Last Updated on July 14, 2021
Any organization that is pursuing Cybersecurity Maturity Model Certification (CMMC) Level 3 compliance has Controlled Unclassified Information (CUI), as well as Federal Contract Information (FCI). For a secure and cost-effective control environment, is it important to separate CUI and FCI into separate “enclaves”? Or is it better to just treat FCI like CUI for simplicity?
To get a certified third-party assessment organization (C3PAO) auditor’s up-to-the-minute view on how best to prepare for a CMMC assessment, including how to handle CUI, a recent episode of The Virtual CISO Podcast features Stacy High-Brinkley, VP of Compliance Solutions at Cask. Hosting the show is Pivot Point Security CISO and Managing Partner, John Verry.
When to separate CUI and FCI
Stacy notes that her own SMB, Cask, is “going full CUI” rather than keeping CUI and FCI separate. She also notes that some organizations aren’t entirely sure what CUI is.
“When you get into the bigger companies, yes, they’re going to have a CMMC Level 1 enclave and a Level 3 enclave, so that they can process a little bit quicker on their feet,” remarks Stacy. “Let’s say their contract shop is just FCI and maybe their shop that’s handling all the CUI is totally VLAN’d off with totally different processes and hardware in place, etc.”
“I think for the smaller companies, from what I’ve seen so far, they’re going ‘ML 3’ because they’re not sure [how to separate out CUI correctly] and they don’t want to get left behind or not be able to bid on a contract,” Stacy adds.
Is your FCI really CUI?
John notes that, for some DIB manufacturers he’s worked with, “… occasionally the FCI becomes CUI because there’s enough specificity in the contract itself with regards to the manufacturing process, or a dimension.”
“In the smaller companies, we’re seeing the same thing,” adds John. “It might be the easiest thing to just roll everything into a single CUI enclave. But with bigger companies, I agree with you completely because now you’re into ERP systems that they’re tracking the contracts in, legal and contractual systems… And now all of a sudden, you don’t want those to be ‘CUI relevant.’”
Why a CMMC Level 3 assessment also covers FCI
If a DIB org engages a C3PAO to perform a CMMC Level 3 audit, is that by definition also an FCI audit? Or does the FCI environment have its own scope and undergo a separate CMMC Level 1 audit?
Stacy explains: “So if they’re going for CMMC Level 3, we go in and do an assessment for Level 3. That is, we go all the way from Level 1 up to Level 3. If they say, ‘Oh, that’s just FCI,’ well, they’re going to get ML3 anyway because we’re assessing them for ML3. Unless they’re going to say, ‘This is just FCI. We only want a Level 1 assessment for this shop over here.’ Then they could possibly get a Level 1 assessment and certification over here and a Level 3 over here. But if you’re already doing Level 3 over here…
“So, yeah, I haven’t seen that yet,” summarizes Stacy. “I’ve seen either Level 1 or Level 3.”
If you have security and/or compliance responsibility for a DIB company, this podcast episode with Stacy High-Brinkley is packed with useful insights.