When you cut through the marketing hype and ignore all the LinkedIn trolls predicting doom for the Cybersecurity Maturity Model Certification (CMMC) program, you realize CMMC did not rise out of the blue. When you read the history you will find nothing really new. CMMC simply requires third party attestation of what defense contractors already had to do to fulfill the legal requirements of their agreements. CMMC no longer allows self assessment of cyber hygiene as measured against NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
Instead of the contractor saying how well they secure Controlled Unclassified Information, a third party will come in and assess it. It all comes down to CUI. But what do we mean when we say Controlled Unclassified Information (CUI)?
What is CUI?
The US Government defines CUI as information that requires safeguarding or dissemination controls under law, regulation, or Government-wide policy but that is not classified or nuclear information. The latter two fall under classified policies and therefore get more protection than CUI.
The CUI program gets explained in Code of Federal Regulations Title 32, Part 2002 (32 CFR 2002). The program standardizes how the Executive Branch handles CUI. The Department of Defense, for example, established a CUI policy on March 6th 2002. This policy, DoD Instruction 5200.48, “Controlled Unclassified Information,” fulfills the requirement to develop a CUI policy. Every Department, and thus its respective agencies, must have a similar CUI policy.
The CUI designation got created in response to 9/11 by President Obama’s Executive Order 13556. This executive order required all unclassified information throughout the Executive Branch that needed protection beyond that given to information not for public release to get labeled CUI. Before the CUI policy no uniform marking system existed across the Federal Government; different agencies used an alphabet soup of labels such as FOUO, LES, SBU, etc.
Under the Executive Order, NARA, the National Archives and Records Administration, got appointed lead on developing the CUI policy. The Secretary of Commerce, through the Office of Management and Budget, decided that CUI required moderate protection. FISMA, the Federal Information Security Modernization Act, then authorized NIST, the National Institute of Standards and Technology, to develop standards for the protection of CUI.
In fact, section two of the Executive Order designated NARA as the Executive Agent to oversee the order and the CUI program. NARA delegated this authority to ISOO, the Information Security Oversight Office. ISOO established a CUI registry that:
- Is publicly accessible
- Includes the authorized categories
- Includes subcategories and guidance
- Includes citations to laws, regulations, and government-wide policies
The Department of Defense then defined their relevant categories using DoD Instruction 5200.48, “Controlled Unclassified Information”.
The ISOO CUI policy defines two types of CUI: Basic and Specified. CUI Specified carries specific handling controls that the governing law or regulation requires or permits agencies to use and that differ from those for CUI Basic. So, if a federal law or regulation requires handling instructions beyond the basic protections of CUI, we call this CUI Specified. An agency internally, or by agreement with ISOO, can require additional protection.
The CUI lifecycle requires a contractor to share CUI only with those who have a lawful purpose, identify CUI, mark data as CUI, protect CUI in transit, protect CUI at rest, destroy CUI, and decontrol CUI when it no longer needs additional security.
You first begin by identifying whether you have CUI in your systems, or whether you wish to bid on future contracts that would require CUI on your systems. Unfortunately most of the data a contractor gets from the Department of Defense or a prime contractor will not carry proper markings. This does not alleviate a contractor of the legal responsibility for protecting CUI, especially if it has existing contracts with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 7012, which requires self-attestation of protecting CUI against the NIST SP 800-171 baseline.
Once you identify the CUI in your system, identify which contract vehicles with a 7012 clause the CUI gets associated with, then identify the people or roles with legal access to that CUI under each contract. In fact, you should create a matrix to capture this information.
You cannot expect, nor wait on, the DoD or a prime contractor to label all CUI created under a CUI contract. How could a contracting officer (KO) or a Program Management Office decide whether personal notes or meeting minutes contain CUI?
The CUI program set out to protect unclassified information while ensuring the timely sharing of information. The marking requirements of CUI vary based on the kind of CUI and the chosen designation indicator. These influence the requirements for banner markings, which have to include category markings, control markings, and any limited dissemination markings (should only certain people see this).
CUI marking requirements get influenced by more than just the category and control marking. The type of media, such as emails or military documents, can influence the marking as well. Email banners may differ from the requirements for removable media. CUI can also be co-mingled in documents that require different limited dissemination controls or that are considered classified. Finally, you also have rules about marking CUI for mailing.
The marking must include a designation indicator, which indicates who created the CUI. This can take a variety of formats such as a letterhead, a logo on a sticker, a signature, or a controlled byline. You have no requirement to include contact information, but many markings add this optional information.
Department of Defense guidance suggests using a designation indicator block when space allows. This includes who controls the data and anyone that control got flowed to through an authorized and legal use, any limited dissemination controls, and a point of contact. For example:
Controlled by: OUSD(I&S)
Controlled by: CL&S INFOSEC
CUI Category(ies): PRVCY, OPSEC
Limited Dissemination Control: FEDCON
POC: John Brown, 703-555-0123
The banner marking can include three elements. The first, the control marking, is mandatory; it can read CONTROLLED or CUI. Category markings are required for CUI Specified and get separated from the control marking by two forward slashes (//). If dissemination controls are included, they follow the category markings, again after two forward slashes. Banners must appear in bold capitalized text and be centered when possible.
CUI by itself works as a basic CUI label.
Category markings are optional for CUI Basic but mandatory for CUI Specified. When you have CUI Specified you include the letters SP- before the category marking. If you include more than one specified category you alphabetize them and separate them with a single forward slash; only the first category follows the two forward slashes after the basic marking.
CUI//SP-HLTH/PHYS - in this example two CUI Specified categories follow the basic CUI marking.
Banner markings can also designate dissemination controls. Limited Dissemination Controls identify an intended audience, so a document does not need continuous authorization for release within that audience.
No Foreign Dissemination (NOFORN) - Information may not be disseminated in any form to foreign governments, foreign nationals, foreign or international organizations, or non-U.S. citizens.
Federal Employees Only (FED ONLY) - Dissemination authorized only to employees of U.S. Government executive branch agencies or armed forces personnel of the U.S. or Active Guard and Reserve.
Federal Employees and Contractors Only (FEDCON) - Includes individuals or employees who enter a contract with the U.S. to perform a specific job or supply labor, where dissemination is in furtherance of the contractual purpose.
No Dissemination to Contractors (NOCON) - Intended for use when dissemination is not permitted to federal contractors, but permits dissemination to state, local, or tribal employees.
Dissemination List Controlled (DL ONLY) - Dissemination authorized only to those individuals, organizations, or entities included on an accompanying dissemination list.
Authorized for Release to Certain Foreign Nationals Only (REL TO USA, LIST) - Information has been predetermined by the designating agency to be releasable only to the foreign country(ies) or international organization(s) indicated, through established foreign disclosure procedures and channels.
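As an added example (not code from the original post), the banner rules above as they would look in a marking tool: build_banner assembles a banner from the control marking, the category markings, the CUI Specified flag and the limited dissemination controls, and parse_banner checks an existing banner against the same rules and rejects ones that break them. The set of LDC codes and the REL TO pattern are assumptions taken from the list above; category codes such as HLTH and PHYS come from the page's own examples.

```python
import re

# Limited Dissemination Control codes from the list above; REL TO carries a
# country/organization list, e.g. "REL TO USA, GBR" (constructed sample).
LDC_CODES = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY"}
REL_TO = re.compile(r"REL TO USA(, [A-Z]{3})+")
CONTROL_MARKINGS = ("CUI", "CONTROLLED")

def is_ldc(code):
    return code in LDC_CODES or REL_TO.fullmatch(code) is not None

def build_banner(categories=(), specified=False, ldcs=(), control="CUI"):
    """Assemble CONTROL[//[SP-]CAT/CAT...][//LDC/LDC...] per the rules above.
    Specified categories get one SP- prefix and are alphabetized."""
    if control not in CONTROL_MARKINGS:
        raise ValueError("control marking must be CUI or CONTROLLED")
    if any(not is_ldc(c) for c in ldcs):
        raise ValueError(f"unknown limited dissemination control in {list(ldcs)}")
    cats = sorted(categories) if specified else list(categories)
    parts = [control]
    if cats:
        parts.append(("SP-" if specified else "") + "/".join(cats))
    if ldcs:
        parts.append("/".join(ldcs))
    return "//".join(parts)

def parse_banner(banner):
    """Split a banner into its parts, or return None if it breaks the format."""
    segments = banner.strip().split("//")
    control, rest = segments[0], segments[1:]
    if control not in CONTROL_MARKINGS or len(rest) > 2:
        return None
    ldcs = []
    # A trailing segment made only of LDC codes is the dissemination segment
    # (so CUI//NOFORN has no category segment).
    if rest and all(is_ldc(c) for c in rest[-1].split("/")):
        ldcs = rest.pop().split("/")
    if len(rest) > 1:
        return None
    cats, specified = [], False
    if rest:
        cats = rest[0].split("/")
        specified = cats[0].startswith("SP-")
        if specified:
            cats[0] = cats[0][3:]
        if any(not re.fullmatch(r"[A-Z0-9]+", c) for c in cats):
            return None
        if specified and cats != sorted(cats):
            return None  # specified categories must be alphabetized
    return {"control": control, "specified": specified, "categories": cats, "ldcs": ldcs}
```

build_banner(("PHYS", "HLTH"), specified=True) yields the page's own example, CUI//SP-HLTH/PHYS, while parse_banner("CUI//SP-PHYS/HLTH") returns None because the specified categories are out of order.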
The Department of Defense CUI guidance also allows distribution statements to be included in the designation block. These include:
Distribution Statement A: Approved for public release. Distribution is unlimited.
Distribution Statement B: Distribution authorized to U.S. Government agencies only (fill in reason and date of determination).
Distribution Statement C: Distribution authorized to U.S. Government agencies and their contractors (fill in reason and date of determination). Other requests for this document shall be referred to (insert controlling DoD
Distribution Statement D: Distribution authorized to Department of Defense and U.S. DoD contractors only (insert reason and date of determination). Other requests for this document shall be referred to (insert controlling DoD office).
Distribution Statement E: Distribution authorized to DoD Components only (fill in reason and date of determination). Other requests shall be referred to (insert controlling DoD office).
Distribution Statement F: Further dissemination only as directed by (insert controlling DoD Office and date of determination) or higher DoD authority.
On digital media you include the markings as well. On PowerPoint slides you can include the CUI label at the top and bottom of the title slide with the designation indicator block, and the CUI label on the bottom of each slide. In a Word document you can include a cover sheet with the marking and designation block.
On a removable storage device you include the basic marking and a controlling indicator. Each file contained on the storage device needs its own marking. When feasible you include all required elements in the designation block, but at minimum the CUI basic marking and the originator or controller must get included.
Email gets a bit trickier. When you send an email containing CUI (try not to) you must let the recipient know. You must include a banner marking in the body of the email. Furthermore, best practice suggests including the CUI marking in the subject line as well; many companies use email server rules to sequester email with CUI, and the subject line helps protect the data. When you forward an email you must keep all banner markings. Make sure you cut and paste the banner to the top of the forward. You can also portion mark emails like regular documents, calling out the sections that contain CUI.
Physical Protection of CUI
You will need to create a controlled environment to protect CUI. The regulations require you to have one physical barrier such as sealed envelopes, locked doors, bins, drawers, or electronic locks. You have flexibility in deciding what counts as a physical barrier.
You also need to consider meeting areas. You will need to control meeting access when CUI gets shared and discussed. You will need to mark the door, with the lock noting that only authorized individuals are allowed, and you will need a clean desk policy for after the meeting.
Think about who has access to your controlled environments. You will need to lock away CUI from after-hours cleaning crews and keep visitor and employee logs of areas that contain or discuss CUI. Your computer systems and networks also need to control access. You need to include banner markings on devices and systems that can connect to controlled environments.
Basically, on electronic systems you need to create some kind of barrier to prevent unauthorized access to CUI. This can include network folders, files, intranet, cloud enclaves, file sharing sites, and individual machines or devices.
Encryption and CUI
Based on OMB policy CUI requires moderate protection, and this in turn requires encryption that meets a specific level: FIPS 140-2 validated. At its simplest, encryption means something we read in plain text gets scrambled into ciphertext. The authorized holder then has a “key” to unscramble the ciphertext into plain text.
The approved encryption techniques get authorized by NIST in a document called Federal Information Processing Standard (“FIPS”) 140-2. The approved techniques, which can change based on use case and authorizer, include AES, Triple-DES, and the Digital Signature Standard (“DSS”). NIST SP 800-171 (3.1.13 and 3.13.11) and CMMC (AC.3.014, SC.3.177) spell out specific requirements for encryption.
With FIPS-level encryption we make an important distinction between modules and devices. A module can be an embedded part of a product, such as an “encrypt this email” button, or an entire product such as a CUI cloud enclave. A device, such as a laptop or cellphone, does not itself need the encryption; the tool accessed on that device to share, access, store or transmit CUI must use encryption modules that meet the FIPS standard.
When you destroy CUI, the NARA policy in 32 CFR Part 2002 requires the CUI to end up unreadable, indecipherable, and irrecoverable. The NARA policy follows the guidance of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88, Revision 1, “Guidelines for Media Sanitization,” or any technique approved for Classified National Security Information (32 CFR 2001.47).
In 2019 NARA released guidance on destroying paper-based CUI. You must follow the specifics of NIST SP 800-88 when shredding paper. You must crosscut, meaning cut both up-and-down and left-and-right, down to 1mm x 5mm (0.04in x 0.2in) in size. You can also pulverize paper using disintegrator devices equipped with a 3/32in pulverizer.
The approved shredders can get expensive. Many companies use a third party shredder or recycler that will provide a certification that they meet the requirements of NIST SP 800-88.
You can always go the cheapest route and follow the burn recommendations.
In terms of media you also have destruction requirements. NIST SP 800-171 3.8.3 states, “Sanitize or destroy system media containing CUI before disposal or release for reuse.” The type of media determines how you sanitize the device. Spinning hard drives, for example, need different disposal methods than solid-state drives.
32 CFR Part 2002 defines decontrolling as when the authorizing agency decides the CUI “no longer requires such controls.” You must have policies and procedures in place to decontrol CUI. CUI can get decontrolled automatically or through positive decontrol. In automatic decontrol a prior event, such as a date, was chosen at which the controls would no longer be required by law or policy. In positive decontrol the authorizing agency takes an action to remove the controls.
While the authorizing agency can appoint a contractor as a designee with the ability to decontrol CUI on a contract with the 7012 clause, this does not happen often.
In the end, when you think CMMC, just think CUI and how you protect it from unauthorized disclosure.