All Department of Defense (DoD) contractors that process, store or transmit controlled unclassified information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards or risk losing their DoD contracts
– and documenting CUI data flows is an important requirement.
To get started, organizations must identify and tag/mark their CUI data, deploy software to manage the workflow off those tags, map the flows in a network diagram and ensure employees
are properly trained on all aspects of CUI handling and security. Documenting everything as it changes over time is the most difficult part. This piece provides a step-by-step process for creating NIST-compliant CUI data flows.
READ: What is the NIST Privacy Framework?
What is the CUI Program?
The DoD’s CUI program standardizes the way all U.S. government agencies and military entities handle unclassified information that requires safeguarding. It clarifies and limits the kinds of information to protect, defines what is meant by "safeguard,"
reinforces existing legislation and regulations, and promotes authorized information-sharing. Since DFARS’ implementation on Dec. 31, 2017, all DoD contractors that process, store or transmit CUI must meet the DFARS minimum security standards
or risk losing their DoD contracts.
While it is critical to set standardized controls for the way information is handled, the process of implementing CUI markings across agency data is complex, time-consuming, and sometimes unclear. Yet all agencies are required to use CUI markings on all
data that is not classified.
Fortunately, a lot of these requirements will be fleshed out within the Cybersecurity Maturity Model Certification (CMMC) as it matures. (The CMMC is a DoD certification and compliance process designed to certify that contractors have the requisite controls
in place to protect sensitive data.)
How to Automate CUI Workflows
To effectively automate CUI workflows, organizations must start with two steps:
- Tag or mark CUI. Some types of information are simple to identify as CUI. For example, CUI that is “export control” information includes any information that is subject to export control through regulations such as the International Traffic
in Arms Regulation (ITAR) and the Export Administration Regulation (EAR). (ITAR covers items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect U.S. national security. EAR generally
covers “dual-use” items, which have both civil and military applications.) “Marked information” is also CUI. It includes any non-classified information marked with legacy or agency-specific designations, such as unclassified (U), for official use only (U//FOUO), official use only (OUO) and sensitive but unclassified
(SBU). In addition, some projects with no specifically marked information could include CUI. (A complete list of CUI categories can be found here.)
- Deploy software to identify and manage the workflow based off those tags. There is no silver bullet software but consider selecting a package that gives you the biggest bang for its buck or largest area of coverage. It should be able to mark the data
and track workflow in key areas, such as human resources (HR), facilities, IT, etc.
Documented Data Flows (DFD)
Assessors look for documented data flows (DFD) more than anything else. A DFD is a method to identify the flow of regulated data (FCI/CUI). It does not have to be fancy, but it needs to accurately reflect two considerations:
- What is being shared.
- Who the information is being shared with.
With the CMMC, everything starts from a data flow perspective:
- If you are a prime contractor, you must document your data flows with the DoD.
- If you are a subcontractor, you document your data flows with a prime contractor.
How to Create Data Flows
To follow best practices to create data flows, you should consider:
- Determining your assets. Asset inventories are reasonable expectations in numerous laws, regulations, and industry practices. CMMC is no different in expecting accurate IT asset inventories. Establish and maintain baseline configurations and inventories
of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- Defining boundaries and establish a simple network diagram. A network diagram needs to accurately reflect:
- System boundaries, e.g., logical, and physical segmentation.
- Key hardware components, e.g., firewalls, servers, databases, directory services, proxies, etc.
- Third-party service providers (TSPs), e.g., managed service providers (MSPs), bookkeepers, consultants, etc.
- Cloud service providers (CSPs), e.g., Amazon Web Services (AWS), Microsoft Azure, Office 365, etc.
- Subcontractors.
CUI Best Practices for Organizations
Ensure employees are properly trained as the “people factor” can be the weakest link in many organizations. Organizations Seeking Certification (OSCs) should consider training personnel on CUI best practices, which include, but are not limited
to:
- Identification
- Handling
- Sharing restrictions
- Storage requirements
- Transmission requirements
- Process for marking materials
- Requirements for disposal/destruction
General security best practices, including:
- Keeping network equipment secure
- Protecting credentials
- Data storage
- Emailing regulated data (CUI)
- Workstation security while present and when away from the desk
- Terms of use/acceptable use
- External media device handling
- Destruction of digital and non-digital media
- Awareness of malicious code commonly released in a phishing attack
Assign control ownership and document it. Most organizations create NIST-compliant CUI data flows and ensure access is approved based on policy by assigning control ownership and documenting procedures.
NIST-Compliant CUI Data Flows
After addressing the core documentation requirements, the time-consuming process begins of putting it into practice. To ensure NIST-compliant CUI data flows:
- Ensure you meet due diligence and due care requirements. Evidence of both due diligence and due care is needed to successfully pass a CMMC assessment. Documented policies and standards provide evidence of due diligence, whereas, documented and implemented
procedures provide evidence of due care. Documenting step-by-step procedures is the most time-consuming activity related to cybersecurity documentation.
- Create and update a Plan of Actions & Milestones (POA&M). Once you identify stakeholders and start getting into the details for how CMMC practices are implemented, deficiencies will likely be identified (e.g., with quality assurance reviews
on software). This is completely expected, but deficiencies must be tracked from identification through remediation via a risk register or POA&M document. This provides evidence of due diligence and due care specific to the identification
and remediation of CMMC-related deficiencies.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.