February 25, 2021 at 11:29 pm #2078
- Keymaster
Jim Goepel
The DOD CUI Registry includes 105 categories of CUI. Which ones do you think are likely to need to be handled in environments certified above Maturity Level 3? I recognize that DoD has the final say on what maturity level will be required, but I think it will be interesting to compare industry consensus against their list, and hopefully this will help some companies as they begin their CMMC assessment preparation efforts.
I put my guesstimate as to the maturity level next to each CUI category. What changes would you make?
Critical Infrastructure:
4 Ammonium Nitrate
5 Chemical-terrorism Vulnerability Information
5 Critical Energy Infrastructure Information
4 Emergency Management
3 General Critical Infrastructure Information
3 Information Systems Vulnerability Information
4 Physical Security (PHYSEC)
5 Protected Critical Infrastructure Information
3 SAFETY Act Information
4 Toxic Substances
4 Water Assessments
Defense:
4 Controlled Technical Information (CTI)
5 DoD Critical Infrastructure Security Information
5 Naval Nuclear Propulsion Information
5 Unclassified Controlled Nuclear Information – Defense (USNI)
Export Control:
3 Export Controlled
3 Export Controlled Research
Financial:
3 Bank Secrecy
3 Budget
3 Comptroller General
3 Electronic Funds Transfer (EFT)
3 Financial Supervision Information
3 General Financial Information
4 International Financial Institutions
4 Mergers
4 Net Worth
3 Retirement
Intelligence:
5 Foreign Intelligence Surveillance Act (FISA)
5 Foreign Intelligence Surveillance Act Business Records
4 General Intelligence
4 Geodetic Product Information
5 Intelligence Financial Records
4 Internal Data
5 Operations Security (OPSEC)
International Agreements:
4 International Agreement Information
Law Enforcement:
3 Accident Investigation
3 Campaign Funds
3 Committed Person
4 Communications
3 Controlled Substances
3 Criminal History Records Information
5 DNA
3 General Law Enforcement
5 Informant
5 Investigation
5 Juvenile
3 Law Enforcement Financial Records
5 National Security Letter
4 Pen Register/Trap & Trace
3 Reward
4 Sex Crime Victim
5 Terrorist Screening
4 Whistleblower Identity
Legal:
3 Administrative Proceedings
4 Child Pornography
4 Child Victim/Witness
3 Collective Bargaining
3 Federal Grand Jury
4 Legal Privilege
3 Legislative Materials
3 Presentence Report
3 Prior Arrest
4 Protective Order
4 Victim
5 Witness Protection
Natural and Cultural Resources:
3 Archaeological Resources
3 Historic Properties
North Atlantic Treaty Organization:
5 NATO Restricted
4 NATO Unclassified
Nuclear:
4 General Nuclear
5 Nuclear Recommendation Material
5 Nuclear Security-Related Information
5 Safeguards Information
5 Unclassified Controlled Nuclear Information – Energy (UCNI)
Patents:
3 Patent Applications
3 Inventions
5 Secrecy Orders
Privacy:
3 Contract Use
3 Death Records
3 General Privacy
4 Genetic Information
4 Health Information
4 Inspector General Protected
4 Military Personnel Records
3 Personnel Records
3 Student Records
Procurement and Acquisition:
3 General Procurement and Acquisition
3 Small Business Research and Technology
3 Source Selection
Proprietary Business Information:
3 Entity Registration Information
3 General Proprietary Business Information
3 Ocean Common Carrier and Marine Terminal Operator Agreements
3 Ocean Common Carrier Service Contracts
3 Proprietary Manufacturer
3 Proprietary Postal
Provisional:
4 Operations Security Information (OPSEC)
4 Personnel Security Info (PERSEC)
4 Privacy Information <– Not sure why this is here when there is a privacy category
4 Sensitive Personally Identifiable Information (PII)
Statistical Tax:
3 Statistical Information
4 Federal Taxpayer Information
3 Tax Convention
3 Written Determinations
Transportation:
4 Railroad Safety Analysis Records
4 Sensitive Security Information
March 18, 2021 at 8:17 am #2234
- Participant
Matt Gilbert
I think your analysis makes sense. I personally don’t think we will see level 4 or 5 assessments for some time. I am not aware of the assessment guides or training to prepare Assessors for ML4 or 5. I also think the requirement is that an assessor must have 15 level 3 assessments under their belt before they can qualify to become a CCA 5. Also, I am hearing that 4 and 5 are going to get modified after the interim rule making and response to questions is handled. So I guess we are a good 2 years out from seeing 4 or 5 requirements. But those CUI categories are good candidates for it.