Kelser Blog, Media, and News | Connecticut IT Consulting Blog

How To Find CUI Within Your Environment & Set A CUI Boundary For CMMC

Written by Mira Aslanova | April 29, 2025

With the risks of a cyber incident such as malware, ransomware, or data breach growing, the Department of Defense (DoD) created a new assessment mandate within the Cybersecurity Maturity Model Certification (CMMC) program to increase the security of its supply chain.

CMMC is intended to enforce cybersecurity standards for protecting federal contract information (FCI) and controlled unclassified information (CUI), through a three-tiered assessment system.

Under CMMC 2.0, defense contractors and subcontractors within the Defense Industrial Base (DIB) now have to prove that they’re doing everything they can to protect the sensitive federal information they handle.

Before you can implement the right security guardrails, however, you first need to establish a boundary, or scope, for the CUI you store, process, or transmit.

Your FCI and CUI assets form the core of your CMMC assessment scope, for which your company will need to meet all CMMC security requirements for your level.

In this article, we’ll examine why creating a CUI scope is a foundational step in your CMMC compliance journey and provide a checklist for how to successfully accomplish it.

With this information, you’ll have the information you need to streamline your CMMC compliance process as you work toward final certification.

Understanding The CMMC Assessment Levels

With the CMMC Final Rule, the DoD adopted mandatory assessments as a way of verifying that organizations are actually meeting the CMMC requirements. 

The new, three-tiered assessment system divides DoD contractors and subcontractors into three levels, based on the sensitivity of the federal information they handle.

A company's CMMC level determines the cybersecurity and assessment standards it must satisfy.

Related Article: Step 1 For CMMC Certification: Understanding Your CUI & CMMC Level

Level 1 companies only store or process FCI. These companies must meet basic security controls aligned with the Federal Acquisition Regulation (FAR) and conduct a self-assessment each year.

Level 2 and Level 3 companies house, access, and transmit FCI and CUI that’s created by or for the government. Level 2 organizations must meet 110 security practices outlined in NIST SP 800-171.

Most Level 2 organizations will need to get assessed every three years by a certified third-party assessor organization (C3PAO). A small number of Level 2 businesses will be allowed to perform a self-assessment every three years.

Level 3 primes and their subcontractors must satisfy the most rigorous standards to protect against advanced persistent threats (APTs). Because of this, they must first achieve Level 2 certification before they can be assessed for Level 3, which tacks on additional cybersecurity requirements aligned with NIST SP 800-172. 

Level 3 businesses must have a federal CMMC audit performed every three years.

Organizations at all three levels will be required to reexamine their security defenses and annually reaffirm or “self-attest” ongoing compliance.

Why A CUI Boundary Analysis Is Critical For CMMC 2.0 Compliance

Before you can determine what security measures you’re required to meet under CMMC, you first have to figure out what CUI you have and where it’s located within your entire environment.

The purpose of a CUI boundary analysis is to gain a clear understanding of where the CUI you handle is located within your environment and to categorize it so you can establish the proper security controls.

It represents a fundamental step in the CMMC certification process.

Related Article: Do I Need A Managed IT Service Provider To Meet CMMC Requirements?

The government’s CUI marking guide outlines how it categorizes and labels, or marks, information as CUI. The government agency that awarded your contract—in this case the DoD—is responsible for marking any CUI that it creates and shares with you as part of your contract.

It’s important to note that contractors cannot and should not create their own marking guides.

The DoD marking guide doesn’t apply to Level 1 defense contractors since FCI is not marked.

For businesses at Levels 2 and 3, the CUI markings are needed to establish dissemination controls that ensure such information is disclosed only to authorized users and remains secure.

Related Article: CMMC Step 2: How A Gap Analysis Can Help You Find Your Security Risks

There are different types of CUI, such as critical infrastructure, defense, financial, intelligence, legal, nuclear, transportation, and procurement and acquisition.

CUI falls under one of two categories: CUI Basic or CUI Specified. Information that falls under CUI Basic has to meet a baseline set of security controls; CUI Specified data requires tighter security measures.

Where Can CUI Live Within Your Organization?

CUI can live in many different places within your organization across various departments, paper and digital files, databases, communications, and networks.

Among possible sources are:

  • financial records
  • technical and design drawings
  • business plans
  • customer lists
  • email communications

When the government shares CUI with you, it will generally be identified within the header and footer of each page and any cover page as “CUI” or “Controlled.” It may also include category markings and controls for how and with whom the information can be shared.

There are many different CUI markings. For a detailed list and more information about these markings, refer to the DoD CUI Registry.

Some examples of CUI markings include:

  • NOFORN: No foreign dissemination
  • FEDCON: For use by federal contractors only
  • CTI: Controlled Technical Information
  • EXPT: Export Controlled

Keep in mind that there are instances, especially with legacy data, when CUI isn’t labeled.

If you’re a subcontractor and you’re concerned that some unmarked information may actually be CUI, you should check with your prime or contracting officer for verification. Primes can check with their contracting agency if necessary.
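As an added example that is not part of the original post or Kelser's tooling, the Python scanner below looks for the header/footer banner markings described above and buckets documents as CUI Specified, CUI Basic, or unmarked; the "CUI//SP-CTI//NOFORN" slash layout, the "SP-" prefix for CUI Specified categories, the three-line header/footer window, and the sample documents are all assumptions constructed for this example.

```python
import re
# Banner lines as the post describes them: "CUI" or "Controlled" in the header/footer of each
# page, optionally followed by category and dissemination markings. The "CUI//SP-CTI//NOFORN"
# slash layout and the "SP-" prefix for CUI Specified categories are assumptions for this example.
BANNER_RE = re.compile(r"^\s*(CUI|CONTROLLED)(?:\s*//\s*(?P<rest>[A-Z0-9\-]+(?:\s*//\s*[A-Z0-9\-]+)*))?\s*$", re.I)
DISSEMINATION = {"NOFORN", "FEDCON"}  # dissemination controls named in the post
EDGE_LINES = 3                        # lines at each end treated as header/footer (assumption)

def parse_banner(line):
    """Return (categories, dissemination, specified) for a banner line, else None."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    cats, dis, spec = [], [], False
    for tok in (m.group("rest") or "").upper().replace(" ", "").split("//"):
        if tok in DISSEMINATION:
            dis.append(tok)
        elif tok:                       # category marking; SP- means CUI Specified
            spec = spec or tok.startswith("SP-")
            cats.append(tok[3:] if tok.startswith("SP-") else tok)
    return cats, dis, spec

def scan_document(path, text):
    """Look for CUI banners only in the header/footer region of one document."""
    f = {"path": path, "marked": False, "specified": False, "categories": [], "dissemination": []}
    lines = [l for l in text.splitlines() if l.strip()]
    for line in lines[:EDGE_LINES] + lines[-EDGE_LINES:]:
        parsed = parse_banner(line)
        if parsed:
            cats, dis, spec = parsed
            f["marked"], f["specified"] = True, f["specified"] or spec
            f["categories"] += [c for c in cats if c not in f["categories"]]
            f["dissemination"] += [d for d in dis if d not in f["dissemination"]]
    return f

def scan_corpus(docs):
    """Bucket documents as CUI Specified, CUI Basic (banner, no SP- category) or Unmarked."""
    out = {"CUI Specified": [], "CUI Basic": [], "Unmarked": []}
    for path, text in docs.items():
        f = scan_document(path, text)
        out["Unmarked" if not f["marked"] else "CUI Specified" if f["specified"] else "CUI Basic"].append(f)
    return out

# Constructed sample documents; none of this is real CUI.
SAMPLE_DOCS = {
    "drawings/bracket-rev3.txt": "CUI//SP-CTI//NOFORN\nBracket tolerances ...\nPage 1 of 1\nCUI//SP-CTI//NOFORN",
    "finance/q2-invoice.txt": "Controlled\nInvoice for contract deliverables ...\nControlled",
    "hr/lunch-menu.txt": "Cafeteria menu\nMonday: soup\nFriday: pizza",
}
```

A document that lands in the Unmarked bucket is not cleared: legacy data may be unlabeled, so that list is the starting point for the verification with your prime or contracting officer described above.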

CUI Scoping: How To Establish A CUI Boundary For Your Environment

The following nine steps give you a clear guide to CUI scoping: establishing a CUI boundary so you can identify security gaps and correct those deficiencies ahead of your CMMC audit.

To establish a CUI boundary, follow these steps:

1. Review DoD contracts

  • Review your contracts to look for language indicating that you will be handling CUI. 

  • The CUI Registry is a good resource for determining if something is CUI and understanding the CUI categories.

2. Inventory assets

  • Complete an asset inventory to identify your assets within your organization—including your employees, computers, mobile devices, filing cabinets, network equipment, software, policies, systems, locks, and even assets stored in the cloud.

  • This will allow you to identify the kinds of CUI you hold so you can establish a boundary for your CUI environment.

3. Classify & Document Data

  • Categorize everything into one of the five asset types set by the government: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, or Out-of-Scope Assets.

  • Document your CUI assets. This will become part of your assessment scope, against which your CMMC compliance will be measured.

4. Track CUI Data Flow

  • Document how CUI moves through your organization’s processes and systems to determine how and where it’s being stored, processed, or transmitted.

5. Establish Clear Parameters

  • The type of CUI you handle will determine the CMMC controls needed to protect it. CUI Specified requires more robust controls than CUI Basic. 

  • Once you’ve identified your CUI, separate CUI from other non-CUI data to ensure that you implement the required safeguarding controls for the type of sensitive federal information you handle.

6. Implement Strong Security Measures

  • Implement the required controls, including physical security measures, to ensure the ongoing safety of the FCI and CUI within your environment.

7. Document Implementation

  • Document the specific security measures, policies, and procedures you put in place to fix any identified security gaps within your CUI scope for CMMC compliance.

8. Provide Employee Training

  • Provide employee security awareness training to educate employees about your security policies and procedures, especially as they relate to accessing, storing, or transmitting FCI and CUI.

  • This will emphasize the importance of your security controls and reinforce ongoing adherence to them. It will also ensure that workers understand how to use the tools and systems you’ve implemented to safeguard FCI and CUI.

  • Since staff can be interviewed during a CMMC audit, employee training also helps prepare them so they can accurately demonstrate or document specific compliance controls that you've implemented. 

9. Conduct CUI boundary analysis

  • Regularly perform a CUI boundary analysis to evaluate your security controls and identify the users, systems, and processes within your business that share, store, or access CUI.

  • This ensures ongoing CMMC compliance for targeted areas within your environment.

The Bottom Line With CUI Scoping

After reading this article, you now understand the importance of developing a CUI boundary to streamline your compliance process toward CMMC certification. 

Since it can take most small and medium-sized businesses the better part of a year or longer to plan and implement the required security controls to meet compliance, it’s critical that you take action now—if you haven’t already gotten started.

As a managed IT service provider (MSP), Kelser offers strategic planning, regulatory insight, and cybersecurity expertise to guide you along your CMMC compliance journey from start to finish.

From evaluating your infrastructure and performing a CMMC compliance gap analysis to providing remediation support and developing system security plan (SSP) documentation, we can help lay the critical groundwork for CMMC regulatory compliance.

If you want more information about how we can help you achieve CMMC readiness, we're here to help.