New CMMC Rule: Treatment of Controlled Unclassified Information (CUI) in Transit
XQ + Meerkat Position Paper
Authors:
The newly introduced CMMC rule provides clarity on handling CUI during transmission. Specifically, the rule states that a common carrier’s information system is outside the contractor’s CMMC assessment scope, as long as CUI remains properly encrypted throughout transit.
Key Implications
This clarification means that effective endpoint encryption, such as XQ’s Zero Trust Data solution, keeps any system that stores or transmits the encrypted CUI outside the CMMC assessment scope. This is consistent with risk-based security principles: properly encrypted CUI poses no meaningful risk to the data it protects.
Endpoint Encryption as a Compliance Strategy
By implementing robust endpoint encryption, contractors can:
Ensure CUI remains protected during transit and beyond.
Minimize the systems subject to CMMC assessment, simplifying compliance.
Reduce operational and regulatory burdens while maintaining security.
Logical Consistency and Compliance
It would be inconsistent to treat properly encrypted CUI as a security risk. Recognizing the effectiveness of endpoint encryption not only reinforces compliance efficiency but also promotes a clear, risk-based approach to data protection.
Summary
The new CMMC rule reinforces the critical role of endpoint encryption in securing CUI in transit. By utilizing XQ’s Zero Trust Data solution, contractors can confidently mitigate CUI transmission risks, streamline compliance, and strengthen their overall security posture.