CMMC and CUI Simplified Guide


Let's start with the basics... what is CUI?  Controlled Unclassified Information (CUI) is the highest level of protection the United States government applies to information that is not classified.  Classified data requires a US security clearance to access; CUI does not.  It does, however, require those who hold and process CUI to handle it appropriately and ensure it is protected from falling into the wrong hands.  Designating CUI can be complicated: the government recognizes many different categories of CUI, and anyone can mark data as CUI using the appropriate markings.

Our role in protecting CUI becomes even more complicated when we factor in CMMC. CMMC stands for the Cybersecurity Maturity Model Certification.  It's a set of rules that must be followed by government entities, contractors, or providers if those entities want to handle contract or grant CUI.  Without certification, such entities cannot handle grant or contract CUI, and cannot bid on or apply for grants or contracts that require CUI processing to take place.  CMMC has 3 levels.  Each higher level adds more requirements, and contracts or grants will specify which level must be met to satisfy the grant or contract.  Generally, this is indicated by a DFARS 7012 or 7021 clause within the contract or grant language.

PSL at NMSU will be certified at level 2 to begin and will strive to reach level 3 certification in the future.  With a level 2 certification, PSL will be able to provide NMSU with the ability to bid on or apply for almost any grant or contract that handles CUI, since CMMC level 3 is extremely rare as a grant or contract requirement.  To be level 2 certified, PSL must be assessed by an auditing body every 3 years and must prove to the auditor that we are meeting all controls specified by the CMMC level we are attempting to certify against.

For the purposes of CMMC, only grant or contract-related CUI is assessed.  However, the university has many other types of CUI that should also be protected, including personnel records, student records, and medical records.  While PSL does not specifically track or take responsibility for CUI that isn't directly related to a grant or contract, we do provide data storage and processing at the CMMC level 2 standard for university CUI that should be protected at that level, if desired.  If you have CUI data that you feel should be protected but does not fall under CMMC, please contact us for options.

CMMC Control Categories:

  1. Access Control (AC):
    What it Means: Like having a key to your room, we ensure only authorized people can access important information.
  2. Audit and Accountability (AU):
    What it Means: Think of this as keeping a record of who's been where and what they did, like having a digital security camera.
  3. Awareness and Training (AT):
    What it Means: We teach everyone the basics of keeping digital information safe, like a superhero training camp for our staff and students.
  4. Configuration Management (CM):
    What it Means: It's like arranging your apps on your phone to work smoothly. We make sure everything is set up correctly and stays that way.
  5. Identification and Authentication (IA):
    What it Means: Just like you have a username and password for your accounts, we make sure only the right people can log in to our systems. It's like having a secret handshake.
  6. Incident Response (IR):
    What it Means: If something goes wrong, we have a plan – like having a superhero team ready to fix any problems ASAP.
  7. Maintenance (MA):
    What it Means: Similar to taking care of your car with regular maintenance, we ensure our systems are always in top shape.
  8. Media Protection (MP):
    What it Means: Think of this as keeping your important documents in a safe. We protect our digital media to prevent unauthorized access.
  9. Personnel Security (PS):
    What it Means: Like checking IDs at the entrance, we ensure only trustworthy people have access to sensitive areas and information.
  10. Physical Protection (PE):
    What it Means: It's like having a security guard at the entrance. We take measures to physically protect our important information.
  11. Risk Assessment (RA):
    What it Means: Similar to checking the weather before planning a trip, we assess potential risks to keep everything secure.
  12. Security Assessment (CA):
    What it Means: It's like having a safety check for your car. We regularly check our systems to make sure everything is secure and working well.
  13. System and Communications Protection (SC):
    What it Means: Think of this like having a bodyguard for your computer. We protect the ways our systems talk to each other and the outside world.
  14. System and Information Integrity (SI):
    What it Means: We ensure our information is accurate and has not been altered without authorization, like having a trustworthy friend.

Consequences for Mishandling CUI

The mishandling of Controlled Unclassified Information (CUI) can have serious consequences, both for individuals and organizations. The protection of CUI is essential to prevent potential harm and maintain the integrity of sensitive information. Here are some possible ramifications if someone mishandles CUI:

  • Legal Consequences: Individuals and organizations may face legal actions and penalties for failing to protect CUI. This can include fines, civil lawsuits, or even criminal charges, depending on the severity of the mishandling.

  • Reputational Damage: Mishandling CUI can lead to a loss of trust and credibility. Individuals or organizations involved may suffer reputational damage, affecting their relationships with clients, partners, and stakeholders.

  • Financial Consequences: Fines and legal expenses associated with CUI mishandling can result in significant financial burdens. Additionally, the costs of remediation, such as implementing enhanced security measures, can be substantial.

  • Loss of Contracts and Opportunities: Organizations that handle CUI are often subject to contractual obligations regarding information security. Failure to comply with these requirements can lead to the loss of government contracts, business partnerships, and other opportunities.

  • Security Clearance Issues: Individuals with security clearances may face reviews and potential revocation if found responsible for mishandling CUI. This can impact their current employment and future career prospects.

  • Regulatory Compliance Issues: Organizations handling CUI are often subject to industry-specific regulations and standards. Failure to comply with these regulations can result in regulatory actions and additional consequences.

  • Loss of Competitive Advantage: Mishandling CUI, especially if it involves proprietary business information, can lead to a loss of competitive advantage. Competitors may gain access to sensitive details that could compromise an organization's unique strategies or innovations.

  • Increased Cybersecurity Risks: Mishandling CUI may involve cybersecurity breaches, leading to unauthorized access to sensitive information. This, in turn, can result in data leaks, identity theft, and other cybersecurity threats.

Overall, the ramifications of mishandling CUI extend beyond immediate legal consequences and can impact an individual's or organization's long-term viability and standing within their industry. It underscores the importance of implementing robust security measures and fostering a culture of awareness and responsibility regarding the handling of sensitive information.