CMMC – Alive Data

CUI Marking

February 19, 2021February 24, 2021

There is a lot of scuttlebutt surrounding the marking of CUI.

If you are a SUB, your PRIME is responsible for identifying CUI and providing instructions on how to mark the documents.

NOTE: Do not assume everything is CUI – remember, you must be at CMMC Leve 3 or NIST 800-53 to hold and manage CUI.

For general instructions on CUI, see https://www.archives.gov/files/cui/documents/20161206-cui-marking-handbook-v1-1-20190524.pdf

DIB Frameworks

January 29, 2021February 18, 2021

Compliance Frameworks

Federal Acquisition Regulation Clause (FAR)

15 Practices
Self Attestation

Defense Federal Acquisition Regulation Supplement DFARS

NIST 800-171
Self Attestation
SSP & POAM

The Federal Information Security Management Act (FISMA)

NIST 800-53

CMMC

Cybersecurity framework and maturity model that combines the above + additional practices identified by the DOD and industry
CMMC-AB

CMMC Levels

January 22, 2021February 18, 2021

5 CMMC Levels

Level 1 – Basic Cyber Hygiene

Federal Contract Information
- 17 Practices

Level 2 – Intermediate Cyber Hygiene

Federal Contract Information
- 72 Practices (L1 + 55 Practices)

Level 3 – Good Cyber Hygiene

Controlled Unclassified Information
- 130 Practices (L2 + Practices)

Level 4 – Proactive

CUI + Controlled Technical Information
- 156 – (L3 + 26 Practices)

Level 5 – Advanced/Progressive

CUI + Controlled Technical Information
- 171 (L4 + 15 Practices)

CMMC

January 18, 2021February 18, 2021

Cyber Security Maturity Model

CMMC is a cybersecurity framework and maturity model

Combination of maturity processes + cybersecurity best practices
Co-developed by DOD and industry
Primarily combines FARS -21 & DFARS 7012
Additional practices defined by DOD and Industry
CMMC is broken into 5 maturity Levels, spanning 17 domains (originating from FIPS) and 171 practices
CMMC-AB is the governing body Formal Assessments Required