Companies contracted with the Department of Defense (DoD) come into contact with sensitive information constantly. That’s why they need to comply with cybersecurity frameworks like the Cybersecurity Maturity Model Certification (CMMC) to retain preferred contractor status. One of the primary data types CMMC is designed to protect is the class of information known as “controlled unclassified information” (CUI).
Read on to learn about CUI and how to protect it effectively.
What is Controlled Unclassified Information?
Controlled unclassified information (CUI) is one of two primary information types the CMMC exists to protect — the other is federal contract information (FCI). While both are critical to the DoD’s security, CUI is a more varied category with potentially higher stakes for data. This guide will break down all you need to know about CUI and how to protect it, including:
- An explanation of what CUI comprises with examples of CUI you might encounter
- A detailed breakdown of the relevant CMMC controls targeting the protection of CUI
Soon, you’ll be well prepared to protect CUI (and other sensitive data) up to the standards required by the CMMC for DoD contracts. We’ll even provide resources to help.
Controlled Unclassified Information 101
The definition for controlled unclassified information is so integral to the CMMC that it appears directly in the introduction. On the first page of the most recent CMMC document, version 1.02 (current as of March 2020), CUI is defined as information that does not carry classified status but needs to be safeguarded due to particular government policies and laws or ordinances.
FCI is the other form of data protected by CMMC and is defined as information pertaining to federal contracts. There is some crossover between these information classes: some FCI may qualify as CUI and vice versa.
Controlled Unclassified Information Examples
The Defense Federal Acquisition Regulation Supplement (DFARS) is a source text for the CMMC. It details what qualifies as CUI, including a link to the updated CUI Categories list in the National Archives. The primary categories and some of their examples include but are not limited to:
- Data pertaining to critical infrastructures, such as defense, nuclear, and natural resources
- Financial records, including procurement and acquisition, tax documents, and patents
- Immigration, transportation, and export controls, along with international agreements
- Global and domestic defense, law enforcement, and privacy-related intelligence
- Miscellaneous provisional and statistical data from governmental agencies
The list of categories is dynamic, and specific pieces of information that qualify as CUI don’t often fit squarely into any one category. Also, not all information that qualifies as CUI is the same sensitivity level. Still, all CUI needs to be safeguarded to the same extent.
Safeguarding CUI: CMMC Levels 1, 2, and 3
In piecing together the CMMC, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S) has adapted best practices from other regulatory frameworks, facilitating their adoption under one uniform ruleset. This is how the CMMC protects CUI.
The CMMC is unique among regulatory frameworks that have been required of DoD contractors in that it allows for its controls to be gradually adopted. Unlike the NIST SP 800-171, another primary source text, the CMMC comprises five Maturity Levels. Across these levels, there are 171 Practices distributed across 17 Domains.
To understand all five levels, consult our complete CMMC assessment guide, where we break down each level’s Practices. This article will outline the first three levels and the 130 total controls they comprise, covering complete protection for CUI (and FCI).
CMMC Level 1: Basic Protections for FCI and CUI
The first level of CMMC is focused primarily on safeguarding FCI, but it also establishes a foundation for later protections specific to CUI. Its 17 total Practices break down as follows:
- Access Control (AC) – Four Practices for limiting and monitoring access to FCI/CUI
- Identification and Authentication (IDA) – Two Practices specifying ID requirements
- Media Protection (MP) – One Practice requiring data wiping before transport
- Physical Protection (PP) – Four Practices extending proximal restrictions to CUI access
- Systems and Communications Protection (SCP) – Two Practices protecting network traffic
- System and Information Integrity (SII) – Four Practices requiring regular monitoring
These Practices constitute “basic cyber hygiene,” and Process maturity (institutionalization) requires all practices to be “performed.” At this level, none are tangibly measured.
CMMC Level 2: Preparing for Full CUI Protection
The second level is transitional, building on FCI protections from the first level and preparing for full FCI and CUI protection. Full protection is achieved at the third level. In total, 55 new Practices are added:
- Access Control (AC) – Ten more Practices extending restrictions on FCI and CUI access
- Audit and Accountability (AA) – Four Practices defining standards for regular auditing
- Awareness and Training (AT) – Two Practices mandating training across all personnel
- Configuration Management (CM) – Six Practices for replacement of default settings
- Identification and Authentication (IDA) – Five more Practices for more substantial ID control
- Incident Response (IR) – Five Practices specifying immediate responses to breaches
- Maintenance (MA) – Four Practices detailing the schedule and other maintenance protocols
- Media Protection (MP) – Three more Practices defining protocols for media storage
- Personnel Security (PS) – Two Practices detailing secure recruitment and hiring protocols
- Physical Protection (PP) – One Practice further extending proximal access controls
- Recovery (RE) – Two Practices regarding performing and testing backups and protecting the confidentiality of CUI data location
- Risk Management (RM) – Three Practices detailing preventive measures to be taken for CUI
- Security Assessment (SAS) – Three Practices describing assessment for internal applications
- Systems and Communications Protection (SCP) – Two Practices for network traffic
- System and Information Integrity (SII) – Three more Practices ensuring the integrity of systems
These Practices constitute “intermediate cyber hygiene,” and Processes must be documented.
CMMC Level 3: Complete Protection of CUI and FCI
The third level is a significant milestone in the CMMC. It signifies complete adoption of the NIST SP 800-171 and full protection of FCI and CUI. It also adds 58 Practices:
- Access Control (AC) – Eight more Practices finalizing safeguards for CUI and FCI access
- Asset Management (AM) – One Practice defining protocols for physical handling of assets
- Audit and Accountability (AA) – Seven more Practices defining accountability standards
- Awareness and Training (AT) – One more Practice detailing awareness requirements
- Configuration Management (CM) – Three more Practices controlling device settings
- Identification and Authentication (IDA) – Four more ID-focused Practices for CUI/FCI
- Incident Response (IR) – Two more Practices detailing response(s) to cyber-attacks
- Maintenance (MA) – Two more Practices strengthening regular and special maintenance
- Media Protection (MP) – Four more Practices devoted to securing media for transport
- Physical Protection (PP) – One more Practice finalizing proximal CUI/FCI access control
- Recovery (RE) – One Practice defining protocols for short and long term CUI/FCI recovery
- Risk Management (RM) – Three more Practices defining risk monitoring and mitigation
- Security Assessment (SAS) – Two more Practices further defining assessment needs for CUI
- Situational Awareness (SA) – One Practice for defining organization-specific awareness
- Systems and Communications Protection (SCP) – 15 more Practices for network traffic
- System and Information Integrity (SII) – Three more Practices ensuring robust integrity
These practices constitute “good cyber hygiene,” and Processes must be managed.
Professional CMMC Compliance and Security
The only way to ensure the complete protection of controlled unclassified information to DoD specifications is to begin your journey toward compliance. RSI Security offers a suite of CMMC advisory services that can help your company comply, regardless of the current level.
Our team of experts has over a decade of experience providing security solutions to companies of all sizes and across all industries, including DoD contractors. To see how simple CMMC can be, contact us today!