Last Updated on January 14, 2024
Does your organization need to comply with the new Cybersecurity Maturity Model Certification (CMMC) so you can participate in future US Department of Defense (DoD) contracts? CMMC is an audit-based program that is significantly more rigorous than today’s self-attestation approach based on NIST 800-171.
CMMC was created specifically to ensure that DoD suppliers can protect controlled unclassified information (CUI) related to their contracts.
If you want to do business with the DoD, you need to know where CUI resides in your systems and prove to an independent auditor that you can protect it.
To find out more about CUI and “all things CMMC” from an audit viewpoint, we invited Thomas Price to join The Virtual CISO Podcast. Thomas is a Client Manager/IT and Information Security Auditor/Quality Management Professional with BSI, a leading global audit and compliance firm.
Hosting the episode is John Verry, Pivot Point Security’s CISO and Managing Partner. Their “implementer/auditor” dynamic makes the conversation between these two experts especially valuable to SMBs that need to plan for CMMC certification.
So what is CUI?
As Thomas explains, “It’s information that the government decides needs to be controlled and not disseminated. It can reside either in a federal system or in a contractor’s system. If you want information exactly as to the definition of CUI and how to identify and mark it, you need to look at DoD instruction 5200.48, “Controlled Unclassified Information (CUI).” This is important new guidance from the DoD as of March 6, 2020.
You need to worry about CUI regardless of the CMMC level your contract requires you to meet. “[CUI] starts at Level 1, well really Level 2 through Level 5,” Thomas points out. “Basically the government wants people to have some basic cybersecurity controls in 17 domains—everything from doing access controls to network controls to how you do risk assessments to verify what are the risks affecting the CUI that you may have in your custody.”
Another CMMC term that relates to CUI is federal contract information (FCI). “That is any information that is created and used in the administration and execution of a government contract,” states Thomas. “However, FCI is not subject to the same level of controls as CUI under the CMMC.”
“Also, some of your deliverables could later be classified as CUI so you need to be working closely with your contracting officer throughout the duration of your contract to make sure about any information you have that does become classified as CUI and becomes subject to the controls in NIST 800-171 and CMMC,” Thomas emphasizes.
If your organization will need to achieve CMMC certification and/or is currently subject to NIST 800-171 compliance, you need to listen to this podcast episode featuring Thomas Price.
To hear the complete episode, along with all the other amazing episodes in The Virtual CISO Podcast series, click here.
For those who don’t use Apple Podcasts, all our episodes are available here.