Does your company process, produce/manufacture, or repair parts listed on the United States Munitions List (USML) for the Department of Defense? Or do you offer defense services or broker items controlled under the International Traffic in Arms Regulations (ITAR)? Then you are part of the Defense Industrial Base (DIB). There are an estimated 350,000+ companies in the DIB, many of them in the precision metalwork industry. Manufacturing on the shop floor comprises many processes, from consulting, drafting, drawing, and casting to assembly, among many others.
In all these processes, information is generated, disseminated, shared, and stored among various teams or individuals involved. For instance, any drawings, BOMs, 3D CAD models, and other forms of data relating to the part being produced/manufactured are shared by various employees in the company. All this information is considered Controlled Unclassified Information (CUI) and must be handled according to the existing laws, government-wide policies, and regulations in line with NIST SP 800-171 Rev 2.
Therefore, secure management of CUI from its creation through sharing, dissemination, and storage is critical. In fact, the DoD released CMMC as a unifying standard for implementing cybersecurity measures geared towards protecting CUI across the DIB. Although it has a lower sensitivity than Classified Information, CUI can still have serious ramifications should it fall into the wrong hands. For this reason, the US government created the CUI program through Executive Order 13556 in November 2010. It mandated that all CUI be shared and protected under strict guidelines, now set out in NIST SP 800-171, to prevent access by unauthorized personnel.
In the future, those wishing to continue providing services or doing business with the Department of Defense will have to be certified at some level of CMMC 2.0. CMMC requirements aside, controlling who can access, create, share, or even store CUI within the defense industry has become increasingly important. It is important to note that the requirements for safeguarding and disseminating CUI flow down the DoD supply chain to subcontractors through DFARS 252.204-7012. Hence, no matter the size of your business, you are subject to the CUI dissemination and safeguarding controls set out in NIST SP 800-171.
Authorized Holder and Controlled Environment
So, who should handle CUI in your shop? If you receive or generate CUI at your company or shop, and it is essential to fulfilling your contracts with the DoD, then 32 CFR 2002.4(d) considers you an Authorized Holder. The Code of Federal Regulations also considers an organization/company, agency, or group permitted to handle or designate CUI an Authorized Holder.
To ensure that your company can properly handle CUI, it should have a Controlled Environment. 32 CFR 2002.4(f) defines a controlled environment as a space or area with adequate procedural or physical controls to protect CUI from unauthorized disclosure or access.
Remember, anything falling under EAR or ITAR flow down is also considered CUI. Because your workspace or shop has many workers (janitors, cleaning crew, and others) who may not have a lawful government purpose for accessing CUI, a controlled environment is critical. Keep in mind that any unlawful access to this information constitutes a violation. When considering a controlled environment, ask yourself:
- Who works on the floor of your machine shop?
- Who has unescorted access to your machine shop during and after normal business hours? At times, the maintenance and cleaning crew may access areas where CUI is being processed, presenting a risk to this information.
- Do you have a suitable area for sensitive discussions?
- Is there a visitor escort policy?
If you want to get ahead of the CUI requirements, you should take a proactive approach. This includes understanding CUI, its implications for your daily workflows and operations, and how to manage and handle it securely. For example, in most machine shops, CUI is generated and shared constantly. It is printed on paper by the dozen, stored in filing cabinets, shared among shop workers, sitting in machinists' toolboxes as setup books or instruction manuals, stored as CAD drawings on laptops, and carried around by the machine shop's salespeople as they visit clients. CUI can also live in drawings, 3D models, and various other places, both digital and physical.
Together, all the locations where CUI is stored make up the CUI boundary, also called the CUI footprint. If the CUI footprint is large, you will find it more expensive and challenging to secure. Managing how controlled unclassified information flows through your machine shop starts with process documentation. This can be outlined in the following steps:
Determining the Kind of CUI in Your Machine Shop
What is CUI, and what isn't? This should be the first question you ask yourself as an Authorized Holder. Although there is a wealth of information on the internet that can help you distinguish what is and isn't CUI, 32 CFR 2002.4(h) is possibly the best place to start. Classifying what data is and isn't CUI will help you build systems and policies for proper CUI management. It will also help you institute proper data protection measures for non-CUI data. Generally, all data related to a DoD or government contract could be considered CUI. This includes CAD models, drawings, specifications, equipment manuals, and contract details such as shipping addresses, quantities, and shipment items.
Determine the CUI Data Lifecycle
Upon determining that you generate or receive CUI in your machine shop, you should map its entire lifecycle in your organization. This includes how you come into possession of the CUI (through the mail, portals, email, and so on), the point where it is generated, and how you store it (physically or electronically). Other things to map include how CUI is shared between workers, how it is used on the floor of your machine shop, and how the CUI is archived and disposed of. Additionally, you must determine where the CUI touches hardware, software, processes, and people in order to establish the CUI boundary or footprint.
What Should an Authorized Holder Do With CUI?
After determining your CUI boundaries, ask yourself, can I minimize those boundaries? Are there steps that I can take on my shop floor to simplify the footprint? Can I remove some unnecessary steps in the information handling process? Below are some basic requirements you should implement regarding CUI as the Authorized Holder.
- Train your employees on CUI. This includes educating them on what CUI is, the importance of managing access to it, and the ramifications if it isn't properly managed.
- Build systems and create policies to ensure proper CUI monitoring, protection, and auditing.
- Ensure that only authorized/appropriate people can access the controlled unclassified information. CUI also shouldn’t be disclosed to unauthorized entities or persons, whether electronically or physically.
- All electronic systems handling CUI should be monitored, audited, and protected.
- Teach the employees about the requirements of NIST 800-171. This will ensure that they can properly protect the CUI. However, you might have to seek help from a CMMC or NIST 800-171 consultant or a Registered Provider Organization (RPO) to train them.
- Label and mark the CUI. The authorized holder or the CUI designator should mark and label the CUI in a manner which meets CMMC and NIST requirements. If you’re printing the documents for use on your shop floor, such as CAD drawings, they should be marked as CUI. As explained by ISOO, the CUI Executive Agent, CUI can be marked in various ways.
Managing CUI on Your Machine Shop Floor
Data classification is critical in managing CUI on your shop floor and remaining compliant with the applicable guidelines, laws, regulations, and government-wide policies, especially NIST 800-171 and CMMC. However, classification can be a tedious and time-consuming process unless automated. Fortunately, there are various tools that you can use for CUI classification, with Titus and Azure Information Protection being the most popular. In addition, there are practical steps that you can take to manage CUI properly. Remember that proper management of CUI is the only way of ensuring NIST and CMMC compliance. Below are some of the measures that you can take:
Don’t Print Things
CAD models, drawings, customer purchase orders, BOMs, job travelers, and other documents are considered CUI. When printed documents are floating all around your shop floor, the CUI boundary and the complexity of the compliance practices dramatically increase. With the technological advancements today, there isn’t any reason to have so many printed documents lying around your shop floor.
Centralize Where Electronic Files Containing CUI are Stored
Do you save CUI on individual personal computers, on insecure cloud storage such as Google Drive and Dropbox, or in any other non-secure location? You should stop that. This considerably increases the CUI boundary, making it difficult to manage effectively. Instead, you should store the files in a minimum number of locations, where access can be authenticated and the files secured properly.
Implement Least Privilege Access On CUI
A CNC inspector or programmer needs to look at the CAD drawings, but a cleaner or janitor doesn't. Similarly, a project manager needs to be able to see the customer purchase order, but a machinist doesn't. Hence, you should institute controls that limit individuals or groups to viewing only what is relevant for their job. This ensures that you comply with Section 3.1.5 of NIST SP 800-171.
Separating Employee Duties
Another measure you should take towards CUI management is to separate the duties of the various employees working on your shop floor. This reduces the chance that an employee abuses authorized privileges, lowering the risk of malicious activity. In separating duties, you should divide the mission functions, production functions, support services, and other activities that happen inside your machine shop. The processes should also be subdivided into subprocesses so that you can properly implement the principle of least privilege access explained above.
Ensure Non-Privileged Users Don’t Execute Privileged Functions
Even on your machine floor, some functions should be performed only by privileged workers. For instance, only authorized and privileged employees should be able to establish system accounts, conduct system integrity checks, administer cryptographic key management, or patch security vulnerabilities on systems holding CUI.
However, non-privileged users might circumvent various protection measures, unintentionally or intentionally, posing a high security risk. Therefore, to ensure that you can trace unauthorized or unprivileged access to controlled environments or systems on your shop floor, it is recommended that you implement logging. This will help you deal with both advanced persistent threats and insider threats.
Physical Access Control
It is only sensible that your shop floor should have various physical access devices, from locks to fingerprint scanners. They are essential in creating a controlled environment. Hence, to ensure that CUI is effectively protected, you should manage and control these physical access devices, such as card readers, locks, and biometric scanners.
Further, you should periodically inspect the logs to ensure any unauthorized access is noted and reported. Additionally, all visitors to the shop floor should be escorted at all times. Their activities should also be monitored to ensure that they don’t access, overhear, or observe CUI if they don’t have any lawful government purpose.
Protect the Machine Shop Systems After Personnel Actions Such as Transfers or Terminations
Protecting the controlled unclassified information after and during personnel actions includes returning the property belonging to the shop and conducting exit interviews. The shop system property includes identification cards, hardware authentication tokens, building passes, admin technical manuals, and even physical keys. Employees who are terminated or transferred to another office should return all these items.
During the exit interviews, you should remind the terminated employees of non-disclosure agreements (NDAs) and ensure they understand the constraints of being a former employee. Further, you should ensure that any configurations they had made on machine shop systems are cleared and their access permissions revoked.
Remove Any CUI on Machine or Equipment Being Taken Offsite for Maintenance
Does any machine or information system need to be taken offsite for maintenance? First, you should ensure that ANY existing CUI is removed. Guidance on media sanitization for machines or information systems can be found in NIST SP 800-88. This applies to any system maintenance conducted by non-local entities, such as under in-contract, in-house, or warranty maintenance agreements.
You can do many things to manage CUI on your shop floor, provided you remain compliant with NIST SP 800-171, CMMC, and DFARS 7012 on incident reporting. The last thing you want is to be fined because a terminated employee can still remotely access the machine shop systems or left with documents containing CUI.
Managing Shared Computer Logins or Accounts
On most shop floors, privileged users, administrators, employees, applications, and services use shared accounts to access the information they need to complete an activity. What if an employee that doesn’t have a legitimate government purpose within the shop floor accesses the information through a shared account? Doesn’t this constitute a CUI compliance violation? It does. This underscores the inherent risks of using the same computers and account credentials to authenticate multiple users.
Sharing computer logins presents considerable compliance and security risks from accidental, intentional, or indirect misuse of shared privileges. Therefore, proper management controls must be instituted. Regardless of how savvy your IT team is, it will still experience the following complexities when managing shared accounts:
- Reporting and auditing privileged access are time-consuming and complex because it is impossible or difficult to attribute any session activity in the shared account to a single entity.
- Hardcoded and embedded passwords are prone to misuse by external or internal attacks on the network.
- Static passwords can easily leave your machine shop, while manual password rotation is often unreliable.
- A2A (Application-to-application) and A2DB (application-to-database) passwords are, in most cases, left out of the management strategy.
The foregoing clearly shows that the use of shared passwords and accounts puts CUI at risk of unauthorized access. Although there are many "best practices," ensuring that every user has their own password is the surest way to keep CUI on your shop floor protected. Section 3.5.2 of NIST SP 800-171 requires the authentication of the identities of users, processes, and devices as a prerequisite before granting access.
The section lists the INDIVIDUAL authenticators as passwords and cryptographic devices, amongst others. Hence, authenticating every user before they access CUI is necessary and a NIST requirement. Section 3.5.8 of NIST SP 800-171 requires that you prohibit the reuse of any password for a particular period.
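As an added example (not from the original article or any shop system), here is a small Python check that an IT team could run over workstation logon logs to surface the attribution problem described above: an account open on two hosts at once cannot belong to a single person, and an account with no named owner cannot satisfy the individual-authentication requirement. The log format, account names, hosts, and roster are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample workstation logon events (hypothetical log format, not
# taken from any real shop system): timestamp, event, account, host.
SAMPLE_LOG = """\
2024-03-04T07:58:12 LOGON user=shopfloor host=CNC-01
2024-03-04T08:01:40 LOGON user=shopfloor host=CNC-02
2024-03-04T08:03:05 LOGON user=jdoe host=INSPECT-01
2024-03-04T08:20:00 LOGOFF user=shopfloor host=CNC-01
2024-03-04T08:45:31 LOGON user=shopfloor host=OFFICE-03
2024-03-04T09:10:00 LOGOFF user=jdoe host=INSPECT-01
"""

# Constructed roster: accounts that map to exactly one named individual.
ROSTER = {"jdoe": "J. Doe (CNC inspector)"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGON|LOGOFF) user=(?P<user>\S+) host=(?P<host>\S+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, event, user, host) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["event"],
                           m["user"], m["host"]))
    return events


def find_concurrent_sessions(events):
    """Return {user: hosts} for accounts logged on to more than one host at once.
    One person cannot sit at two workstations, so overlapping sessions from a
    single account are the clearest sign that the credential is shared."""
    active = defaultdict(set)   # user -> hosts with a session currently open
    flagged = defaultdict(set)  # user -> hosts involved in any overlap
    for _ts, event, user, host in sorted(events):
        if event == "LOGON":
            active[user].add(host)
            if len(active[user]) > 1:
                flagged[user].update(active[user])
        else:
            active[user].discard(host)
    return dict(flagged)


def unattributable_accounts(events, roster):
    """Accounts seen in the log that map to no single individual in the roster."""
    return {user for _ts, _event, user, _host in events if user not in roster}
```

Both findings are the input to the fix the text recommends: retire the shared account and issue each worker an individual credential so every session is attributable.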
However, if you use shared credentials, Azure Information Protection (AIP) can be used for labelling, classification, marking, and protection. With this suite, you can configure a label with the necessary rules for detecting sensitive data such as CUI. In addition, the labels can classify and protect the documents in shared environments, meaning that you can impose restrictions on who can see or access your content. With AIP, you can track document access, track document misuse or leakage, control and track how content is used, analyze data flows, detect any risky behaviors and institute corrective measures.
AIP uses Azure Rights Management Services (Azure RMS) to protect your data. Azure RMS can be integrated with Microsoft cloud applications and services like Azure AD and Office 365, so that it can protect data both in the cloud and on-premises. It uses identity, authorization, and encryption policies. Like AIP labels, the protection applied through Azure RMS remains with the documents regardless of location.
This ensures that the user stays in control of their documents even in a shared environment. A user can also use Azure RMS to set access rights on the documents, restricting access by others. Through AIP labelling, you can inform any other user with a lawful government purpose that the document contains CUI and requires proper handling. You can learn more about how Azure Information Protection can help you protect CUI in your machine shop.
Do you own a machine shop or a company doing business with or providing services to the DoD? If you do, you should seriously consider how you handle or manage any CUI you generate or receive. How do you store it, and what control mechanisms have you instituted for safeguarding and disseminating it? By its very definition, CUI must be handled in a manner compliant with the existing laws, regulations, and government-wide policies. Remember, CUI is government-owned, meaning that even if you generate it, you do so on behalf of the US government. Its dissemination and safeguarding requirements flow down to subcontractors and members of the DoD supply chain in accordance with DFARS 7012.
Therefore, you must put adequate measures in place to safeguard any electronically or physically stored CUI to ensure compliance with regulations such as NIST 800-171, CMMC, and DFARS 7012. Do you need help managing CUI on your shop floor? Or do you need assistance training your employees on proper CUI handling and management? At Cleared Systems, we can help. Contact our experienced professionals today to ensure that all your employees understand the proper handling of CUI. We can also configure your systems and automate CUI marking and rights management to prevent unauthorized access to controlled unclassified information.