CMMC 2.0/CUI Marking Campaign
Cybersecurity Maturity Model Certification (CMMC) 2.0, as published for comment, will require three different levels of accreditation associated with federal contracts. While Level 1 is a self-attestation to a small number of controls, Level 2 requires contractors to meet the 110 requirements in NIST 800-171 Rev. 2, titled “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.” In order to protect CUI, organizations must first document and have a firm understanding of what data they possess that is considered CUI. Properly applying and maintaining CUI markings on data is key to knowing when possessed data is considered CUI and which protection policies should be applied to it.
What Is CUI?
Executive Order 13556 established the National Archives and Records Administration (NARA) as the Executive Agent of the CUI program, and NARA maintains the CUI registry. Per NARA, “Controlled Unclassified Information is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act.” The CUI program was established as a way to facilitate the transfer of information by standardizing the protection policies that must be applied to sensitive but unclassified information, avoiding the hurdles that came from each agency having its own sensitive-information sharing policies. 32 CFR Part 2002 states that all unclassified information throughout the executive branch that requires safeguarding or dissemination controls is considered CUI. CUI can fall under one of many categories on the CUI registry. Some common examples include:
NATO Restricted and Unrestricted data
Critical Infrastructure
Proprietary business information
PII/PHI
Sensitive but unclassified defense and intelligence information
Legal and privileged data
Law enforcement records
Procurement Information
Private financial, tax or retirement information
Why Is Marking CUI Important?
Much like classification markings, CUI markings alert an individual to the presence of CUI in a document, email or other media and dictate the set of controls that must be followed with that data. Markings define the type of CUI, how it must be handled, where it can be sent and who is the ultimate authority for that CUI. The Government and the Defense Industrial Base benefit from the establishment of common CUI markings because they prevent overly restrictive policies from limiting information sharing between organizations. Standardization of CUI facilitates information sharing while maintaining data protection by establishing common protection policies that apply whenever information is shared.
Challenges with Marking CUI
NARA’s CUI registry defines two types of CUI: CUI Basic, with a standard set of controls across data categories and subcategories, and CUI Specified, for instances where an agency has designated a specific set of controls for that category of CUI. Under each of these there are 20 categories and 120+ subcategories of CUI. In order for the CUI program to be effective, all participants must properly apply and follow markings. To an end user, remembering each category and its corresponding set of rules and dissemination controls is an arduous task, so organizations must find a way to make markings easy to apply and follow and to alert users to possible mistakes. The modern workplace already makes it easy for individuals to access and share information from anywhere on any device. Organizations must implement a solution that combines the information access advantages of the modern workplace with an easy way for users to apply and comply with CUI markings.
How Does ISEC7 CLASSIFY Help?
ISEC7 CLASSIFY provides organizations with a user-friendly platform enabling the proper marking of emails, calendar appointments and documents on any device. ISEC7 CLASSIFY takes the guesswork out of implementing a CUI program by defining the CUI categories and associated controls within the platform, ensuring that your markings follow the most current CUI registry. Microsoft Office users are presented with a simple Microsoft Office add-in for emails and documents that provides picklist options for CUI categories and dissemination controls. Once a selection is made, ISEC7 CLASSIFY applies the necessary markings while also validating the control rules against wherever that data is being sent, requiring no additional action from the end user. For M365 users, ISEC7 CLASSIFY presents the same way, enabling a common user experience for web and desktop. For mobile users, ISEC7 CLASSIFY is enabled within the ISEC7 MAIL mobile app for Android and iOS devices, so that employees can properly mark and disseminate their information regardless of work platform. CUI classification schemas are easily updated within the ISEC7 SPHERE CLASSIFY editor, ensuring that any CUI Registry updates can be implemented quickly. For administrators and information security professionals, all marked media receives its own unique tracking ID, providing full auditing and statistics to understand where CUI is being transmitted.
With regulations increasing, it is important that organizations prioritize protecting and marking their classified and CUI data. ISEC7 CLASSIFY is an essential tool for any organization with data protection requirements, providing a user-friendly experience to ensure that all emails, calendar entries, and Office documents are properly marked and compliant with laws and regulations. Feel free to contact us about the new CMMC requirements, CUI, or ISEC7 CLASSIFY; we would be happy to answer any questions and provide a demo.