Level 5 CMMC - CMMC Practices

AM.3.036  

Reference: CMMC 1.02

Family: AM

Level Introduced: 3

Practice:
Define procedures for the handling of CUI data.

CMMC Clarification:
Establish procedures for handling CUI. Procedures should include how to categorize data as CUI and how to provide and enforce access control for CUI. They should also include guidance on how to receive, transmit, store, and destroy CUI. The procedures should account for both physical and digital CUI.

Example:
As a manager for a government program that contains CUI, you have established procedures for handling government-identified CUI. These procedures account for both physical and digital CUI, and include:
• identification of CUI when provided government labeling and guidance;
• controlled environments to protect CUI (e.g., put it in a designated system or folder);
• steps to reasonably ensure that unauthorized individuals cannot access CUI; and
• protections for the confidentiality of CUI (e.g., electronic or physical CUI when in transit).

The organization should define procedures for the proper handling of CUI. These procedures typically involve establishing controls to protect and sustain sensitive information. Examples of controls an organization may implement through data handling procedures include policies (data categorization, protection, disposal, backup), access controls for data, regular backups and physical security protections.

Source: CMMC v1.02