Safeguarding Controlled Unclassified Information (CUI) is critical to working with the Department of Defense (DoD). This involves understanding the ISOO CUI registry, adhering to DoD Instruction 5200.48, implementing the NIST SP 800-171 framework, and meeting CMMC requirements for DoD compliance. But what level of system and network configuration is required for CUI? This article delves into the importance of these aspects and provides a comprehensive guide to help organizations tackle this question.
The Role of the ISOO CUI Registry
The Information Security Oversight Office maintains a registry containing all document types considered as CUI. The ISOO CUI registry serves a significant role in providing uniform definitions and responsibilities for CUI across all government agencies and contractors that come into contact with it.
The registry is organized into several categories. Critical Infrastructure is one such category, including CUI types like chemical terrorism vulnerability information and SAFETY Act information.
Parallel to the ISOO registry is the DoD CUI registry, which is nearly identical but includes additional rules relevant to DoD personnel and contractors.
The Significance of DoD Instruction 5200.48
The DoD Instruction 5200.48 is the core of all DoD guidance on safeguarding CUI. It outlines the basic infrastructure of the CUI program, key government departments for reporting, and oversight purposes. It is a comprehensive guide to CUI protection’s purposes, functions, rules, and examples.
One of the rules highlights the need for organizations to accurately mark CUI with symbols or language, indicating the type of information, who can access it, and the governing entities. For instance, a document marked “FEDCON” can be disseminated to both federal employees and contractors, whereas “FED ONLY” files are exclusive to employees.
Organizations must ensure all staff dealing with CUI are familiar with these controls and undergo mandatory training, which should include understanding DODI 5200.48 thoroughly.
The Protection of CUI with NIST SP 800-171
Apart from DODI 5200.48, the National Institute for Standards and Technology (NIST) Special Publication 800-171 is a crucial document for CUI safeguarding. This document provides guidance on network security controls required to minimize threats and vulnerabilities affecting CUI.
NIST SP 800-171 prescribes 110 individual requirements across 14 families, including:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Adhering to NIST SP 800-171 is a requirement for nearly all DoD entities and contractors. This is per the Defense Federal Acquisition Regulation Supplement (DFARS).
CMMC and its Role in CUI Protection
DoD Instruction 5200.48 and NIST SP 800-171 are not the only governing frameworks for CUI protection. DFARS also mandates DoD contractors to achieve Cybersecurity Maturity Model Certification (CMMC). This certification ensures that contractors are adequately equipped to protect CUI and other sensitive data while working with the US military.
DoD contracts require contractors to achieve a particular CMMC Level:
- Level 1: Foundational: Organizations with minimal exposure to CUI need to implement 15 Practices based on NIST SP 800-171 and self-assess annually.
- Level 2: Advanced: Organizations with moderate exposure to CUI must implement all 110 Requirements from SP 800-171 and conduct third-party assessments every three years.
- Level 3: Expert: Organizations with extensive CUI exposure must also implement practices from NIST SP 800-172 and undergo government-led assessments every three years.
What Level of System and Network Configuration is Required for CUI?
CUI requires a moderate level of System and Network Configuration. This involves implementing the necessary security controls and conducting regular assessments as per the organization’s CMMC Level.
Streamlining DoD Compliance and CUI Protection
In recapitulating, protecting CUI as per the DoD’s guidelines entails understanding the DoD CUI registry, DODI 5200.48, NIST SP 800-171, and CMMC. While familiarizing your workforce with these complex systems can be a daunting task, partnering with a DoD compliance advisor can ease the process.
RSI Security has helped numerous organizations meet DoD compliance requirements, including mandatory CUI training. We prioritize your needs and work closely with your organization to ensure that all stakeholders understand their responsibilities.