InfoSec-Specific Executive Development for
CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive
labs to build you and your team's InfoSec skills
All Department of Defense (DoD) contractors that process, store or transmit controlled unclassified information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards or risk losing their DoD contracts
– and documenting CUI data flows is an important requirement.
To get started, organizations must identify and tag/mark their CUI data, deploy software to manage the workflow off those tags, map the flows in a network diagram and ensure employees
are properly trained on all aspects of CUI handling and security. Documenting everything as it changes over time is the most difficult part. This piece provides a step-by-step process for creating NIST-compliant CUI data flows.
READ: What is the NIST Privacy Framework?
The DoD’s CUI program standardizes the way all U.S. government agencies and military entities handle unclassified information that requires safeguarding. It clarifies and limits the kinds of information to protect, defines what is meant by "safeguard,"
reinforces existing legislation and regulations, and promotes authorized information-sharing. Since DFARS’ implementation on Dec. 31, 2017, all DoD contractors that process, store or transmit CUI must meet the DFARS minimum security standards
or risk losing their DoD contracts.
While it is critical to set standardized controls for the way information is handled, the process of implementing CUI markings across agency data is complex, time-consuming, and sometimes unclear. Yet all agencies are required to use CUI markings on all
data that is not classified.
Fortunately, a lot of these requirements will be fleshed out within the Cybersecurity Maturity Model Certification (CMMC) as it matures. (The CMMC is a DoD certification and compliance process designed to certify that contractors have the requisite controls
in place to protect sensitive data.)
To effectively automate CUI workflows, organizations must start with two steps:
Documented Data Flows (DFD)
Assessors look for documented data flows (DFD) more than anything else. A DFD is a method to identify the flow of regulated data (FCI/CUI). It does not have to be fancy, but it needs to accurately reflect two considerations:
With the CMMC, everything starts from a data flow perspective:
To follow best practices to create data flows, you should consider:
Ensure employees are properly trained as the “people factor” can be the weakest link in many organizations. Organizations Seeking Certification (OSCs) should consider training personnel on CUI best practices, which include, but are not limited
General security best practices, including:
Assign control ownership and document it. Most organizations create NIST-compliant CUI data flows and ensure access is approved based on policy by assigning control ownership and documenting procedures.
After addressing the core documentation requirements, the time-consuming process begins of putting it into practice. To ensure NIST-compliant CUI data flows:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
September 29, 2022
By IANS Faculty
Understand the integration points between information security and enterprise architecture. Find guidance for functional organizational constructs to maintain a solid EA practice.
September 27, 2022
By IANS Research
Learn how to ensure full cyber insurance policy coverage and find 5 tips to help maximize your potential cyber insurance claims.
September 22, 2022
Find information on cyber insurance coverage types along with best practices to choose a cyber insurance carrier and policy for optimal security coverage.