Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Determining Your Level of CMMC Compliance: The Importance of CUI

Home
Industry Insights
Determining Your Level of CMMC Compliance: The Importance of CUI

Blog Article Published: 10/03/2022

Originally published by Schellman here.

Written by Todd Connor, Schellman.

Did you know? The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. And unfortunately, in the years since, cybercrime has only become worse. (The Center for Strategic and International Studies estimates that the total global cost of cybercrime was as high as $600 billion in 2017.)

In the U.S., it’s not a problem our government—more specifically, our military—can leave unchecked, not when it comes to the theft of valuable intellectual property and sensitive information from all industrial sectors. The potential backlash on our economic security and national security is too great, and something had to be done.

If you’re doing business in the Defense Industrial Base (DIB) sector, you will soon need to become CMMC certified. Within this new program meant to protect information within the supply chain of the Department of Defense (DoD), there are three levels and their related assessments.

If you’re wondering which level is right for you, don’t worry—in this article, we’ll explore the different levels of CMMC compliance you can achieve, but we won’t be able to do that without first addressing the critical importance of CUI. But having read this, you’ll understand how all these pieces fit together and have more of an idea of which level is right for your organization and what to expect.

Federal Contract Information (FCI) vs. Controlled Unclassified Information (CUI)

As is usually the case with security frameworks, when CMMC goes into effect, Organizations Seeking Certification (OSC) will need to comply with the requirements. As a whole, CMMC requirements are primarily concerned with securing sensitive information from unauthorized dissemination. But for individual organizations, what level of cybersecurity maturity you’ll need to obtain will be determined by exactly the type of information you handle—is it FCI or CUI?

Here’s the technical difference between these data types:

CUI

FCI

Information that requires safeguarding or dissemination control pursuant to and consistent with laws, regulations, and government-wide policies.

Exclusions: Information that is classified under:

  • Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order; or
  • Atomic Energy Act of 1954, as amended.
  • Information provided by the Government to the public (such as on public Web sites); or
  • Simple transactional information (such as that necessary to process payments).

Source: NIST SP800-171 Rev 2 Controlled Unclassified Information (CUI) | National Archives

Information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.

Exclusions:

Source: 48 CFR § 52.204-21

What is Controlled Unclassified Information (CUI)?

As you’ll learn later, CUI plays a central role in the more advanced CMMC assessments, so let’s delve a little deeper than just the standard legal definitions. Per the above, CUI is defined in law by how the information is handled; however, there is no simple definition for what information that actually is.

(As a matter of fact, there is an entire government website that speaks to how something is defined as CUI, as well as the associated requirements.)

So then, how might you discern which of the data in your charge could be classified as CUI?

  • Any data whose public release (or unauthorized disclosure) would negatively impact national defense, including if aggregated with additional information.
  • CUI that is received from an organization that has created it will be prominently identified with specific markings:
    • “CUI” will appear in document headers and footers.
    • Not only that, but a CUI designation indicator will be included that specifies the organization that controls the information, any specific CUI designation that the information may fall into, dissemination specifications, and a point of contact for the information.
    • Further detail concerning CUI markings.

However, CUI does not include:

  • Classified information or information that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency; or
  • That which is in the possession of a non-executive branch entity that maintains its systems.

What are the CMMC Compliance Levels?

Once you’ve classified the data you handle as FCI or CUI (based on sensitivity), you’ll then understand the level of CMMC compliance you must achieve.

As defined by its governing body—known as The Cyber Accreditation Body (Cyber AB)—there are three increasingly stringent levels of CMMC compliance. Each of these levels is cumulatively comprised of several control practices and assessment requirements:

Level

Relevant Data

Details

Level 1 (Foundational)

FCI

Requirements: Compliance with 17 practices as specified in FAR Clause 52.204-21.

You must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect FCI.

Level 2 (Advanced)

CUI

Requirements: Compliance with 110 practices specified in NIST SP 800-171 Rev 2 per DFARS Clause 252.204-7012 [3, 4, 5].

You must demonstrate an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and processes.

Level 3
(Expert)

CUI

Requirements: Compliance with 110+ practices drawn from the security requirements specified in NIST SP 800-172.

You must demonstrate standardized and optimized processes in place—including resources to monitor, scan, and process data forensics—as well as enhanced practices that detect and respond to changing tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs).

(An APT is an adversary with the sophisticated cyber expertise and significant resources to conduct attacks from multiple vectors.)

If you were in this line of government work before the advent of CMMC, you may have been subject to DoD NIST 800-171 compliance requirements under the Defense Federal Acquisition Regulation Supplement (DFARS). Therefore, you’ve likely performed the necessary periodic self-assessment or undergo an audit by the DoD for that type of compliance.

As you make the switch to CMMC, there will be an option to self-assess, but your assessment type will depend entirely on which of these levels you aspire to attain, as well as any relevant contractual requirements.

What Level of CMMC Compliance Do You Need?

So then, which level do you need to attain? Here’s how it breaks down, including what kind of assessment you can expect at each level:

  • Level 1: If your organization only handles FCI.
    • Assessment Type: You’ll be responsible for performing annual self-assessments of the associated controls.
    • You can also elect to use a C3PAO to assist with the self-assessment.
  • Level 2: If your organization has any exposure to CUI.
    • Assessment Type: You may need to undergo an external assessment that is performed by a Certified 3rd Party Assessment Organization (C3PAO) every three years.
  • Level 3: Cyber AB contains to review what specific criteria would determine if an OSC must achieve Level 3 compliance
    • Assessment Type: Should your organization qualify, you would need to undergo government-led assessments every three years.
    • These assessments are incremental so you would first contract with a C3PAO to conduct your Level 2 assessment and then the government would test the incremental controls.

What Is In-Scope for Your CMMC Assessment?

So, you’ve classified your data and determined your exposure, which means you also understand the level of CMMC compliance you need (and thereby determined the type of assessment you can expect).

But what at your organization will fall into scope for your chosen assessment?

Level 1
Self-Assessment

Who Defines the Scope? You

What Should Be In Scope: Any assets that:

  • Process FCI – e.g., assets that access, enter, edit, generate, manipulate, or print FCI).
  • Store FCI– e.g., electronic media, system component memory, or physical format such as paper documents.
  • Transmit FCI – e.g., data transit systems or methods—both physical and digital.
  • Process, store, or transmit CUI, as well as
  • Those that provide security functions or capabilities to the assets within your CMMC Assessment Scope (irrespective of whether or not these assets process, store, or transmit CUI).

Level 2
External Assessment

Who Defines the Scope? Agreed upon by you and your C3PAO

What Should Be In Scope: All assets that:

For even more insight on your potential CMMC scope, check out our article on how to use PCI context to glean more understanding.

Moving Forward with CMMC Compliance

If your organization is part of the DIB and supports FCI and CUI, you’ll likely need to become CMMC certified, and determining just what level of certification will largely be influenced by the type of data your systems handle.

If your organization does have exposure to CUI, you can expect to need the more rigorous Level 2 assessment, but now you at least have a basic understanding of what the requirements will be as well as what will fall in scope.

ComplianceIdentity and Access ManagementIndustry

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Are You Ready for Microsoft Copilot?

Published: 04/19/2024

Implementing a Data-Centric Approach to Security

Published: 04/19/2024

How to Set Your Small Privacy Team Up for Success

Published: 04/17/2024

10 Tips to Guide Your Cloud Email Security Strategy

Published: 04/17/2024