AUTHOR: Jeff Smedley, CIO, Technology Strategist and CMMC Consultant
Streamlining Your System Security Plan (SSP)
The cost of CMMC is significant, and the way to positively impact that cost in the most effective way is to limit a company’s CUI exposure in business operations. Efficiency is gained the more that an established and compliant enclave is the repository for FCI and CUI, and external applications are devoid of FCI and CUI.
CUI Definition: Controlled Unclassified Information (CUI) is information that is not classified, but requires safeguarding or
dissemination controls:
- It can be created or possessed by the government or other entities on behalf of the government
- It’s defined as sensitive within the CUI Registry and DOI policy
- It’s required to be appropriately marked to convey sensitivity, handling, and safeguarding requirements
- It may be required for privacy, law enforcement, or other reasons
- It can’t be released to the public without further review
In the definition on the previous page for CUI, the key definition we will focus on is “It’s required to be appropriately marked to convey sensitivity, handling, and safeguarding requirements “. This is a very important criteria for discovering and determining the CUI in your environment. As you are building your inventory of CUI in your control for your company, discovery becomes much more straightforward if you search based on the definition of appropriately marked articles.
Define for your company if you are the adjudicating official for marking CUI, or is the DoD the adjudicating official. This information is extremely important for the determination of actual CUI.
Read the full whitepaper HERE >