Protect CUI, FCI for Your Company’s CMMC Compliance

If your company does any business with the U.S. Department of Defense, you will be required to comply with CMMC 2.0 to be considered for future contracts. It doesn’t matter if you sell a product or a service, if DoD business is only a small part of your revenue, or if you are only a subcontractor. You will still be required to comply, even if the work you do hasn’t changed. 

Your business needs to start building a roadmap for CMMC Level 1 or Level 2 compliance. To do so, you’ll need to be familiar with CUI and FCI, and you’ll need an IT solution that can identify and securely store that data to get certified.

What Is CUI and FCI, and Do I Have Any?

One initial requirement for CMMC compliance is to identify the sensitive information itself. Controlled Unclassified Information (CUI), which is government created or owned information, is supposed to be marked, but it frequently slips through without markings. Further, it can be created in your own company—not just by the DoD. Most examples are predictable, but some may surprise you. These include:

  • Building drawings on military bases including floor plans, electrical, plumbing, HVAC, etc.
  • Personal information on DoD employees including contact, financial, health, and location
  • IT security information itself, including configurations and architecture
  • Product or service specifications and delivery schedules
  • Time-based information for products and services including ordering patterns and trends
  • Meeting schedules with DoD personnel and contractors
  • Delivery locations

Federal Contract Information (FCI) is not as critical as CUI but is typically easier to identify. It includes:

  • Contract terms and conditions
  • Contract payment and delivery schedules
  • Previous versions of contracts and markups

Based on these examples, most organizations have more CUI than they realize. Worse, they often don’t know where it is or even how to find it. That’s why it’s important to choose a solution that helps discover, mark, and move CUI to a secure environment.

Are You Ready To Handle CUI?

The problem with CUI is that many people need to use it to do their jobs. It can’t be confined to an elite few individuals with specialized training and experience. Most likely, representatives from many different departments in your organization will need to not only access it, but collaborate with each other on the information. That’s why you’ll need a full suite of document collaboration tools as well as accessibility options to help your users work with the data securely. 

To identify the users who need access to your CUI, start by contacting department heads and asking them to share a list of nominated users. Be cautious about accepting all users by default. Users should only be added to the list on a need-to-know basis. Remember that the weakest link is usually the human element, so reducing the number of users with access greatly reduces the attack surface for adversaries.

Beyond having the right tools and environment in place, you’ll need to train your users to:

  • Identify CUI where ever it exists in the organization
  • Know when they are creating new CUI
  • Mark it appropriately 
  • Move it to the secure enclave, which is a fully isolated virtual server
  • Know who can and cannot see the information
  • Know your official policies for document retention and archiving for CUI

You can use online tools provided by the government to help train your employees. For example, this tool provides a quick online video tutorial on CUI. 

How Do I Find My CUI?

Historically, you would need to train employees to find and mark all CUI themselves. However, Egnyte provides advanced tools to do it for you. First, besides the Egnyte repository itself, you can connect a wide variety of third-party file repositories to Egnyte. This includes Google, Microsoft SharePoint and OneDrive, Box, DropBox, and even your own on-premises file servers. 

Immediately, the Egnyte AI begins scanning every word of every file for sensitive information of all types. Rather than simply pattern-matching, it uses a machine learning engine to detect sensitive information based on surrounding context. For example, if you have personal information on DoD personnel, it can tell a driver’s license number from a partial number. Further, you can then fine-tune it by creating your custom list of keywords to search for things such as internal project names. 

Finally, you can create policies to alert you when CUI is discovered in the wrong locations so you can move it to your secure enclave or delete it. You can even use the same tools to create automated lifecycle policies for CUI for document retention purposes.

Where Will I Store CUI/FCI Information?

You’ll need to store your CUI/FCI information in a secure enclave, which is a specially designed and built environment for your sensitive information.  Large defense contractors have sizable teams of people who carefully architect, build, and maintain complex technology stacks that conform to the required security standards. However, as a smaller contractor, you can use a pre-built solution from Egnyte as your secure enclave that handles much of the complexity and reduces the burden on IT.

Egnyte’s security engineering team has constructed a secure, cloud-based technology stack that you can use as a secure enclave. It can help you comply with CMMC 2.0 requirements economically, quickly and easily. After you have stored your CUI information in the Egnyte CMMC Compliance solution, these AI tools mentioned above will continue to monitor your other repositories for “leaks” of CUI. 

Next Steps

Getting started is not easy. Your IT staff may not be trained in CMMC, and web searches are filled with dozens of “offers” to help you comply, varying from consulting to tools to products. That’s why Egnyte has put together a handy checklist to help you prepare for the journey. You’ll find simple advice on information to gather, and criteria for making decisions to get started. Click on the Download Now button below to get started today.

Get started with Egnyte today

Explore the best secure platform for business-critical content across clouds, apps, and devices.

Get Your CMMC Compliance Checklist

Are you prepared for CMMC? Discover the 11 things you need to achieve for CMMC readiness.

Share this article

November Product Rollup: Updates in Secure & Govern, Mobile and More
November 30, 2022
Rosie Fan
Read Article
How Cybersecurity Checklists Keep Cyber Insurance Costs Manageable
November 2, 2022
Lynn Ambrose
Read Article
Author
David Buster

Senior Manager, Security and Governance; Product Marketing

View All Posts
Don’t miss an update

Subscribe today to our newsletter to get all the updates right in your inbox.

By submitting this form, you are acknowledging that you have read and understand Egnyte's Privacy Policy

Thank you for your subscription!

Welcome to
Egnyte Blog

Company News
Product Updates
Life at Egnyte
Industry Insights
Use Cases