The Keys to CMMC Compliance-#2
Second CMMC series webinar answered questions about CUI.
In case you missed this event, the recording is available here.
ATS and OCD-Tech hosted our second live webinar focused on all things CMMC. The first webinar in February focused on introducing the CMMC to Defense contractors and today’s webinar was all about CUI.
CUI stands for Controlled Unclassified Information. Understanding what it is, and if you handle it, is the very first step in your CMMC journey. If your company handles, or may need to handle, CUI then you will need to obtain the CMMC maturity level 3.
If you do not handle CUI, then you only need to obtain a CMMC maturity level 1 certification. If you handle CUI you will also need to understand where that information resides in your network-because everywhere that CUI resides is considered in-scope for your CMMC assessment.
Even if you don’t handle CUI, wherever federal contract information (FCI) resides is also in scope for the CMMC maturity level 1. Getting a handle on your data, determining if it’s CUI (or not), and determining where that information flows are the most important first steps in preparing for the CMMC.
In today’s webinar on CUI, we introduced the concept of the CUI Life Cycle (CUI Life Cycle (dodcui.com)). Authorized holders of CUI have requirements at each stage in the CUI life cycle. The CUI Life Cycle is a framework by which to consider the information you’re handling and where it fits within the information life cycle to help determine the applicable requirements that apply to your information currently.
From creation through destruction, there are requirements for handling CUI at every stage which also has implications for the information systems and physical spaces that touch CUI.
Our next webinar in our series will focus on misunderstandings about CMMC. Register here for “Myth-busting CMMC Compliance” April 7 at 1 p.m.