Executive Summary
This article is the repeatable onboarding playbook Northern Data Solutions uses to stand up a defensible Controlled Unclassified Information (CUI) handling program for any customer pursuing CMMC 2.0 Level 2 (NIST SP 800-171 Rev. 2). It turns two foundational knowledge-base guides, one on handling printed CUI and one on CUI training, into nine sequenced tasks: a scoping prerequisite, two workstreams (the OSC CUI Handling Procedure and CUI training), and a recommended hardened-device proof-of-concept.
It is written to be customer-agnostic: throughout, OSC means Organization Seeking Certification (the customer being assessed), and "your own / OSC-specific" material is distinct from generic U.S. Government content. Each task notes its CMMC control(s), the shared responsibility between the customer and the Northern Data Solutions vCISO compliance team, an executive overview, and a checklist of deliverables.
Two Required Training Components
CMMC expects two distinct training components, and every OSC needs both:
1) DoD CUI Awareness training (generic, authoritative). The free DoD course covers identifying, marking, safeguarding, transporting, disseminating, decontrolling, and destroying CUI, plus incident reporting. Source: CDSE IF141.06 (DoD Mandatory Controlled Unclassified Information (CUI) Training) or the no-login DCSA version. Cadence: before access and at least annually. Supports AT.L2-3.2.1.
2) OSC-specific CUI Handling Procedure training (role-based). The organization’s own written procedure, delivered by having every CUI handler read it, electronically acknowledge it annually, and pass a short 5–10 question quiz. Supports AT.L2-3.2.2 — the organization-specific piece a generic course cannot satisfy.
Where awareness training fits. A general security awareness training platform — including the Cybersecurity Awareness Training in the Proactive Advanced Security package — provides strong general security-awareness, phishing-simulation, and insider-threat awareness that support the broad workforce-awareness requirements (AT.L2-3.2.1 and AT.L2-3.2.3). It does not include CUI-specific content; CUI awareness comes from the DoD course (Component 1) and OSC-specific handling from the procedure (Component 2). Awareness training and the two CUI components are complementary, not substitutes.
Start Here: The Gating Question
What does the OSC have today toward each of the two components? Both are required regardless of the answer — the question only determines how much is built versus validated.
Component 1 — DoD CUI awareness: is the DoD course assigned and completed annually, with certificates retained?
Component 2 — OSC CUI Handling Procedure: is there a written procedure that handlers read, acknowledge annually, and are quizzed on?
If partially in place: validate and collect the existing evidence — but for the awareness piece, adopt the DoD course rather than a third-party/internal course. It is free, auto-updates when DoD CUI guidance changes, and avoids assessor questions about the source of the material. Existing general awareness training is kept for awareness; it does not replace the DoD CUI course.
If none in place: build both components (Tasks 6–8).
Either way: the CUI handling procedure and its operational controls (Tasks 2–5) and the hardened-device proof-of-concept (Task 9) proceed regardless of the training answer.
Program Tasks at a Glance
Two workstreams — (1) DoD CUI Awareness content and (2) the OSC-specific CUI Handling Procedure (printed/hardcopy handling is one topic within it) — plus a hardened-device proof-of-concept. Throughout, work with your dedicated vCISO compliance team; the Compliance-as-a-Service (CaaS) program assists where noted below.
| Task | Workstream | Shared Responsibility | Key control(s) |
|---|---|---|---|
| 1. Scope CUI & define the assessment boundary | Prerequisite | Customer + CaaS / vCISO; the CaaS program assists in building the assessment boundary | CA.L2-3.12.4 (scope) |
| 2. Author the OSC CUI Handling Procedure | Procedure | Customer + CaaS / vCISO; the CaaS program assists in authoring the SOPs | CA.L2-3.12.4; MP/PE/IR/AT |
| 3. Establish the CUI destruction standard | Procedure | Customer-led; vCISO-supported | MP.L2-3.8.3 |
| 4. Stand up the transported-CUI accountability log | Procedure | Customer-led; vCISO-supported | MP.L2-3.8.5 |
| 5. Confirm the CUI incident-reporting process | Procedure | Customer-led; vCISO-supported | IR.L2-3.6.1/3.6.2 |
| 6. Author & approve the CUI training policy | Training | NDS / vCISO drafts; customer approves | AT.L2-3.2.1/3.2.2 |
| 7. Assign & operate annual DoD CUI Awareness training | Training (DoD) | Customer-operated; vCISO-supported | AT.L2-3.2.1 |
| 8. OSC procedure training: read, acknowledge & quiz | Training (OSC) | Customer-operated; vCISO-supported | AT.L2-3.2.2 |
| 9. Recommended: hardened-tablet proof-of-concept | Improvement | Customer + Cyberwatch Advanced | AC/IA/SC/AU families |
Task 1. Scope CUI & define the assessment boundary
Shared responsibility: Customer + CaaS / vCISO | Control(s): Prerequisite (informs CA.L2-3.12.4 SSP scope)
Work with your dedicated vCISO compliance team on this task — the Compliance-as-a-Service (CaaS) program assists in creating the CMMC assessment boundary. Before any device hardening or final control decisions, the OSC must know exactly where CUI lives — hardcopy and digital — and draw a defensible CMMC assessment boundary around it. Final scoped hardening (DISA STIG, FIPS-validated cryptography, OS/application allow-listing, SSP documentation) only occurs after scope is formally defined. Document CUI categories against the DoD CUI Registry now so downstream markings, dissemination controls, and destruction methods are accurate.
Inventory hardcopy CUI (where printed, stored, transported)
Inventory digital CUI (systems, repositories, endpoints)
Document CUI categories from the DoD CUI Registry
Draft the scope / CUI boundary statement
Task 2. Author the OSC CUI Handling Procedure
Shared responsibility: Customer + CaaS / vCISO | Control(s): CA.L2-3.12.4; supports MP.L2-3.8.1/3.8.2/3.8.3/3.8.4/3.8.5, PE.L2-3.10.1/3.10.6, IR.L2-3.6.1/3.6.2, AT.L2-3.2.2
Work with your dedicated vCISO compliance team on this task — the Compliance-as-a-Service (CaaS) program assists in authoring the standard operating procedures (SOPs). This is the organization’s single OSC-specific CUI Handling Procedure — and printed/hardcopy handling is only one topic within it. The procedure is the backbone of the role-based training in Task 8 and is referenced in the System Security Plan. It must minimally cover the ten topics below; the printed-CUI KB guide fully supports the printing, transport, and destruction topics, while the remaining topics extend the procedure beyond printed CUI.
Identifying CUI — what qualifies; categories from the DoD CUI Registry
Creating and marking CUI — banner, portion, designation indicator, dissemination controls (MP.L2-3.8.4)
Storage requirements — secure storage at rest (MP.L2-3.8.1, PE.L2-3.10.1)
Printing procedures — authorized printing, marking at creation, copy control
Transporting printed CUI — secure transport + accountability (MP.L2-3.8.5, PE.L2-3.10.6)
Sharing internally — need-to-know, authorized recipients (MP.L2-3.8.2)
Sharing externally — dissemination controls, encryption / secure transmittal
Mobile use and job-site use — alternate work sites and managed devices (PE.L2-3.10.6, AC.L2-3.1.18/3.1.19)
Incident / spillage reporting — recognize and report immediately (IR.L2-3.6.1/3.6.2)
Sanitization and destruction — approved methods + logs (MP.L2-3.8.3, NIST SP 800-88)
KB reference: Handling Printed CUI Outside a Controlled Facility
Task 3. Establish the CUI destruction standard
Shared responsibility: Customer-led; vCISO-supported | Control(s): MP.L2-3.8.3 (consistent with NIST SP 800-88 Rev. 1) — implements the “Sanitization and destruction” topic of the procedure
Cross-cut shredding to the NIST SP 800-88 Rev. 1 paper specification (particles no larger than 1 mm x 5 mm, or a disintegrator fitted with a 3/32 in. security screen) is the baseline for printed CUI; a typical office cross-cut shredder produces much larger particles and does not meet it, so check the rated particle size before declaring the control implemented. An NSA/CSS Evaluated Products List (EPL) high-security shredder applies to the most sensitive material. Retaining a destruction log (what was destroyed, by whom, when, and by which method) is what makes the control audit-defensible.
Procure or confirm a shredder that meets the NIST SP 800-88 paper specification (or an NSA/CSS EPL-listed model)
Write the destruction SOP
Start and maintain a destruction log
Task 4. Stand up the transported-CUI accountability log
Shared responsibility: Customer-led; vCISO-supported | Control(s): MP.L2-3.8.5 (NIST SP 800-53 Rev. 5 MP-5, AU-2) — implements the “Transporting printed CUI” topic
Media accountability during transport requires a documented check-out / check-in record for every hardcopy CUI item taken offsite: document identification, responsible individual, date/time removed, destination, date/time returned or destroyed, and destruction method where applicable.
Create the check-out / check-in log template
Brief authorized handlers on its use
Begin using the log for all offsite CUI
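What makes the check-out / check-in log assessor-ready is not the template but the fact that someone reconciles it. The script below is an added example (not a Northern Data Solutions template) that parses a log with the fields listed above and flags the gaps an assessor would find: missing mandatory fields, items still out past a threshold, and offsite destruction with no method recorded. The column names, the 14-day overdue threshold and the sample rows are assumptions for illustration.

```python
"""Transported-CUI accountability log check (added example).

Assumes a CSV check-out / check-in log with the columns used below. The
column names, the 14-day overdue threshold and the sample rows are
assumptions for illustration, not a Northern Data Solutions template.
"""
import csv
import io
from datetime import datetime, timedelta

# Mandatory fields for every check-out record (per the Task 4 description).
REQUIRED = ("document_id", "handler", "removed_at", "destination")
OVERDUE_AFTER = timedelta(days=14)  # assumed policy threshold for an open item

# Constructed sample log: one clean return, one item destroyed offsite with
# no method recorded, one still checked out, and one with no destination.
SAMPLE_LOG = """document_id,handler,removed_at,destination,returned_at,disposition,destruction_method
DWG-1042,j.doe,2024-03-01T08:30,Customer site A,2024-03-01T17:10,returned,
DWG-1043,j.doe,2024-03-04T09:00,Customer site A,2024-03-04T16:00,destroyed,
DWG-1050,a.roe,2024-03-10T07:45,Customer site B,,,
DWG-1051,a.roe,2024-03-12T07:45,,2024-03-12T18:00,returned,
"""


def parse_log(text):
    """Parse the CSV log into a list of row dicts (blank cells become '')."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_log(rows, as_of):
    """Audit log rows as of an ISO date string; return (document_id, finding) tuples.

    A row is clean when every mandatory field is present, a closed row has a
    check-in timestamp no earlier than its check-out and a valid disposition,
    a destroyed row records the destruction method, and an open row has not
    been out longer than OVERDUE_AFTER.
    """
    now = datetime.fromisoformat(as_of)
    findings = []
    for row in rows:
        doc = row.get("document_id") or "<no id>"
        for field in REQUIRED:
            if not row.get(field):
                findings.append((doc, f"missing mandatory field '{field}'"))
        removed = datetime.fromisoformat(row["removed_at"]) if row.get("removed_at") else None
        returned = datetime.fromisoformat(row["returned_at"]) if row.get("returned_at") else None
        disposition = row.get("disposition") or ""
        if returned is None:
            if disposition:
                findings.append((doc, "disposition recorded without a check-in timestamp"))
            elif removed is not None and now - removed > OVERDUE_AFTER:
                findings.append((doc, f"still checked out after {(now - removed).days} days"))
            continue
        if removed is not None and returned < removed:
            findings.append((doc, "check-in timestamp precedes check-out"))
        if disposition not in ("returned", "destroyed"):
            findings.append((doc, "check-in has no valid disposition (returned/destroyed)"))
        elif disposition == "destroyed" and not row.get("destruction_method"):
            findings.append((doc, "destroyed offsite but no destruction method recorded"))
    return findings


def open_items(rows):
    """Document IDs currently outside the facility (checked out, not checked in)."""
    return [r["document_id"] for r in rows if r.get("removed_at") and not r.get("returned_at")]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for doc, finding in audit_log(log, "2024-03-31"):
        print(f"{doc}: {finding}")
    print("open items:", open_items(log))
```

Run it against the real log on a fixed cadence (monthly is a reasonable starting point); an empty findings list is the evidence that the control operates, and the open-items list is what the authorized-handler briefing should reconcile against physical custody.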
Task 5. Confirm the CUI incident-reporting process
Shared responsibility: Customer-led; vCISO-supported | Control(s): IR.L2-3.6.1, IR.L2-3.6.2 (NIST SP 800-53 Rev. 5 IR-4, IR-6) — implements the “Incident / spillage reporting” topic
Loss or compromise of hardcopy CUI is a reportable incident (commonly called a spillage); reporting obligations flow up to primes and the Government per the contract. Where a contract clause sets a fixed reporting clock (DFARS 252.204-7012, for example, requires cyber incidents to be reported within 72 hours), the internal path must deliver the report in less time than that external deadline. Timely, documented reporting is both a control objective and legal risk-mitigation.
Define the internal report path (who, how, how fast)
Map contractual reporting obligations to prime / Government
Add incident reporting to the authorized-handler briefing
Task 6. Author & approve the CUI training policy
Shared responsibility: NDS / vCISO drafts; customer approves | Control(s): AT.L2-3.2.1, AT.L2-3.2.2; referenced in SSP (CA.L2-3.12.4)
Northern Data Solutions drafts the policy; OSC leadership reviews and approves it. The policy should require both components and a simple, evidenced cadence:
Require annual completion of the DoD CUI Awareness training (Component 1).
Maintain the OSC CUI Handling Procedure (Task 2).
Require every CUI handler to read the procedure, electronically acknowledge it annually, and complete a short 5–10 question quiz (Component 2).
Retain completion of both — DoD certificate and procedure acknowledgement/quiz — as audit evidence.
Training applies to everyone with access to CUI: anyone who accesses, creates, marks, stores, transmits, or destroys CUI; managers and supervisors; executives and owners; new hires before access and role-changers when duties shift; and subcontractors or on-site partners. Cadence: before access, when duties change, and at least annually.
KB reference: CUI Training: An Executive & Manager Guide
Task 7. Assign & operate the annual DoD CUI Awareness training
Shared responsibility: Customer-operated; vCISO-supported | Control(s): AT.L2-3.2.1 (evidence retained for assessment)
The Cybersecurity Awareness Training in the Proactive Advanced Security package delivers strong general security-awareness and phishing training and supports the broad awareness requirements (AT.L2-3.2.1, AT.L2-3.2.3), but it does not include CUI-specific content. The DoD publishes the authoritative, free CUI course that fills this gap: assign it to every CUI handler annually. The DoD course is preferred because it is free, auto-updates with DoD CUI guidance, and is a source assessors will not question. Retain each completion certificate and build an attestation roster referenced in the SSP.
Assign CDSE IF141.06 (cdse.edu/Training/eLearning/IF141/) or the DCSA no-login version (securityawareness.dcsa.mil/cui/index.html)
Set an annual cadence (before access, then yearly)
Collect a completion certificate for every handler
Build the attestation roster (names, dates, course/version)
Task 8. OSC procedure training — read, acknowledge & quiz
Shared responsibility: Customer-operated; vCISO-supported | Control(s): AT.L2-3.2.2 (role-based, organization-specific); documented in SSP
This is the role-based training the DoD course cannot provide. Every CUI handler reads the OSC CUI Handling Procedure (Task 2), electronically acknowledges it annually using the statement in Appendix A, and completes a short 5–10 question quiz on the content. Acknowledgements and quiz results are retained as evidence and referenced in the SSP.
Publish the procedure to all CUI handlers
Collect electronic acknowledgements annually (Appendix A wording)
Administer and record a 5–10 question quiz
Retain acknowledgements and quiz results as SSP evidence
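The evidence for Tasks 7 and 8 lives in one roster, and the question an assessor asks is whether every handler is current on both components on the day of the assessment. The following Python check is an added example (not a Northern Data Solutions artifact) that audits such a roster for both components at once: a missing or stale DoD certificate (Component 1), a missing or stale procedure acknowledgement, and a missing or failed quiz (Component 2). The column names, the 365-day cadence, the 80% quiz pass mark and the sample rows are assumptions for illustration.

```python
"""CUI training evidence check for both components (added example).

Assumes a CSV attestation roster with the columns used below. The column
names, the 365-day cadence, the 80% quiz pass mark and the sample rows are
assumptions for illustration, not a Northern Data Solutions artifact.
"""
import csv
import io
from datetime import date, timedelta

CADENCE = timedelta(days=365)  # "at least annually", assumed as 365 days
PASS_MARK = 0.8                # assumed quiz pass threshold

# Constructed roster. dod_cert_date / dod_course_version evidence Component 1
# (DoD CUI Awareness); ack_date / quiz_score / quiz_total evidence Component 2
# (OSC procedure read, acknowledge and quiz).
SAMPLE_ROSTER = """handler,dod_cert_date,dod_course_version,ack_date,quiz_score,quiz_total
j.doe,2024-01-15,DoD-CUI-2024,2024-01-20,9,10
a.roe,2024-03-05,DoD-CUI-2024,2024-03-02,7,10
m.poe,2023-01-10,DoD-CUI-2023,,,
new.hire,,,2024-04-01,10,10
"""


def parse_roster(text):
    """Parse the CSV roster into a list of row dicts (blank cells become '')."""
    return list(csv.DictReader(io.StringIO(text)))


def _dated_evidence_finding(label, date_str, as_of):
    """Finding text if dated evidence is missing or older than CADENCE, else None."""
    if not date_str:
        return f"{label}: no evidence on file"
    age = as_of - date.fromisoformat(date_str)
    if age > CADENCE:
        return f"{label}: evidence is {age.days} days old (annual cadence missed)"
    return None


def audit_roster(rows, as_of):
    """Return {handler: [findings]} for every handler with a gap, as of an ISO date."""
    today = date.fromisoformat(as_of)
    report = {}
    for row in rows:
        findings = []
        for label, column in (("Component 1 (DoD CUI certificate)", "dod_cert_date"),
                              ("Component 2 (procedure acknowledgement)", "ack_date")):
            finding = _dated_evidence_finding(label, row.get(column), today)
            if finding:
                findings.append(finding)
        score, total = row.get("quiz_score"), row.get("quiz_total")
        if not score or not total:
            findings.append("Component 2 (quiz): no quiz result on file")
        elif int(score) / int(total) < PASS_MARK:
            findings.append(f"Component 2 (quiz): {score}/{total} is below the pass mark")
        if findings:
            report[row["handler"]] = findings
    return report


def compliant_handlers(rows, as_of):
    """Handlers current on both components: the names that belong on the SSP attestation roster."""
    gaps = audit_roster(rows, as_of)
    return [r["handler"] for r in rows if r["handler"] not in gaps]


if __name__ == "__main__":
    roster = parse_roster(SAMPLE_ROSTER)
    for handler, findings in audit_roster(roster, "2024-04-30").items():
        for finding in findings:
            print(f"{handler}: {finding}")
    print("compliant:", compliant_handlers(roster, "2024-04-30"))
```

The as-of date is a parameter on purpose: run the check with the planned assessment date to see who will lapse before the assessor arrives, not just who has lapsed today.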
Task 9. Recommended: hardened-tablet Proof-of-Concept (replace printed CUI)
Shared responsibility: Customer + Cyberwatch Advanced | Control(s): AC.L2-3.1.5/3.1.10/3.1.18/3.1.19, IA.L2-3.5.3, SC.L2-3.13.11/3.13.16, AU.L2-3.3.1/3.3.2
The defensible end-state is electronic access through managed devices. Pilot a hardened, managed tablet for a representative offsite use case: session/screen lock (AC.L2-3.1.10), controlled mobile-device connection (AC.L2-3.1.18) with MFA (IA.L2-3.5.3) and least privilege (AC.L2-3.1.5), encryption of CUI at rest on the device (AC.L2-3.1.19, SC.L2-3.13.16) using FIPS-validated cryptography (SC.L2-3.13.11), automated logging (AU.L2-3.3.1/3.3.2), containerized access with no local persistence, and remote lock/wipe. This replaces the manual check-out log with a complete audit trail, provisioned via Cyberwatch Advanced.
Scope caveat: the POC device carries the full Identity and Access Management control set but is not the final scoped hardened build. Final hardening (DISA STIG, FIPS-validated cryptographic modules, OS/application allow-listing, SSP documentation) follows the scope/boundary definition in Task 1.
Decision: confirm whether to run the POC
Identify the offsite use case and 2–5 pilot users
Agree success criteria and evidence up front
Provision the POC device via Cyberwatch Advanced (full IAM controls)
Run the pilot for 30–60 days with user feedback
Make a go / no-go decision and roadmap
Worked Example (Illustrative)
Scenario: “Atlas Precision” (illustrative), a 35-person machining subcontractor that prints CUI engineering drawings for the shop floor and occasionally carries them to a customer site.
How the program applies:
Task 1: Atlas finds CUI in printed drawings, a shared network folder, and two laptops; the boundary is drawn around the engineering team and the shop-floor print station.
Task 2: One OSC CUI Handling Procedure is authored covering all ten topics; the printing, transport, and destruction sections come straight from the printed-CUI KB guide.
Tasks 3–5: A cross-cut shredder and destruction log are placed at the print station; a check-out/check-in log governs drawings taken to the customer site; the spillage report path is added to the procedure.
Gating answer: Atlas already runs general awareness training (Proactive Advanced Security package) but has no CUI course, so Component 1 is added (DoD IF141.06) and Component 2 is built (read/acknowledge/quiz the new procedure).
Task 9: Atlas pilots one hardened tablet for the engineer who visits the customer site, replacing the printed drawing packet — with the explicit note that production hardening follows scope definition.
How Northern Data Solutions Delivers This
This program is delivered through Northern Data Solutions' service portfolio: Cyberwatch (third-party risk identification to baseline CUI flow and scope), Cyberwatch Advanced (the managed control set behind secure electronic access and the hardened-device POC), Compliance-as-a-Service (documents the procedure and training program in the SSP and maintains assessor-ready evidence), and the vCISO offering (policy ownership, scope/boundary decisions, and assessor liaison).
Next Steps
Run Task 1 (scope & boundary) with your dedicated vCISO compliance team — the Compliance-as-a-Service program assists in building the assessment boundary.
Run Task 2 (author the OSC CUI Handling Procedure / SOPs) with the same vCISO team — the Compliance-as-a-Service program assists in authoring the SOPs.
Operationalize Tasks 3–8. The Compliance-as-a-Service platform builds the System Security Plan (SSP), but evidence collection is required from the customer.
Decide on the hardened-tablet POC (Task 9).
Contact Northern Data Solutions to launch a CUI Handling Onboarding engagement.