How should I maintain CUI in my ERP?

We get asked quite often how an organization’s ERP, or Enterprise Resource Planning software, is impacted by the need to protect CUI (Controlled Unclassified Information). It can be a complicated question for an organization to tackle, but a good starting point is to consider the “Four Ws.”

Where is Your CUI?

Is your CUI stored on premises, in the cloud, or in a hybrid scenario? There are a lot of factors to consider in each of these situations, so pinpointing where your ERP and your data live is important.

Who Can Access Your CUI?

Access control is a central component of NIST 800-171. Who can access the CUI that is stored in your company’s ERP? Is it just employees? Do some of your vendors have access? Do you know if your MSP (managed service provider) or CSP (cloud service provider) can access the data? Ideally, as few people as possible will have the ability to touch this protected information.

What Data is Being Stored?

We cannot say this enough. You are within your rights to talk to your contracting officer about what type of CUI you will need to transmit or store as part of your contract. There are major implications tied to this kind of classification, so it is essential to understand this clearly from the start.

Why is the Protected Data in Your ERP?

There is nothing wrong with storing CUI in your ERP, but there should be a good reason for doing so. Ask yourself if it is there for easy access, better protection, at the direction of your prime, or simply for convenience. Of these, convenience is the weakest reason to store your CUI in an ERP.

If you would like to learn more about definitions, the pros, and the cons, view our webinar called Maintaining CUI in an ERP. Please feel free to contact us with any questions! 

CMMC FAQs

What is a SPRS score?

Take a look at this post about SPRS to learn about what the acronym stands for, why SPRS scores are important, and more. 

What does a C3PAO do?

Do you need to learn more about what a C3PAO should do for your organization? This post about C3PAO services will help you out. 

How hard is CMMC compliance?

The road to CMMC certification can be intimidating. Just how hard is it, really? Take a look at this post about getting CMMC-certified to learn more. 

About Smithers

Founded in 1925 and headquartered in Akron, Ohio, Smithers is a multinational provider of testing, consulting, information, and compliance services. With laboratories and operations in North America, Europe, and Asia, Smithers supports customers in the transportation, life science, packaging, materials, components, consumer, cannabis, dry commodities, and energy industries. Smithers delivers accurate data, on time, with high touch, by integrating science, technology, and business expertise, so customers can innovate with confidence. Smithers is an authorized C3PAO and can be found on the Cyber AB Marketplace.