By Greg Kent
“Follow the CUI.” That is the standard practice that DoD contractors follow to determine exactly what system components and networks are within the scope boundary for Level 3 Cybersecurity Maturity Model Certification (CMMC) compliance. Any system, network, or component that is used to store, process, transmit, or secure CUI should be included within the CMMC system boundary. But what exactly is CUI? Unfortunately, many contractors don’t really know. Other contractors think they know what CUI is, but often they are mistaken. That mistake that can result in improper scoping of the system boundary for CMMC and could even affect the CMMC level that an organization should pursue.
Organizations often assume that CUI is a general abstract concept that means something like “critical data.” That is incorrect and can lead to a poorly defined system. Far from being conceptual and ambiguous, the meaning of CUI is actually quite concrete and specific. Government regulations (see 32 CFR 2002) define CUI as follows:
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified … or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
The official definition of CUI contains 2 main elements. The first element of the definition indicates CUI is information that is specifically called out by Federal law, regulation, or Government-wide policy as requiring safeguarding or dissemination controls. It is Federal law, regulation, or policy that requires that CUI be controlled. Therefore, information is considered CUI only if a law, regulation, or Federal policy specifically identifies controls for that information. Fortunately, the Federal Government doesn’t expect government contractors to peruse federal laws, regulations, and policies to determine what types of information qualify as CUI. Instead, the Government tasked the National Archives and Records Administrations (NARA) to analyze those laws, regulations, and policies and extract all of the required types of information that comprise CUI. Based on its analysis, NARA created the official CUI Registry to define the categories of information that qualify as CUI. The information categories in the CUI Registry essentially define what CUI is. If information pertaining to a contract corresponds to a category in the CUI Registry, then it is CUI (if it meets the second part of the definition). All other information is not CUI.
The CUI Registry is organized into 20 main groupings and 125 categories. To identify what is CUI, contractors need to review each of the 125 subcategories listed in the CUI registry and determine what information pertaining to their Federal contracts corresponds to the CUI categories. Information that matches a description of a subcategory in the CUI registry meets the first criteria for being considered CUI.
The second element of the definition of CUI clarifies that CUI includes only information that is directly related to the execution of a contract with a Federal Agency. Any information that the Federal Agency provides to the contractor could be CUI (e.g., if it pertains to a CUI Registry subcategory). However, information that the contractor creates or compiles might also be considered CUI. If a contractor creates or compiles that information “on behalf of” the Government, then it might be CUI. Federal regulations consider information to be created or compiled “on behalf of” an Agency whenever the information created/collected is central to the service that the contractor was engaged to provide to the Agency. For example, design drawings produced by an engineering firm are central to the service contracted by the Government, and therefore are viewed as being produced “on behalf of” the Government. However, information that is incidental to the core service of the contract is not considered to be “on behalf of” the Government. Such information, therefore, cannot be CUI.
In addition, information that is not related the delivery of a Government contract is not considered CUI even if it matches a CUI category. For example, CUI Registry indicates that “Personnel Records” are considered to be CUI. This does not mean that a contractor’s internal HR systems are considered CUI. The second sentence of the official definition above expressly excludes the contractor’s internal systems. “Personnel records” are CUI only if they are core to the execution of a Government contract. If, for example, the Government engages a human resources firm to review promotions and salaries with respect to job performance to identify signs of discrimination at an Agency, then the “personnel records” provided by the Government for the execution of the contract would be considered CUI.
In order to properly scope the CMMC system boundary, contractors must adopt the definition of CUI when considering the information associated with Government contracts and tracing data flows through their system. Organizations should frequently consult the CUI Registry and become very familiar with the categories of CUI. This will enable them to accurately and confidently assess whether information qualifies as CUI or not, which is a critical early step in designing a CMMC-compliant environment that adequately protects the information that the Government has determined warrants heightened protection.
SecureIT is a trusted security, audit and compliance firm with certified professionals that provide practical, efficient solutions. If you’re planning your CMMC compliance effort and want an advisor to help ensure your success, please contact us. We’d love to talk and show you how we can help.