Home Compliance StandardsCMMC What is the Purpose of the ISOO CUI Registry?
CMMC

What is the Purpose of the ISOO CUI Registry?

by RSI Security
written by RSI Security

To work with the Department of Defense (DoD), organizations need to follow its guidance on safeguarding Controlled Unclassified Information (CUI), which focuses on the following: 

  • Understanding the purpose of the ISOO CUI registry
  • Ensuring stakeholders follow DoD Instruction 5200.48
  • Implementing the NIST SP 800-171 framework
  • Meeting CMMC requirements for DoD compliance

 

What is the Purpose of the ISOO CUI Registry?

The Information Security Oversight Office (ISOO) maintains a registry of all document types that are considered CUI. The purpose of the ISOO CUI registry is to provide uniform definitions and responsibilities for CUI for every government agency that might come into contact with it—along with contractors that work with them. With a few exceptions, they all follow the same rules.

For example, the first grouping of CUI in the ISOO registry is Critical Infrastructure. It includes several categories of CUI, including chemical terrorism vulnerability information and SAFETY Act information. All government entities, including their contractors, have to mark and protect documents in these categories in the same exact ways or face ISOO (or other) enforcement.

There is also a DoD CUI registry that exists independently from the ISOO registry but is nearly identical to it. It includes all of the CUI’s categories except Immigration, and it stipulates additional rules and responsibilities pertinent to DoD personnel and contractors.

 

Why is DoD Instruction 5200.48 Important?

DoD Instruction 5200.48 is the formal touchstone of all DoD guidance on safeguarding CUI. It establishes the basic infrastructure of the CUI program and all the key government departments that organizations need to be aware of for reporting and oversight purposes. It also explains the basic purposes and functions of CUI protection, with rules and examples for how to follow them.

One such rule is that organizations need to mark CUI in particular places with symbols or language to designate what kind of information it is, who can access it, and which government entities have authority over its control. Organizations need to ensure that the markings are accurate—and that access and dissemination are controlled in the ways stipulated.

For example, a document marked “FEDCON” can be disseminated to both federal employees and contractors, but “FED ONLY” files can only be accessed by employees and not contractors.

All staff at an organization that comes in contact with CUI need to be familiar with these and other controls. They also have to go through mandatory training, which should include becoming familiar with DODI 5200.48 in its entirety, along with supplemental documents it refers to.

 

Request a Consultation

 

How Does NIST SP 800-171 Protect CUI?

Beyond DODI 5200.48, the other document most critical to following DoD guidance on safeguarding CUI is the National Institute for Standards and Technology (NIST) Special Publication 800-171. It contains programmatic guidance on network security controls organizations need to implement to minimize threats and vulnerabilities impacting CUI.

NIST SP 800-171 specifies 110 individual Requirements across 14 Families:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Protecting CUI per Defense Federal Acquisition Regulation Supplement (DFARS) requirements, which apply to nearly all DoD entities and contractors, means implementing NIST SP 800-171.

laptop

Is CMMC Required for CUI Protection?

Finally, DODI 5200.48 and NIST SP 800-171 are not the only governing frameworks related to CUI protection. DFARS also requires DoD contractors to achieve Cybersecurity Maturity Model Certification (CMMC). CMMC guarantees that contractors are well-positioned to protect CUI and other sensitive data they’ll come into contact with when working with the US military.

Contracts with the DoD will require contractors to achieve a certain CMMC Level:

  • Level 1: Foundational – Organizations with the lowest amount of exposure to CUI need to implement 15 Practices based on NIST SP 800-171 and self-assess annually.
  • Level 2: Advanced – Organizations with moderate exposure to CUI must implement all 110 Requirements from SP 800-171 and conduct third-party assessments triennially.
  • Level 3: Expert – Organizations with the most CUI exposure must also implement practices from NIST SP 800-172 and conduct triennial government-led assessments.

Implementing the appropriate framework controls and assessing per your Level’s requirements is the final and most formal step toward following the DoD guidance on safeguarding CUI.

 

What Level of System and Network Configuration is required for CUI?

Moderate level of System and Network Configuration is required for CUI.

 

Protect CUI and Streamline DoD Compliance

To recap, protecting CUI per the DoD’s guidance requires understanding the DoD CUI registry, DODI 5200.48, NIST SP 800-171, and CMMC. Familiarizing your workforce with each of these complex systems can be challenging, but working with a DoD compliance advisor can help.

RSI Security has helped many organizations meet DoD compliance requirements, including mandatory CUI training. We’re committed to serving you above all else, and we’ll work closely with teams at your organization to ensure that all stakeholders know their responsibilities.

For tailored assistance implementing DoD guidance on safeguarding CUI, get in touch today!

 

Request a Free Consultation

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

Your Complete CMMC Assessment Guide 

March 22, 2021

How to Choose a Cybersecurity Maturity Model Certification...

July 30, 2020

What Is The CMMC & How Should I...

November 25, 2020

How to Prepare for a CMMC Audit

September 24, 2021

How to Map NIST Cybersecurity Framework Controls

May 28, 2023

How to Find the Right CMMC Consulting Partner

August 9, 2023

How to Use CMMC Compliance Tools

December 24, 2020

CMMC DoD Certification Requirements

April 14, 2020

Preparation Checklist for a CMMC Audit

August 25, 2020

Who Can Decontrol CUI?

August 12, 2022

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More