Cybersecurity Maturity Model Certification (CMMC) and CUI

What is it? What is CUI? How can you be compliant?

What is the Cybersecurity Maturity Model Certification Program?

The CMMC establishes assessment mechanisms to verify defense contractors’ compliance with Department of Defense (DoD) security requirements for the protection of sensitive information.

Any direct supplier of the DoD that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will need to achieve 1 of the 3 CMMC levels, as specified in its contract, to be eligible to do defense-related work.

What is FCI or CUI?

FCI - Federal Contract Information is information that is not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government. Examples include contract details or provisions, contractor performance data, reports or deliverables developed under federal contracts, and project management or financial information relevant to the contract.

CUI - Controlled Unclassified Information is unclassified, but it requires control to prevent the release of information that, if publicly associated with defense missions or aggregated with other sources of information, often will reveal exploitable information to adversaries or violate statutory requirements.

CUI requires markings that alert recipients that special handling may be required to comply with law, regulation, or Government-wide policy.

The 3 Levels of CMMC 2.0

CMMC 2.0 has three levels. Which level you need to comply with will be outlined in your Federal Government contract. The level you will be assessed against corresponds to the type of information your organization will handle:

Level 1 - Foundational - FCI Only (Self-Assessment)

This level is for organizations that only handle FCI and is based on the 17 controls found in FAR 52.204-21 "Basic Safeguarding of Covered Contractor Information", which focuses on protecting FCI. Companies and organizations at this level must conduct an annual self-assessment to prove they are compliant in order to get their certification.

Level 2 - Advanced - CUI (Third Party Assessed)

Level 2 requirements are in complete alignment with NIST SP 800-171 requirements. When it comes to certification, organizations within this level are split into two groups:

CUI with prioritized acquisitions: Organizations that have CUI with prioritized acquisitions, which is information deemed critical to national security, will be required to undergo third-party assessments for certification every 3 years.

CUI with non-prioritized acquisitions: Organizations that handle CUI without prioritized acquisitions, which is information that is not critical to national security, can perform an annual self-assessment for their certification following the same process as Level 1 organizations.

Level 3 - Expert - Critical CUI (DoD Assessed)

Officially, at the time of this writing (September 2024), Level 3 is still listed as TBD because rulemaking is still underway. However, we know that Level 3 will use the NIST SP 800-171 requirements plus a subset of the NIST SP 800-172 requirements. Level 3 organizations will always be subject to a government-led assessment for certification every 3 years.

[Image: CMMC 2.0 levels]

CUI Compliance and Fortra's Data Classification Suite (DCS)

Levels 2 and 3 contain requirements to identify and control CUI (for example AC.L2.3.1.1), and there are standards on what markings must appear so that CUI can be properly identified and managed.

Fortra's Data Classification Suite has a pre-built CUI template that allows organizations to deploy CUI marking in a matter of minutes across the primary Microsoft Office tools; all it takes is installing the DCS agent and training the key individuals who handle CUI content.

Here are key aspects of CUI marking standards:

1. Basic CUI Marking Requirements

  • Header/footer marking: Every page of a document containing CUI must be marked with the term "CONTROLLED" or "CUI" in the header and/or footer to indicate the presence of CUI.
  • Portion marking: While optional, portion markings (e.g., marking specific paragraphs or sections with "(CUI)") are encouraged to identify specific parts of a document that contain CUI.
  • Banner marking: A clear indication at the top of the first page or screen stating, "Controlled Unclassified Information" or "CUI" is necessary.
  • Decontrolling markings: When the CUI status changes, the document should reflect this, such as by adding the phrase "Decontrolled" with the date of decontrol.

2. Category Marking

  • CUI may fall under different categories (e.g., Privacy (PII), Financial, Law Enforcement). The marking standards allow for the inclusion of category abbreviations (e.g., "CUI//PRIV") to specify the type of CUI.
  • CUI documents can include more specific safeguarding or dissemination instructions as appropriate (e.g., "CUI//NOFORN" to restrict foreign dissemination).

3. Handling Instructions

  • Documents may also include instructions such as "CUI//SP-Export Control" or other specific safeguarding rules to indicate special protection requirements under particular laws or policies.

4. CUI Decontrol

  • When CUI is no longer considered sensitive and requires decontrol, the decontrol date should be clearly indicated. A line may be drawn through CUI markings, or a note may be added indicating that the information has been decontrolled.

5. Transmission and Storage Marking

  • Electronic files containing CUI must be marked similarly, with visible indicators on emails, shared drives, or cloud storage.
  • When transmitting CUI, physical or digital files must be labeled to ensure recipients are aware of their responsibilities for protecting the information.

These marking standards help ensure proper handling and dissemination, reducing the risk of unauthorized disclosure while promoting uniformity across different government entities and contractors. The standards are guided by the National Archives and Records Administration (NARA) CUI program.
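As an added illustration of the marking rules above (not code from the page or from Fortra's product), the following check walks a document page by page and flags pages whose header or footer carries neither "CONTROLLED" nor "CUI", and it splits a banner such as "CUI//PRIV" or "CUI//NOFORN" into its base term and designators. The document structure, the "/"-separated designator list and the sample pages are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample document: one (header, body, footer) tuple per page.
# Page 2 deliberately lacks any header/footer marking so the check reports it.
SAMPLE_DOC = [
    ("CUI//PRIV", "(CUI) Contractor payroll data for the constructed contract.", "CUI"),
    ("", "(CUI) Unmarked continuation page.", ""),
    ("CONTROLLED", "(U) Public summary of deliverables.", "CONTROLLED"),
]

# Base term "CUI" or "CONTROLLED", optionally followed by "//" and designators.
BANNER_RE = re.compile(r"^(CUI|CONTROLLED)(?://(.+))?$")


@dataclass
class Banner:
    base: str
    designators: list = field(default_factory=list)


def parse_banner(text: str):
    """Parse a banner like 'CUI//PRIV' or 'CUI//SP-Export Control'.

    Assumption for this example: designators after '//' are separated by '/'.
    Returns None when the text is not a recognised CUI banner.
    """
    m = BANNER_RE.match(text.strip())
    if not m:
        return None
    raw = m.group(2)
    designators = [d.strip() for d in raw.split("/")] if raw else []
    return Banner(m.group(1), designators)


def check_document(pages):
    """Return findings for pages missing the required header/footer marking."""
    findings = []
    if not pages or parse_banner(pages[0][0]) is None:
        findings.append("page 1: missing banner marking on first page")
    for n, (header, _body, footer) in enumerate(pages, start=1):
        if parse_banner(header) is None and parse_banner(footer) is None:
            findings.append(f"page {n}: no CONTROLLED/CUI marking in header or footer")
    return findings


if __name__ == "__main__":
    for finding in check_document(SAMPLE_DOC):
        print(finding)
```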

Drive The CUI Component of Your CMMC Certification with Fortra's DCS

The key to successfully managing CUI data is electronic enforcement. You cannot apply enforcement unless the proper information is in place within your unstructured content for your electronic controls (such as a data loss prevention system, ABAC, or an encryption system) to read and act on.

CUI standards have changed and will change again, so you need a tool that is flexible enough to meet those changes with the click of a mouse rather than waiting on vendors to address the new standards. Fortra's DCS is proven in the defense industrial base (DIB) as the key tool that provides the flexibility our DIB customers need, along with the audit capability required to keep your certification current while minimizing the overhead of keeping your individual program approved.

Learn More About Fortra’s Data Classification Suite and Our Fast Path to CUI Compliance

Discover how we make it easy for you to accurately and securely apply CUI markings to help you comply with regulations and requirements, like CMMC, to appropriately safeguard sensitive government information.

Is Fortra FedRAMP certified?

Now that the CMMC program has been finalized, the program has stated that supporting tools which enable CMMC certification are not required to be FedRAMP certified. Our data classification product runs as an extension to your Office applications and runs on your organization's devices and endpoints. We therefore do not have to be FedRAMP certified in order to help with your CMMC compliance. Our admin tool can be hosted in a cloud environment that may be FedRAMP certified, or on-premises, depending on your company requirements.

Resources

Learn More about Fortra's Data Classification

Find out how Fortra's flexible data classification can help drive compliance with a variety of regulations and requirements.

If you're ready for a demo, let's talk about how we can help with your specific compliance needs.