The US Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) on January 31, 2020 as a unified standard for implementing cybersecurity across the defense industrial base and includes over 300,000 companies. The CMMC is the DoD's response to the significant number of compromises of sensitive CUI data that contained defense information located on contractors' information systems. In order for contractors to be eligible for DoD contract awards they are required to have the CMMC certification.
Contractors are responsible for implementing and monitoring their information technology systems and any sensitive DoD information stored on those systems. The CMMC framework guides companies with the appropriate levels of cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
The CMMC consists of five certification levels to best implement cybersecurity based practices.
Controlled Unclassified information (CUI), is information that government agencies and some of their contractors are required to both mark and classify within their data stores. CUI represents a particular kind of sensitive data created by the U.S. federal government or developed on its behalf and merits special protection against exposure.
As result of the CMMC and the contractual agreements between contractors and the DoD, assessors must understand the contractors response capabilities by knowing which systems store CUI data that may not be within policy. When it comes time to prove that CMMC controls are in place, you must be able to audit your systems, generate comprehensive reports, and review audit reports in detail. To do so will require a robust and accurate vended data discovery toolset.
A typical government contract is around $250,000 and without this certification there is substantial risk losing contracts. To reduce the loss of contracts and/or potential for a data breach as they relate to data that contain CUI, DFARS 7012, NIST 800-171/172 and the CMMC, it's necessary to identify the locations which store sensitive data assets processing Controlled Unclassified Information (CUI).
Conducting regular CUI risk or breach damage assessments is time intensive and doing so manually is not attainable. It's necessary to use an industry trusted data discovery tool that provides the necessary technologies to accurately locate common types of PII and CUI. These automated tools reduce the overall time spent locating documents with common categories or markings that may be in scope of the CMMC.
The U.S. governments rule for protecting CUI includes marking documents (classifying) to indicate the protected status. The National Archives Records Administration (NARA) issued a handbook on marking best practices in 2016 and cites the proper organizational markings and categories to consider when looking for CUI.
CMMC compliance will help reduce the potential loss of contracts. Using discovery tools to accurately locate these types of data are core to the CMMC. Before the concept of CUI was introduced in 2008, documents that contained sensitive defense information such as schematics, reports, and other technical data were marked with an array of acronyms that were indicative of its protected status, such as For Official Use Only (FOUO) and Sensitive But Unclassified (SBU). However since the introduction and executive order, NARA was put in charge to better facilitate standards across the DoD.
Maintaining a good alignment with the CMMC is about using the right set of tools; there is no one single security tool that can do it all. Spirion is one such tool that identifies both PII and CUI across structured and unstructured data by searching text and images for common PII or searching for phrases, words, and acronyms that are indicative of CUI. This toolset is fundamental to assisting the compliance with the CMMC via its data discovery and classification capabilities.
Success will be achieved through accurate and automated process's to identify and classify sensitive data as it relates to the CMMC such as CUI. By conducting regular CUI risk assessment throughout the business's information ecosystem, the implementation of data classification policy by imbedding labels into documents and files will help delineate their sensitivity and facilitate the protection of unauthorized and unintended transfers and publication of CUI.