Organizations that work in close proximity to government entities, like the US military, come into contact with several protected forms of information. One of the most critical kinds, for national security, is controlled unclassified information (CUI). It’s imperative to understand the processes and logistics of controlling and decontrolling CUI, such as who can decontrol CUI and who has a responsibility to protect it (and how). Read on to learn what your organization may need to do.
For organizations facing regulatory compliance requirements from several industries, it can be difficult to understand where to start. Luckily, there’s a one-size-fits-all solution available in HITRUST CSF certification.
Finding the best CMMC consultant for your organization comes down to four steps:
CMMC certification will soon be required for most military contractors, and achieving it will be a challenge across the board. One of the best ways to prepare for your certification audit is mapping over security controls from other regulatory frameworks you’re already subject to.
If your organization works with US government agencies, including the military, you’ll need to conduct one or more NIST assessments. Getting ready includes determining which standards apply, conducting readiness assessments, implementing, and securing an official assessor.
To work with the US government, organizations need to implement NIST frameworks like the CSF. NIST SP 800-53 maps CSF principles into executable controls, which then translate into requirements in other frameworks, like SP 800-171, that are required for specific contracts.
The DoD requires all military personnel, contractors, and other individuals who come into contact with CUI to complete formal training on how to protect it. Third-party staff need to understand marking requirements, decontrol procedures, reporting protocols, and more.
To work with the Department of Defense (DoD), organizations need to follow its guidance on safeguarding Controlled Unclassified Information (CUI), which focuses on the following:
Organizations that work with US government agencies have to follow various NIST frameworks to secure sensitive data. NIST incident response is spelled out in NIST SP 800-61, which also informs incident response protocols in other NIST frameworks needed for DoD compliance.
Organizations that work with the US military need to prove their security maturity with the CMMC framework. Preparation requires knowing the framework inside and out, scoping out what Level of compliance you need, and then implementing it and getting ready for assessment.