Are you confused about what CMMC level requirements your organization needs to meet? Do you know where the federal controlled unclassified information (CUI) lives within your environment—or whether you even have any?
Now that CMMC is in effect, businesses within the Defense Industrial Base (DIB) must satisfy certain cybersecurity compliance requirements to obtain or keep their Department of Defense (DoD) contracts.
The Cybersecurity Maturity Model Certification (CMMC) Final Rule establishes a method for the government to verify that primes and their subcontractors have implemented the required cybersecurity measures needed to protect sensitive federal information.
Under CMMC 2.0, contractors are split into three levels depending on the type of data they may handle—CUI or Federal Contract Information (FCI).
Businesses must implement certain security safeguards and meet assessment requirements at each level.
In this article, we’ll outline five questions to determine your CMMC level.
With this information, you'll understand what the security and assessment mandates mean for your business, know where to start, and be able to prepare for your CMMC assessment and get certified.
In order to achieve and maintain CMMC certification, DIB contractors must prove that they’re storing, processing, and transferring FCI and CUI within secure environments.
FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. CUI is sensitive federal information that the government hasn't classified but that still requires safeguarding or dissemination controls under law, regulation, or government-wide policy.
Related Article: What Is Controlled Unclassified Information (CUI) In NIST 800-171?
So, how do you know if you even have CUI? When trying to identify CUI within your organization, there are several places to look.
Start by reviewing your DoD contracts. Look for clauses that reference NIST SP 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS), in particular DFARS 252.204-7012 (safeguarding covered defense information) and 252.204-7021 (the CMMC clause); their presence is a strong indication that the contract involves CUI. FAR clause 52.204-21 by itself points to FCI.
You should also examine your data for government markings. Look for "CUI," "Controlled," or "Controlled Unclassified Information" banner markings at the top and bottom of each page and on the cover page.
In addition to these banner and footer markings, legacy markings that predate the CUI program include FOUO (For Official Use Only) and SBU (Sensitive But Unclassified). Information carrying these markings may be CUI under the current program and should be treated as a signal to verify rather than as a definitive answer.
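As an added example (not code from the original article), the following Python script turns the marking checks above into a first-pass discovery tool you can run over a file share while building your CUI inventory. It counts a current banner marking only when it sits on its own line at the top or bottom of a document, records legacy FOUO/SBU markings wherever they appear, and separates both from a bare mention of "CUI" in running text, which by itself proves nothing. The "//SP-<CATEGORY>" banner segment follows the CUI Marking Handbook layout, and treating an "SP-" category as the signal for CUI Specified is an assumption of this example; the sample documents are constructed. Any hit still needs verification with the contracting officer or prime, as the article says.

```python
import re
from dataclasses import dataclass, field
from pathlib import Path

# Banner markings named in the article ("CUI", "Controlled", "Controlled
# Unclassified Information"), matched only as a whole line.  The optional
# "//SP-<CATEGORY>" and "//<dissemination control>" segments follow the
# CUI Marking Handbook banner layout; reading an "SP-" category as
# "CUI Specified" is an assumption of this example.
BANNER_RE = re.compile(
    r"^\s*(?P<word>CUI|CONTROLLED UNCLASSIFIED INFORMATION|CONTROLLED)"
    r"(?:\s*//\s*(?P<cats>[A-Z0-9-]+(?:\s*/\s*[A-Z0-9-]+)*))?"
    r"(?:\s*//\s*(?P<ldc>.+?))?\s*$",
    re.IGNORECASE,
)

# Legacy markings named in the article; these may appear anywhere in the text.
LEGACY_RE = re.compile(
    r"\b(FOUO|FOR OFFICIAL USE ONLY|SBU|SENSITIVE BUT UNCLASSIFIED)\b",
    re.IGNORECASE,
)

# A bare mention of "CUI" in a sentence, which is not a marking by itself.
MENTION_RE = re.compile(r"\bCUI\b")


@dataclass
class MarkingReport:
    banner_lines: list = field(default_factory=list)  # whole-line banners at top/bottom
    categories: list = field(default_factory=list)    # e.g. ["SP-NNPI"]
    specified: bool = False                           # any "SP-" category present
    legacy: list = field(default_factory=list)        # FOUO / SBU hits, uppercased
    incidental: int = 0                               # "CUI" mentioned in body text only

    @property
    def likely_cui(self) -> bool:
        """Banners and legacy markings are worth verifying with the contracting
        officer or prime; a bare mention of "CUI" in a sentence is not."""
        return bool(self.banner_lines or self.legacy)


def scan_text(text: str, edge_lines: int = 2) -> MarkingReport:
    """Classify the CUI markings in one document's text.

    A banner counts only when it sits within the first or last `edge_lines`
    non-blank lines, mirroring the top-and-bottom placement of real markings;
    a banner-shaped line buried in the body is counted as incidental instead.
    """
    report = MarkingReport()
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    n = len(lines)
    edges = set(range(min(edge_lines, n))) | set(range(max(0, n - edge_lines), n))

    for i, line in enumerate(lines):
        m = BANNER_RE.match(line)
        if m and i in edges:
            report.banner_lines.append(line)
            for cat in (m.group("cats") or "").split("/"):
                cat = cat.strip().upper()
                if cat and cat not in report.categories:
                    report.categories.append(cat)
                if cat.startswith("SP-"):
                    report.specified = True
        else:
            report.incidental += len(MENTION_RE.findall(line))
        for lm in LEGACY_RE.finditer(line):
            report.legacy.append(lm.group(1).upper())
    return report


def scan_directory(root: str, suffixes=(".txt", ".md", ".csv")) -> dict:
    """Walk a file share and return {path: report} for files that look marked,
    a starting point for deciding which systems sit inside the CUI boundary.
    Plain-text formats only; Office and PDF files need a text extractor first."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            report = scan_text(path.read_text(errors="ignore"))
            if report.likely_cui:
                findings[str(path)] = report
    return findings


if __name__ == "__main__":
    # Constructed sample: a memo carrying a CUI Specified banner (NNPI category).
    sample = "CUI//SP-NNPI//NOFORN\nMemo: plant maintenance schedule\nDetails follow.\nCUI//SP-NNPI//NOFORN"
    print(scan_text(sample))
```

The `edge_lines` window is deliberately small so that a document whose body merely discusses CUI does not get swept into scope; if your extractor emits headers and page breaks as separate lines, widen it. Scanning is a discovery aid for the inventory, not a substitute for the contract review and the verification step that follow.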
Related Article: Step 1 For CMMC Certification: Understanding Your CUI & CMMC Level
For any unmarked data that you suspect is CUI, reach out to the contracting officer for verification if you're a DoD contractor; if you're a subcontractor, verify the information with your prime.
You’ve now verified that your contract does require you to protect CUI data, but you’re uncertain where to find it within your organization.
CUI can be housed in several different places, not only in the obvious document repositories, so trace every system that stores, processes, or transmits it.
Now that you’ve located the CUI, you can then determine what kind of CUI it is.
There are two main types of CUI: CUI Basic and CUI Specified. CUI itself is defined by the CUI program regulation at 32 CFR Part 2002, which is administered by the National Archives; the CMMC program is a separate rule at 32 CFR Part 170, with the contract clause that imposes it coming through DFARS.
CUI Basic is handled under the baseline safeguarding requirements of 32 CFR Part 2002. CUI Specified is information for which the underlying law, regulation, or government-wide policy prescribes additional or different handling and dissemination controls, which are often stricter than the baseline.
The more stringent safeguards required for CUI are intended to prevent attackers from gaining unauthorized access to compromise, steal, or disclose this sensitive information.
Related Article: How Zero Trust Can Streamline NIST & CMMC Compliance For Your Business
Under the broad umbrella of CUI, there are different CUI categories. CUI Specified can fall under categories covering information with export control restrictions, certain information related to the military, and critical infrastructure information, among others.
For instance, a common type of CUI Specified is Naval Nuclear Propulsion Information (NNPI): information related to the design, maintenance, and operation of U.S. Navy nuclear propulsion plants and their support facilities.
You should also note that while you may be tempted to label every document, media file, or email as "Controlled" or "CUI" to avoid figuring out what kind of CUI you have and where it is, don't do it.
What seems like a simple fix causes more problems than it's worth: every marked asset, and every system that touches it, is pulled into your CMMC assessment scope, which is exactly what careful scoping is meant to avoid. Designating CUI is also the government's decision, not the contractor's.
Again, if you're unsure about the type of CUI you handle, check with your contracting officer or your prime.
Related Article: What Will The CMMC Certification Process Cost My Business?
You’ve now identified the type of CUI you’re responsible for protecting, but which users are authorized to access it? What systems within your infrastructure are used to store or process such information?
Before you can implement the right protections, it's critical that you scope your IT environment. CUI scoping means drawing a boundary around the specific parts of your infrastructure where CUI lives so that you can implement the required security controls within that boundary.
Remember, your entire organization doesn't need to be in the CMMC assessment scope.
By scoping, you'll know exactly which users and systems handle CUI and can implement the required controls there. Keep in mind that the scope is not only the assets that store, process, or transmit CUI: the systems that protect them, such as your identity provider, log collector, or endpoint security platform, are in scope as well, because their compromise would expose the CUI.
Establishing a CUI boundary also saves considerable time and money by focusing your effort on those targeted areas, so you avoid spending on security measures for out-of-scope parts of your environment.
Although the CMMC certification process may seem overwhelming, it may not be as intimidating an undertaking as you might think.
The government has created a system to categorize DIB suppliers into three CMMC levels:
Level 1 (Foundational): Organizations handling FCI must meet the 15 basic safeguarding requirements of FAR clause 52.204-21, verified by an annual self-assessment.
Level 2 (Advanced): Businesses handling CUI must satisfy the 110 security requirements of NIST SP 800-171 Rev 2, verified by either a self-assessment or a third-party (C3PAO) assessment, depending on what the contract requires.
Level 3 (Expert): Companies handling CUI in the most sensitive programs must satisfy the 110 requirements of NIST SP 800-171 plus selected additional requirements from NIST SP 800-172, verified by a government-led assessment.
Since CMMC 2.0 builds on existing requirements (DFARS 252.204-7012 has required contractors to implement NIST SP 800-171 since 2017), DoD suppliers should already have many of the NIST security measures in place.
Those security measures could include:
Related Article: CMMC Step 2: How A Gap Analysis Can Help You Find Your Security Risks
If you've already put robust security measures in place, you may find that you have satisfied some CMMC requirements without realizing it.
A CMMC specialist can evaluate your existing controls with a gap analysis that measures your current security posture against the requirements for your CMMC level.
Your certification readiness will depend largely on the strength of that posture and on how well you're safeguarding FCI and CUI today.
After reading this article, you now know the five questions to pinpoint your CMMC level so that you can start implementing the necessary cybersecurity controls to close any gaps and achieve CMMC certification.
If you need help determining your CMMC level, performing a CMMC gap analysis to identify security flaws, or designing security defenses that align with your CMMC level, we can help.
Our specialized team of IT and cybersecurity professionals can provide comprehensive consultative services to help streamline your CMMC certification journey and get you ready to keep or win DoD contracts.