Back to Control Explorer
AM.3.036
Content
Control Acronym
AM
Family
Asset Management
CMMC Level
3
800-171 Control #
N/A
CMMC Description
Define procedures for the handling of CUI data.
CMMC Clarification
Establish procedures for handling CUI. Procedures should include how to categorize data as CUI and how to provide and enforce access control for CUI. It also includes guidance on how to receive, transmit, store, and destroy CUI. The procedures should account for both physical and digital CUI. Example As a manager for a government program that contains CUI, you have established procedures for handling government identified CUI. These procedures account for both physical and digital CUI, and include: * identification of CUI when provided government labeling and guidance * controlled environments to protect CUI (e.g., put it in a designated system or folder) * steps to reasonably ensure that unauthorized individuals cannot access CUI * protections for the confidentiality of CUI (e.g., electronic or physical CUI when in transit).
800-171 Description
800-171 Discussion
N/A
Other Source Discussion
The organization should define procedures for the proper handling of CUI. These procedures typically involve establishing controls to protect and sustain sensitive information. Examples of controls an organization may implement through data handling procedures include policies (data categorization, protection, disposal, backup), access controls for data, regular backups and physical security protections.
CIS Control References
NIST 800-53 Control Ref.
CMMC Derived
CMMC
NIST CSF Control References
NIST 800-171 References
Applicable FAR Clause
NIST CSF Control Reference
CERT RMM Reference
Modification of NIST 800-171B Reference
NIST 800-171B Reference
UK NCSCCyber Reference
AS ACSC Reference
Sub-Criterias
Assessment Sub-Criteria 1
AM.3.036.[a] the organization establishes and maintains one or more processes or procedures for handling CUI data.