  • #2078
    • Keymaster
    Jim Goepel

    The DOD CUI Registry includes 105 categories of CUI. Which ones do you think are likely to need to be handled in environments certified above Maturity Level 3? I recognize that DoD has the final say on what maturity level will be required, but I think it will be interesting to compare industry consensus against their list, and hopefully this will help some companies as they begin their CMMC assessment preparation efforts.

    I put my guesstimate as to the maturity level next to each CUI category. What changes would you make?

    Critical Infrastructure:
    4 Ammonium Nitrate
    5 Chemical-terrorism Vulnerability Information
    5 Critical Energy Infrastructure Information
    4 Emergency Management
    3 General Critical Infrastructure Information
    3 Information Systems Vulnerability Information
    4 Physical Security (PHYSEC)
    5 Protected Critical Infrastructure Information
    3 SAFETY Act Information
    4 Toxic Substances
    4 Water Assessments

    Defense:
    4 Controlled Technical Information (CTI)
    5 DoD Critical Infrastructure Security Information
    5 Naval Nuclear Propulsion Information
    5 Unclassified Controlled Nuclear Information – Defense (USNI)

    Export Control:
    3 Export Controlled
    3 Export Controlled Research

    Financial:
    3 Bank Secrecy
    3 Budget
    3 Comptroller General
    3 Electronic Funds Transfer (EFT)
    3 Financial Supervision Information
    3 General Financial Information
    4 International Financial Institutions
    4 Mergers
    4 Net Worth
    3 Retirement

    Intelligence:
    5 Foreign Intelligence Surveillance Act (FISA)
    5 Foreign Intelligence Surveillance Act Business Records
    4 General Intelligence
    4 Geodetic Product Information
    5 Intelligence Financial Records
    4 Internal Data
    5 Operations Security (OPSEC)

    International Agreements:
    4 International Agreement Information

    Law Enforcement:
    3 Accident Investigation
    3 Campaign Funds
    3 Committed Person
    4 Communications
    3 Controlled Substances
    3 Criminal History Records Information
    5 DNA
    3 General Law Enforcement
    5 Informant
    5 Investigation
    5 Juvenile
    3 Law Enforcement Financial Records
    5 National Security Letter
    4 Pen Register/Trap & Trace
    3 Reward
    4 Sex Crime Victim
    5 Terrorist Screening
    4 Whistleblower Identity

    Legal:
    3 Administrative Proceedings
    4 Child Pornography
    4 Child Victim/Witness
    3 Collective Bargaining
    3 Federal Grand Jury
    4 Legal Privilege
    3 Legislative Materials
    3 Presentence Report
    3 Prior Arrest
    4 Protective Order
    4 Victim
    5 Witness Protection

    Natural and Cultural Resources:
    3 Archaeological Resources
    3 Historic Properties

    North Atlantic Treaty Organization:
    5 NATO Restricted
    4 NATO Unclassified

    Nuclear:
    4 General Nuclear
    5 Nuclear Recommendation Material
    5 Nuclear Security-Related Information
    5 Safeguards Information
    5 Unclassified Controlled Nuclear Information – Energy (UCNI)

    Patents:
    3 Patent Applications
    3 Inventions
    5 Secrecy Orders

    Privacy:
    3 Contract Use
    3 Death Records
    3 General Privacy
    4 Genetic Information
    4 Health Information
    4 Inspector General Protected
    4 Military Personnel Records
    3 Personnel Records
    3 Student Records

    Procurement and Acquisition:
    3 General Procurement and Acquisition
    3 Small Business Research and Technology
    3 Source Selection

    Proprietary Business Information:
    3 Entity Registration Information
    3 General Proprietary Business Information
    3 Ocean Common Carrier and Marine Terminal Operator Agreements
    3 Ocean Common Carrier Service Contracts
    3 Proprietary Manufacturer
    3 Proprietary Postal

    Provisional:
    4 Operations Security Information (OPSEC)
    4 Personnel Security Info (PERSEC)
    4 Privacy Information <– Not sure why this is here when there is a privacy category
    4 Sensitive Personally Identifiable Information (PII)

    Statistical Tax:
    3 Statistical Information
    4 Federal Taxpayer Information
    3 Tax Convention
    3 Written Determinations

    Transportation:
    4 Railroad Safety Analysis Records
    4 Sensitive Security Information

    #2234
    Participant
    Matt Gilbert

    I think your analysis makes sense. I personally don’t think we will see level 4 or 5 assessments for some time. I am not aware of the assessment guides or training to prepare Assessors for ML4 or 5. I also think the requirement is that an assessor must have 15 level 3 assessments under their belt before they can qualify to become a CCA 5. Also, I am hearing that 4 and 5 are going to get modified after the interim rulemaking and response to questions are handled. So I guess we are a good 2 years out from seeing 4 or 5 requirements. But those CUI categories are good candidates for it.
