What Practices and Assessment Objectives from CMMC apply to CUI?
Sometimes to get a job done you just need Data.
In the Cybersecurity Maturity Model Certification (CMMC) program, with its five levels of cyber hygiene, almost all of the Domains, practices, and assessment objectives implicitly require you to follow the regulations for the authorized handling of sensitive data: Controlled Unclassified Information (CUI) on non-federal systems (your computers, phones, internet connections, and other equipment).
The major baseline for CMMC Level 3, which the Department of Defense will require for handling of CUI, builds off of NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Basically everything after the first Level in CMMC has a role in protecting CUI.
Yet you should know the assessment objectives that explicitly call out CUI. Once you know you have CUI in your business, you need to scope out your CMMC assessment. This means you need to think about your data flow from the DoD, or a prime, and on to all your subcontractors. You need to inventory all assets in and out of scope, you need a network diagram, and you need to know what third-party or Software as a Service companies you use and whether they fall in scope or out of scope (CMMC Kill Chain, 2002).
This sounds like a lot. It is. You
Still, before engaging a vendor, you should have a good understanding of the assessment objectives that explicitly call out CUI. They may give you a good place to start before engaging a cybersecurity professional.
AC.2.005
Provide privacy and security notices consistent with applicable CUI rules.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and
[b] privacy and security notices are displayed.
AC.2.006
Limit use of portable storage devices on external systems.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] the use of portable storage devices containing CUI on external systems is identified and documented;
[b] limits on the use of portable storage devices containing CUI on external systems are defined; and
[c] the use of portable storage devices containing CUI on external systems is limited as defined.
AC.2.016
Control the flow of CUI in accordance with approved authorizations.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if: [a] information flow control policies are defined;
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
[d] authorizations for controlling the flow of CUI are defined; and
[e] approved authorizations for controlling the flow of CUI are enforced.
AC.3.014
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
AC.3.020
Control connection of mobile devices.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] mobile devices that process, store, or transmit CUI are identified;
[b] mobile device connections are authorized; and
[c] mobile device connections are monitored and logged.
AC.3.022
Encrypt CUI on mobile devices and mobile computing platforms.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
[b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
AM.3.036
Define procedures for the handling of CUI data.
ASSESSMENT OBJECTIVES [CMMC]
Determine if: [a] the organization establishes and maintains one or more processes or procedures for handling CUI data.
AT.2.056
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if: [a] security risks associated with organizational activities involving CUI are identified;
[b] policies, standards, and procedures related to the security of the system are identified;
[c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
[d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
MA.3.115
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
MA.3.116
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
MP.2.119
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] paper media containing CUI is physically controlled;
[b] digital media containing CUI is physically controlled;
[c] paper media containing CUI is securely stored; and
[d] digital media containing CUI is securely stored.
MP.2.120
Limit access to CUI on system media to authorized users.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] access to CUI on system media is limited to authorized users.
MP.3.122
Mark media with necessary CUI markings and distribution limitations.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] media containing CUI is marked with applicable CUI markings; and
[b] media containing CUI is marked with distribution limitations.
MP.3.124
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] access to media containing CUI is controlled; and
[b] accountability for media containing CUI is maintained during transport outside of controlled areas.
MP.3.125
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
PS.2.127
Screen individuals prior to authorizing access to organizational systems containing CUI.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] individuals are screened prior to authorizing access to organizational systems containing CUI.
PS.2.128
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if: [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;
[b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and
[c] the system is protected during and after personnel transfer actions.
PE.3.136
Enforce safeguarding measures for CUI at alternate work sites.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] safeguarding measures for CUI are defined for alternate work sites; and
[b] safeguarding measures for CUI are enforced for alternate work sites.
RE.2.138
Protect the confidentiality of backup CUI at storage locations.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] the confidentiality of backup CUI is protected at storage locations.
RM.2.141
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined; and
[b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
SC.3.177
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
SC.3.185
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified;
[b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and
[c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
SC.3.191
Protect the confidentiality of CUI at rest.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
[a] the confidentiality of CUI at rest is protected.
SC.3.193
Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).
ASSESSMENT OBJECTIVES [CMMC]
Determine if: [a] the organization has a security policy which restricts publishing CUI to any externally owned, publicly accessible information system;
[b] the organization designates individuals authorized to post organization information onto any externally owned, publicly accessible information systems;
[c] the organization trains authorized individuals to ensure that publicly accessible organization information does not contain CUI;
[d] the organization conducts reviews to ensure CUI is not included in proposed content to be posted by the organization on a publicly accessible information system under its control; and
[e] the organization removes CUI, if discovered, from any publicly accessible information system under its control.
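To make the scoping step from the introduction concrete (data flow from the DoD or a prime, asset inventory, third parties in or out of scope), here is an added example in Python that is not part of the original post: it follows a constructed CUI data flow to find the in-scope assets and maps each one to the CUI-specific practices above by asset property. The asset names, the flows and the property-to-practice mapping are my own assumptions, not CMMC scoping guidance.

```python
"""CUI scoping helper (added example, not from the original post).
Follows documented CUI flows from the DoD/prime through your assets and third
parties, reports what is in and out of scope, and maps each in-scope asset to
the CUI-specific practices listed above. All inventory data is constructed."""
from collections import deque
# Practices above keyed by the asset property that triggers them. Org-wide ones
# (AM.3.036, AT.2.056, RM.2.141, SC.3.193, PS.2.127/128) apply regardless.
TRIGGERS = {
    "mobile":   ["AC.3.020", "AC.3.022"],             # phones, laptops
    "portable": ["AC.2.006", "MP.3.124", "MP.3.125"],  # removable drives
    "media":    ["MP.2.119", "MP.2.120", "MP.3.122"],  # paper or digital media
    "backup":   ["RE.2.138"],
    "storage":  ["SC.3.191", "SC.3.177"],             # holds CUI at rest
    "external": ["AC.2.016", "SC.3.185"],             # SaaS, subcontractors
    "remote":   ["AC.3.014"],                         # remote-access endpoints
}
# Constructed inventory: asset -> properties (CUI sources are not our assets).
ASSETS = {
    "file-server":     ["storage"],
    "laptop-eng":      ["mobile", "remote", "storage"],
    "usb-drive":       ["portable", "media"],
    "cloud-backup":    ["external", "backup", "storage"],
    "subcontractor-A": ["external"],
    "marketing-saas":  ["external"],  # never receives CUI
}
# Constructed data-flow diagram: source -> destinations that receive CUI.
FLOWS = {
    "DoD": ["prime"],
    "prime": ["file-server"],
    "file-server": ["laptop-eng", "cloud-backup", "subcontractor-A"],
    "laptop-eng": ["usb-drive"],
}
CUI_SOURCES = ["DoD"]

def in_scope_assets(flows, cui_sources):
    """Every node reachable from a CUI source along the documented flows."""
    seen, todo = set(cui_sources), deque(cui_sources)
    while todo:
        for dst in flows.get(todo.popleft(), ()):
            if dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen

def scope_report(assets, flows, cui_sources):
    """Return ({in-scope asset: sorted practice IDs}, [out-of-scope assets])."""
    scope = in_scope_assets(flows, cui_sources)
    in_scope = {name: sorted({p for k in kinds for p in TRIGGERS[k]})
                for name, kinds in assets.items() if name in scope}
    return in_scope, sorted(a for a in assets if a not in scope)
```

An asset that CUI never reaches (here the marketing SaaS) drops out of the assessment boundary, while an asset that receives CUI only through another node (the USB drive via the laptop) is pulled in along with every practice its properties trigger.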
"Data" Flickr photo by thirteenthbat, shared under a Creative Commons (BY) license.