3 Common Sense Tips for Managing CUI in a Machine Shop

March 14, 2022

Written by: Paul Van Metre

Any company that machines, makes or processes parts for the Department of Defense (DoD) is part of the Defense Industrial Base (DIB). It is estimated that more than 350,000 companies are on this list, many of them in the precision metalworking industry. When these companies are provided with drawings, 3D CAD models, BOMs and any other data related to the parts they need to make, that information is generally considered Controlled Unclassified Information (CUI). Secure management of CUI is a central part of the Cybersecurity Maturity Model Certification (CMMC), which introduces new cybersecurity requirements for all firms in the DIB. The US government has mandated that CUI be protected and shared only under strict guidelines in order to prevent potentially harmful releases. To continue doing business with the DoD, contractors will need to meet the CMMC 2.0 requirements in the future. Regardless of CMMC, the control of CUI is taking on ever increasing importance within the defense industry, at prime contractors and at every level of the DIB, and it will likely trickle down to other industries as well. No client wants their data stolen from a vendor's server!

If your company receives CUI from its customers and needs it to fulfill its contracts, then you are considered an Authorized Holder: an individual, agency, organization, or group of users that is permitted to designate or handle CUI. Your company would then have a Controlled Environment: any area or space with adequate physical or procedural controls to protect CUI from unauthorized access or disclosure. Hint: export-controlled technical data that comes to you under ITAR or EAR flowdowns is treated as CUI.

Companies that want to get ahead of the requirements and be proactive about how they manage CUI are scrambling to understand what it means for their daily operations and workflows. Most machine shops have CUI coming out of their ears. It is printed on paper in dozens of filing cabinets, flowing around the shop floor in job travelers, sitting in machinists' tool boxes in the form of setup books or drawings, on the laptops of salespeople as they travel to visit clients, and in numerous other places, both physical and digital. The complete set of places where CUI is stored is often called the CUI footprint or boundary. The larger the footprint, the more challenging and expensive it is to secure. Getting a handle on the way CUI flows into and through your company starts with documenting your processes as they are today. This can be broken into a couple of steps:

Step #1: Determine what kind of CUI you have in your company. There is a wealth of information on the internet to help you learn what is and isn't CUI. This is often called data classification: knowing which data is CUI and which is not, so you can build policy and systems for managing the CUI without going overboard and managing non-CUI the same way. The DoD offers a free, open CUI course that anyone can take, with a certificate of completion available. The DoD also publishes a PDF with more detailed information about CUI, and the National Archives website has many CUI resources. A good rule of thumb is that any data related to a government contract may be considered CUI, including but not limited to drawings, CAD models, specifications, and contract details such as quantities and shipping addresses. I was even told once that knowing how many chickens are being sent to which Army bases to feed the troops is considered CUI. If malicious actors can discern how many troops may be stationed in any particular area, based on how much food they're eating, that's information the government doesn't want falling into the wrong hands. I'm not totally sure if that's true, but either way, crazy, right?

Step #2: Once you know what CUI you have, determine the entire lifecycle of that data in your organization. This includes how it comes into your possession (email, portals, mail, etc.), how you store it (electronically and physically), how you use it, how you share it, and how you archive and dispose of it. Determine every point where this CUI touches people, software/hardware and processes. All of this defines your CUI footprint.

Once you have determined your CUI footprint, ask yourself whether you can shrink it. Are there steps in the process that are unnecessary, or that can be removed or simplified?

Here are some of the basic things any authorized holder must do with its CUI:

  1. Train your employees about CUI: what it is, why access to it must be managed, and what the ramifications are if it is not managed properly.
  2. Create policy and build systems to ensure that CUI is monitored, audited and protected. Ensure that only the appropriate people are allowed to access CUI and that it is not "disclosed" to any unauthorized person. This applies to both physical and electronic copies. Electronic systems need to be protected, monitored and audited. Learn the requirements from the latest version of NIST SP 800-171. This will likely require some outside assistance from a cybersecurity expert.
  3. Mark and label CUI. All CUI must be labeled in a manner that meets the NIST and CMMC requirements. If you still print documents for your shop floor, such as drawings, those must be marked as CUI, and systems must be in place so that only authorized people (US persons, for example) can see them. Cover sheets help prevent inadvertent disclosure, but they clearly do nothing to stop someone who shouldn't see a document from deliberately looking at it.

Here are 3 common sense tips for managing CUI in your machine shop:

  1. Stop printing things! Drawings, CAD models, BOMs, customer POs, job travelers and other documents may all be considered CUI. Printed documents floating around your facility dramatically increase the CUI footprint and the complexity of your compliance practices. In 2022 there is no reason so many printed documents are still needed.
  2. Centralize where you store electronic files. If you are saving CUI files on individual PCs, on unmanaged cloud storage like Dropbox or Google Drive, or in other non-secure locations, you need to stop. Those broadly increase your CUI footprint in a way that is difficult or impossible to manage effectively. Files should be stored in the minimum number of locations that can be properly secured, authenticated and audited.
  3. Limit who can view CUI. A CNC programmer or inspector clearly needs to look at engineering drawings; a delivery driver does not. A project manager needs to see the customer PO; a machinist does not. Put controls in place so that groups and individuals can view only what is relevant to their job.
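The "limit who can view CUI" tip above is a least-privilege authorization rule. Below is an added example of how such a rule can be implemented and audited; it is illustrative code written for this page, not ProShop's code or data model. The role names, document classes, the `us_person` flag and the in-memory audit log are all assumptions made for the example. The points it shows that the tip does not spell out: access is denied unless an explicit rule allows it, an unknown document class is denied rather than waved through, export-controlled data adds a check that roles alone do not cover, and every decision, denied or allowed, is recorded so it can be audited.

```python
"""Deny-by-default view authorization for CUI document classes.

Added illustration for this page, not ProShop code. The roles, document
classes and the us_person check are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List

# Document classes a shop commonly holds as CUI (assumed names).
DOCUMENT_CLASSES = frozenset(
    {"drawing", "cad_model", "bom", "customer_po", "job_traveler"}
)

# Explicit allow-list per role. A role sees only what its job needs;
# any (role, document class) pair not listed here is denied.
ROLE_PERMISSIONS = {
    "cnc_programmer": frozenset({"drawing", "cad_model", "job_traveler"}),
    "inspector": frozenset({"drawing", "job_traveler"}),
    "machinist": frozenset({"drawing", "job_traveler"}),
    "project_manager": frozenset({"drawing", "bom", "customer_po", "job_traveler"}),
    "delivery_driver": frozenset(),  # needs no CUI at all
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    us_person: bool  # matters for export-controlled (ITAR/EAR) technical data


@dataclass(frozen=True)
class Document:
    doc_id: str
    doc_class: str
    export_controlled: bool = False


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    doc_id: str
    allowed: bool
    reason: str


class AuditLog:
    """In-memory sink for the example; a real deployment writes to protected storage."""

    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def record(self, user: User, doc: Document, allowed: bool, reason: str) -> None:
        self.events.append(
            AuditEvent(datetime.now(timezone.utc), user.name, doc.doc_id, allowed, reason)
        )


def can_view(user: User, doc: Document, audit: AuditLog) -> bool:
    """Return True only when an explicit rule allows the view; log every decision."""
    # Unknown classes are denied: an unclassified file is not assumed to be harmless.
    if doc.doc_class not in DOCUMENT_CLASSES:
        audit.record(user, doc, False, f"unknown document class {doc.doc_class!r}")
        return False
    # Export-controlled data has a person-level restriction on top of the role check.
    if doc.export_controlled and not user.us_person:
        audit.record(user, doc, False, "export-controlled data, user is not a US person")
        return False
    # Grant only if some role the user holds explicitly lists this document class.
    for role in sorted(user.roles):
        if doc.doc_class in ROLE_PERMISSIONS.get(role, frozenset()):
            audit.record(user, doc, True, f"role {role!r} permits {doc.doc_class!r}")
            return True
    audit.record(user, doc, False, "no role grants access (deny by default)")
    return False


def denied_attempts(audit: AuditLog) -> List[AuditEvent]:
    """Denied views are the first thing a reviewer looks at during an audit."""
    return [e for e in audit.events if not e.allowed]


if __name__ == "__main__":
    # Constructed sample users and documents for a quick run.
    log = AuditLog()
    ana = User("ana", frozenset({"cnc_programmer"}), us_person=True)
    bob = User("bob", frozenset({"delivery_driver"}), us_person=True)
    drawing = Document("DWG-1042", "drawing", export_controlled=True)
    print(can_view(ana, drawing, log), can_view(bob, drawing, log))
    for e in denied_attempts(log):
        print(e.user, e.doc_id, e.reason)
```

A role that is missing from `ROLE_PERMISSIONS` (or a user with no roles) simply falls through to the deny branch, which is the behaviour you want when a new job title is created before anyone has decided what it may see.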

How Can ProShop Help?

ProShop has released a suite of new features to help shops with CMMC and NIST SP 800-171 compliance. There are many practical things that can easily be set up within your ProShop environment to help secure CUI: minimum password complexity, two-factor authentication (2FA/MFA), session management, and restricting access by IP address, among others. But the biggest areas of low-hanging fruit are points #1 and #2 above.

#1 Removing Paper from Your Shop Floor. With ProShop, printing documents that contain CUI becomes an unnecessary practice. ProShop is genuinely a paperless system. There is not a single step in estimating a job, winning the order, making the parts, inspecting the parts, and shipping the job that requires a piece of paper. If your client is OK with an emailed PDF of the packing slip, the process can be paperless end to end. Often the packing slip is the first paper generated, and it generally does not contain CUI. Besides much tighter control of CUI, there are many other benefits to eliminating paper from your shop floor. You don't still load your CNC programs from punch tape, so why are you still managing all the critical aspects of your shop on paper? (BTW, we absolutely still maintain traceability of all jobs, just not necessarily with paper!)


#2 ProShop Securely Stores and Limits Access to Electronic Files. Most companies have a complete mess of files on laptops, PCs, servers, shared drives, thumb drives, cloud drives, backups, and more. Some are more organized than others, but a loosely organized set of files scattered everywhere is ubiquitous. Besides increasing the risk of using the wrong CAD file, G-code, or drawing to make or inspect your parts, it is a huge target for attackers and a totally insecure way to store CUI. A login password on a laptop does not encrypt its disk: if the laptop is lost and falls into the wrong hands, the CUI on the drive can be read simply by pulling the drive, unless full-disk encryption is in place. You are not going to pass any cybersecurity audit with files stored this way! ProShop includes a complete, secure file structure as part of its ecosystem. The data can be housed on ITAR-compliant GovCloud storage servers or on premises. ProShop generates the folders, limits read/write access to those folders based on each employee's security credentials, and, most importantly, eliminates the need to have files stored all over your network. If you download your client's CUI directly from their secure portal into the ProShop file system, you can view and interact with those files without them being stored on other devices within the walls of your shop. This dramatically reduces the attack surface of storing CUI within your company network, making compliance considerably simpler and far less expensive. Please reach out if you would like to learn more.

We have developed our own File Management System that protects sensitive data and facilitates data security compliance.
