CMMC Compliance Requires More Than Encryption

Ensure Proper CUI Marking with Fortra's Data Classification

Fortra’s Data Classification Suite simplifies CMMC compliance by ensuring CUI is properly identified, marked, and protected. Here’s how it helps:

Pre-Built CUI Templates

Quickly apply required CUI marking capabilities across Microsoft Office tools with minimal setup.

Automated CUI Marking

Ensure CUI markings are legible by DLP, ABAC, and encryption systems, while compliant with NARA standards.

Flexible & Future-Proof Adaptability

Instantly update classifications to align with evolving CUI standards—no vendor delays.

Seamless Deployment, No FedRAMP Requirement

Runs directly within Office applications and endpoints with flexible hosting options.

Policy Manager

Our pre-built CUI template ensures consistency in the marking of unstructured data while delivering the schema customization necessary to modify or enhance deployment.


4.5/5 star Gartner rating

Benefits

Streamlined CMMC Compliance

Automates CUI identification and marking to simplify compliance with Level 2 and 3 requirements.

Reduced Administrative Burden

Minimizes manual effort with automated classification and enforcement, ensuring user productivity and efficient compliance.

Seamless Integration with Existing Workflows

Works directly within Microsoft Office tools and endpoints without disrupting operations.

Adaptable to Changing Regulations

Easily updates to align with evolving CUI standards, ensuring long-term compliance without unnecessary delays.

Fortra's Data Classification Suite CMMC Workflow

Watch the On-Demand Demo

CUI Compliance with Fortra's Data Classification Suite

 


Frequently Asked Questions

The CMMC Program establishes assessment mechanisms to verify defense contractors’ compliance with Department of Defense (DoD) data protection requirements.

Any direct supplier of the DoD that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will need to achieve 1 of the 3 CMMC levels, as specified in its contract, to be eligible to carry out defense-related work.

Level 1 - Foundational - FCI Only (Self-Assessment)

This level is for organizations that only handle FCI and is based on the 17 controls found in FAR 52.204-21 “Basic Safeguarding of Covered Contractor Information”, which focuses on protecting FCI. Companies and organizations within this level must conduct an annual self-assessment to prove they are compliant in order to earn their certification.

Level 2 - Advanced - CUI (Third Party Assessed)

Level 2 requirements are in complete alignment with NIST SP 800-171 requirements. When it comes to certification, organizations within this level are split into two groups:

CUI with prioritized acquisitions: Organizations that handle CUI with prioritized acquisitions, which is information deemed critical to national security, are required to undergo third-party assessments for certification every 3 years.

CUI with non-prioritized acquisitions: Organizations that handle CUI without prioritized acquisitions, which is information that is not deemed critical to national security, can perform an annual self-assessment for their certification following the same process as Level 1 organizations.

Level 3 - Expert - Critical CUI (DoD Assessed)

CMMC Level 3 consists of a selected set of (24) security requirements derived from NIST SP 800-172. Additionally, Level 3 only applies to systems that have already achieved a Final Level 2 (C3PAO) CMMC Status and have therefore fulfilled the security requirements specified in NIST SP 800-171. Per the DoD, Level 3 will only apply to an estimated 1% of contracts that support "its most critical programs and technologies."

In addition to Level 2 requirements, Level 3 provides additional protections against advanced persistent threats (APTs), and increases assurance to the DoD that an organization seeking certification can adequately protect CUI at a level commensurate with the adversarial risk, including protecting information flow with the government and with subcontractors in a multitier supply chain. Level 3 organizations will always be subject to a government-led assessment for certification every 3 years.

FCI - Federal Contract Information

FCI refers to information not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government. Examples include contract details or provisions, contractor performance data, reports or deliverables developed under federal contracts, and project management or financial information relevant to the contract.

CUI - Controlled Unclassified Information

CUI is information that is unclassified but still requires control, because its release, if publicly associated with defense missions or aggregated with other sources of information, will often reveal exploitable information to adversaries or violate statutory requirements.

CUI requires markings that alert recipients that special handling may be required to comply with law, regulation, or Government-wide policy.

1. Basic CUI Marking Requirements

  • Header/footer marking: Every page of a document containing CUI must be marked with the term "CONTROLLED" or "CUI" in the header and/or footer to indicate the presence of CUI.
  • Portion marking: While optional, portion markings (e.g., marking specific paragraphs or sections with "(CUI)") are encouraged to identify specific parts of a document that contain CUI.
  • Banner marking: A clear indication at the top of the first page or screen stating, "Controlled Unclassified Information" or "CUI" is necessary.
  • Decontrolling markings: When the CUI status changes, the document should reflect this, such as by adding the phrase "Decontrolled" with the date of decontrol.

 

2. Category Marking

  • CUI may fall under different categories (e.g., Privacy (PII), Financial, Law Enforcement). The marking standards allow for the inclusion of category abbreviations (e.g., "CUI//PRIV") to specify the type of CUI.
  • CUI documents can include more specific safeguarding or dissemination instructions as appropriate (e.g., "CUI//NOFORN" to restrict foreign dissemination).

 

3. Handling Instructions

  • Documents may also include instructions such as "CUI//SP-Export Control" or other specific safeguarding rules to indicate special protection requirements under particular laws or policies.

 

4. CUI Decontrol

  • When CUI is no longer considered sensitive and requires decontrol, the decontrol date should be clearly indicated. A line may be drawn through CUI markings, or a note may be added indicating that the information has been decontrolled.

 

5. Transmission and Storage Marking

  • Electronic files containing CUI must be marked similarly, with visible indicators on emails, shared drives, or cloud storage.
  • When transmitting CUI, physical or digital files must be labeled to ensure recipients are aware of their responsibilities for protecting the information.

These marking standards help ensure proper handling and dissemination, reducing the risk of unauthorized disclosure while promoting uniformity across different government entities and contractors. The standards are guided by the National Archives and Records Administration (NARA) CUI program.
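The header/footer and banner rules above can be checked mechanically, which is what a DLP or classification scanner relies on when it reads a marking. The Python sketch below is an added example, not Fortra's code or NARA's specification: the `//` segment split is inferred only from this page's sample markings, and the function names and sample pages are constructed for illustration.

```python
# Added example: check page-level CUI markings as described in the list above.
# Assumption: a banner is one line of "//"-separated segments whose first
# segment is "CUI" or "CONTROLLED" (inferred from the page's sample markings).

CONTROL_TERMS = ("CUI", "CONTROLLED")


def parse_banner(line):
    """Return (control_term, [further segments]) or None if not a banner."""
    parts = [p.strip() for p in line.strip().split("//")]
    if parts[0] not in CONTROL_TERMS:
        return None
    if any(not p for p in parts):
        return None  # malformed marking such as "CUI//" with an empty segment
    return parts[0], parts[1:]


def check_document(pages):
    """pages: list of page texts. Returns a list of (page_number, finding)."""
    findings = []
    for number, page in enumerate(pages, start=1):
        lines = [l for l in page.splitlines() if l.strip()]
        header = parse_banner(lines[0]) if lines else None
        footer = parse_banner(lines[-1]) if lines else None
        # Every page needs the marking in the header and/or footer.
        if header is None and footer is None:
            findings.append((number, "no CUI marking in header or footer"))
        # The first page additionally needs a banner at the top.
        if number == 1 and header is None:
            findings.append((1, "no banner marking at top of first page"))
    return findings


# Constructed sample document: page 2 carries a portion marking but no
# header/footer marking, so it is the only page reported.
SAMPLE_PAGES = [
    "CUI//SP-Export Control\nDesign summary.\nCUI//SP-Export Control",
    "(CUI) Paragraph with controlled detail.\nUnmarked continuation.",
    "Appendix text\nCONTROLLED",
]

if __name__ == "__main__":
    for page_number, finding in check_document(SAMPLE_PAGES):
        print(f"page {page_number}: {finding}")
```

A page that has only portion markings, like page 2 in the sample, still fails the header/footer rule, which is the gap an automated marking step is meant to close.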

Now that the CMMC program has been finalized, the program has made clear that supporting tools enabling CMMC certification are not required to be FedRAMP certified. Our data classification product acts as an extension to your Office applications and will run on your organization’s devices and endpoints. Therefore, it isn't necessary for our product to be FedRAMP certified to help with your CMMC compliance. Our admin tool can be hosted locally in a cloud environment that may be FedRAMP-certified, or on-premises depending on your organization's requirements.

Trusted by Customers Across the Globe

Air Force, Wynn Resorts, Turkcell

Start Your CMMC Compliance Journey with Fortra's Data Classification Suite

Request a demo to see how Fortra can support your unique compliance requirements.
