Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations
NIST SP 800-171 is, in effect, a “security checklist” that federal agencies apply to the “nonfederal” systems and organizations that handle “Controlled Unclassified Information” (CUI). In practice this means that nonfederal organizations (usually vendors) must meet certain minimum data-protection standards in order to do business with federal agencies.
The NIST 800-171 controls are a minimum standard to follow, and the governing documents are continually evolving. AT-NET’s security team feels that the standard should be adopted by all organizations where financially practical. The NIST standards serve as a framework that can adapt to an evolving cybersecurity landscape.
More information about the above standards can be found here.
Additionally, our customers are increasingly asked to allow a CMMC agent to review their systems for compliance.
CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify that the processes and practices associated with a given cybersecurity maturity level have actually been implemented.
CMMC is designed to give the Department increased assurance that a DIB company can adequately protect sensitive unclassified information, including information that flows down to subcontractors in a multi-tier supply chain.