All Department of Defense (DoD) contractors that process, store or transmit controlled unclassified information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards or risk losing their DoD contracts
– and documenting CUI data flows is an important requirement.
To get started, organizations must identify and tag/mark their CUI data, deploy software to manage the workflow off those tags, map the flows in a network diagram and ensure employees
are properly trained on all aspects of CUI handling and security. Documenting everything as it changes over time is the most difficult part. This piece provides a step-by-step process for creating NIST-compliant CUI data flows.
The DoD’s CUI program standardizes the way all U.S. government agencies and military entities handle unclassified information that requires safeguarding. It clarifies and limits the kinds of information to protect, defines what is meant by "safeguard,"
reinforces existing legislation and regulations, and promotes authorized information-sharing. Since DFARS’ implementation on Dec. 31, 2017, all DoD contractors that process, store or transmit CUI must meet the DFARS minimum security standards
or risk losing their DoD contracts.
While it is critical to set standardized controls for the way information is handled, the process of implementing CUI markings across agency data is complex, time-consuming, and sometimes unclear. Yet all agencies are required to use CUI markings on all
data that is not classified.
Fortunately, a lot of these requirements will be fleshed out within the Cybersecurity Maturity Model Certification (CMMC) as it matures. (The CMMC is a DoD certification and compliance process designed to certify that contractors have the requisite controls
in place to protect sensitive data.)
To effectively automate CUI workflows, organizations must start with two steps:
Figure 1 depicts a documentation example from Sumo Logic. It is mostly based off NIST 800-53 rev4 for FedRAMP, but it closely ties into NIST 171 and demonstrates data flow inside and outside regulatory boundaries.
Assessors look for documented data flows (DFD) more than anything else. A DFD is a method to identify the flow of regulated data (FCI/CUI). It does not have to be fancy, but it needs to accurately reflect two considerations:
With the CMMC, everything starts from a data flow perspective:
To follow best practices to create data flows, you should consider:
Ensure employees are properly trained as the “people factor” can be the weakest link in many organizations. Organizations Seeking Certification (OSCs) should consider training personnel on CUI best practices, which include, but are not limited
General security best practices, including:
Assign control ownership and document it. Most organizations create NIST-compliant CUI data flows and ensure access is approved based on policy by assigning control ownership and documenting procedures.
After addressing the core documentation requirements, the time-consuming process begins of putting it into practice. To ensure NIST-compliant CUI data flows:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
June 10, 2021
By IANS Faculty
Identify the key features to look for in a SOAR solution and the top use cases for information security teams to consider.
June 8, 2021
Identify key steps security teams should take, and pain points to watch, when returning to the office working environment.
June 3, 2021
Explaining information security to the board of directors and aligning enterprise information security activities with board-level input can be challenging.