Who's Responsible for Protecting CUI: The Accountability Structure

Discover the key roles and responsibilities for protecting Controlled Unclassified Information (CUI).

When a CMMC assessor asks "who is responsible for CUI security in your organization," the correct answer is not "IT." It's a layered answer that includes company leadership, a security lead, system administrators, department managers, and every individual with system access.

The reason this matters for your assessment: multiple CMMC controls are explicitly about organizational accountability — who owns controls, who tests them, who receives reports, who acts on findings. If you can't answer those questions with specific names and documented roles, several controls in the Security Assessment (CA) and Awareness and Training (AT) domains will be at risk.

Here's the accountability structure that satisfies CMMC Level 2 requirements.

Senior Leadership: Accountability Starts at the Top

Under DFARS 252.204-7012, the defense contractor (the company) bears legal responsibility for protecting covered defense information. That obligation rests with the organization — meaning the executives who run it. CMMC doesn't have a "this was IT's fault" exemption.

What leadership must do:

  • Formally designate a person responsible for cybersecurity and CUI protection (see ISSO below)
  • Allocate budget and resources for the security program — controls that aren't funded don't get implemented
  • Approve and sign the System Security Plan. The SSP represents the organization's commitments. If the CEO doesn't know what's in the SSP, that's a governance gap.
  • Receive and respond to security reports. The ISSO should report security posture to leadership at least quarterly. Leadership should know whether the company's controls are functioning, what's in the POA&M, and what it will take to close gaps.
  • Make the decision to engage a C3PAO. Pursuing CMMC certification is a business decision that requires leadership commitment — it takes time, money, and organizational change.

The CMMC assessment process doesn't formally assess executives, but assessors notice when leadership is disconnected from the security program. If your CEO can't name the ISSO or hasn't reviewed the SSP, that tells the assessor something about the maturity of your program.

ISSO: The Accountable Individual for Daily Security Operations

The Information System Security Officer (ISSO) — sometimes called the cybersecurity manager, IT security lead, or security officer depending on your organizational terminology — is the person accountable for the day-to-day function of your CUI security controls.

CA.L2-3.12.1 (periodically assess security controls) and CA.L2-3.12.3 (monitor security controls on an ongoing basis) both require someone with defined accountability for control assessment and monitoring. The ISSO is that person.

What the ISSO must own:

  • The SSP: Maintains accuracy, updates when systems or configurations change, ensures control descriptions reflect current implementation
  • The POA&M: Manages open items, tracks remediation progress, escalates to leadership when resources are needed
  • Security assessments: Plans and executes (or oversees) periodic control testing; coordinates C3PAO assessment logistics
  • Incident response: Leads the organization's response when a security event occurs. Under DFARS, cyber incidents must be reported to the DoD within 72 hours. The ISSO must know how to make that report and have the authority to initiate the response process without waiting for a chain of approvals.
  • Vulnerability management: Reviews scan results, prioritizes findings, tracks remediation with system administrators
  • Access reviews: Conducts periodic reviews of who has access to CUI systems and removes access that's no longer appropriate
  • Training oversight: Ensures annual training is completed across the organization and maintains the training records your assessor will review

Hire or contract? A qualified ISSO with CMMC experience commands $90,000–$130,000/year in salary. For small contractors (under 50 employees), a fractional ISSO through an MSSP (Managed Security Service Provider) with CMMC practice is often more practical: $3,000–$8,000/month for dedicated security management. At the lower end, you're getting part-time ISSO coverage. At the higher end, you're getting full CMMC management including SSP maintenance, monitoring, and assessment prep.

AT.L2-3.2.2 requires role-based security training for users with security responsibilities. The ISSO must receive training appropriate to the role — not just general awareness training. Certifications like CISSP, CISM, or the CompTIA CySA+ combined with CMMC-specific training (CMMC-AB Registered Practitioner training) are appropriate.

System Administrators: Control Implementers

System administrators implement the technical controls the ISSO designs and monitors. The distinction matters: the ISSO is accountable for whether controls are in place; the sysadmin is responsible for making them work.

What system administrators must own:

  • Configuration management: Implementing and maintaining baseline configurations for all CUI systems. When a new server is deployed, the sysadmin applies the hardened baseline before it enters the CUI environment. When the ISSO identifies a configuration drift, the sysadmin remediates it.
  • Patch management: Deploying patches on the timelines your policy requires. A common standard for CUI systems is to deploy critical patches within 30 days. The sysadmin owns the deployment and produces the patch evidence (deployment logs, WSUS reports, endpoint management exports) that the assessor will review.
  • Access provisioning and deprovisioning: Creating user accounts when employees join, modifying access when roles change, and removing access within 24 hours of separation. The HR-to-IT access workflow must be documented and reliable — every separation that results in an account remaining active beyond its legitimate period is a finding under AC.L2-3.1.1.
  • Audit log management: Ensuring centralized log collection is operational, logs are being captured from all required sources, and log integrity is maintained. The ISSO reviews logs for security events; the sysadmin ensures the logging infrastructure works.
  • Backup and recovery: Running backups of CUI systems per your policy, verifying backup integrity, and testing recovery procedures.

Sysadmins must receive role-specific training (AT.L2-3.2.2) covering secure administration practices, access control management, and the security implications of configuration changes.
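One way to make the HR-to-IT separation workflow auditable, rather than relying on memory, is to reconcile the HR separation list against a directory export and flag every account that is still enabled or was disabled late relative to the removal deadline. The Python below is an added example, not code from the article or from any tool it names: the HR and directory records are constructed stand-ins for an HRIS export and a directory export, the field names are assumptions, and the 24-hour window is the deadline the article itself uses.

```python
"""Reconcile HR separations against a directory export and report
deprovisioning misses (accounts still enabled, or disabled late).

Added example, not the article's or any vendor's code. Record formats
are constructed stand-ins for an HRIS export and a directory export;
the 24-hour window is the article's example removal deadline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

REMOVAL_DEADLINE = timedelta(hours=24)  # article's stated policy window


@dataclass(frozen=True)
class Separation:
    employee_id: str
    name: str
    separated_at: datetime  # when HR recorded the separation


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    enabled: bool
    disabled_at: Optional[datetime]  # None while the account is still enabled


@dataclass(frozen=True)
class Finding:
    employee_id: str
    username: Optional[str]
    status: str  # "ok", "disabled_late", "still_enabled" or "no_account"
    hours_exposed: Optional[float]  # hours the account stayed usable past separation


def _utc(y, mo, d, h=0, mi=0):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed HRIS export (assumed field names, sample people).
HR_SEPARATIONS = [
    Separation("E1001", "Alice Example", _utc(2024, 3, 4, 17, 0)),
    Separation("E1002", "Bob Example", _utc(2024, 3, 5, 9, 30)),
    Separation("E1003", "Cara Example", _utc(2024, 3, 6, 12, 0)),
    Separation("E1004", "Dan Example", _utc(2024, 3, 7, 8, 0)),
]

# Constructed directory export, pulled at AUDIT_TIME.
AUDIT_TIME = _utc(2024, 3, 11, 9, 0)
DIRECTORY_ACCOUNTS = [
    Account("aexample", "E1001", False, _utc(2024, 3, 5, 8, 0)),    # disabled after 15h: inside window
    Account("bexample", "E1002", False, _utc(2024, 3, 8, 10, 0)),   # disabled after 72.5h: late
    Account("cexample", "E1003", True, None),                       # never disabled
    # E1004 has no account in this export: either no account existed or the
    # HR/directory identifiers do not line up, which itself needs investigation.
]


def reconcile(separations, accounts, audit_time, deadline=REMOVAL_DEADLINE):
    """Produce one Finding per (separation, matching account) pair, or a
    'no_account' Finding when the directory has nothing for that employee."""
    by_employee = {}
    for acct in accounts:
        by_employee.setdefault(acct.employee_id, []).append(acct)

    findings = []
    for sep in separations:
        matched = by_employee.get(sep.employee_id, [])
        if not matched:
            findings.append(Finding(sep.employee_id, None, "no_account", None))
            continue
        for acct in matched:
            if acct.enabled:
                # Still usable at audit time: exposure runs to the audit snapshot.
                exposed = audit_time - sep.separated_at
                status = "still_enabled"
            else:
                # A disable that predates the separation (pre-scheduled) yields a
                # negative exposure and is treated as within the deadline.
                exposed = acct.disabled_at - sep.separated_at
                status = "ok" if exposed <= deadline else "disabled_late"
            findings.append(
                Finding(sep.employee_id, acct.username, status, exposed / timedelta(hours=1))
            )
    return findings


def exceptions(findings):
    """Only the findings the ISSO must act on or explain to an assessor."""
    return [f for f in findings if f.status != "ok"]


if __name__ == "__main__":
    for f in exceptions(reconcile(HR_SEPARATIONS, DIRECTORY_ACCOUNTS, AUDIT_TIME)):
        hours = "n/a" if f.hours_exposed is None else f"{f.hours_exposed:.1f}h"
        print(f"{f.employee_id:<6} {f.username or '-':<10} {f.status:<15} exposed={hours}")
```

Run against real exports, the "disabled_late" and "still_enabled" rows are exactly the AC.L2-3.1.1 findings the article warns about, and the report itself becomes access-review evidence when kept with the other assessment artifacts.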

Department Managers and Program Managers: Operational CUI Accountability

Department managers and program managers often sit between IT and end users in the CUI accountability chain. They have specific responsibilities that neither IT nor end users can fulfill:

Access authorization: The ISSO and sysadmin manage the mechanics of access control, but the manager authorizes it. Who gets access to which CUI project files? The person who answers that question should be the manager who owns the program — they know who needs access and who doesn't. A formal access authorization process (even a simple email approval chain) creates the documentation that supports your access control review.

Subcontractor CUI management: If a program manager is bringing a subcontractor into a CUI program, they're responsible for ensuring the subcontract includes flow-down requirements and that the sub has (or is working toward) adequate CUI protections. DFARS 252.204-7012 puts this obligation on the prime contractor, and program managers are typically the business owners who manage those relationships.

Physical security at the work area: PE.L2-3.10.1 requires limiting and controlling physical access to organizational systems. Department managers who control work areas have a physical security role — ensuring that printed CUI isn't left on desks, that visitors are escorted in CUI work areas, that screens facing windows or public areas are positioned appropriately.

Reporting security events: Managers who observe potential security issues — an employee saving CUI to a personal USB drive, an unusual inquiry from an unknown contact asking about program details — need to know how to report these to the ISSO. AT.L2-3.2.3 (insider threat awareness) makes managers part of the detection chain.

End Users: The Last Line of Defense

Every employee with access to CUI systems has individual accountability. This isn't just philosophical — CMMC's Awareness and Training domain (AT.L2-3.2.1) requires every user to receive training that covers their responsibilities. An undertrained employee who mishandles CUI is a compliance failure, but it's also a gap in your training program.

What every CUI system user must do:

  • Use only their individual account — no account sharing, no using a colleague's credentials
  • Apply MFA on every login where it's required
  • Lock their screen when leaving a workstation
  • Recognize and not act on phishing emails — and report suspicious messages to the ISSO
  • Store CUI only in authorized locations and never on personal devices or personal cloud accounts
  • Mark CUI documents they create using the correct templates and procedures
  • Report security incidents immediately — not at the end of the day, not after the weekend

These aren't optional practices. They're the operational execution of the technical controls your organization has implemented. A perfectly configured MFA system doesn't protect CUI if an employee's first instinct when challenged for a second factor is to disable it.

Common Mistake: Treating CUI Protection as an IT Problem

The most pervasive accountability failure in small defense contractors is the belief that "IT handles security." This creates several specific gaps:

  • Program managers who send CUI to subcontractors without checking whether the sub has adequate controls — and who believe that's IT's job to manage
  • Executives who haven't read or approved the SSP — and who would be surprised to learn they have legal obligations under DFARS
  • HR departments that don't have a documented process for notifying IT when an employee separates — so access remains active after the person leaves
  • Finance departments that handle CUI (invoices containing program-sensitive information, government procurement data) but don't receive training because "they're not IT"

CUI protection is an organizational responsibility. IT implements the technical controls. Every other function has a role in the non-technical controls: marking, access authorization, physical security, incident reporting, subcontractor management, and training completion.

What Your Assessor Expects

Assessors evaluate whether your security program has real accountability or just documented accountability. The difference shows up in interviews:

  • When they interview the ISSO: "What was the last security finding you reported to leadership, and what was the response?"
  • When they interview a system administrator: "Walk me through how you handle an employee separation from an access control standpoint."
  • When they interview end users: "What do you do if you accidentally open a phishing email? Who do you call?"
  • When they interview a program manager: "Your company works with two subcontractors on this program. How do you know their security posture?"

If the answers are confident and consistent, you have a real accountability structure. If they're vague, inconsistent, or deferred to "I'd have to ask IT," you have documented accountability on paper and a gap in practice.

Document your accountability structure in your SSP. Name names — not "the ISSO" but the person's actual name and title. Identify the backup for key roles in case the primary is unavailable. Show the reporting chain from end users to the ISSO to leadership. That documented structure, backed up by consistent interview responses, is what a mature security program looks like to a C3PAO assessor.

---

The simplest test: If something goes wrong with CUI in your organization at 2pm on a Tuesday, does everyone know their specific role in responding? If the answer is yes, your accountability structure is working. If there's uncertainty about who does what, that uncertainty will show in your assessment.


