Finding and Managing CUI and FCI for CMMC (& NIST 800-171)
Actifile can help MSPs and MSSPs, RPOs and their RPs, and organizations to scope CUI and FCI and prepare the necessary evidence for their CMMC assessment. Actifile provides evidence for up to 16 top-level data-centric controls that are applicable to CMMC.
Actifile can help the following stakeholders:
RPOs and their RPs
Must scope FCI, FOUO and CUI as part of CMMC assessments, identify gaps in compliance and prepare the POAM.
MSPs and MSSPs
Should scope their clients' FCI, FOUO and CUI data posture in advance of an RPO quote.
Must subsequently implement the controls required by the RPO and/or specified in the POAM.
Customers may want or need to scope their FCI, FOUO and CUI data posture in preparation for an RPO quote and to help decide which CMMC level applies to them.
Need to see that the relevant data is identified, accounted for and protected, and that all the controls are implemented as applicable.
What evidence and controls can Actifile provide?
Find CUI, FCI and FOUO data
CUI & FCI classification policies are pre-built.
Find out where it is and how much of it is out there.
Verify it isn’t where it shouldn’t be.
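One way to do the discovery step described above, as an added example that is not Actifile's code: a small Python scan that looks for CUI and FOUO banner markings in a directory tree and flags marked files that sit outside an approved location. FCI has no mandatory marking, so the contract-number pattern standing in for it, the directory names and the sample files are all constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# "CUI"/"CONTROLLED" banners with optional category or dissemination markings
# (e.g. "CUI//SP-CTI", "CUI//NOFORN") follow the federal CUI marking convention;
# "FOR OFFICIAL USE ONLY"/"FOUO" is the legacy marking. FCI carries no banner,
# so the contract-number pattern is a constructed heuristic for this example.
MARKINGS = {
    "CUI": re.compile(r"\b(?:CUI|CONTROLLED)(?://[A-Z0-9/-]+)?\b"),
    "FOUO": re.compile(r"\bFOR OFFICIAL USE ONLY\b|\bFOUO\b"),
    "FCI": re.compile(r"\bContract No\.?\s*[A-Z0-9-]{8,}", re.IGNORECASE),
}

def classify_text(text):
    """Return the set of labels whose marking pattern appears in text."""
    return {label for label, pat in MARKINGS.items() if pat.search(text)}

def scan_tree(root, approved_roots):
    """Classify every file under root; flag hits that sit outside approved roots."""
    approved = [Path(p).resolve() for p in approved_roots]
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        labels = classify_text(path.read_text(errors="ignore"))
        if not labels:
            continue
        resolved = path.resolve()
        in_place = any(resolved == a or a in resolved.parents for a in approved)
        findings.append({"path": str(path), "labels": sorted(labels),
                         "misplaced": not in_place})
    return findings

def build_sample_tree(base):
    """Constructed sample: one marked file in the approved share, three strays in Downloads, one unmarked file."""
    base = Path(base)
    (base / "cui_share").mkdir()
    (base / "downloads").mkdir()
    (base / "cui_share" / "drawing.txt").write_text("CUI//SP-CTI\nTechnical data package")
    (base / "downloads" / "copy.txt").write_text("CONTROLLED\nCopied for convenience")
    (base / "downloads" / "memo.txt").write_text("FOR OFFICIAL USE ONLY\nOld memo")
    (base / "downloads" / "po.txt").write_text("Order under Contract No. W91ZZZ-24-C-0001")
    (base / "downloads" / "notes.txt").write_text("Lunch order for Friday")
    return base

def demo():
    """Build the sample tree in a temp dir and scan it with cui_share as the only approved root."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        return scan_tree(base, [base / "cui_share"])
```

Running `demo()` reports four marked files, three of them misplaced; an "UPPER CASE" heading containing CONTROLLED will also hit, so results are leads for review rather than a final classification.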
Provide DLP controls on the data
Find shadow IT applications.
Monitor CUI usage.
Prevent CUI exfiltration.
Help prevent malware from accessing CUI
Persistent file level encryption is the last line of defense against data stealing malware and ransomware.
Prevent CUI from ending up on portable media
Control transfer of CUI and other sensitive data to portable media.
If data needs to be on portable media, make sure it is encrypted using a FIPS 140-2 validated cryptographic module.
Encrypt CUI, FCI and FOUO data using FIPS 140-2 validated encryption
Encrypt the data, and verify that the encryption is FIPS 140-2 validated.
Show that CUI is encrypted in accordance with CMMC.
Provide evidence that the cryptographic module is FIPS 140-2 validated.
Mapping of Actifile Capabilities to CMMC (& NIST 800-171) controls
Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
Control information flows between security domains on connected systems.
Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).
Protect the confidentiality of CUI at rest.
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Prohibit the use of portable storage devices when such devices have no identifiable owner.
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Encrypt CUI on mobile devices and mobile computing platforms.
Implement cryptographic mechanisms to prevent unauthorized disclosure of Controlled Unclassified Information (CUI) during transmission unless otherwise protected by alternative physical safeguards.
Define procedures for the handling of CUI data.
(Use Actifile as part of the procedure to identify when CUI is introduced into the network and to track it through its lifecycle to its destruction.)
Protect the confidentiality of backup CUI at storage locations.
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Control the flow of CUI in accordance with approved authorizations.
Limit use of portable storage devices on external systems.
Verify and control/limit connections to and use of external information systems.