CMMC Practice Requirement:

Define procedures for the handling of “Controlled Unclassified Information” (CUI) data.

CMMC Requirement Explanation:

The goal of the CMMC program is to protect “Federal Contract Information” (FCI) and “Controlled Unclassified Information” (CUI). Defining procedures for handling CUI lets your employees protect it while they are handling it.

Example CMMC Implementation:

You need to label CUI in accordance with the CUI handbook from the National Archives. Only store CUI in authorized locations. This includes storing paperwork containing CUI in designated locked containers (file cabinets) and storing digital files containing CUI on authorized systems. Only allow authorized individuals to access CUI. When destroying digital media containing CUI, do so using the DoD 5220.22-M data wipe method or by physically destroying it. When destroying paperwork that contains CUI, destroy it so that it is unrecoverable.

To accomplish the above, you need to document procedures for handling CUI. This includes documenting who is responsible for labeling CUI, the authorized storage locations for CUI, a list of persons authorized to access CUI, the requirements for protecting CUI, and the requirements for destroying CUI. You should train employees who handle CUI so that they follow your defined procedures.

Scenario(s):

- Scenario 1:

As part of your DoD contract, your employees have to create blueprints for a DoD facility. Because the blueprints are created in support of your DoD contract, you classify them as CUI. In accordance with your defined procedures for handling CUI, you label the blueprints to indicate that they are CUI. You store them in your company's lockable file cabinet that is designated to store CUI. Only authorized persons have keys to the file cabinet.
 
