permitted to designate or handle CUI, in accordance with 32 CFR part 2002.

At the time of creation, the authorized holder is responsible for determining whether the data falls within a CUI category and for applying the required CUI markings and dissemination instructions.

At the time of modification, the modifying party must follow the instructions in the document's markings and any contractual obligations between the parties.

If you combine multiple pieces of CUI and return the result to the same originator, you may not need to re-mark the article. You should still consult the originating party and your contracts before relying on that.

DoDI 5200.48 sets out the DoD policy and procedures for how you handle CUI with respect to:

  1. Designation
  2. Handling
  3. Decontrolling

Recognizing, Marking, Decontrolling

This is the easy part of CUI handling. The rules are clear, the obligations are obvious and the overhead is minimal.

The first task is determining what CUI your company handles. In the industrial sector it is safe to assume that data coming from your customer is probably CUI, but confirm it against the CUI Registry categories rather than guessing. This does not include traditional Personally Identifiable Information (PII), which you still have to handle securely; that is the sort of data every software company handles and is not in scope for this blog post.

For information on PII, check out these resources:

The primary resource for determining if something is CUI is the CUI Registry:

For example, at Ground Control we handle Controlled Technical Information (CTI):

If you have created a document or piece of data, and it is within a CUI category, you must mark the document.

  • Add CUI in the header and footer of each page
  • Add a CUI Designation Indicator on the first page

Anything that contains CUI should be appropriately marked. For example, if you are sending your customer their own document via email (be sure the email provider can support your ITAR obligations, such as restricting access to US persons, and is at least NIST SP 800-171 compliant!), you must also mark the email:
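As an added example (not code from the original post or from Ground Control), here is a small Python checker that applies the two marking rules above to a document given as a list of per-page text strings, treating the first and last non-empty line of each page as header and footer. The designation indicator field names it looks for (Controlled by, CUI Category, Distribution/Dissemination Control, POC) follow the DoDI 5200.48 marking format and are an assumption to verify against your own marking guide; the sample pages are constructed.

```python
import re

# Banner line accepted in the header and footer of every page: bare "CUI" or a
# category-qualified form such as "CUI//SP-CTI" or "CUI//SP-CTI/FEDCON".
BANNER = re.compile(r"^\s*CUI(//[A-Z0-9/\-]+)?\s*$")

# Designation indicator fields required on the first page. These names follow
# the DoDI 5200.48 marking format and are an assumption of this example; check
# them against your own marking guide.
DESIGNATION_FIELDS = (
    "Controlled by:",
    "CUI Category:",
    "Distribution/Dissemination Control:",
    "POC:",
)


def check_cui_markings(pages):
    """Return a list of marking deficiencies for a document.

    `pages` is a list of strings, one per page. The first non-empty line of a
    page is treated as its header and the last non-empty line as its footer;
    both must carry the CUI banner. Page 1 must also contain every
    designation indicator field. An empty list means the document is marked.
    """
    findings = []
    if not pages:
        return ["document has no pages"]
    for num, text in enumerate(pages, start=1):
        lines = [ln for ln in text.splitlines() if ln.strip()]
        if not lines:
            findings.append(f"page {num}: empty page, no markings")
            continue
        if not BANNER.match(lines[0]):
            findings.append(f"page {num}: missing CUI banner in header")
        # A page with a single line cannot carry both a header and a footer.
        if len(lines) < 2 or not BANNER.match(lines[-1]):
            findings.append(f"page {num}: missing CUI banner in footer")
    for field in DESIGNATION_FIELDS:
        if field not in pages[0]:
            findings.append(f"page 1: designation indicator missing '{field}'")
    return findings


# Constructed three-page sample: pages 1 and 2 are marked correctly, page 3
# lost its footer (a common outcome of a template edit or a print-to-PDF step).
SAMPLE_DOC = [
    "CUI//SP-CTI\n"
    "Controlled by: Example Customer Corp\n"
    "CUI Category: CTI\n"
    "Distribution/Dissemination Control: FEDCON\n"
    "POC: J. Doe, (555) 555-0100\n"
    "\n"
    "First-article inspection report, part 123-456\n"
    "CUI//SP-CTI",
    "CUI//SP-CTI\nDimensional results table\nCUI//SP-CTI",
    "CUI//SP-CTI\nAppendix: supplier notes",
]

if __name__ == "__main__":
    for finding in check_cui_markings(SAMPLE_DOC) or ["all pages marked"]:
        print(finding)
```

An outgoing email is a single "page", so the same function can gate an email before it is sent: `check_cui_markings([email_text])` returns an empty list only when the banner and the designation indicator are both present. Wiring it into a pre-send hook is the cheap way to make the email marking rule above hold automatically.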

Only three parties may ever decontrol CUI:

  • The Originator of the information
  • The Original Classification Authority (OCA)
  • Designated Offices for Decontrolling

Hint: if you are a software company like Ground Control, only accepting and handling CUI from customers, modifying it and returning it to the same customer, you are none of these parties and will never decontrol CUI yourself.

A customer may decontrol CUI that you hold, which releases you from your handling obligations for that particular document.

Safeguarding

This is where you cannot make any mistakes. Protecting CUI with the highest level of security available to you is absolutely critical; for any business operating in the defense space it is existential.

How you implement your safeguards depends on your business context. I highly suggest consulting with a cybersecurity professional to implement appropriate safeguards for your organization. For software organizations, the controls outlined in CMMC 2.0 and NIST SP 800-171 are a fantastic resource for both education and implementation of appropriate safeguards for handling CUI.

With that said, it will take you some time to be completely robust in your approach, so from day 0 you should at least do the following:

  • Keep CUI within a secure area: this can be a physical area or a virtual one.
    • Closely regulate, audit and protect this secure area. Limit access to those who strictly require it, and record every action taken within it. Where the CUI is also ITAR-controlled technical data, never grant access to non-US persons unless a specific ITAR exemption or export authorization covers them.
  • Never leave CUI unattended, or discuss it where unauthorized personnel are present. For a software organization this means CUI should preferably never leave application data stores except to return to the originating customer. If it must leave for customer support, track it strictly, destroy it after use, and never leave it displayed on a screen while you are away.
  • For a software company, your life will be significantly easier if you never print documents. For most manufacturing facilities this is not possible, so use CUI cover sheets and ensure documents never leave secure areas.
  • Transmit CUI electronically only over approved protocols and encryption mechanisms; NIST SP 800-171 requires FIPS-validated cryptography when encryption is used to protect CUI.
    • Avoid wireless transfer if at all possible.
  • Destroy CUI once it is no longer needed, according to your document lifecycle policy.

Document Lifecycle

This is the largest ongoing overhead of handling CUI. You must carefully audit your organization and produce a data inventory map that records, at minimum:

  1. How data comes into your possession
  2. How you store it at rest
  3. How you use it
  4. How you share it
  5. How you archive and dispose of it

Once you understand your CUI footprint, your goal should be to reduce it. Only store data that your organization actually requires; otherwise dispose of it immediately.

The approach NIST guidance points toward for a strong document lifecycle is maintaining a Data Inventory Map: a living record of where every piece of CUI lives and how it moves.

Documenting your Records of Processing Activities (ROPA) can adequately fulfill the requirements of a data inventory, but a holistic Data Governance Program is highly recommended. This can include maintaining a structured metadata repository for databases and cloud resources, and using a discovery engine to scan for unstructured data across all environments (endpoints, cloud stores, documentation repositories, SaaS apps, etc.).

There are a lot of guides out there for helping with a Data Inventory Map, and maintaining one is part of a larger cybersecurity policy. I recommend reading https://www.kroll.com/en/insights/webcasts-and-videos/fundamental-steps-building-data-inventory and doing your own research to decide what will work for your organization.
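As an added example, not part of the original post or Ground Control's tooling: a small Python audit over a constructed Data Inventory Map that turns the five lifecycle questions above, the footprint-reduction rule and the safeguarding rules (release only to the originating customer, US-persons-only access) into checks a CI job or cron could run. The record fields, the "originating customer" label and the two sample stores are assumptions made for this illustration; adapt them to your own map.

```python
from datetime import date, timedelta

# The five lifecycle questions the text says a Data Inventory Map must answer.
LIFECYCLE_FIELDS = ("origin", "storage", "use", "sharing", "disposal")

# "Today" for the sample run: the post's publication date.
AUDIT_DATE = date(2024, 8, 28)

# Constructed sample inventory (not Ground Control's real map): one record per
# place CUI lives. "sharing" lists who the data is released to, "retention_days"
# plus "last_used" drive the disposal check, and "us_persons_only" records
# whether access is limited to US persons (relevant where the CUI is also
# ITAR-controlled technical data).
SAMPLE_INVENTORY = [
    {
        "name": "inspection-reports-db",
        "origin": "customer upload over the TLS web portal",
        "storage": "PostgreSQL on an encrypted volume",
        "use": "generate first-article inspection reports",
        "sharing": ["originating customer"],
        "disposal": "purge 30 days after the report is accepted",
        "retention_days": 30,
        "last_used": date(2024, 8, 20),
        "us_persons_only": True,
    },
    {
        "name": "support-ticket-attachments",
        "origin": "customer email to the support address",
        "storage": "vendor-hosted helpdesk SaaS",
        "use": "troubleshooting customer-reported issues",
        "sharing": ["originating customer", "helpdesk vendor"],
        "disposal": "",                 # never defined
        "retention_days": 14,
        "last_used": date(2024, 3, 2),  # long past its retention window
        "us_persons_only": False,
    },
]


def audit_inventory(inventory, today):
    """Return (store name, finding) tuples for every rule violation.

    Rules checked: every lifecycle question answered; nothing held past
    last_used + retention_days; nothing shared beyond the originating
    customer; access restricted to US persons.
    """
    findings = []
    for rec in inventory:
        name = rec.get("name", "<unnamed>")
        for field in LIFECYCLE_FIELDS:
            if not rec.get(field):
                findings.append((name, f"lifecycle field '{field}' not documented"))
        if "retention_days" in rec and "last_used" in rec:
            expires = rec["last_used"] + timedelta(days=rec["retention_days"])
            if today > expires:
                overdue = (today - expires).days
                findings.append((name, f"retention exceeded by {overdue} days; dispose"))
        extra = [p for p in rec.get("sharing", []) if p != "originating customer"]
        if extra:
            findings.append((name, "shared beyond originator: " + ", ".join(extra)))
        if not rec.get("us_persons_only", False):
            findings.append((name, "access not restricted to US persons"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{name}: {finding}")
```

The point of keeping the map as structured data rather than a spreadsheet is that the disposal and sharing rules become executable: the support-ticket store above fails four checks at once, which is exactly the kind of unmanaged copy that a yearly manual review tends to miss.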

Training and Maintenance

CUI handling is not a one-and-done portion of your business. You must of course constantly audit and monitor your security posture, but you must also keep your CUI policies and procedures current. Update your Data Inventory Map on a regular basis, leverage automation to keep the inventory up to date, and build tooling to enforce how documents are shared and destroyed.

Once you have your policies and procedures in place, carefully develop a training program for your employees that gives them the tools they need to meet regulatory requirements and update this training at least annually.

Legal and Contracting

For any customer engagements, it’s important to obtain a form of CUI Authorization. This can be in the form of a clause within a software license agreement or an explicit document.

This authorization should, at minimum, cover authorization to handle CUI, liability and indemnification:

  • Clearly state that your organization is authorized to handle, process, and return the CUI provided by the customer.
  • Specify the scope of the authorization, including what types of CUI are covered and any limitations on its use.
  • Define the responsibilities and liabilities of each party in the event of a breach or misuse of CUI.

It is also recommended to include:

  1. CUI Handling Procedures
  • Describe the security controls and procedures your organization follows to protect CUI, referencing relevant standards like NIST SP 800-171.
  • Include details on how CUI is stored, processed, and returned to the customer, and confirm that it will not be transmitted to third parties.
  2. Compliance and Incident Reporting
  • Outline your obligations for maintaining compliance with applicable regulations.
  • Include a process for reporting any security incidents or breaches involving CUI to the customer in a timely manner.
  3. CUI Retention and Disposal
  • Specify how long CUI will be retained and the procedures for securely deleting or returning it once the contract is completed or terminated.
  4. Audit and Review Rights
  • Allow the customer the right to audit or review your processes and controls related to CUI handling, if necessary.

References and Extra Material

The DoD has an online course that I would highly recommend. I tend not to enjoy these, like most people, but this course really helped me get comfortable with CUI, as it truly is a stressful topic for anyone made responsible for handling it.

https://securityawareness.usalearning.gov/cui/index.html

Job Aid

Policy Documents

DFARS

DOD Instructions

DOD Manuals

NIST

Other Resources

Post's Author: Matt