InfoSec-Specific Executive Development for
CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive
labs to build you and your team's InfoSec skills
All Department of Defense (DoD) contractors that process, store or transmit controlled unclassified information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards or risk losing their DoD contracts
– and documenting CUI data flows is an important requirement.
To get started, organizations must identify and tag/mark their CUI data, deploy software to manage the workflow off those tags, map the flows in a network diagram and ensure employees
are properly trained on all aspects of CUI handling and security. Documenting everything as it changes over time is the most difficult part. This piece provides a step-by-step process for creating NIST-compliant CUI data flows.
READ: What is the NIST Privacy Framework?
The DoD’s CUI program standardizes the way all U.S. government agencies and military entities handle unclassified information that requires safeguarding. It clarifies and limits the kinds of information to protect, defines what is meant by "safeguard,"
reinforces existing legislation and regulations, and promotes authorized information-sharing. Since DFARS’ implementation on Dec. 31, 2017, all DoD contractors that process, store or transmit CUI must meet the DFARS minimum security standards
or risk losing their DoD contracts.
While it is critical to set standardized controls for the way information is handled, the process of implementing CUI markings across agency data is complex, time-consuming, and sometimes unclear. Yet all agencies are required to use CUI markings on all
data that is not classified.
Fortunately, a lot of these requirements will be fleshed out within the Cybersecurity Maturity Model Certification (CMMC) as it matures. (The CMMC is a DoD certification and compliance process designed to certify that contractors have the requisite controls
in place to protect sensitive data.)
To effectively automate CUI workflows, organizations must start with two steps:
Figure 1 depicts a documentation example from Sumo Logic. It is mostly based off NIST 800-53 rev4 for FedRAMP, but it closely ties into NIST 171 and demonstrates data flow inside and outside regulatory boundaries.
Assessors look for documented data flows (DFD) more than anything else. A DFD is a method to identify the flow of regulated data (FCI/CUI). It does not have to be fancy, but it needs to accurately reflect two considerations:
With the CMMC, everything starts from a data flow perspective:
To follow best practices to create data flows, you should consider:
Ensure employees are properly trained as the “people factor” can be the weakest link in many organizations. Organizations Seeking Certification (OSCs) should consider training personnel on CUI best practices, which include, but are not limited
General security best practices, including:
Assign control ownership and document it. Most organizations create NIST-compliant CUI data flows and ensure access is approved based on policy by assigning control ownership and documenting procedures.
After addressing the core documentation requirements, the time-consuming process begins of putting it into practice. To ensure NIST-compliant CUI data flows:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
May 19, 2022
By IANS Faculty
Understand potential security risks for executives on social media. Find information on attack trends and guidelines to help identify potential attacks and keep both social media accounts and the organization secure.
May 17, 2022
Learn how to make progress with zero trust, including common zero trust use cases, success stories, tooling guidance and tips for effectiveness.
May 12, 2022
Gain an understanding of the role executives play in incident response (IR). Find guidance on key actions to take before, during and after a security incident.