Pentagon releases guides for marking controlled unclassified information ahead of CMMC program launch

By Sara Friedman / April 7, 2021

The Defense Department has issued two new resources for contracting officials on identifying controlled unclassified information and how it should be marked on government documents.

Controlling the flow of CUI is critical to the Pentagon's Cybersecurity Maturity Model Certification program, which aims to make acquisition officials and government contractors more aware of DOD information that is communicated throughout their supply chains.

The Pentagon released a "Quick Reference Guide" brochure last week, which outlines categories of CUI and examples of how it should be marked in DOD documents. DOD also added to its CUI website a slide deck on CUI, cleared for publication on April 1, that goes into more depth.

The CUI program is a government-wide standard established by the National Archives and Records Administration. DOD has developed a mandatory CUI training for Pentagon contracting officials.

"The course provides information on the 11 training requirements for accessing, marking, safeguarding, decontrolling and destroying CUI along with the procedures for identifying and reporting security incidents," according to the training website.

CMMC level three focuses on the need to protect CUI and is largely built upon National Institute of Standards and Technology Special Publication 800-171.

Certified third-party assessment organizations (C3PAOs) that want to participate in the CMMC program must achieve a CMMC level three certification through the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center before they can start conducting government contractor assessments. The CMMC-AB has conditionally approved 99 C3PAOs that will be able to conduct assessments.

At a CMMC "Town Hall" last week, CMMC-AB Vice Chairman Jeff Dalton provided an update on the C3PAO role and status of assessments.

"Only one has been attempted. . . . And they had minor issues," Dalton said in a written response to a question from a "Town Hall" participant on the assessments. "We're working on it. We want to solve this as much as anyone!"

The CMMC-AB collected questions from participants during the "Town Hall" to be asked live during the meeting and also responded to others through the chat function on the Zoom platform.

Sources have indicated there could be larger issues with getting the C3PAO assessments completed and that another company may have failed its DIBCAC audit since the "Town Hall" event. To achieve compliance with CMMC, contractors and C3PAOs alike need to meet all of the controls and processes at their desired CMMC level.

During Dalton's presentation at the event, he said: "We are in the process right now of just starting to see our C3PAO licensees be assessed by the DCMA DIBCAC and they have already had a few assessments started and one completed so that it is starting to get rolling now and we are starting to see some action there. CMMC third-party assessment organizations can meet all of our prerequisites but until they are certified at CMMC level three, they cannot conduct assessments."

CMMC does not allow contractors to submit a program of action and milestones -- known as a POA&M -- stating that they will meet the necessary controls at a later date. DOD did not respond to requests for comment on the status of the C3PAO assessments.