CUI compliance: Building trust with the US Federal Government – and beyond


Building cybersecurity trust within customer relationships is a foundational value of how Schneider Electric does business with all types of organizations and industries. Building that trust with federal governments and their agencies often requires Schneider Electric to adhere to stringent cybersecurity requirements.

As an example, Schneider Electric has a long-term relationship with the U.S. federal government that involves engagements for modernizing and transforming its infrastructures with resilient, efficient, and sustainable digital solutions that support critical missions. For the U.S. Department of Defense (DoD), Schneider Electric is part of its U.S. Defense Industrial Base (DIB), which is “the network of people, organizations, facilities, and resources that provides the U.S. government…with defense-related materials, products, and services.” 

As a DIB organization, Schneider Electric must comply with any mandate the DoD issues as part of its contractual agreements. This includes compliance with the Cybersecurity Maturity Model Certification (CMMC) program, which was initially introduced in 2020.  

CMMC: A complex compliance framework  

The CMMC program is intended to safeguard controlled unclassified information (CUI). CUI is sensitive but unclassified data that is created or possessed by the federal government or by other entities, such as DIB members, their subcontractors, or other designated partners that participate in its acquisition programs.

The program provides a framework of industry-standard security controls based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” SP 800-171 includes 110 practices and over 300 sub-controls that any entity possessing CUI – whether a DIB member or a subcontractor that may have exposure through a flow-down process – must adopt and follow.

A best-practice approach for CUI compliance  

Because of Schneider Electric’s commitment to support the DoD, we began to ensure the appropriate CUI compliance immediately after the introduction of the CMMC program through these best-practice actions:   

  • Creation of a dedicated team for policy, technology, and training: Because of the importance of CMMC compliance, Schneider Electric brought together a team of experts who are now responsible for developing and overseeing our CMMC policy, technology compliance, and training.
  • Analysis of compliance gaps: When the CMMC 1.0 version of the program was first introduced, Schneider Electric evaluated its current state of CUI compliance. This process began with a rigorous self-assessment and identified key areas of improvement. This evaluation was based on the recommended procedures in the SP 800-171A assessment guide on how to protect CUI within a non-federal IT system.
  • Certification preparation: CMMC requires compliance with the SP 800-171 standard and organizations like Schneider Electric must be certified to be able to bid on certain DoD contracts. We now have a comprehensive compliance action plan for certification when it is available.
  • Development of a protected enclave for CUI access, storage, and processing: Key to Schneider Electric’s CMMC compliance is a dedicated, isolated IT environment: a CUI enclave. Our enclave is a stand-alone, government-approved environment that meets the requirements of the CMMC program as well as those for handling export-controlled information such as International Traffic in Arms Regulations (ITAR) data. Access requirements for the enclave are stringent: only people working directly on government projects who have been properly trained in CUI compliance are allowed access.
  • Creation of a CUI compliance policy: In parallel with the above efforts, Schneider Electric developed an internal CMMC policy that supplements the company’s other cybersecurity policies with the practices and controls specifically defined and required by the CMMC program. Designed to enhance the protection of any CUI within the company, the policy’s objective is to ensure the appropriate cybersecurity controls and processes are implemented by our employees, contractors, and subcontractors who handle sensitive information on behalf of Schneider Electric.
  • Plans for continuous improvement: Schneider Electric’s approach to cybersecurity governance always includes continuous improvement, and our approach to CMMC is no exception. The government has recently introduced CMMC 2.0 and has provided information on what will be in the upcoming iteration. While there is no specific date for its release, we are fully prepared for it and are ready for certification when the program is fully implemented by the DoD.  

Extending compliance beyond the US

Compliance with the CMMC program helps Schneider Electric and other cybersecurity thought leaders improve security not only for their customers, but for the world. In fact, other governments around the world are strengthening their cybersecurity requirements for handling their data and are aligning with the SP 800-171 standard.  

As an example, the Government of Canada recently announced the development of the Canadian Program for Cyber Security Certification (CPCSC), which will be mandatory for select federal defense contracts. This program will be aligned with the U.S. CMMC program to facilitate certification for businesses like Schneider Electric that operate in both countries.
