CMMC 1.0 Practice AM.3.036 Requirement:

Define procedures for the handling of “Controlled Unclassified Information” (CUI) data.

CMMC 1.0 AM.3.036 Requirement Explanation:

The goal of the CMMC program is to protect “Federal Contract Information” (FCI) and “Controlled Unclassified Information” (CUI). Defining procedures for handling CUI lets your employees protect it while they are handling it.

Example CMMC 1.0 AM.3.036 Implementation:

You need to label “Controlled Unclassified Information” (CUI) in accordance with the CUI handbook from the National Archives. Only store CUI in authorized locations. This includes storing paperwork containing CUI in designated locked containers (file cabinets) and storing digital files containing CUI on authorized systems. Only allow authorized individuals to access CUI. When destroying digital media containing CUI, do so using the DoD 5220.22-M data wipe method or by physically destroying it. When destroying paperwork that contains CUI, destroy it so that it is unrecoverable.

To accomplish the above, you need to document procedures for handling CUI. This includes documenting who is responsible for labeling CUI, the authorized storage locations for CUI, a list of persons authorized to access CUI, the requirements for protecting CUI, and the requirements for destroying CUI.

You should train employees who handle CUI so that they follow your defined procedures for handling it.

CMMC 1.0 AM.3.036 Scenario(s):

- Scenario 1:

As part of your DoD contract, your employees have to create blueprints for a DoD facility. Because they are created in support of your DoD contract, you classify them as “Controlled Unclassified Information” (CUI). In accordance with your defined procedures for handling CUI, you label the blueprints to indicate that they are CUI. You store them in your company's lockable file cabinet that is designated to store CUI. Only authorized persons have keys to the file cabinet.
 
