The Cybersecurity Maturity Model Certification (CMMC) is designed to improve the cybersecurity posture of the Defense Industrial Base (DIB). It does so by requiring a third-party assessment of compliance, unlike the earlier NIST SP 800-171 regime, under which contractors simply attested to their own compliance. A primary goal of the CMMC is the protection of Controlled Unclassified Information (CUI).
What is CUI?
CUI is information that is sensitive but does not meet the criteria for classification at the Confidential level or above. It is information that the government creates or possesses, or that an entity such as a contractor creates or processes for, or on behalf of, the government. While CUI is a government designation, many organizations hold similar types of information. For example, a company’s intellectual property (IP) or sensitive employee or customer data is the private-sector equivalent of CUI.
In the past, CUI was protected largely by requiring defense contractors to self-attest compliance with NIST SP 800-171. Continued losses of CUI from DIB networks led the Department of Defense (DoD) to create the CMMC.
The CMMC requires third-party assessors to certify that a defense contractor meets the requirements of one of CMMC’s five levels (the original CMMC 1.0 model; the later CMMC 2.0 revision consolidated these into three). Level 3 compliance is roughly equivalent to full NIST SP 800-171 compliance (the 110 NIST requirements plus 20 additional practices), and higher levels require additional processes and security controls to be in place.
By moving from self-attested NIST SP 800-171 compliance to CMMC, the DoD is enforcing the protection of CUI by its contractors more strongly. Organizations must now demonstrate to an assessor that the required security controls are actually implemented, providing better protection for the DoD’s sensitive data.
FOUO vs CUI
CUI is a designation that replaces several earlier agency-specific markings, including For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES). FOUO and CUI are therefore very similar, though not identical. All of these refer to information that does not require a security clearance to access but that carries some restrictions on who may access it. For example, information may be restricted to federal employees without requiring a clearance.
What are CUI Categories and Subcategories?
CUI is divided into Organizational Index Groupings, including the following:
- Critical Infrastructure
- Defense
- Export Control
- International Agreements
- Law Enforcement
- Natural and Cultural Resources
- North Atlantic Treaty Organization (NATO)
- Procurement and Acquisition
- Proprietary Business Information
Within each of these are several CUI categories. For example, the Defense OIG includes four categories: Controlled Technical Information, DoD Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, and Unclassified Controlled Nuclear Information – Defense.
CUI can also be labeled with limited dissemination controls. These include:
- NOFORN: No foreign dissemination
- FED ONLY: Federal employees only
- FEDCON: Federal employees and contractors only
- NOCON: No dissemination to contractors
- DL ONLY: Dissemination list controlled
- REL TO: Authorized for release to the listed countries only (e.g., REL TO USA, GBR)
- DISPLAY ONLY: May be shown to a foreign recipient without providing a copy
- Attorney-Client: Protected by attorney-client privilege
- Attorney Work Product: Dissemination prohibited unless specifically permitted by the overseeing attorney
In a banner marking, these controls follow the category portion after a double forward slash, and multiple controls are separated by a single forward slash, for example CUI//SP-CTI//NOFORN or CUI//SP-DCRIT//FEDCON/DL ONLY.
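Organizations that handle CUI often need to recognize these markings mechanically, for instance in a data-loss-prevention rule or a document-sharing gateway. The Python below is an added example, not code from the original page or any DoD tool. It parses a banner marking using the double-slash/single-slash convention described above and evaluates the dissemination controls against a deliberately simplified recipient model (nationality as an ISO 3166 alpha-3 code, federal-employee and contractor flags); the `Recipient` fields, the `may_release` function and the sample markings are all assumptions introduced here for illustration.

```python
"""Parse CUI banner markings and evaluate their dissemination controls.

Banner syntax assumed here (ISOO CUI Marking Handbook convention):
    CUI//<category>[/<category>...]//<control>[/<control>...]
with the category segment optional.  The recipient model is a simplification.
"""
from dataclasses import dataclass

# Dissemination controls from the list above.  REL TO and DISPLAY ONLY are
# followed by a comma-separated list of ISO 3166 alpha-3 country codes.
KNOWN_CONTROLS = (
    "ATTORNEY WORK PRODUCT", "ATTORNEY-CLIENT", "DISPLAY ONLY", "DL ONLY",
    "FED ONLY", "FEDCON", "NOCON", "NOFORN", "REL TO",
)


@dataclass
class CuiMarking:
    categories: list   # e.g. ["SP-CTI"]; empty when no category is listed
    controls: dict     # control name -> list of country codes (may be empty)


@dataclass
class Recipient:
    """Hypothetical recipient attributes used by may_release()."""
    country: str                       # nationality, ISO 3166 alpha-3
    federal_employee: bool = False
    contractor: bool = False
    on_dissemination_list: bool = False
    counsel_approved: bool = False     # attorney signed off on release


def _parse_control(token):
    """Split 'REL TO USA, GBR' into ('REL TO', ['USA', 'GBR']); reject unknowns."""
    upper = token.upper()
    for name in KNOWN_CONTROLS:
        if upper == name or upper.startswith(name + " "):
            codes = [c.strip() for c in upper[len(name):].split(",") if c.strip()]
            return name, codes
    raise ValueError(f"unknown dissemination control: {token!r}")


def _is_control_segment(segment):
    try:
        for tok in segment.split("/"):
            _parse_control(tok.strip())
        return True
    except ValueError:
        return False


def parse_marking(banner):
    """Parse a CUI banner marking; raises ValueError on malformed input."""
    segments = [s.strip() for s in banner.strip().split("//")]
    if not segments or segments[0].upper() != "CUI":
        raise ValueError(f"not a CUI banner marking: {banner!r}")
    categories, controls = [], {}
    rest = segments[1:]
    # The first segment after CUI is the category list unless every token in it
    # is a known control (e.g. "CUI//NOFORN" for CUI Basic with no category).
    if rest and not _is_control_segment(rest[0]):
        categories = [c.strip().upper() for c in rest.pop(0).split("/") if c.strip()]
    if rest:
        if len(rest) > 1:
            raise ValueError(f"too many banner segments: {banner!r}")
        for tok in rest[0].split("/"):
            name, codes = _parse_control(tok.strip())
            controls[name] = codes
    return CuiMarking(categories, controls)


def may_release(marking, recipient, provide_copy=True):
    """Return (allowed, reason).  provide_copy=False models showing the item
    on screen without handing over a copy, which is what DISPLAY ONLY permits."""
    c = marking.controls
    country = recipient.country.upper()
    foreign = country != "USA"
    if "NOFORN" in c and foreign:
        return False, "NOFORN: no foreign dissemination"
    if "REL TO" in c and foreign and country not in c["REL TO"]:
        return False, "REL TO: recipient's country not on the release list"
    if "DISPLAY ONLY" in c and foreign:
        if country not in c["DISPLAY ONLY"]:
            return False, "DISPLAY ONLY: recipient's country not listed"
        if provide_copy:
            return False, "DISPLAY ONLY: foreign recipient may view but not receive a copy"
    if "FED ONLY" in c and not recipient.federal_employee:
        return False, "FED ONLY: federal employees only"
    if "FEDCON" in c and not (recipient.federal_employee or recipient.contractor):
        return False, "FEDCON: federal employees and contractors only"
    if "NOCON" in c and recipient.contractor and not recipient.federal_employee:
        return False, "NOCON: no dissemination to contractors"
    if "DL ONLY" in c and not recipient.on_dissemination_list:
        return False, "DL ONLY: recipient not on the dissemination list"
    if ("ATTORNEY WORK PRODUCT" in c or "ATTORNEY-CLIENT" in c) and not recipient.counsel_approved:
        return False, "privileged: release requires counsel approval"
    return True, "no dissemination control blocks release"


if __name__ == "__main__":
    # Constructed sample markings, not taken from any real document.
    grid = parse_marking("CUI//SP-DCRIT//FEDCON/DL ONLY")
    for who in (Recipient("USA", contractor=True, on_dissemination_list=True),
                Recipient("USA", contractor=True),
                Recipient("GBR", contractor=True)):
        print(who, may_release(grid, who))
```

Unknown control strings raise rather than silently passing, so a gateway built on this fails closed when it meets a marking it does not understand; the recipient checks are ordered so the most restrictive controls (NOFORN, REL TO) are evaluated first.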
CUI Example Scenario
As part of their contractual duties, an organization in the DIB may have access to sensitive information about the nation’s critical infrastructure. Information that reveals vulnerabilities in DoD critical infrastructure may be designated CUI under the DCRIT category (marked CUI//SP-DCRIT).
This information may be shared as part of a contract to modernize critical infrastructure and transition to a “smart grid,” or to develop mitigations for these vulnerabilities. The contractor would be required to restrict access to this information to authorized personnel and protect it with security controls such as encryption at rest and in transit, consistent with the applicable CMMC level.
Preparing for CMMC Compliance
CMMC is currently in its early stages, with a few “pathfinder” contracts requiring it in 2021. However, between 2021 and 2026, the DoD plans to phase CMMC requirements into all new contracts. This means that every company on a contract bid, prime contractors and subcontractors alike, will be required to achieve the specified CMMC level before the contract is awarded.
With mandatory CMMC compliance comes the need to implement the required security controls for CUI. Depending on an organization’s current level of NIST 800-171 compliance and intended future roles on defense contracts, achieving this could be an extended process.
Companies looking to participate in defense contracts in the future should begin their CMMC compliance journey today. Reach out for a readiness inspection to learn how your organization can better protect its CUI.