Cloud 101CircleEventsBlog
CSA's Continuous Audit Metrics Working Group is expanding! Help shape the future of cloud assurance.

Determining Your Level of CMMC Compliance: The Importance of CUI

Determining Your Level of CMMC Compliance: The Importance of CUI

Blog Article Published: 10/03/2022

Originally published by Schellman here.

Written by Todd Connor, Schellman.

Did you know? The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. And unfortunately, in the years since, cybercrime has only become worse. (The Center for Strategic and International Studies estimates that the total global cost of cybercrime was as high as $600 billion in 2017.)

In the U.S., it’s not a problem our government—more specifically, our military—can leave unchecked, not when it comes to the theft of valuable intellectual property and sensitive information from all industrial sectors. The potential backlash on our economic security and national security is too great, and something had to be done.

If you’re doing business in the Defense Industrial Base (DIB) sector, you will soon need to become CMMC certified. Within this new program meant to protect information within the supply chain of the Department of Defense (DoD), there are three levels and their related assessments.

If you’re wondering which level is right for you, don’t worry—in this article, we’ll explore the different levels of CMMC compliance you can achieve, but we won’t be able to do that without first addressing the critical importance of CUI. But having read this, you’ll understand how all these pieces fit together and have more of an idea of which level is right for your organization and what to expect.

Federal Contract Information (FCI) vs. Controlled Unclassified Information (CUI)

As is usually the case with security frameworks, when CMMC goes into effect, Organizations Seeking Certification (OSC) will need to comply with the requirements. As a whole, CMMC requirements are primarily concerned with securing sensitive information from unauthorized dissemination. But for individual organizations, what level of cybersecurity maturity you’ll need to obtain will be determined by exactly the type of information you handle—is it FCI or CUI?

Here’s the technical difference between these data types:

CUI

FCI

Information that requires safeguarding or dissemination control pursuant to and consistent with laws, regulations, and government-wide policies.

Exclusions: Information that is classified under:

  • Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order; or
  • Atomic Energy Act of 1954, as amended.
  • Information provided by the Government to the public (such as on public Web sites); or
  • Simple transactional information (such as that necessary to process payments).

Source: NIST SP800-171 Rev 2 Controlled Unclassified Information (CUI) | National Archives

Information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.

Exclusions:

Source: 48 CFR § 52.204-21

What is Controlled Unclassified Information (CUI)?

As you’ll learn later, CUI plays a central role in the more advanced CMMC assessments, so let’s delve a little deeper than just the standard legal definitions. Per the above, CUI is defined in law by how the information is handled; however, there is no simple definition for what information that actually is.

(As a matter of fact, there is an entire government website that speaks to how something is defined as CUI, as well as the associated requirements.)

So then, how might you discern which of the data in your charge could be classified as CUI?

  • Any data whose public release (or unauthorized disclosure) would negatively impact national defense, including if aggregated with additional information.
  • CUI that is received from an organization that has created it will be prominently identified with specific markings:
    • “CUI” will appear in document headers and footers.
    • Not only that, but a CUI designation indicator will be included that specifies the organization that controls the information, any specific CUI designation that the information may fall into, dissemination specifications, and a point of contact for the information.
    • Further detail concerning CUI markings.

However, CUI does not include:

  • Classified information or information that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency; or
  • That which is in the possession of a non-executive branch entity that maintains its systems.

What are the CMMC Compliance Levels?

Once you’ve classified the data you handle as FCI or CUI (based on sensitivity), you’ll then understand the level of CMMC compliance you must achieve.

As defined by its governing body—known as The Cyber Accreditation Body (Cyber AB)—there are three increasingly stringent levels of CMMC compliance. Each of these levels is cumulatively comprised of several control practices and assessment requirements:

Level

Relevant Data

Details

Level 1 (Foundational)

FCI

Requirements: Compliance with 17 practices as specified in FAR Clause 52.204-21.

You must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect FCI.

Level 2 (Advanced)

CUI

Requirements: Compliance with 110 practices specified in NIST SP 800-171 Rev 2 per DFARS Clause 252.204-7012 [3, 4, 5].

You must demonstrate an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and processes.

Level 3
(Expert)

CUI

Requirements: Compliance with 110+ practices drawn from the security requirements specified in NIST SP 800-172.

You must demonstrate standardized and optimized processes in place—including resources to monitor, scan, and process data forensics—as well as enhanced practices that detect and respond to changing tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs).

(An APT is an adversary with the sophisticated cyber expertise and significant resources to conduct attacks from multiple vectors.)

If you were in this line of government work before the advent of CMMC, you may have been subject to DoD NIST 800-171 compliance requirements under the Defense Federal Acquisition Regulation Supplement (DFARS). Therefore, you’ve likely performed the necessary periodic self-assessment or undergo an audit by the DoD for that type of compliance.

As you make the switch to CMMC, there will be an option to self-assess, but your assessment type will depend entirely on which of these levels you aspire to attain, as well as any relevant contractual requirements.

What Level of CMMC Compliance Do You Need?

So then, which level do you need to attain? Here’s how it breaks down, including what kind of assessment you can expect at each level:

  • Level 1: If your organization only handles FCI.
    • Assessment Type: You’ll be responsible for performing annual self-assessments of the associated controls.
    • You can also elect to use a C3PAO to assist with the self-assessment.
  • Level 2: If your organization has any exposure to CUI.
    • Assessment Type: You may need to undergo an external assessment that is performed by a Certified 3rd Party Assessment Organization (C3PAO) every three years.
  • Level 3: Cyber AB contains to review what specific criteria would determine if an OSC must achieve Level 3 compliance
    • Assessment Type: Should your organization qualify, you would need to undergo government-led assessments every three years.
    • These assessments are incremental so you would first contract with a C3PAO to conduct your Level 2 assessment and then the government would test the incremental controls.

What Is In-Scope for Your CMMC Assessment?

So, you’ve classified your data and determined your exposure, which means you also understand the level of CMMC compliance you need (and thereby determined the type of assessment you can expect).

But what at your organization will fall into scope for your chosen assessment?

Level 1
Self-Assessment

Who Defines the Scope? You

What Should Be In Scope: Any assets that:

  • Process FCI – e.g., assets that access, enter, edit, generate, manipulate, or print FCI).
  • Store FCI– e.g., electronic media, system component memory, or physical format such as paper documents.
  • Transmit FCI – e.g., data transit systems or methods—both physical and digital.
  • Process, store, or transmit CUI, as well as
  • Those that provide security functions or capabilities to the assets within your CMMC Assessment Scope (irrespective of whether or not these assets process, store, or transmit CUI).

Level 2
External Assessment

Who Defines the Scope? Agreed upon by you and your C3PAO

What Should Be In Scope: All assets that:

For even more insight on your potential CMMC scope, check out our article on how to use PCI context to glean more understanding.

Moving Forward with CMMC Compliance

If your organization is part of the DIB and supports FCI and CUI, you’ll likely need to become CMMC certified, and determining just what level of certification will largely be influenced by the type of data your systems handle.

If your organization does have exposure to CUI, you can expect to need the more rigorous Level 2 assessment, but now you at least have a basic understanding of what the requirements will be as well as what will fall in scope.

Share this content on your favorite social network today!