InfoSec-Specific Executive Development for CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive labs to build you and your team's InfoSec skills
All Department of Defense (DoD) contractors that process, store or transmit controlled unclassified information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards or risk losing their DoD contracts
– and documenting CUI data flows is an important requirement.
To get started, organizations must identify and tag/mark their CUI data, deploy software to manage the workflow off those tags, map the flows in a network diagram and ensure employees
are properly trained on all aspects of CUI handling and security. Documenting everything as it changes over time is the most difficult part. This piece provides a step-by-step process for creating NIST-compliant CUI data flows.
The DoD’s CUI program standardizes the way all U.S. government agencies and military entities handle unclassified information that requires safeguarding. It clarifies and limits the kinds of information to protect, defines what is meant by "safeguard,"
reinforces existing legislation and regulations, and promotes authorized information-sharing. Since DFARS’ implementation on Dec. 31, 2017, all DoD contractors that process, store or transmit CUI must meet the DFARS minimum security standards
or risk losing their DoD contracts.
While it is critical to set standardized controls for the way information is handled, the process of implementing CUI markings across agency data is complex, time-consuming, and sometimes unclear. Yet all agencies are required to use CUI markings on all
data that is not classified.
Fortunately, a lot of these requirements will be fleshed out within the Cybersecurity Maturity Model Certification (CMMC) as it matures. (The CMMC is a DoD certification and compliance process designed to certify that contractors have the requisite controls
in place to protect sensitive data.)
To effectively automate CUI workflows, organizations must start with two steps:
Figure 1 depicts a documentation example from Sumo Logic. It is mostly based off NIST 800-53 rev4 for FedRAMP, but it closely ties into NIST 171 and demonstrates data flow inside and outside regulatory boundaries.
Assessors look for documented data flows (DFD) more than anything else. A DFD is a method to identify the flow of regulated data (FCI/CUI). It does not have to be fancy, but it needs to accurately reflect two considerations:
With the CMMC, everything starts from a data flow perspective:
To follow best practices to create data flows, you should consider:
Ensure employees are properly trained as the “people factor” can be the weakest link in many organizations. Organizations Seeking Certification (OSCs) should consider training personnel on CUI best practices, which include, but are not limited
General security best practices, including:
Assign control ownership and document it. Most organizations create NIST-compliant CUI data flows and ensure access is approved based on policy by assigning control ownership and documenting procedures.
After addressing the core documentation requirements, the time-consuming process begins of putting it into practice. To ensure NIST-compliant CUI data flows:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
October 14, 2021
By IANS Faculty
Learn how the DDoS threat is evolving and get a step-by-step playbook to ensure your organization is protected against DDoS attacks and has a response plan in place.
October 12, 2021
Uncertain how to secure your M365 environment? Our Faculty identify and explain the five primary areas of M365 that will provide the best security return-on-investment with the least user experience impacts.
October 7, 2021
Gain insights into what other security teams are asking our Faculty members on how best to communicate with executive leadership about ransomware.