CMMC

What is CMMC and Do I Need It?

With CMMC deadlines creeping closer by the day, many businesses are still unsure where to start, or are attempting to read through newly published guidelines and documentation and only deepening their confusion. Our goal is to help even the most lost and overwhelmed professional understand the new CMMC regulations. We have put together this document, along with others, to walk through the entire process from start to finish.

Defining the Cybersecurity Maturity Model Certification: A Compliance Framework for DoD Contractors

In the security and compliance industry, CMMC stands for Cybersecurity Maturity Model Certification. CMMC is a compliance framework that ensures your cybersecurity and physical security practices are at a certain “maturity” level. This is not dissimilar from other compliance frameworks that may be more familiar, such as HIPAA, PCI DSS, or FTC Safeguards. Each of these frameworks is established to protect a certain type of information. For example, HIPAA’s goal is to protect both electronic and physical Personal Health Information (PHI). In the case of CMMC, the goal is to protect all DoD Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared outside the DoD’s internal systems.

Like most compliance frameworks in use today, CMMC requirements only apply to companies that handle specified types of data. To determine whether you need CMMC, you first need to be able to identify FCI and CUI.

Identifying FCI and CUI and How to Tell the Difference

Before defining FCI and CUI, it is critical to note that CUI is always FCI, but FCI is not necessarily CUI. According to 48 CFR 52.204-21, FCI is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including… simple transaction information…” The following is a simple test you can use to determine whether something is FCI. First, ask whether you currently have, or plan to have, any contracts with the government. If you do, then any information created by or for the government in the context of that contract is considered FCI unless it meets either of the following criteria:

  • Publicly available information, or information that has been cleared for public release.
  • Simple transactional information (invoices, quotes, etc.)

With FCI defined, we can now review the definition of CUI. As mentioned previously, not all FCI is CUI, but all CUI is FCI. So, by definition, we already know that CUI is information created for or by the government during a contract that is not meant for public release and is more than simple transactional information. While there are multiple federal documents that define CUI, the one most relevant to CMMC is provided in 32 CFR 2002.4(h), which states, “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information…”

The definition of CUI becomes complex quickly, so we will break it into smaller segments. The most important part of this definition is the clause “that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Simplified, this means FCI becomes CUI when a specific rule is in place stating that the information must be controlled. Typically, these rules are found in the NARA CUI Registry or the DoD CUI Registry. These registries may also specify additional safeguards required for special types of CUI, known as CUI Specified. CUI Basic is any CUI that does not require extra controls beyond those defined in the CMMC program, whereas CUI Specified adds extra safeguards on top of them.

In addition to the FCI identification process outlined above, it is also important to ensure that any identified FCI is not actually CUI. To do this, we recommend cross-referencing any FCI against the NARA or DoD CUI registries to see whether it falls into any of the CUI categories. There is a great deal of information in these registries, but for the purpose of CMMC compliance you can focus on the Defense category in both. If you are still struggling to determine whether information you hold is CUI, you can always contact your contracting officer, who can provide further insight into whether you are or will be handling CUI during the course of a contract.

What CMMC Level Is Required for My Business?

Now that we have defined both FCI and CUI, it is vital to understand the different requirements a company is responsible for, depending on what kind of information it handles.

If you have established that you are handling FCI, then you must ensure that any people, technology, facilities, and External Service Providers (ESPs) that process, store, or transmit FCI are fully compliant with CMMC Level 1 according to the CMMC Level 1 Scoping Guide published by the Department of Defense Chief Information Officer (DoD CIO). To learn more about starting CMMC Level 1 implementation, see our article on what questions to ask when implementing CMMC Level 1.

If you have established that you are handling CUI, then you must ensure that any people, technology, facilities, and ESPs that process, store, or transmit CUI are defined as CUI Assets and are fully compliant with at least CMMC Level 2. However, CMMC Level 2 also brings several other asset types into scope, such as those that protect the CUI Assets (Security Protection Assets), those on the same logical or physical network as the CUI Assets (Contractor Risk Managed Assets), and Specialized Assets. The details of these asset types are beyond the scope of this article, but you can find more in-depth information on each of them in our article on understanding the CMMC Level 2 asset categories.

Finally, certain types of CUI require enhanced security protections, which are implemented by CMMC Level 3. The best way to determine whether you must meet these requirements is to communicate with your contracting officer, as according to 32 CFR 170.5(a), a DoD Program Manager will designate whether the CUI in a contract requires enhanced security protections based on whether it supports their “most critical programs and technologies.”

Next Steps: Scoping and Engaging an RPO

Once you have established that you need a certain level of CMMC compliance, it is time to start scoping, implementing, and assessing your environment against the specific CMMC controls that must be implemented before you can be awarded a federal contract involving FCI and/or CUI. This can be a long and intimidating process, but Registered Provider Organizations (RPOs) such as Stratus Services are available to help with your CMMC needs at whatever level you require. For guidance on choosing a strong CMMC RPO, check out our guide. Feel free to send us a message at any point in the process, and we wish you the best on all your CMMC endeavors!