In this episode of the CMMC Compliance Guide Podcast, we tackle one of the most misunderstood topics in CMMC compliance.
Many contractors assume that if information is not marked as controlled unclassified information, then it is not CUI. But that assumption can lead to serious compliance risks.
We break down how manufacturers and machine shops can actually create CUI while performing contract work, even if the original data was not clearly marked.
We also cover how ERP systems factor into CMMC scope, when systems are considered in or out of scope, and how improper scoping decisions can create major compliance gaps.
You will learn what derived CUI is, how it applies to things like CNC G-code, and why simply removing identifying details from documents does not make them safe.
We also explain who determines what qualifies as CUI, how scope can expand across your network, and what realistic cost and infrastructure decisions look like for small and mid-sized contractors.
If you are part of the defense supply chain, this episode will help you avoid one of the most common and costly misunderstandings in CMMC.
Welcome And The CUI Trap
Stacey: Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey. And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're tackling a question that causes a lot of confusion for small aerospace manufacturers and machine shops. Many companies assume that if their customer doesn't mark something as controlled unclassified information, then it isn't CUI. But the reality is a little more complicated. In fact, there are situations where a supplier can actually create CUI during the course of performing contract work. That's something many shops don't realize until they're starting their CMMC journey. So in today's episode, we're going to walk through some of the most common questions manufacturers ask about CUI, system scope, and how compliance decisions are actually made. Okay, Brooke, let's start with something we hear a lot from manufacturers.
Brooke: Absolutely.
Stacey: Many shops use ERP systems like JobBoss, E2, or ProShop, and they want to know if those systems automatically fall into scope for CMMC. So if a company never stores CUI inside their ERP system, does that keep the ERP out of scope?
Brooke: It does keep it out of scope for CUI. You need to be honest with yourself and make sure that you don't actually store any CUI in that platform. Some people don't; a lot of people do. I will tell you this: if it's on-premise, or on a server under your control (maybe there's a server in Azure or something like that), if it's something like that in your network, you can put that in scope if there happens to be CUI in it. But there are very, very few of these vendors that actually have cloud platforms that are compliant. So if it's a cloud platform, I can almost guarantee you it's not. Like I said, there are very few, but they have to be FedRAMP Moderate authorized or equivalent, or higher, however you want to phrase that. So there are very few of those that are. If you do use one that's in the cloud, it is possible to still use it. You just have to make sure you keep CUI out of it. Again, you've got to be honest with yourself and make sure that there's no CUI or derived CUI, which I think we'll probably get into here in a minute. Anyway, make sure none of that is in the system.
Stacey: Another common question we hear is whether a shop can isolate CUI instead of securing their entire network. Some companies ask if they can just put CUI on a separate computer or system. Does that approach actually work?
Brooke: It can work. It really depends on your workflow. Generally we call that an enclave. So you scope out a separate little network that's protected. Truly, an enclave would be one where nothing can get in and out, right? That's not realistic, so then you start poking little holes in the enclave, and what kind of little holes you poke in the enclave will determine what else comes into scope. So it is possible, and suggested, to scope CUI down as much as possible, because there are all sorts of controls that you discover along the way where you'll go, oh wow, I have to do everything in the network that way. That's either going to be costly or that's going to be tough to do, or something. So if you can scope it down, I would say scope it down as much as possible. If you can scope it down to less than the entire network, that'd be ideal. Sometimes you can't. Sometimes 100% of your network or 100% of your work is DoD work and CUI. You can still do that, but at that point it's easier to consider scoping a few things out of it that may not need to be in it. So however you do that, however you phrase it, it is good to scope it down as much as possible.
Drawings Are Not The Whole Story
Stacey: Another misconception we hear a lot from manufacturers is that CUI only applies to the drawings their customers send them. Is that actually how CUI works?
Brooke: No, unfortunately it's not. So hopefully you're getting drawings that have CUI markings on them, or documents that have CUI markings with portion marking. I highly doubt you're actually getting that if you're a subcontractor. Some of our clients who are subcontractors do get a document or two that are marked properly. Generally, if they ask, hey, is this CUI or not, somebody will tell them, oh yeah, everything is CUI for this contract. That's not really accurate. As a subcontractor, you can only ask and push a little bit, and of course you don't want to bite the hand that feeds you. But, and I got off the topic a little bit, whatever they give you that may be CUI, a document, a drawing, something like that (we'll stick with the drawing): if you then break out some parts and make some drawings of those, that is very likely going to be CUI still. And so you have to mark those documents accordingly, right? And you have to protect them accordingly. You can't just say, oh yeah, it doesn't have any identifying information on it, so it's not CUI. In fact, I wrote it down, or copied it down, so I could make sure I read it properly. Controlled unclassified information is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. So that right there (and I'll read another one here in just a second) is basically telling you that if it's part of that contract, it's very likely going to be considered CUI.
The next one is CDI, which is covered defense information. That is a subset of CUI, generally thought of as CTI, controlled technical information. So that is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of a contract. So if you're handling any of those documents and you create, possess, develop, receive, transmit, or use them on behalf of that contract, then that's likely going to be CUI. If you truly use something that's an off-the-shelf product as part of that larger component, for instance, that off-the-shelf product is not CUI. If it's a piece that you sell to different regular commercial manufacturers, but you also sell the exact same thing to the DoD under that contract, then that may not be CUI. However, I will tell you it's always better to be safe than sorry. So if you're going to do that, you can't be willy-nilly about it. You've got to really make sure that it really is. The other thing I would say: if you're going to say it's not CUI and you don't have to protect it or mark it like CUI, I would document the heck out of that and say why. Write down why you said that, how you came up with that conclusion, what supports that, all that kind of fun stuff, so you have something defensible should anything ever happen.
Derived CUI Like CNC G Code
Stacey: So this leads into another big question. If CUI isn't limited to drawings, can a machine shop actually create CUI while performing contract work?
Brooke: Yes, and it's very much related to the last one we just talked about. Think of G-code that tells a CNC machine where to go through whatever it's doing, right? It's basically just a map of points of where to go to grind or cut or whatever. That G-code is still going to be considered CUI. That's something you create; it's not anything where the government goes, hey, here's this G-code, please make this. So that G-code that you make is derived CUI, and that's still going to be CUI and still has to be protected. Now you may say, well, my CNC machines can't accept FIPS-encrypted data, for instance. That's true, most of them can't, or a lot of them can't, however they may get it. But there are ways to handle that. There are ways around that. There are also alternate safeguards that you can take as well. So yes, you can create CUI, and it's generally going to be derived CUI from whatever you're doing as part of that contract.
Who Decides What Is CUI
Stacey: We also hear a lot of confusion about who actually decides what counts as CUI. Manufacturers often get different answers from consultants, customers, and other IT providers. So who ultimately determines what qualifies as CUI?
Brooke: Well, really the definitions come from the NARA CUI Registry, which says what the different types of CUI are. Then the program managers and contract managers decide what on there is actual CUI. You actually can't determine that something is CUI. Well, there's even a little bit of back and forth about this, but generally you can't mark something CUI. You're not supposed to mark something CUI that's not CUI, that you haven't been told is CUI. So if they tell you it's CUI or it's marked as CUI, then it's CUI, and everything that you create that's derived from that would be CUI. But something completely new, made out of whole cloth, that's not necessarily CUI. So really it's the government that's going to be deciding what really is CUI. They'll hand that down to the contractors, they'll hand that down to the subcontractors, and so on.
When One System Expands Scope
Stacey: Another concern we hear from manufacturers is about scope expansion. If one system in the company handles CUI, does that automatically bring the entire network into scope for CMMC?
Brooke: Well, it depends on how you build your network and how you scope everything. So it absolutely could, but it also doesn't have to. This goes back to the whole scoping exercise and figuring out what systems need to be in scope, what shouldn't, and how you're going to separate those. Are you going to create some secured VLANs? How are you going to separate those? So it all comes down to figuring out what really needs to be in scope and what doesn't. But if you don't do anything to separate those systems, and they're all on the same network, all playing together, all that kind of fun stuff, then yeah, they're in scope.
Cost Reality And Upgrade Decisions
Stacey: Another big concern we hear about from small shops is cost. Many manufacturers assume they'll need to buy expensive servers and new hardware to become compliant. Is that actually required?
Brooke: It's not actually required. It depends on your workflow, it depends on how you're doing things, and really it depends on how you want to build it out. That's going to be a business decision as to how much of that DoD work that requires safeguarding CUI there is, how big of a percentage of your business that is, right? And what all you need to do. So in some instances, yeah, you'll need to buy some new servers. For instance, if you have an MRP program running on a Windows 2008 R2 server (hint hint, Windows 2008 R2 is not in support anymore), I'll say you can't use it, but with a caveat. You could use it as long as you do all the proper security things, which will make it pretty unusable for most people. But if you need quite a few systems to connect to an MRP that's running on an old server like that, where the OS is out of date, the software is out of date, none of them can get security patches, and the server is so old they're not issuing any firmware updates anymore, then you've got a problem and you need to figure something out. You may need to buy a new server or new software, or you may decide you want to go down to spreadsheets. Who knows? And you still have to store those somewhere. So it doesn't necessarily mean you have to buy new servers, but a lot of times, or sometimes, it does, depending on your infrastructure, right? It could also mean that maybe you want to spin up an instance of Microsoft 365 GCC High and use that to store all your information in. That's a good solution. It doesn't work for everybody, but that's a good solution. So it really is going to take some money to be compliant.
That's just the cold hard fact of the matter. This basically requires you to make sure that you keep up with security, that your systems stay managed, that you don't just turn them on and forget about them, right? So the unfortunate part is that all costs money. It's like having a car. If you have a car, you've got to get your oil changed, you've got to get your transmission fluid changed, you've got to get fuel filters changed; there's all sorts of money you have to put into that car to keep it running right. And just like a car, on a system a few things can break or not work right, and it's no big deal, you can keep on driving it, it's okay. But really, to keep that in good condition, secured, and working properly, you need to spend some money on it. So I was going to say it's the same thing; not necessarily the same thing, but the same concept, put it that way.
Compliant Cloud Options For ERP
Stacey: One last question we hear about is cloud hosting. Some companies wonder if they can run their ERP system in a compliant cloud instead of buying servers. Is that possible?
Brooke: Yes, that is possible, depending on exactly what you're talking about. If you have, for instance, an on-premise version of the software and you want to run it in the cloud to make it more redundant, or easier to get to for a dispersed workforce, then yeah, you can absolutely run it in a compliant cloud, like Azure GCC or GCC High. You can run it in there, but there are other things you still have to do to it. You can't just turn it on and everything's okay. You still have to go through the same process, because essentially those are just virtual machines. So I would caution again, as I brought up earlier, that an ERP vendor's cloud platform, very likely for a lot of shops that use JobBoss and all those kinds of software, doesn't have a compliant version. So you need to figure out if you really want to stay on the cloud version, if you want to keep CUI in it or not, all that kind of fun stuff, because that's going to require some decisions on what exactly you want to do.
Free Help And How To Reach Us
Stacey: Awesome. Well, Brooke, thank you as always for providing your insight.
Brooke: Absolutely.
Stacey: If you have questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.