CMMC AM.3.036 - Define CUI Procedures

Requirement text: AM.3.036: Define procedures for the handling of CUI data.

DISCUSSION FROM SOURCE: CMMC
The organization should define procedures for the proper handling of CUI. These procedures
typically involve establishing controls to protect and sustain sensitive information.
Examples of controls an organization may implement through data handling procedures
include policies (data categorization, protection, disposal, backup), access controls for data,
regular backups and physical security protections.

CMMC CLARIFICATION
Establish procedures for handling CUI. Procedures should include how to categorize data as
CUI and how to provide and enforce access control for CUI. They should also include guidance
on how to receive, transmit, store, and destroy CUI. The procedures should account for both
physical and digital CUI.

Example
As a manager for a government program that contains CUI, you have established procedures
for handling government identified CUI. These procedures account for both physical and
digital CUI, and include:
• identification of CUI when provided government labeling and guidance;
• controlled environments to protect CUI (e.g., put it in a designated system or folder);
• steps to reasonably ensure that unauthorized individuals cannot access CUI; and
• protections for the confidentiality of CUI (e.g., electronic or physical CUI when in transit).

References
• CMMC