When most organizations undergo a digital transformation, they do so with the goal of breaking down data silos to allow information to freely flow across their enterprise, typically for the first time. It makes it easier to share data, collaborate on projects, and more – both internally and externally.
That sounds fantastic, until you start dealing with controlled unclassified information (CUI) and realize that data flowing freely outside of those silos is more difficult to track than you expected.
This is why data flow mapping is a critical part of NIST 800-171 compliance readiness. Accurate data flow mapping doesn’t just help you understand where CUI is received and stored. It helps you understand how it is processed, shared, and transmitted, so that you fully understand the scope of what you’re dealing with. Only then will you be able to truly understand what you need to do in terms of CMMC Level 2 requirements.
Why CUI Data Flow Mapping Matters Beyond Documentation
The reason CUI data flow mapping is one of the critical NIST SP 800-171 CMMC Level 2 compliance activities isn’t that it produces documentation. It’s that it provides visibility.
You don’t just see that CUI is moving throughout an organization; you see where it’s going and how. By clearly documenting this flow, organizations can more easily validate where CUI exists, explain how it is protected, and demonstrate readiness during assessment activities.
How CUI Movement Affects System Boundaries and Control Responsibility
To better understand how CUI movement impacts system boundaries and control responsibility, think about how intricate that movement can quickly become.
You’re not just talking about data moving from one internal system to another. There are cloud environments, vendors, endpoints, managed service providers (MSPs), subcontractors, and more. Every single touchpoint is a potential point of failure that absolutely falls within the assessment boundary.
Every single touchpoint also becomes a unique question of shared responsibility and control. Understanding these relationships on a case-by-case basis helps determine who is responsible for specific controls and what evidence they may eventually be required to offer to support CMMC compliance requirements.
Also, the other categories of assets that fall into the CMMC assessment scope (i.e., Security Protection Assets, Specialized Assets, and Contractor Risk Managed Assets) are identified by their relationship to CUI flow. For example, an Endpoint Detection and Response solution is only in scope as a Security Protection Asset (SPA) if it provides a security function to other in-scope assets (e.g., CUI assets, other SPAs, etc.) or if it handles Security Protection Data (SPD) relevant to in-scope assets. You only know which other assets are in scope by knowing their relationship and proximity to CUI. So even assets that never handle CUI are scoped based on the flow of CUI!
What Teams Should Validate When Mapping CUI Data Flows
When mapping CUI data flows, the first thing teams should do is validate CUI entry points: where the data first enters the organization through user interaction, system integrations, extended transfers, partner exchanges, and more. Again, you can’t protect something if you’re not even sure it exists.
From that point, you should trace and verify where that data is stored so that all repositories are accounted for. This includes not only the systems kept on your business’s own premises but, more often than not, file shares, cloud environments, backup and archival systems, and more.
User access is another crucial area for this part of the process, as you need to know who can access information at each stage to determine whether that access actually lines up with NIST 800-171 compliance solutions and standards. It’s at this stage that you’ll identify the involvement of external providers, including the aforementioned MSPs and cloud storage providers.
Throughout this process, your teams should also validate encryption expectations for data both at rest and in transit to ensure protections are consistent with requirements. At rest refers to data held in storage; in transit refers to data moving between systems, for example while it is being downloaded from or uploaded to a cloud server. Data repositories should be fully mapped and verified so there are no missing or undocumented storage locations.
Other parts of the data flow include how CUI exits the system or is destroyed. Knowing how a given CUI document or file is sent to an external recipient or transferred back to a customer, and what methods are used to destroy CUI that is no longer needed, are all pieces of the puzzle that can implicate system components that would otherwise not have been considered.
Finally, you and your team members should connect each element of the data flow to related evidence sources such as system configurations, access logs, monitoring records, security policies, and audit outputs. It’s not enough to say that CUI on an on-premises hard drive is only accessed by X, Y, and Z people from A, B, and C systems. You’ll need documentation to back that up, such as access logs or monitoring records.
This ensures the mapping you’re doing is not just theoretical but supported by evidence that can be used during CMMC assessment preparation.
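As an added illustration (written for this article, not IntelliGRC's code or any tooling the post describes), here is a small Python model of the mapping process above: assets and flows are recorded, the scope categories from the earlier section are derived from each asset's relationship to CUI flow, and the validation steps (encryption at rest and in transit, an evidence source behind each in-scope element) are checked. Every asset name, evidence label and the sample environment are constructed for the example.

```python
# Added example, not IntelliGRC code: toy CUI data-flow map -> CMMC scope + validation gaps.
from dataclasses import dataclass, field
@dataclass
class Asset:
    name: str
    encrypted_at_rest: bool = False
    protects: set = field(default_factory=set)  # assets it provides a security function to
    evidence: set = field(default_factory=set)  # linked evidence (logs, configs, policies)
@dataclass
class Flow:
    src: str
    dst: str
    carries_cui: bool
    encrypted_in_transit: bool = False
    evidence: set = field(default_factory=set)
def derive_scope(assets, flows):
    # Endpoints of CUI flows are CUI Assets. An asset protecting any in-scope asset (a CUI
    # Asset or another SPA) is a Security Protection Asset; everything else is out of scope.
    scope = {n: "CUI Asset" for f in flows if f.carries_cui for n in (f.src, f.dst)}
    for _ in assets:  # repeat until the fixed point so SPAs protecting other SPAs are found
        for a in assets.values():
            if a.name not in scope and any(t in scope for t in a.protects):
                scope[a.name] = "Security Protection Asset"
    return scope
def find_gaps(assets, flows, scope):
    # Validation steps: encryption at rest/in transit; evidence behind every in-scope element.
    gaps = []
    for a in assets.values():
        if scope.get(a.name) == "CUI Asset" and not a.encrypted_at_rest:
            gaps.append(f"{a.name}: CUI at rest not encrypted")
        if a.name in scope and not a.evidence:
            gaps.append(f"{a.name}: in scope but no evidence source linked")
    for f in filter(lambda f: f.carries_cui, flows):
        if not f.encrypted_in_transit:
            gaps.append(f"{f.src}->{f.dst}: CUI in transit not encrypted")
        if not f.evidence:
            gaps.append(f"{f.src}->{f.dst}: no evidence source linked")
    return gaps
def build_sample_map():  # constructed sample environment; every name here is hypothetical
    assets = {a.name: a for a in [
        Asset("intake-portal", True, evidence={"portal-access-log"}),
        Asset("cui-fileshare", True, evidence={"share-acl"}),
        Asset("cloud-backup"),  # unencrypted and no evidence linked
        Asset("edr-console", protects={"cui-fileshare", "cloud-backup"}, evidence={"edr-policy"}),
        Asset("siem", protects={"edr-console"}, evidence={"siem-config"}),
        Asset("marketing-web"), Asset("analytics")]}
    flows = [Flow("intake-portal", "cui-fileshare", True, True, {"tls-config"}),
             Flow("cui-fileshare", "cloud-backup", True),  # CUI over an unverified hop
             Flow("marketing-web", "analytics", False, True)]
    return assets, flows
```

Running `find_gaps(*build_sample_map(), derive_scope(*build_sample_map()))` on the sample flags the backup hop and the backup repository, while the SIEM lands in scope only because it protects the EDR console, which itself protects CUI assets.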
How IntelliGRC Helps Connect CUI Flows to Readiness Activities
All of this is why documented CUI flows are an invaluable tool to support not only asset scoping and control mapping, but evidence tracking, readiness visibility, and more. That’s also a big part of what the IntelliGRC platform was designed to do.
By linking CUI movement to the controls and assets that support it, organizations immediately gain better visibility into their readiness posture. Over the long term, they can also prepare for assessments more efficiently and avoid unnecessary delays or costly issues that crop up unexpectedly. Having this level of insight and management within a single platform can help you enjoy the benefits of the fast-paced digital world we live in with as few of the potential downsides as possible.
If you have any additional questions about how CUI data flow mapping impacts NIST SP 800-171 CMMC level 2 compliance requirements, or if you’d just like to discuss your organization’s own NIST compliance software needs in a bit more detail, please contact the team at IntelliGRC today. You can also schedule your free demo of the IntelliGRC platform to see what a benefit it can be to your organization during this time.
