Back to Control Explorer



Control Acronym



Asset Management

CMMC Level


800-171 Control #


CMMC Description

Define procedures for the handling of CUI data.

CMMC Clarification

Establish procedures for handling CUI. Procedures should include how to categorize data as CUI and how to provide and enforce access control for CUI. It also includes guidance on how to receive, transmit, store, and destroy CUI. The procedures should account for both physical and digital CUI. Example As a manager for a government program that contains CUI, you have established procedures for handling government identified CUI. These procedures account for both physical and digital CUI, and include: * identification of CUI when provided government labeling and guidance * controlled environments to protect CUI (e.g., put it in a designated system or folder) * steps to reasonably ensure that unauthorized individuals cannot access CUI * protections for the confidentiality of CUI (e.g., electronic or physical CUI when in transit).

800-171 Description

800-171 Discussion


Other Source Discussion

The organization should define procedures for the proper handling of CUI. These procedures typically involve establishing controls to protect and sustain sensitive information. Examples of controls an organization may implement through data handling procedures include policies (data categorization, protection, disposal, backup), access controls for data, regular backups and physical security protections.

CIS Control References

NIST 800-53 Control Ref.

CMMC Derived


NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

AM.3.036.[a] the organization establishes and maintains one or more processes or procedures for handling CUI data.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15