Actifile for CMMC

Finding and Managing CUI and FCI for CMMC (& NIST 800-171)

Actifile can help MSPs and MSSPs, RPOs and their RPs, and organizations to scope CUI and FCI and prepare the necessary evidence for their CMMC assessment. Actifile provides evidence for up to 16 top-level data-centric controls that are applicable to CMMC.

Actifile can help the following stakeholders:

RPOs and their RPs: must scope FCI, FOUO and CUI as part of the CMMC assessments, identify gaps in compliance and prepare the POA&M.

MSPs and MSSPs: should scope their clients' FCI, FOUO and CUI data posture in advance of an RPO quote, and must subsequently implement the controls as required by the RPO and/or specified in the POA&M.

DoD contractors: may want or need to scope their FCI, FOUO and CUI data posture in preparation for an RPO quote and to help decide which CMMC level is applicable.

Assessors (C3PAO): need to see that the relevant data is identified, accounted for and protected, and that all the controls are implemented as applicable.

What evidence and controls can Actifile provide?

Find CUI, FCI and FOUO data

CUI & FCI classification policies are pre-built.

Find out where it is and how much of it is out there.

Verify it isn’t where it shouldn’t be.

Provide DLP controls on the data

Find shadow IT applications.

Monitor CUI usage.

Prevent CUI exfiltration.

Help prevent malware from accessing CUI

Persistent file level encryption is the last line of defense against data stealing malware and ransomware.

Prevent CUI from ending up on portable media

Control transfer of CUI and other sensitive data to portable media.

If data needs to be on portable media, make sure it is encrypted using a FIPS 140-2 validated cryptographic module.

Encrypt CUI, FCI and FOUO data using FIPS 140-2 validated encryption

Encrypt the data, and verify that the encryption is FIPS 140-2 validated.

Show that CUI is encrypted in accordance with CMMC.

Provide evidence that the cryptographic module is FIPS 140-2 validated.

Mapping of Actifile Capabilities to CMMC (& NIST 800-171) controls

CMMC Level | CMMC Practice | NIST 800-171 | Control Description | Actifile
Level 5 | SI.5.223 | 3.14.2e | Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior. | Yes
Level 4 | AC.4.023 | 3.1.3e | Control information flows between security domains on connected systems. | Yes
Level 3 | SC.3.193 | NA | Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter). | Yes
Level 3 | SC.3.191 | 3.13.16 | Protect the confidentiality of CUI at rest. | Yes
Level 3 | SC.3.177 | 3.13.11 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Yes
Level 3 | MP.3.125 | 3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. | Yes
Level 3 | MP.3.123 | 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner. | Yes
Level 3 | AC.3.014 | 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Yes
Level 3 | SC.3.022 | 3.1.19 | Encrypt CUI on mobile devices and mobile computing platforms. | Yes
Level 3 | SC.3.185 | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of Controlled Unclassified Information (CUI) during transmission unless otherwise protected by alternative physical safeguards. | Yes
Level 3 | AM.3.036 | NA | Define procedures for the handling of CUI data. (Use Actifile as part of the procedure to identify when CUI is introduced into the network and track it through its lifecycle to its destruction.) | Yes
Level 2 | RE.2.138 | 3.8.9 | Protect the confidentiality of backup CUI at storage locations. | Yes
Level 2 | AU.2.041 | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Yes
Level 2 | AC.2.016 | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Yes
Level 2 | AC.2.006 | 3.1.21 | Limit use of portable storage devices on external systems. | Yes
Level 1 | AC.1.003 | 3.1.20 | Verify and control/limit connections to and use of external information systems. | Yes