A company receives data that they suspect is CUI, but it is not marked as such. What is an acceptable way for the company to handle unmarked potential CUI?
A. Treat all data as CUI even if not marked.
B. If data are not marked, then they are not CUI.
C. Have a procedure for deleting unlabeled data.
D. Have a procedure for proper handling of unlabeled data.
The CMMC Assessment Guide (Level 2) requires organizations to have a documented procedure for the identification and handling of unmarked potential CUI. The DoD guidance specifies that contractors cannot assume unmarked data is not CUI; instead, they must have a process to ensure unmarked potential CUI is handled properly until its classification is clarified.
Extract from Assessment Guide:
“Organizations must establish procedures for the handling of unmarked data that is suspected of being CUI. These procedures should define how unmarked information is protected until such time its status can be determined.”
Therefore, the correct answer is to have a procedure for proper handling of unlabeled data.
[Reference: CMMC Assessment Guide, Level 2, CUI Handling Practices]