While Department of Defense (DoD) contractors implementing NIST 800-171 and pursuing a CMMC Level 2 certification will encounter many security controls that require careful interpretation, it can be argued that none are more important than 3.1.3, which deals with controlling the flow of Controlled Unclassified Information (CUI). Identifying and subsequently controlling how CUI “flows” throughout the organization will, in many ways, determine the manner in which all other controls in NIST 800-171 will be implemented. Therefore, it is necessary to tread carefully when addressing this requirement. In this post, we’ll unpack this requirement and provide some examples of CUI flow control across typical small business environments. Be sure to download our CUI data flow diagram template, linked at the end of this blog, that you can use to begin identifying and controlling your own CUI flow.
Controlling CUI flow in NIST 800-171
The single security control dealing with CUI flow in NIST 800-171 revision 2, which remains the current standard for those targeting a CMMC Level 2 certification, is found in the third safeguard of the Access Control family:
Control the flow of CUI in accordance with approved authorizations.
NIST SP 800-171 Control 3.1.3
Before moving into interpretations of this requirement, we feel it is important to remind those reading why this control is so significant in the grand scheme of things. Defense contractors handling, on their own systems, the Federal Government’s CUI are required to implement the 110 security controls in NIST 800-171 to protect that CUI. This compliance “regime” is all about protecting the CUI; not just forcing a bunch of small companies to do a lot of laborious cybersecurity tasks (though we totally understand if you feel that way). As we’ve heard it said many times, wherever the CUI goes, the requirements follow. And, while there is some nuance, the reverse is also true: where CUI does not go, the requirements do not follow.
This is a crucial component of CMMC/NIST 800-171 compliance, because it presents an opportunity for contractors to determine how CUI must flow throughout the organization to achieve key strategic initiatives. Determining how CUI flows and which assets need to store/process/transmit that CUI to fulfill the contractor's commitment to the DoD (part of a larger process referred to as scoping) is at the discretion of the contractor. So, it’s nice that there is a control in NIST 800-171 specifically dedicated to identifying and controlling how CUI moves throughout the organization. Without it, who knows how many more would miss its importance and set themselves up for a more-expensive-than-necessary NIST 800-171 implementation.
Identifying CUI flow also can have drastic ramifications for external service providers (ESP — managed service providers, managed security service providers, cloud service providers…) supporting defense contractors in their protection of CUI. As the DoD has alluded to in their CMMC Scoping Guide, there are instances in which ESPs, depending on how their tools/services are employed to facilitate the contractor handling CUI, themselves may need to pursue FedRAMP authorization or their own CMMC Level 2 certification. So, uncovering CUI flow not only can result in significant changes and expenses for defense contractors, but also for the external service providers assisting them.
Exploring how CUI flows
When we talk about CUI “flow”, we really are talking about how CUI is:
- Shared with/sent to the organization, whether by the Federal Government, a prime contractor, a subcontractor, or anyone else in the DoD supply chain
- Generated/created by the organization
- Stored by the organization, whether on-premises or in cloud services
- Accessed by the organization, such as via locally saved digital documents, physical copies, or a web interface
- Sent outside of the organization, such as to other suppliers, customers, or vendors
- Destroyed, such as via media sanitization
So, “flow” encapsulates how and where CUI moves into, within, and out of the organization:
While the graphic above is a simple depiction of CUI flow, it doesn’t really tell the full story nor is it enough to be considered a full CUI scope. In each phase, there are questions that must be answered that will determine whether that flow must be controlled differently. We explore these questions and the topic of controlling CUI flow more in the next section.
When identifying how CUI flows, the result should be a list or “artifact” of all of the assets (people/hardware/software) that handle (process/store/transmit) the CUI (grab a copy of our System Inventory spreadsheet for a template of such an artifact). Once the flow is finalized, the next step is to implement the 110 security controls in NIST 800-171 upon this list of assets. You’re probably starting to get the picture that the more CUI flows within the organization, i.e., the more assets it reaches, the greater the burden of NIST 800-171 implementation, and the longer and more expensive your CMMC assessment will be. Hence the need to “control” how CUI flows.
Controlling the flow of CUI
To understand what NIST means by “controlling the flow of CUI”, we return to control 3.1.3 and, more specifically, the five NIST 800-171A assessment objectives for this control. We list each objective and then provide our interpretation of it.
Information flow control policies are defined.
NIST SP 800-171A Assessment Objective 3.1.3[a]
NIST uses the broad term “information” here, but it is important to remember that NIST 800-171/CMMC Level 2 is all about CUI protection. So, we recommend keeping this simple and focusing on CUI specifically, not other information types, especially if your company also operates across non-DoD sectors. This is not to say you shouldn’t limit other sensitive information flows; it just won’t matter for a CMMC assessment.
This first assessment objective is all about establishing how the organization permits CUI to flow into, within, and out of its environment. This includes answering questions such as:
- Where does the organization receive CUI from? (e.g., its government customer or another contractor)
- How is CUI shared with the organization? (e.g., a secure customer portal)
- Who in the organization must receive CUI? (e.g., the Procurement Manager, Program Manager, Systems Engineers, etc.)
- Who must the organization share CUI with externally? (e.g., a subcontractor or authorized vendor)
- How does the organization share CUI externally? (e.g., a secure file sharing tool)
- Who in the organization must send CUI externally? (e.g., the Program Manager or Systems Engineers)
- How must CUI flow internally? (e.g., between workstations, other network devices, and cloud services)
- Who in the organization must handle CUI internally? (e.g., the Procurement Manager, Program Manager, Systems Engineers)
Answering these questions will allow the organization to begin crafting actionable policies for expected CUI flow and perhaps uncover CUI flowing where it should not be.
Methods and enforcement mechanisms for controlling the flow of CUI are defined.
NIST SP 800-171A Assessment Objective 3.1.3[b]
Now that you’ve established some policies for expected CUI flow within the organization, it is time to begin describing how you are limiting CUI flow to what is expected. This will require specifying both procedural and technical means for limiting CUI flow. For example:
- Describing the authorized tools used for sending CUI externally (e.g., DoD SAFE or another FIPS 140-2 validated filesharing solution)
- Describing how CUI flows among workstations, cloud services, and other devices are logically controlled (e.g., IP filtering, MAC filtering, mobile device management, group permissions, user permissions, file/folder permissions, multi-factor authentication, email filtering, data-loss protection)
- Describing how CUI flows among workstations and peripheral devices (printers, USBs, etc.) are physically controlled (e.g., direct connection to printers, training users, RFID badges, employee screening, alarm systems)
Designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified.
NIST SP 800-171A Assessment Objective 3.1.3[c]
This objective requires clearly documenting the expected use cases for organizational assets (hardware, software, people, and facilities) that are used to process, store, or transmit CUI. Don’t forget to include your cloud services! You can grab a copy of our free System Inventory spreadsheet to begin documenting this, if you haven’t already. In addition to documenting your expected use cases for CUI, it’s also a very good idea to put together a CUI data flow diagram, which should provide an easily understood visual depiction of how CUI flows into, within, and out of your environment. This diagram would appear similar to a network diagram, but rather than focusing on network topologies, its purpose is to clearly show direction of CUI flow across all asset types (hardware/software/people/facilities) as it moves into, within, and out of the environment.
Authorizations for controlling the flow of CUI are defined.
NIST SP 800-171A Assessment Objective 3.1.3[d]
The “approved authorizations” piece of 3.1.3 tends to confuse some folks, but the premise is pretty simple. How does the organization determine the manner in which it authorizes CUI flows into, within, or out of its environment? Is this decision made by a single executive? A board? Has the process for approving new or changing existing CUI flows been documented?
Approved authorizations for controlling the flow of CUI are enforced.
NIST SP 800-171A Assessment Objective 3.1.3[e]
Now that processes for authorizing the initiation or change of CUI flows are in place, can the organization demonstrate that these processes are followed? CMMC assessors will want to see evidence not only that the processes exist, but also that you are doing what you say you are doing. In other words, you’ll want to brainstorm some ideas for compelling evidence proving that new CUI flows are implemented in accordance with your process for authorizing such CUI flows.
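To make the five objectives concrete, here is an added example (our own illustration, not part of NIST 800-171A and not code from the original post) that models them as data: an asset inventory and the authorized flows between assets (objectives [a], [c] and [d], each flow recorded with its approver), and a check of observed transfers against that policy that produces the kind of evidence objective [e] asks for. The asset names, the approving role (“ISSM”), the log line format and the log lines themselves are all constructed for this example; the flows follow the manufacturer scenario described later in this post.

```python
import re
from dataclasses import dataclass

# Hypothetical log format for this example: one line per observed CUI transfer.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) channel=(?P<channel>\S+)$"
)


@dataclass(frozen=True)
class Flow:
    """One directed CUI flow: source asset, destination asset, channel used."""
    src: str
    dst: str
    channel: str


class CuiFlowPolicy:
    """Asset inventory (3.1.3[c]) plus the authorized flows between assets (3.1.3[a]/[d])."""

    def __init__(self):
        self.assets = {}      # asset name -> kind (person/hardware/software/external)
        self.authorized = {}  # Flow -> who approved it

    def add_asset(self, name, kind):
        self.assets[name] = kind

    def authorize(self, src, dst, channel, approved_by):
        # Only assets already in the inventory may appear in a flow; anything
        # else is a scoping gap that has to be resolved first.
        for name in (src, dst):
            if name not in self.assets:
                raise KeyError(f"{name} is not in the CUI asset inventory")
        self.authorized[Flow(src, dst, channel)] = approved_by

    def is_authorized(self, src, dst, channel):
        return Flow(src, dst, channel) in self.authorized

    def check_transfers(self, log_lines):
        """Compare observed transfers against the policy (evidence for 3.1.3[e]).
        Returns (finding, log_line) pairs; an empty list means every transfer matched."""
        findings = []
        for line in log_lines:
            m = LOG_RE.match(line)
            if not m:
                findings.append(("unparsed", line))
                continue
            src, dst, channel = m.group("src"), m.group("dst"), m.group("channel")
            if src not in self.assets or dst not in self.assets:
                findings.append(("unknown_asset", line))
            elif not self.is_authorized(src, dst, channel):
                findings.append(("unauthorized_flow", line))
        return findings

    def to_dot(self):
        """Emit the authorized flows as Graphviz DOT, a seed for the CUI data flow diagram."""
        lines = ["digraph cui_flow {"]
        for name, kind in sorted(self.assets.items()):
            lines.append(f'  "{name}" [label="{name}\\n({kind})"];')
        for f in sorted(self.authorized, key=lambda f: (f.src, f.dst, f.channel)):
            lines.append(f'  "{f.src}" -> "{f.dst}" [label="{f.channel}"];')
        lines.append("}")
        return "\n".join(lines)


def manufacturer_policy():
    """Policy for the post's manufacturer scenario; asset names are invented here."""
    p = CuiFlowPolicy()
    for name, kind in [
        ("PRIME-PORTAL", "external"),  # prime's secure customer portal
        ("ENG-WS-01", "hardware"),     # dedicated wired CUI workstations
        ("ENG-WS-02", "hardware"),
        ("FILE-SRV", "hardware"),      # local CUI file server
        ("CLOUD-BACKUP", "software"),  # secure cloud backup of the file server
        ("SHOP-CNC", "hardware"),      # machine shop, fed via removable drive
        ("PRINTER", "hardware"),
    ]:
        p.add_asset(name, kind)
    approver = "ISSM"  # hypothetical approving role (3.1.3[d])
    p.authorize("PRIME-PORTAL", "ENG-WS-01", "portal", approver)
    p.authorize("ENG-WS-01", "PRIME-PORTAL", "portal", approver)
    for ws in ("ENG-WS-01", "ENG-WS-02"):
        p.authorize(ws, "FILE-SRV", "smb", approver)
        p.authorize("FILE-SRV", ws, "smb", approver)
    p.authorize("FILE-SRV", "CLOUD-BACKUP", "backup", approver)
    p.authorize("ENG-WS-01", "SHOP-CNC", "usb", approver)
    p.authorize("ENG-WS-01", "PRINTER", "print", approver)
    return p


# Constructed sample log of observed transfers (not real data).
SAMPLE_LOG = [
    "2024-05-02T10:15Z src=PRIME-PORTAL dst=ENG-WS-01 channel=portal",
    "2024-05-02T10:20Z src=ENG-WS-01 dst=FILE-SRV channel=smb",
    "2024-05-02T11:02Z src=ENG-WS-01 dst=SHOP-CNC channel=usb",
    "2024-05-02T11:30Z src=FILE-SRV dst=SALES-WS-07 channel=smb",       # asset not in inventory
    "2024-05-02T12:05Z src=ENG-WS-02 dst=PRIME-PORTAL channel=portal",  # only ENG-WS-01 may send
    "corrupt line with no fields",
]


def audit_sample():
    """Run the constructed log through the manufacturer policy."""
    return manufacturer_policy().check_transfers(SAMPLE_LOG)
```

Running `audit_sample()` yields three findings: a transfer to a workstation that is not in the CUI inventory (a scoping gap), a transfer over an approved channel but from an asset not authorized to use it, and an unparsable line. The first two are exactly the “CUI flowing where it should not be” that objective [a] is meant to surface, and the list itself, kept with the dated log, is the sort of artifact an assessor can accept as evidence for objective [e]. `to_dot()` turns the same policy into a Graphviz graph you can render as a first cut of the data flow diagram.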
CUI flow examples in small business environments
Now that we’ve explored the concept of controlling the flow of CUI, we shift this blog to look at some examples of CUI flow being controlled within typical small business defense contractor environments. We look at two examples: a manufacturer with a physical facility and both on-premises and cloud infrastructure, and an R&D entity working entirely remotely using a cloud enclave. The intent of this section is to provide some ideas for how you can create your own CUI data flow diagram. NOTE: these example diagrams only consider CUI assets and do not include other asset types (e.g., Specialized Assets, Risk-Managed Assets, and Security Protection Assets), as specified in the CMMC Scoping Guide, and therefore are only intended to be preliminary. Additionally, you should consider creating a diagram that overlays your data flow diagram with your network topology to provide a crystal-clear depiction of your CUI flow. At the end of this blog, you can download both diagrams, which you can then customize for your environment.
We start with a small business manufacturer. Let’s assume this manufacturer is a subcontractor to one DoD customer, a large prime contractor. Its workstations and manufacturing equipment are all on-premises, and it stores CUI locally on a file server, which is backed up to secure cloud storage. The manufacturer receives CUI from its prime via a secure customer portal accessed via the web, and uses this same portal to send CUI back to the prime. Only a select few users need to handle CUI, and they are given dedicated workstations to do so. BYOD and handling of CUI outside of the facility are not permitted, and there is no corporate Wi-Fi; all CUI workstations are wired into the corporate network. Engineers move CUI from their workstations to the machine shop via removable drives, and print and scan CUI when necessary. See the diagram below for an example of such an environment:
The environment displayed above is not representative of most small business manufacturers just setting out on their NIST 800-171/CMMC compliance journey. Getting to the point where logical control of CUI is in place, such as limiting access to a subset of users, disallowing corporate Wi-Fi, no Bring Your Own Device (BYOD), network segmentation, etc., can take many months. However, hopefully you can see the benefit of reducing the flow of CUI to as minimal a footprint as possible, as not having these logical controls in place would result in a much more complex data flow diagram.
Next up, we look at a small business research and development (R&D) entity that is helping develop cutting-edge software for the DoD. This firm operates entirely remotely and does not have a physical facility. The firm restricts handling of all CUI to a FedRAMP Moderate (or equivalent) authorized enclave in the cloud, as it does not need to handle CUI in physical form. Access to the CUI enclave is restricted to those in the organization authorized to handle CUI. BYOD is permitted, since downloading CUI outside of the enclave is not feasible. Developers manipulate CUI in the form of source code using virtual desktops in the enclave, and this code is backed up to a secure cloud file storage platform. See the diagram below:
This is about as simple a CUI data flow as you can find (though not necessarily cheap to implement). This example serves to show that it is possible to control the flow of CUI down to a minimal number of assets, and many small businesses in the DIB are already doing so. In fact, some that don’t want to purchase a cloud enclave are using our Single PC Hardening Guide to minimize their CUI flow to only a single Windows laptop and local backup.
Wrapping up
We wrote this blog to introduce you to the concept of CUI flow, explain what NIST means by “controlling” your CUI flow, and provide some examples of how small businesses in the DIB are currently doing so. Hopefully, this blog sparked some ideas for how you can begin doing so in your unique environment. You can download the two sample CUI data flow diagrams, editable using Visio or PowerPoint, below.
If you need more guided help with identifying your CUI data flow and building the right diagrams, we recommend you grab a seat in our next CMMC Readiness Workshop, where we explore this topic in great detail. If you have any questions about this blog, or anything else, let us know!
Thanks for reading!
–Nathan
Download our CUI Data Flow Diagram Template
Your download will contain a .ZIP file with both a .vsdx (Visio) and .pptx (PowerPoint) version of the CUI data flow diagram templates.