Before we identify CMMC, we must understand Controlled Unclassified Information (CUI).
CUI is an important factor in achieving CMMC, because protecting CUI is a key component of cybersecurity.
The CMMC model is a framework that helps organizations assess and improve their cybersecurity posture. It’s designed to help organizations achieve a baseline level of cybersecurity maturity that aligns with their risk management goals and objectives.
One of the key security controls in CMMC is the protection of CUI. Organizations that handle CUI must ensure that they are safeguarding this information in accordance with applicable laws, regulations, and guidance. This includes identifying and marking CUI appropriately, as well as implementing the appropriate security controls to protect it.
Understanding CUI (Classified Uncontrolled Information)
CUI is a category of sensitive but unclassified information that is regulated by the US government. To ensure that CUI is appropriately safeguarded, specific markings and controls are used to identify it. They are:
1. Banner & Footer Markings
These markings may include a statement indicating that the document contains CUI and should be handled accordingly. For example, a banner marking might read “Controlled Unclassified Information – Do Not Release Without Authorization.” Footer markings may include the specific CUI category and subcategory.
Pro-tip: There is no requirement to add the “U,” signifying unclassified, to the banner and footer as was required with the old FOUO marking (i.e., U//FOUO).
CUI markings in classified documents will appear in paragraphs or subparagraphs known to contain only CUI and must be portion marked with “(CUI).” “CUI” will not appear in the banner or footer.
Last tip – there will be an acknowledgement added to the warning box on the first page of multi-page documents to alert readers to the presence of CUI in a classified DoD document.
2. Category & Sub-Category Markings
These are used to identify the type of information and the level of protection it requires. Categories may include areas such as “Legal,” “Financial,” or “Defense.” Subcategories provide further specificity within each category. For example, within the “Defense” category, subcategories may include “Weapons Systems Design” or “Military Operations.”
3. CUI Basic vs. CUI Specified
CUI Basic refers to information that is not specifically listed in the CUI Registry but still requires safeguarding. CUI Specified refers to information that is specifically listed in the CUI Registry and has a designated category and subcategory. CUI Specified will also be marked with (SP-) on the document.
4. Limited Dessimination Controls
Limited dissemination controls are used to restrict the distribution of CUI to authorized individuals only. This may include controls such as password protection, access controls, or encryption.
5. Portion Markings
Portion markings are used to identify specific sections of a document that contain CUI. This allows individuals to quickly identify which portions of the document are sensitive and require protection. Portion markings may include labels such as “CUI,” “FOUO” (For Official Use Only), or “Limited Distribution.”
Quick side note: if Portion Markings used in one part of the document, they must be used throughout the entire document.