Webinar
CMMC scoping: How to ensure your scope is ready for assessment
Understanding your scope begins with identifying and managing Controlled Unclassified Information (CUI)
When preparing for your Cybersecurity Maturity Model Certification (CMMC) assessment, it’s crucial to start by clearly defining key terms: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
FCI refers to information that is not public but is provided by or generated for the government under a contract, particularly with the Department of Defense (DoD) in the context of CMMC. Essentially, FCI encompasses any non-public information you handle as part of your contract with the government.
CUI is a subset of FCI. Like FCI, it is non-public and government-owned, but CUI is additionally designated as sensitive though unclassified. What distinguishes CUI is that it requires specific safeguarding and dissemination controls based on various laws, regulations, and government policies. In summary, CUI is subject to special rules to ensure its protection and restrict access appropriately.
Who makes the rules about CUI?
It’s important to note that Controlled Unclassified Information (CUI) is not exclusive to the Department of Defense (DoD) or the Cybersecurity Maturity Model Certification (CMMC). CUI was officially defined by Executive Order 13556 during the Obama administration. This order established the National Archives and Records Administration (NARA) as the executive agent responsible for setting the standards, rules, and policies for protecting CUI and for implementing the entire process.
Under this framework, CUI requirements apply not only to government agencies but also to federal contractors. However, it’s crucial to understand that this process establishes only the baseline requirements. While the DoD can impose additional requirements, it cannot reduce or deviate from the established minimum standards. In practice, this means a series of policies and guidelines are in place to ensure compliance:
- Executive Order 13556
- 32 Code of Federal Regulations (CFR) Part 2002 (Implementing Directive)
- CUI Marking Handbook
- CUI Notices
- CUI Notice 2020-01 (Implementation Deadlines)
- CUI Notice 2020-02 (Alternate Marking Methods)
- National Institute of Standards and Technology (NIST) Publications
- Office of Management and Budget (OMB) Circular No. A-11
- CUI Advisory Council
When pursuing CMMC, it’s important to recognize that it is a Department of Defense (DoD) requirement that builds upon the Controlled Unclassified Information (CUI) protection standards applicable to all government agencies.