What is Controlled Unclassified Information (CUI)?
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at:
https://www.archives.gov/cui and includes the following organizational index groupings:
- Critical Infrastructure
- Defense
- Export Control
- Financial
- Immigration
- Intelligence
- International Agreements
- Law Enforcement
- Legal
- Natural and Cultural Resources
- NATO
- Nuclear
- Privacy
- Procurement and Acquisition
- Proprietary Business Information
- Provisional
- Statistical
- Tax
What is the difference between CUI and FOUO?
CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding. FOUO, which stands for 'For Official Use Only', is a document designation used by the DoD.
What are the concerns regarding cybersecurity in the Defense Industrial Base (DIB)?
The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks.The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 Billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA” in February 2018]. The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 Billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 Billion. [Ref: “Economic Impact of Cybercrime - No Slowing Down” in February 2018].
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
Why is the CMMC being created?
DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
When will CMMC Model v1.0 be released to the public?
The DoD released CMMC Model version 1.0 to the public on January 31, 2020.
Will other Federal (non DoD) contracts use CMMC?
The initial implementation of the CMMC will only be within the DoD.
What is the relationship between NIST SP 800-171 rev.1 and CMMC?
CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.
How will CMMC be different from NIST SP 800-171?
Unlike NIST SP 800-171, the CMMC model possesses five levels. Each level consists of practices and processes as well as those specified in lower levels.
In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.
How will my organization become certified?
The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website (
www.cmmcab.org). The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.
How much will CMMC certification cost?
The CMMC assessment costs will depend upon several factors to include the CMMC level, the complexity of the DIB company’s network, and other market forces.
Will there be a self-certification?
No. DIB companies are encouraged to complete a self-assessment prior to scheduling a CMMC assessment.
Who will perform the CMMC assessments?
Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.
Are the results of my assessment public? Does the DoD see my results?
No, the results of a CMMC assessment will not be made public. The only information that will be publically available is that your company has a CMMC certification. The specific certification level will NOT be made public. The DoD, however, will have access to all DIB companies’ certification levels.
How often does my organization need to be reassessed?
In general, a CMMC certificate will be valid for 3 years.
If my organization has a CMMC certification and my unclassified network is compromised, do I lose my certification?
A cybersecurity incident will not automatically cause a DIB company to lose its CMMC certification. Depending upon the circumstances of the incident, the DoD program manager may direct a re-assessment.
What if my organization cannot afford to be certified? Does that mean my organization can no longer work on DoD contracts?
The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.
My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?
If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
I am a subcontractor on a DoD contract. Does my organization need to be certified?
Yes, so long as your company does not solely produce COTS products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowed down from your prime contractor.
How will I know what CMMC level is required for a contract?
The DoD will specify the required CMMC level in Requests For Information (RFIs) and Requests for Proposals (RFPs).
Will CMMC certifications and the associated third party assessments apply to a classified systems and / or classified environments
within the Defense Industrial Base?
CMMC applies to only a DIB contractor’s unclassified networks that handle, process, and/or store FCI or CUI.
How does my company become a CMMC third-party assessor organization (C3PAO)?
The CMMC AB will provide information and set requirements for prospective C3PAOs and individual assessors. Prospective C3PAOs and assessors should reference the CMMC AB website (
www.cmmcab.org).
