Keeping CUI, or Controlled Unclassified Information, protected is the reason regulations such as CMMC and NIST 800-171 exist. But who is responsible for protecting CUI?
At the government level, the Department of Defense (DoD) is responsible for safeguarding its own national security information, classified and unclassified alike. Just as importantly for contractors, the DoD also sets the policies and contract requirements that government contractors must abide by to keep controlled unclassified information, including controlled technical information, safe.
In this article, we’ll go over some foundational knowledge before going deeper into who should be protecting controlled unclassified information and how to protect it.
What is controlled unclassified information?
Taking a step back, let’s establish what exactly controlled unclassified information is.
According to NIST, CUI is “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.”
Thankfully, we don’t have to interpret what that means for the CUI we might be handling. The National Archives maintains the government-wide CUI Registry, and the DoD publishes its own DoD CUI Registry, an extensive list that can be downloaded as a reference. In practice, below are some of the most common items that can be considered CUI:
CUI basic and CUI specified: what’s the difference?
Whether controlled unclassified information is CUI Basic or CUI Specified depends on the authority (the law, regulation, or government-wide policy) that makes the information CUI in the first place, and specifically on whether that authority spells out how the information must be handled.
Data labeled as CUI Basic comes from an authority that requires protection but does not prescribe specific handling, so the baseline safeguarding and dissemination controls of the CUI program (32 CFR Part 2002) apply. CUI Specified comes from an authority that itself prescribes specific safeguarding or dissemination requirements; those requirements must be documented, marked on the information, and implemented in addition to, or in place of, the baseline controls.
Does CUI have to be protected?
Yes. For DoD contractors the obligation is contractual: DFARS clause 252.204-7012 requires any contractor system that stores, processes, or transmits CUI to implement the security requirements of NIST SP 800-171, and CMMC adds assessment of how well those requirements are actually implemented. CUI usually contains sensitive information, so it must be protected to ensure federal agencies’ information is not compromised.
Why is it important to protect CUI?
The United States government is far from immune to cyberattacks, and neither are its contractors. Because CUI is unclassified, it is protected by fewer controls than classified data and routinely lives on contractor networks outside government facilities, which makes it an attractive target. Attackers can aggregate CUI, such as technical drawings and program details that are individually unclassified, to learn about capabilities that are collectively sensitive, and can use a compromised contractor as a stepping stone toward more sensitive, classified information, which creates a real risk to national security.
What are the consequences of not protecting CUI?
Failure to comply with NIST SP 800-171 and CMMC requirements, or even misrepresenting your organization’s compliance status, can result in large fines, loss of a government contract, or litigation against your organization.
In October 2021, the Department of Justice launched its Civil Cyber-Fraud Initiative, which uses the False Claims Act to pursue contractors that knowingly fall short of required cybersecurity standards or misrepresent their compliance with them, including their protection of CUI.
How can I protect my CUI documents?
To protect your organization’s CUI, you must put a System Security Plan (SSP) in place. An SSP describes the boundary of the system that handles CUI, the environment it operates in, and how each NIST SP 800-171 security requirement is implemented through policies, procedures, technical controls, and physical security measures. Requirements that are not yet fully met are tracked, with owners and due dates, in a Plan of Action and Milestones (POA&M).
Of course, putting a plan in place is not sufficient; your company will need to carry out, monitor, and enforce these security plans. Providing training to employees about how to handle CUI correctly goes a long way in protecting controlled unclassified information.
So, who is responsible for protecting CUI?
Ultimately, you are responsible for protecting CUI. Federally mandated programs can provide the tools, guidelines and resources for your organization to follow. However, when CUI is in your or your company’s hands, it becomes your responsibility and liability.
SSE Can Help
It’s wise to conduct a third-party Gap Assessment to determine if you’re compliant or to identify any gaps in your security procedures.
SSE is a Registered Provider Organization (RPO) with the Cyber AB (formerly the CMMC Accreditation Body) and is a DoD contractor itself. We’ll guide you through the compliance process or advise you on your current security measures.
Schedule a complimentary CMMC Readiness Assessment today to get started!