What Best Describes a Covered Contractor Information System?
A Covered Contractor Information System (CCIS) refers to an information system that is owned or operated by a contractor or subcontractor that processes, stores, or transmits Controlled Unclassified Information (CUI) on behalf of the US Government.
In the context of Cybersecurity Maturity Model Certification (CMMC) and NIST SP 800-171, a CCIS is the environment where CUI is handled and thus must comply with specific cybersecurity requirements.
A CCIS:
- Includes all computing platforms, network devices, applications and components used to create, receive, maintain, or transmit CUI;
- Must implement controls mandated by NIST SP 800-171 to protect CUI from unauthorized access or disclosure;
- Is subject to cybersecurity assessments and audits for compliance verification; and
- May be segmented or isolated to reduce the scope of compliance requirements.
The security of a CCIS is critical because contractors that fail to protect CUI risk penalties, contract loss and damage to national security.