Controlled Unclassified Information (CUI) in a manufacturing plant

Do you need to evaluate whether it’s necessary to store CUI data in your ERP?

Manufacturers who are primes or sub-contractors on U.S. Department of Defense contracts must protect controlled unclassified information. The Department of Defense has mandated this through DFARS 252.204-7012, requiring compliance with NIST SP 800-171. If you need to refresh your memory on the definition of CUI, please look for my security column in the November/December 2023 issue of Defense and Munitions.

CUI and your ERP

Many manufacturers use an ERP (Enterprise Resource Planning) system to manage their business. It’s possible CUI may be stored in the ERP, meaning the ERP would be within an assessment scope for CMMC. You may want to evaluate whether it’s necessary to store CUI data in your ERP.

CUI and CAD/CAM software

Manufacturers often ask whether CUI is still CUI after it has passed through CAD/CAM (Computer-Aided Design/Computer-Aided Manufacturing) software. The answer is that CUI is always CUI, no matter how it has been transformed or rewritten. The information still requires monitoring and protection. Additionally, because CAD/CAM software will often aggregate multiple CUI items and render the data into a single virtual model with highly detailed tolerances and specifications, the result not only remains CUI but in some cases is more critical to protect because of the aggregated virtual model. Lastly, the model code loaded into the manufacturing machines remains CUI, and the machines may now be in scope for the CMMC assessment as well.

Paper CUI

Another common question manufacturers ask is whether they have to protect paper drawings, plans, etc. that are marked CUI to the same standards as the digital data. The short answer is yes. The longer answer is that paper CUI may be harder to protect. CUI must be monitored: access must be controlled, monitored, and tracked. In the case of paper documents, locking them in a cabinet or safe at night is a good start, but determining who has access to the cabinet, who monitors and tracks each document, and who ensures that only people with a valid need to know access each document may become a major undertaking for the organization.

CUI and finished manufactured products

Manufacturers may not realize that products manufactured using CUI require additional protection. Products are not technically considered CUI, as CUI applies to information and data. A product manufactured using CUI falling under FAR 52.245-1, Government Property, may require additional protection in storage and shipping. This consideration may affect your organization in terms of controlling access to finished products, using extra caution in shipping the products, and adding controls to protect these products until they are delivered to the customer or government. We highly recommend reaching out to your government program manager or contracting officer to determine how these products should be handled.

What questions do you have?

CUI can be a complicated subject. Not only is it hard to identify at times, but envisioning how it may travel through your plant and determining how to set the scope for your assessment can be complex at first. Contact me with any questions you have about handling CUI, how your plant processes CUI, or anything else that you need to know to comply with the CMMC requirement using the NIST SP 800-171 standard. https://www.smithers.com/cmmc-for-manufacturers

About the author: Robert McVay is a senior consultant for information security services in Smithers Quality Assessments Division.

August/September 2024