Tomorrow in our CMMC Essentials class we will launch the module on Sensitive Data. This means defining the differences between Federal Contract Information, FCI, and Controlled Unclassified Information, CUI.

Data Thief - Hacker - Cyber Criminal
Data Thief - Hacker - Cyber Criminal flickr photo by perspec_photo88 shared under a Creative Commons (BY-SA) license

We also need to cover the seventeen basic safeguards of protecting FCI and the responsibilities and the legal responsibilities of those with a legal need to access CUI:

  • Create
  • Designate
  • Label
  • Store
  • Disseminate
  • Destroy
  • Decontrol

At the same time the scenarios should focus on helping an Organization Seeking Certifcation rather than focus on if Assessment Objectives get met by the NPCs (nonplaying characters) in the story.

So in designing CUI scenario problems we have four major content goals:

  1. Definethe legal responsibility for authorized handling
  2. Identify domains, practices, and assessment objectives impacted by explicit mention of CUI
  3. Identify domains, practices, and objectives impacted implicity (think media protection policy)
  4. Create or evaluate a CUI plan or policy

I worked with Brian Rogalaski of Hexscapes on the example below. Tell us what you think.

Does it set to measure what we want it to measure? Does the scenario script provide enough detail while remaining vague enough to require additional information? How important is topic to what we want to measure? Does the scenario fir th audience of a CMMC Consultant and an MSP?

Yoxas Inc., a small manufacturer has severely limited the use of portable storage devices on external systems. Jill needs to give a presentation at a client site that will contain CUI. According to the technical restrictions in the Yoxas CUI policy, Jill must reach out to Kamal, Yoxas's security officer where she receives permission to use a USB drive.

What strategies would you suggest to Jill and Kamal take to make sure their use of portable storage devices stay compliant with CMMC Level Three practices and processes?

What specific CMMC Domains, practices, and assessment objectives get impacted by Jill removing CUI off-site?

What requirements must Jill and Kamal take to protect CUI based on NARA regulations?

Write a Section for the CUI Policy at Yoxas Inc. that covers the limited use of Portable Storage Devices.