CMMC and Managing CUI
29 September 2020


CMMC and Managing CUI in the DIB (Defense Industrial Base)

There is an old saying. How do you eat an elephant?

Answer – In small bites.

The Defense Industrial Base Sector is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.

It is well established that nation-states engaged in espionage target the DIB; it is a rich hunting ground. Supply chain attacks, which exploit security weaknesses in third-party suppliers and service providers, let threat actors assemble a picture of the ultimate target, the U.S. Government, one piece at a time. (Remember how you eat an elephant: in small bites.)

The Dilemma

The DIB is investing heavily in digital technologies to accelerate innovation, improve existing processes, and increase efficiency. COVID-19 has pushed many workers to access information remotely, and cloud-first strategies mean that highly sensitive and confidential data is stored for longer periods and shared both internally and externally.

Until now, DIB contractors attested to their own compliance by self-assessing against the required controls. With the introduction of CMMC, that self-attestation is replaced by assessment: companies will have to demonstrate to an assessor that they have built a proactive, organization-wide approach to managing risk, much of it focused on CUI.

The new regulation raises the stakes for the DIB, which provides R&D, manufacturing, mission assurance, engineering, logistics, testing, and integration services for the DoD. Defense manufacturing often involves a complex global supply chain of tier-1, tier-2, and tier-3 contractors. That complexity introduces cybersecurity risk: every additional organization that handles confidential information places it in an environment with more opportunity for compromise and exploitation.

Some of the most common questions we see asked are:

1. What is CUI Data?

In general, CUI is information that is marked or identified in a government contract, or provided to the contractor by the DoD in connection with a contract; it can also be content that the contractor creates during performance of the contract. In either case, it is information the DoD has marked or identified as requiring safeguarding or specific dissemination controls.

2. Do I have CUI data in my network?

In almost every case, the answer is yes. Controlled Unclassified Information is information that a law, regulation, or government-wide policy requires to be safeguarded or subject to dissemination controls, but which is not classified. It covers sensitive items relating to privacy, security, proprietary business interests, and law enforcement investigations, among other categories. Working with it does not require a security clearance, and it cannot be withheld from a court that lawfully requests it, but it is the kind of information that could cause damage if leaked. A practical check: if any of your DoD contracts carry DFARS clause 252.204-7012, you are already handling covered defense information, and it will be sitting on your network, in email, and in file shares.

It is not hard to imagine how someone with malicious intent could exploit this information. It is equally clear that many people have legitimate reasons to access it, and that excessive safeguards would hamper the organizations that rely on it. The CUI category exists to allow safe use of this information without unduly hampering business processes.

3. How do I protect CUI data?

Defense contractors must be prepared to manage cybersecurity risk across their supply chain, because that risk is a national security risk. The baseline for protecting CUI is NIST SP 800-171, which DFARS 252.204-7012 already requires; CMMC builds on those controls and adds independent assessment. DoD prime contractors and suppliers should become familiar with CMMC, identify where CUI actually lives and flows in their environment, and map the gaps between that reality and the required controls. Technologies such as machine-learning-based data classification and advanced analytics can help by giving visibility into where high-risk data sits and prioritizing its protection.

4. Why am I required to protect CUI data as a defense contractor?

If you are part of the Defense Industrial Base (DIB), you are a cog in a global supply and logistics chain with access to sensitive, and sometimes classified, technologies and information. As attackers keep looking for new entry points, your business becomes an increasingly attractive target for espionage, theft, and sabotage, including attempts to introduce counterfeit or faulty components into the supply chain.

The Solution

Navigate CUI complexity with confidence with Getvisibility

Getvisibility provides preconfigured policies that make it easy to apply CUI markings accurately:

  • Gain visibility of all the data in your business
  • Automatically access the full list of 240 CUI categories
  • Manually tailor banner and portion markings
  • Follow the CUI formatting guidelines
  • Keep data secure
  • Speak to one of our experts