Determining Your Level of CMMC Compliance: The Importance of CUI
Did you know? The Council of Economic Advisers estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016, and cybercrime has only grown worse in the years since. (The Center for Strategic and International Studies put the total global cost of cybercrime at as much as $600 billion in 2017.)
In the U.S., it’s not a problem our government—more specifically, our military—can leave unchecked, not when it comes to the theft of valuable intellectual property and sensitive information from all industrial sectors. The potential backlash on our economic security and national security is too great, and something had to be done.
If you’re doing business in the Defense Industrial Base (DIB) sector, you will soon need to become CMMC certified. Within this new program meant to protect information within the supply chain of the Department of Defense (DoD), there are three levels and their related assessments.
If you are wondering which level is right for you, this article walks through the different levels of CMMC compliance you can achieve, but that discussion only makes sense after first addressing the central role of CUI. By the end, you will understand how the pieces fit together, have a clearer idea of which level applies to your organization, and know what to expect from the assessment.
Federal Contract Information (FCI) vs. Controlled Unclassified Information (CUI)
As with any security framework, once CMMC takes effect, Organizations Seeking Certification (OSCs) will need to meet its requirements. Taken as a whole, those requirements are concerned with protecting sensitive information from unauthorized dissemination. For an individual organization, however, the level of cybersecurity maturity required is determined by the type of information it handles: FCI or CUI.
Here is the technical difference between these two data types:
CUI: Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies.
Exclusions: Information that is classified under:
Source: NIST SP 800-171 Rev 2; Controlled Unclassified Information (CUI) | National Archives
FCI: Information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.
Source: 48 CFR § 52.204-21
What is CUI?
As you will see later, CUI is central to the more advanced CMMC assessments, so it is worth going beyond the bare legal definitions. Per the above, CUI is defined in law by the safeguarding and dissemination obligations attached to the information, not by a simple list of what that information actually is.
(In fact, there is an entire government website devoted to how information is designated as CUI and what requirements attach to it.)
So how can you discern which of the data in your charge could be classified as CUI?
- Any data whose public release or unauthorized disclosure would negatively impact national defense, including when aggregated with additional information.
- CUI received from the organization that created it will be prominently identified with specific markings:
  - "CUI" will appear in document headers and footers.
  - A CUI designation indicator will also be included that specifies the organization controlling the information, any specific CUI category the information falls into, dissemination controls, and a point of contact for the information.
  - Further detail on CUI markings is available from the government CUI website mentioned above.
However, CUI does not include:
- Classified information, or information that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency; or
- Information that a non-executive-branch entity possesses and maintains in its own systems and that did not come from, or was not created for, an executive branch agency.
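When scoping an environment, the markings described above give you the one piece of positive evidence you can automate: a "CUI" banner in the header or footer plus a complete designation indicator. The scanner below is an added example for this article, not code from Schellman or from any government tool. It assumes the banner is a line consisting solely of "CUI" near the top or bottom of a text document, and it assumes the NARA-style field labels "Controlled by:", "CUI Category:", "Distribution/Dissemination Control:" and "POC:" for the four elements of the designation indicator; the sample documents are constructed. Note what the tool cannot do: an unmarked document may still be CUI under the impact test above, so "unmarked" means "needs human review", not "not CUI".

```python
"""Triage text documents by CUI banner and designation indicator (added example).

Assumptions (not stated in the article): the banner is a line that is exactly
"CUI" within the first/last few lines, and the designation indicator uses the
NARA CUI Marking Handbook labels shown in FIELDS.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Banner line: the article says "CUI" appears in headers and footers.
BANNER = re.compile(r"^\s*CUI\s*$", re.IGNORECASE)

# The four designation-indicator elements named in the article. Label text is
# an assumption based on the NARA marking layout; adjust to your documents.
FIELDS = {
    "controlled_by": re.compile(r"^\s*Controlled by:\s*(.+?)\s*$", re.IGNORECASE),
    "category": re.compile(r"^\s*CUI Categor(?:y|ies):\s*(.+?)\s*$", re.IGNORECASE),
    "dissemination": re.compile(
        r"^\s*(?:Limited |Distribution/)?Dissemination Control:\s*(.+?)\s*$", re.IGNORECASE
    ),
    "poc": re.compile(r"^\s*POC:\s*(.+?)\s*$", re.IGNORECASE),
}


@dataclass
class CuiMarking:
    banner_header: bool = False
    banner_footer: bool = False
    fields: Dict[str, str] = field(default_factory=dict)
    missing: List[str] = field(default_factory=list)  # indicator elements absent on a marked doc

    @property
    def marked(self) -> bool:
        return self.banner_header or self.banner_footer


def parse_cui_marking(text: str, edge: int = 3) -> CuiMarking:
    """Look for the banner within the first/last `edge` lines and collect the
    designation-indicator fields from anywhere in the document."""
    lines = text.splitlines()
    m = CuiMarking()
    m.banner_header = any(BANNER.match(line) for line in lines[:edge])
    m.banner_footer = any(BANNER.match(line) for line in lines[-edge:])
    for line in lines:
        for name, rx in FIELDS.items():
            hit = rx.match(line)
            if hit and name not in m.fields:  # first occurrence wins
                m.fields[name] = hit.group(1)
    if m.marked:
        m.missing = [name for name in FIELDS if name not in m.fields]
    return m


def triage(docs: Dict[str, str]) -> Dict[str, str]:
    """Map each document to a scoping verdict:
    'CUI'                    banner present and all four indicator elements found
    'CUI-incomplete-marking' banner present but indicator elements missing (follow up with the originator)
    'unmarked'               no banner; still needs human review under the impact test
    """
    verdicts = {}
    for name, text in docs.items():
        m = parse_cui_marking(text)
        if not m.marked:
            verdicts[name] = "unmarked"
        elif m.missing:
            verdicts[name] = "CUI-incomplete-marking"
        else:
            verdicts[name] = "CUI"
    return verdicts


# Constructed sample documents for the demonstration; not real program data.
SAMPLE_DOCS = {
    "drawing_spec.txt": "\n".join([
        "CUI",
        "Title: Bracket assembly tolerances",
        "Controlled by: DoD/Example Program Office",
        "CUI Category: CTI",
        "Distribution/Dissemination Control: FEDCON",
        "POC: J. Doe, 555-0100",
        "...body...",
        "CUI",
    ]),
    "meeting_notes.txt": "\n".join([
        "CUI",
        "Weekly sync",
        "Controlled by: DoD/Example Program Office",
        "...body...",
        "CUI",
    ]),
    "press_release.txt": "\n".join([
        "For immediate release",
        "Acme wins contract",
    ]),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_DOCS).items():
        print(f"{name}: {verdict}")
```

Run it over an export of the file shares and mailboxes you suspect hold contract deliverables; the "CUI-incomplete-marking" bucket is usually the most useful output, because it points at documents whose originator should be asked to confirm category and dissemination controls before you decide whether the system holding them is in Level 2 scope.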
What are the CMMC Compliance Levels?
Once you have classified the data you handle as FCI or CUI, you will know which level of CMMC compliance you must achieve.
The CMMC program defines three increasingly stringent levels (the Cyber Accreditation Body, or Cyber AB, is the accreditation body that oversees the assessor ecosystem). The levels are cumulative: each builds on the control practices and assessment requirements of the one below it.
Level 1
Requirements: Compliance with the 17 practices derived from FAR Clause 52.204-21.
You must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly, to protect FCI.
Level 2
Requirements: Compliance with the 110 practices specified in NIST SP 800-171 Rev 2, as required by DFARS Clause 252.204-7012.
You must demonstrate an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all of the NIST SP 800-171 Rev 2 security requirements and processes.
Level 3
Requirements: Compliance with the 110 NIST SP 800-171 practices plus additional practices drawn from the enhanced security requirements in NIST SP 800-172.
You must demonstrate standardized and optimized processes, including resources to monitor, scan, and perform data forensics, as well as enhanced practices that detect and respond to the changing tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs).
(An APT is an adversary with the sophisticated cyber expertise and significant resources to conduct attacks from multiple vectors.)
If you were in this line of government work before CMMC, you were likely already subject to DoD NIST SP 800-171 compliance requirements under the Defense Federal Acquisition Regulation Supplement (DFARS), and you have probably performed the required periodic self-assessment or undergone a DoD audit for that type of compliance.
As you move to CMMC, self-assessment remains an option at some levels, but the assessment type you need depends entirely on the level you aspire to attain and on any relevant contractual requirements.
What Level of CMMC Compliance Do You Need?
So which level do you need to attain? Here is how it breaks down, including the kind of assessment to expect at each level:
- Level 1: Your organization handles only FCI.
  - Assessment type: You are responsible for performing annual self-assessments of the associated controls. You can also elect to engage a CMMC Third-Party Assessment Organization (C3PAO) to assist with the self-assessment.
- Level 2: Your organization has any exposure to CUI.
  - Assessment type: You may need to undergo an external assessment performed by a C3PAO every three years.
- Level 3: The Cyber AB continues to review the specific criteria that would determine whether an OSC must achieve Level 3 compliance.
  - Assessment type: Should your organization qualify, you would need to undergo government-led assessments every three years. These assessments are incremental: you would first contract with a C3PAO to conduct your Level 2 assessment, and the government would then assess the additional Level 3 controls.
What Is In-Scope for Your CMMC Assessment?
So, you have classified your data and determined your exposure, which means you also know the level of CMMC compliance you need (and the type of assessment to expect).
But what at your organization falls into scope for that assessment?
For even more insight into your potential CMMC scope, check out our article on how to use PCI context to glean more understanding.
Moving Forward with CMMC Compliance
If your organization is part of the DIB and handles FCI or CUI, you will likely need to become CMMC certified, and the level of certification will be determined largely by the type of data your systems handle.
If your organization has exposure to CUI, expect the more rigorous Level 2 assessment; at least now you have a basic understanding of what the requirements will be and what will fall in scope.
As you prepare for your CMMC process, you may still have many questions, and we encourage you to reach out to us. Schellman was one of the first CMMC Authorized C3PAOs and recently performed the first CMMC Joint Surveillance Assessments. Our team would be glad to schedule a conversation to help ease your concerns about this highly anticipated requirement for doing business with the DoD.
About Todd Connor
Todd Connor is a Senior Associate with Schellman based in Jacksonville, FL. Prior to joining Schellman in 2022, Todd worked as a technology manager for a maritime shipping company, responsible for architecting and developing its NIST / CMMC compliance program. Todd has over twenty years of information technology leadership experience across various industries, including transportation & logistics, pharmacy benefits management, retail pharmacy, and big-box retail, during which time he has been responsible for responding to NIST 800-171, HIPAA, PCI, ISO, and Sarbanes-Oxley audits. Todd is now focused primarily on Schellman's FedRAMP practice, specializing in CMMC compliance for organizations across various industries.