Defense contractors and suppliers have anxiously been awaiting news on the roll-out date for CMMC 2.0. The DoD previously indicated it would publish a final or interim final rule in 2023 to formally implement the CMMC program and contractor compliance with its requirements. There is some indication that it will now be issued as a proposed rule in May of 2023. While the final rule implementing CMMC could be delayed until 2024, an organization that has DoD contracts must be prepared to comply with its requirements, including controlled unclassified information (CUI) markings, well before it goes into effect.
Preparing for CMMC 2.0 Requirements
You don’t need to wait until CMMC 2.0 is ready to start preparing. There are several steps you can take to jumpstart your compliance and reduce the risk of noncompliance when CMMC requirements begin to appear in contracts:
- Understand the types of data you access, store, or transmit on your systems.
- Is it federal contract information (FCI) or controlled unclassified information (CUI)?
FCI and CUI include information created or collected by or for the Government, as well as any information received from the Government. FCI is any information that is ‘not intended for public release.’ CUI requires safeguarding and may also be subject to dissemination controls. - Can it be segmented with access controls or other methods?
- Is it federal contract information (FCI) or controlled unclassified information (CUI)?
- Create or refine policies and procedures to demonstrate compliance with NIST 800-171 controls; and
- Make sure your organization’s key stakeholders understand the importance of CMMC compliance and the resources needed to achieve it.
CUI Marking Requirements Are Not New
The DoD’s requirements for handling FCI and CUI are not new. Defense contractors are already required to safeguard this information by the inclusion of contract clauses such as FAR 52.204-21 (for FCI) or DFARS 252.204-7012 (for CUI). CMMC 2.0 makes no change to information marking requirements identified in the CUI program (32 CFR Part 2002 and DoDI 5200.48). The intent of CMMC 2.0 is to require assessment against the mandatory cybersecurity standards such as NIST SP 800-171, only when the safeguarding of CUI is required.
With the expanded enforcement related to the protection of CUI and several regulations governing its handling, understanding CUI requirements is of utmost importance to all US Government agencies, Defense contractors, and suppliers.
If you have CUI it needs to be marked accordingly to inform or alert recipients and/or users that CUI is present and of any limited dissemination controls. Automating this process can be a challenge in Microsoft applications.
Managing Controlled Classified Information (CUI) Markings in Microsoft 365, GCC & GCC High
Download the Guide to Controlled Classified Information (CUI) Markings to learn about:
- Mandatory CUI tagging and visual marking requirements for Defense and the supply chain.
- The challenges of labeling and restricting access to CUI in Microsoft applications.
- How to automate CUI identification and application of visual markings in M365, GCC and GCC High.
- Adding ABAC policies to control CUI access and what authorized users can do with files if access is granted (e.g., print, save, email).
