Can you clearly define what makes up your CUI environment? 

   NIST 800-171 & CMMC Compliance Scoping Guide For Controlled Unclassified Information (CUI)

ComplianceForge is a leader in NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC) compliance and built this guide as a free resource to help educate those organizations that must comply. This document is intended to help companies define what is in scope to comply with NIST 800-171 and appropriately prepare for a CMMC audit. A significant step towards becoming NIST 800-171 compliant and being able to pass a CMMC audit is understanding the scope of the Controlled Unclassified Information (CUI) environment.


Given that there are similarities between scoping for NIST 800-171 / CMMC and the Payment Card Industry Data Security Standard (PCI DSS), ComplianceForge leveraged the outstanding concepts that PCI Resources published in their PCI DSS Scoping Model and Approach by applying the scoping methodology to NIST 800-171 and CMMC. When you look at NIST 800-171 compliance scoping, it has some similarities to PCI DSS:

  • PCI DSS is focused on protecting the Cardholder Data Environment (CDE), which is where payment card data is stored, processed and transmitted.

  • NIST 800-171 is focused on protecting the CUI environment, which is where sensitive data (in regard to US national security) is stored, processed or transmitted.

  • Both cardholder data and CUI are considered “infectious” from the perspective of scoping.


Without proper segmentation and clear business processes, CUI “infects” the entire network and greatly expands the scope of compliance and audits.


From the perspective of PCI DSS, if scoping is done poorly, a company's entire network may be in scope as the CDE, which means PCI DSS requirements would apply uniformly throughout the entire company. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable. We feel that NIST 800-171 should be viewed in the very same manner.


This guide is not endorsed by the National Institute of Standards and Technology (NIST), PCI Resources or any other organization. This is merely an unofficial guide that ComplianceForge compiled to help companies comply with NIST 800-171 and CMMC.

   Understanding The Intent of NIST 800-171 & CMMC

If you are new to NIST 800-171, it is intended to help "non-federal entities" (e.g., government contractors) comply with reasonably expected security requirements by using the systems and practices that government contractors already have in place, rather than trying to use government-specific approaches.


NIST 800-171 also provides a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs, tailored to non-federal systems, allowing government contractors to comply and consistently implement safeguards for the protection of CUI. When it comes down to it, NIST 800-171 is designed to address common deficiencies in managing and protecting unclassified information. 

   Understanding Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012

DFARS 252.204-7012 establishes the need to protect CUI by providing "adequate" protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information. This DFARS clause requires compliance with NIST 800-171 on all "Covered Contractor Information Systems."

  • Covered Contractor Information System (CCIS) means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits “Covered Defense Information.”

  • Covered Defense Information (CDI) means unclassified "Controlled Technical Information" or other information, as described in the Controlled Unclassified Information (CUI) Registry.

  • Controlled Technical Information (CTI) means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.


Examples of technical information include, but are not limited to:

  • Research and engineering data

  • Engineering drawings

  • Associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and

  • Computer software executable code and source code.

If you are unsure what CUI is, we highly recommend that you visit the US government's authority on the matter, the US National Archives' CUI Registry.

   NIST 800-171 & Controlled Unclassified Information (CUI)

NIST 800-171 requires private companies to protect the confidentiality of CUI where it is stored, transmitted and/or processed.


The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and government/DoD contractors, as it applies to:

  • When CUI is resident in non-federal information systems and organizations;

  • When information systems where CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and

  • Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.

For more information on CUI, our friends at Ignyte Assurance Platform put this page together to help educate on the topics of CUI, CTI and CDI - https://www.dfars-nist-800-171.com/post/what-is-controlled-unidentified-information-cui-and-why-should-you-care

   Understanding Cybersecurity Maturity Model Certification (CMMC)

For a more detailed explanation of CMMC, please visit: https://www.complianceforge.com/cybersecurity-maturity-model-certification-cmmc/


CMMC is a vehicle the US Government is using to implement a tiered approach to auditing contractor compliance with NIST SP 800-171, based on five different levels of maturity expectations. DoD contractors have been required to comply with NIST 800-171 since January 1, 2018. In the past two years, the DoD grappled with the low rate of NIST 800-171 compliance across the Defense Industrial Base (DIB), and CMMC was created to remedy that systemic issue of non-compliance by both primes and their subs. Interestingly, when NIST 800-171 was initially launched, the DoD would not accept any form of third-party audit as evidence of NIST 800-171 compliance, but that is exactly what CMMC does, so a lot has changed in the past two years from how NIST 800-171 adoption was initially envisioned.


Think of CMMC as a procurement gate that a contractor must pass to even be eligible to bid on, win or participate in a contract: without a valid CMMC certification (Level 1 through 5), the prime and/or sub will be barred from the contract. It is conservatively estimated that between 200,000 and 300,000 organizations will be in scope for CMMC, with many of those not being considered traditional defense contractors. The reason for that is the trickle-down effect of third parties that have the ability to impact the confidentiality and/or integrity of Controlled Unclassified Information (CUI) where it is stored, transmitted and/or processed. This trickle-down will impact small organizations from IT support to bookkeepers and even janitorial support services, in addition to component manufacturers that fall in the supply chain.

Before you can get any use from this guide, you need to complete the following steps:

  1. Document the System Security Plan (SSP) to clearly identify what makes up the CUI environment. This includes dataflows and all instances where CUI is stored, transmitted and processed.

  2. Create a logical network diagram of your network(s), including any third-party services, cloud instances and remote access methods. Both a high-level and a low-level diagram are expected:

    • A high-level diagram can be “cartoonish” to depict broad concepts.

    • A low-level diagram needs to be detailed and identify the ports, protocols and services that are used across the CUI environment. This information should match what exists in applicable Access Control Lists (ACLs).

  3. Document an inventory of all systems, applications and services:

    • Servers

    • Workstations

    • Network devices

    • Mobile devices

    • Databases

    • Third-party service providers

    • Cloud instances

    • Major applications (including what servers and databases they depend on)
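As an added illustration of the "infectious" scoping point and of why the dataflow, diagram and inventory steps matter (example code written for this page, not from ComplianceForge's guide; the asset names and links are constructed), the script below takes a small inventory with the CUI-handling flags from an SSP plus the links from a low-level diagram, and computes the CUI environment with and without enforced segmentation boundaries:

```python
from collections import deque

# Constructed sample inventory (hypothetical names, not a real network).
# A True value comes from the SSP dataflows: the asset stores, processes
# or transmits CUI.
ASSETS = {
    "eng-fileserver": True,
    "cad-workstation-01": True,
    "erp-db": False,
    "hr-workstation": False,
    "print-server": False,
    "guest-wifi": False,
}
# Constructed links: (asset_a, asset_b, segmented). segmented=True means the
# path crosses an enforced boundary (firewall/ACL limited to the ports,
# protocols and services on the low-level diagram); False is a flat path.
LINKS = [
    ("eng-fileserver", "cad-workstation-01", False),
    ("eng-fileserver", "print-server", False),
    ("eng-fileserver", "erp-db", True),
    ("erp-db", "hr-workstation", False),
    ("print-server", "hr-workstation", True),
    ("hr-workstation", "guest-wifi", True),
]

def cui_environment(assets, links, ignore_segmentation=False):
    """Assets that handle CUI plus everything reachable from them over
    unsegmented links. ignore_segmentation=True treats every link as
    flat, i.e. a network with no enforced boundaries."""
    adjacency = {name: set() for name in assets}
    for a, b, segmented in links:
        if segmented and not ignore_segmentation:
            continue
        adjacency[a].add(b)
        adjacency[b].add(a)
    in_scope = {name for name, handles_cui in assets.items() if handles_cui}
    queue = deque(in_scope)
    while queue:  # breadth-first "infection" from the CUI-handling assets
        for neighbour in adjacency[queue.popleft()]:
            if neighbour not in in_scope:
                in_scope.add(neighbour)
                queue.append(neighbour)
    return in_scope

def scope_report(assets, links):
    """Scope with and without the documented segmentation boundaries."""
    flat = cui_environment(assets, links, ignore_segmentation=True)
    segmented = cui_environment(assets, links)
    return {"flat": sorted(flat), "segmented": sorted(segmented),
            "removed_by_segmentation": sorted(flat - segmented)}
```

With the constructed data, the flat network puts all six assets in scope, while the segmented network reduces the CUI environment to the file server, the CAD workstation and the print server that shares their flat segment.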


Note: If you are not willing to do the work required by the three steps listed above, you can stop reading this document and assume that every system, application and service in your organization will be considered in scope for NIST 800-171 and CMMC audits. The old adage "if you fail to plan, you plan to fail" is very applicable in this scenario.

   Due Diligence & Due Care Expectations for NIST 800-171 & CMMC Compliance Scoping

Disclaimer: This information is provided for educational purposes only. This website does not render professional services and is not a substitute for professional services. If you have compliance questions, you are encouraged to consult a cybersecurity professional.


© Compliance Forge, LLC (ComplianceForge). All Rights Reserved.

Compliance Forge, LLC (ComplianceForge) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. ComplianceForge does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.

ComplianceForge reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.