Written by: Paul Van Metre
Any company which machines, makes or processes parts for the Department of Defense (DoD) is part of the DIB or the Defense Industrial Base. It’s estimated that more than 350,000 companies are included in this list, many of them in the precision metalworking industry. When these companies are provided with drawings, 3D CAD models, BOMs, and any other data related to the parts they need to make, all of that information is generally considered to be Controlled Unclassified Information (CUI). The secure management of CUI is a critical part of the CMMC (Cybersecurity Maturity Model Certification) which introduces new cybersecurity requirements for all firms that are part of the DIB. The US government has mandated that CUI also be protected and shared only under strict guidelines in order to prevent potentially harmful releases. In order to continue doing business with the DoD, all contractors will need to be certified to the CMMC 2.0 requirements in the future. Regardless of the CMMC requirements, the control of CUI is taking an ever increasing importance within the defense industry, prime contractors and at all levels of the DIB - and likely will trickle down to other industries as well. No client wants their data stolen from a vendor’s server!!
If your company does receive CUI from your customers and it’s necessary to fulfill your contracts, then you are considered an Authorized Holder - An individual, agency, organization, or group of users that is permitted to designate or handle CUI. And your company would have a Controlled Environment - Any area or space with adequate physical or procedural controls to protect CUI from unauthorized access or disclosure. Hint: Anything that falls under the ITAR or EAR flowdowns will be considered CUI.
Companies who want to get ahead of the requirements and be proactive about how they manage CUI, are scrambling to understand what it means for them in their daily operations and workflows. Most machine shops have CUI coming out of their ears. It’s printed on paper in dozens of filing cabinets, flowing around the shop floor in job travelers, sitting in machinist tool boxes in the form of setup books, or drawings, on the laptops of their sales people as they travel around visiting clients, and numerous other places, both physically and digitally. The entirety of the places and locations where CUI is stored is often called the CUI footprint or boundaries. The larger the footprint is, the more challenging and expensive it is to secure it. Getting a handle on the way CUI flows into and through your company starts with documenting your processes today. This can be outlined in a couple of different steps:
Step #1: Determine what kind of CUI you have in your company. There is a wealth of information on the internet to help you learn more about what is and isn’t CUI. This is often called data classification. Knowing which data is CUI and which data is not CUI, so you can appropriately build policy and systems for managing the CUI, without going overboard and managing non-CUI in the same manner. This link is to a free and open course managed by the DoD that anyone can take. You can even get a certificate of completion. This PDF from the DoD offers some more detailed information about CUI. This website from the National Archives has many resources available about CUI. A good rule of thumb is that any data related to a government contract may be considered CUI including, but not limited to, drawings, CAD models, specifications, contract details such as quantities, shipping addresses, etc. I was even told once that knowing how many chickens are being sent to which Army bases to feed the troops is considered CUI. If malicious actors can discern how many troops may be stationed in any particular area, based on how much food they’re eating, that’s information the government doesn’t want falling into the wrong hands. I’m not totally sure if that’s true, but either way, crazy, right?
Step #2: Once you know what CUI you have, you need to determine the entire lifecycle of that data in your organization. This would include how it comes into your possession (emails, portals, mail, etc), how you store it (electronically and physically), how you use it, how you share it, and how you archive and dispose of it. Determine where this CUI touches people, software/hardware and processes. All of this will determine your CUI footprint.
Once you have determined your CUI footprint, you should ask yourself if you can minimize that footprint. Are there steps in the process that can be removed, simplified, or are unnecessary?
Here are some of the basic requirements that any authorized holder must do with their CUI.
Here are 3 common sense tips for managing CUI in your machine shop:
How Can ProShop Help?
ProShop has a suite of new features that have been released to help shops with CMMC and NIST 800-171 compliance, which can be found here. So there are many very practical things that can be easily set up within your ProShop environment to help secure CUI. From setting minimum password complexity, to 2 Factor Authentication (2FA/MFA), session management, to limiting access from certain IP addresses, we have you covered. But the biggest areas of low hanging fruit are the #1 and #2 points above.
#1 - Removing Paper from Your Shop Floor - When it comes to printing off documents that contain CUI, with ProShop, that becomes an unnecessary practice. ProShop is genuinely a paperless system. There isn’t a single step in the process of estimating a job, winning the order, making the parts, inspecting the parts, and shipping the job that requires a single piece of paper. If your client is OK with an emailed PDF of the packing slip, then it can be truly paperless end to end. But often the packing slip is the first paper that is generated, and that generally doesn’t contain CUI. Besides the much tighter control of CUI, there are SO MANY other benefits of eliminating paper off your shop floor. You don’t still load your CNC programs on punch tape, so why are you still managing all the critical aspects of your shop on paper? (BTW, We absolutely still maintain traceability of all jobs, just not with paper necessarily!)
You don’t use these👆. So why use these👇!?!
#2 - ProShop securely stores and limits access to electronic files - Most companies have a complete mess of files on laptops, PCs, servers, shared drives, thumb drives, cloud drives, backups, and more. Some are more organized than others, but it’s ubiquitous to have a loosely organized set of files all over the place. Besides increasing the risk of using the wrong CAD file, G-code, or drawing to make or inspect your parts, it’s a huge target for hackers and a totally insecure way to store CUI. Even with a password on your laptop, if you lost it and it fell into the wrong hands, the CUI contained on the hard drive can easily be retrieved. You’re not going to pass any cybersecurity audit by having files stored this way! ProShop has a complete, secure file structure as part of its ecosystem. The data can be housed on secure ITAR approved GovCloud storage servers, or on-premise. ProShop generates the folders, limits read/write access to those folders based on the individual employee security credentials, and most importantly, eliminates the need to have files stored all over your network. If you download your client’s CUI data directly from their secure portal, to the ProShop file system, it’s possible to view and interact with those files without them ever being stored on any devices within the walls of your shop. This dramatically reduces the attack surface of storing CUI within your company network, thereby making compliance considerably simpler and far less expensive. Please reach out if you’d like to learn more.
We have developed our own File Management System Protects Sensitive Data and Facilitates Data Security Compliance. Learn more using the button below ⬇