Last Updated on April 5, 2021
Like all organizations that do business with the US Department of Defense (DoD) and a growing number of other US federal entities, staffing agencies will soon need to comply with the Cybersecurity Maturity Model Certification (CMMC) framework at the level specified in their contract.
Most staffing firms would logically anticipate that they’ll need to implement only the CMMC Level 1 controls, which relate to Federal Contract Information (FCI). But some are hearing that new contracts could mandate CMMC Level 3, a much larger set of controls intended to secure Controlled Unclassified Information (CUI).
Why would staffing agencies that don’t deal with CUI be looking at CMMC Level 3? Is there any way out of it? Could it be a mistake?
To help government staffing agencies are voicing about CMMC compliance, Pivot Point Security CISO and Managing Partner, John Verry, targeted this topic on a special episode of The Virtual CISO Podcast.
John notes that many government staffing agencies are SMBs that don’t think they have any CUI in their environment—only FCI. But sometimes, even within the language of contracts themselves, FCI can “morph” into CUI.
“Both FCI and CUI can have sneaky elements,” shares John. “FCI generally is any information relating to a contract. But, on occasion, the FCI can rise to the level of becoming CUI in and of itself.”
John continues: “A very common example of that would be if the contract includes… Let’s say you’re manufacturing something that’s going into munitions and the specifications for the product that are included in the contract rise to the level of CUI. But generally speaking, in talking with staffing agencies, these jobs get posted somewhere and they’re not typically including CUI. So, I think in a staffing agency, it’s probably unlikely that the FCI would become CUI.”
Another concern John has come across, which could impact some staffing agencies, is the fact that regulations involving CUI don’t stop at CMMC Level 3.
“So as an example, it might be covered by CUI, but it might also be ITAR [International Traffic in Arms Regulations] … an additional data classification requiring additional treatment. So, if you’re placing bodies someplace where those additional classifications could arise, if that data does leak into your environment, you’re going to have additional requirements beyond just that CMMC CUI,” John states.
In short, when scoping your CMMC environment, you need to look carefully at how data is moving in and out of your systems. You could be “touching” information; through emails from people you’ve placed, for example, that needs higher levels of protection.
If your government staffing business has been told it needs to comply with CMMC Level 3, you’ll certainly want to watch this special podcast show with John Verry.