The Four Ws of Maintaining CUI in Your ERP

We get asked quite often how an organization’s ERP, or Enterprise Resource Planning software, is impacted by the need to protect CUI (Controlled Unclassified Information). It can be a complicated question for an organization to tackle, but a good starting point is to consider the “Four Ws.”

Where is Your CUI?

Is your CUI stored on premises, in the cloud, or in a hybrid of the two? There are a lot of factors to consider in each of these situations, so pinpointing where your ERP and your data live is important.

Who Can Access Your CUI?

Access control is a central component of NIST 800-171. Who can access the CUI that is stored in your company’s ERP? Is it just employees? Do some of your vendors have access? Do you know if your MSP (managed service provider) or CSP (cloud service provider) can access the data? Ideally, as few people as possible will have the ability to touch this protected information.

What Data is Being Stored?

We cannot say this enough. You are within your rights to talk to your contracting officer about what type of CUI you will need to transmit or store as part of your contract. There are major implications tied to this kind of classification, so it is essential to understand this clearly from the start.

Why is the Protected Data in Your ERP?

There is nothing wrong with storing CUI in your ERP, but there should be a good reason for doing so. Ask yourself if it is there for easy access, better protection, at the direction of your prime, or simply for convenience. Of these, convenience is the weakest reason to store your CUI in an ERP.

If you would like to learn more about definitions, the pros, and the cons, view our webinar called Maintaining CUI in an ERP.
