[Free Download]
Questions and Answers for the DoD Mandatory CUI Training
Identifying and Categorizing CUI
When trying to determine if your organization has CUI, try asking yourself these questions:
- C – Is the data originally Created by the government and provided to you in association with the contract?
- U - Is the data going to be Used to deliver your contractual responsibilities to the government?
- I - Can the data type be Identified within the sub-categories listed on the NARA CUI registry?
These three criteria should help you navigate figuring out whether the data you're handling is CUI.
Here's something else that might help you identify whether or not you're handling CUI. This a copy of what the DoD typically workshops in their public documentation. We changed the verbiage a little bit for simplicity's sake.
The first question is, are you dealing with classified or truly unclassified information?
Next up, does the information fall within a law, regulation or government-wide policy? If not, it's not CUI.
All of the proprietary data you have – if you're not delivering on a contract and it doesn’t call it out as something unique to the government – it's probably not CUI.
If it does have a law, regulation or government-wide policy, you'll need to look up those categories in the National Archives or the DoD CUI Registry. We'll do that in the next step.
Before we do, though, let's take a quick look at a Microsoft tool you can use to help find CUI.
Identifying CUI with Microsoft 365
Microsoft Purview helps defense contractors identify Controlled Unclassified Information (CUI) in their IT systems to comply with CMMC 2.0 requirements.
The following blog discusses how Organizations Seeking Certification (OSC) can effectively identify CUI in their current IT environment using the Microsoft 365 platform:
Identifying CUI with Microsoft 365 For CMMC
How to Identify CUI Outside of Microsoft 365
As you work through the process of identifying CUI, one question that might come up is around how to find CUI data outside of Microsoft 365.
Locating data containing CUI outside of your Microsoft 365 environment is a bit of a process. You'll need to map all your internal processes and data flows to identify potential areas where CUI might be residing outside of Microsoft 365.
We have a CMMC Level 2 solution with a specialized CUI scoping project dedicated to addressing precisely this challenge. Our team can provide the necessary expertise to guide you through the process of identifying and relocating the non-M365 data containing CUI securely.
If you're interested in learning more about our CMMC Level 2 solution and CUI scoping project, reach out to us here.
Walkthrough of CUI Categorization
For this example, we're going to use the National Archives CUI website. Visit the website, then click on Category list.
You’ll see a column called Organizational Index Groupings with the CUI categories underneath.
One of the examples we like to talk about when it comes to CUI is Controlled Technical Information, which is found next to the Defense section.
If you click Controlled Technical Information, you’ll see a category description. This one has a long category description, but it’s basically telling you what CTI is, where the reference documentation is located, that DFARS 7013 has the definition and other helpful information.
As you read through it, you might start to think that everything is CUI. But if you look all the way down at the very bottom of the Controlled Technical Information page, you’ll see a table with a heading titled Safeguarding and/or Dissemination Authority.
This is going to tell you which reference document to look at to determine if this applies to you. It’s also going to tell you if it's Basic or Specified CUI as well as the banner marking that you're going to need if/when you mark it.
But if you click the link under the Safeguarding and/or Dissemination Authority heading, a document will be opened that will tell you things like which types of systems that you need, how you need to configure them, which type of a cloud environment you need to use – and it’s all wrapped up in this document.
For the sake of this example, do a search in the document for “Controlled Technical Information” and you’ll see the definition of what CTI is.
It even goes into things like distribution statements that you might see coming from the DOD.
But this poses another great question. You might think, “Okay, I get the word “controlled,” is there a better definition of what "technical information” is?
If you scroll over within that same clause, it actually tells you that “technical information” means technical data or computer software as those terms are defined in the referenced DFARS clause.
And if you look at what that clause is called, Rights in Technical Data for Non-Commercial Items, you can tell something just from that: it means this definition does not apply to consumer off the shelf items. If you can go to Walmart and pick up, then this clause doesn’t apply.
But to dig a little deeper, you’ll next want to do a Google search for the clause that’s referenced in the document. In this case, it’s “DFARS 252.227–7013”. If you do a Google search for it, you’ll find a page on Acquisition.gov with the document on it.
As you're going through that page, you'll see that it covers definitions of computer database, computer program, and computer software.
This is what helps you refine and understand if the data you're handling is actually going to be CUI, or in this case Controlled Technical Information.
Read more: Identifying CUI with Microsoft 365 For CMMC
Common Mistakes with Identifying CUI
It's important to remember that not everything is CUI.
For example, some companies think their budget should be considered CUI. They might be concerned about different ERP systems and other kind of technologies they have with budget information. And, to be safe, they think it wise to consider it CUI.
But if we look at the CUI categories on the DoD CUI Program site and go to Financial, then go to Budget and look at the actual summarization of the category, what we’ll find it that a budget is only CUI Specified when it's a budget for federal agencies. As long as you're not a federal agency, it's not CUI.
Another thing to consider is whether this CUI has a government-wide policy, law, or regulation in place that applies to contractors. Going back to our budget example, if you're not a federal agency reporting your budget to the Office of Management and Budget, then there's no reason to consider it CUI.
Marking CUI
This video from the US National Archive explains how organizations can properly mark CUI data. Summit 7 does not own the rights to this video.
How do I protect CUI?
- Implement NIST SP 800-171 if you have not already done so.
- Prepare for third-party (C3PAO) or government-led assessments.
- Reach out to a service provider who is able to help you identify CUI and provide next steps for CMMC 2.0 compliance.
Protecting CUI with Microsoft 365
Free On-Demand Webinar:
Many contractors in the DoD supply chain have already chosen to handle sensitive data such as CUI and ITAR data in the Microsoft Government Cloud. Microsoft has two versions of M365 that are suited for handling CUI, Microsoft 365 GCC High and Microsoft 365 GCC.
GCC High is not required to meet CMMC 2.0 at any Level. However, Microsoft's official recommendation is for organizations planning or required to meet CMMC 2.0 Level 2 (formerly CMMC 1.0 Level 3) should deploy to Microsoft 365 GCC High.
Resources for getting started with protecting CUI in Microsoft Government:
The graphic below represents the Microsoft Platform as it relates to relevant compliance frameworks such as CMMC, DFARS 7012, ITAR regulations.
