Form name: Data Management Policy Form owner: <President/CIO>

Version: 1.0 Last review and approval date: MM/DD/YYYY

Data Management Policy

1. Description
Data Management allows for cost-effective data security by identifying sensitive data types and their
handling requirements.

2. Purpose
This document is meant to provide guidance for data held by <COMPANY-XYZ>. It will identify the types
of data that <COMPANY-XYZ> employees may generate or encounter during business and any special
requirements for handling this data. This policy addresses the following cybersecurity domain defined
by the Cybersecurity Maturity Model Certification (CMMC): Asset Management.

3. Scope
All data which is held by, sent to, or sent from <COMPANY-XYZ>.

4. Data Management Requirements and Procedures

4.1. Proprietary Information

a) <COMPANY-XYZ> defines proprietary information as information that is internally developed to

enrich our services or products, giving our company a competitive advantage. This information may
be used entirely internally (such as consultant training materials or project guides), or it may be
provided to clients to support our project delivery.
b) <COMPANY-XYZ> will treat data in the following categories as proprietary information:
 Templates for policies, procedures, strategic documents, and other copyrighted works
 Training materials, both for internal and client use
 Documents labeled proprietary.
 Scripts, programs, and forms used as part of a compliance or assessment project

c) Handling requirements:
 Copyrighted works (not labeled proprietary) and training materials may be provided to
clients during a compliance project, typically as our consultant reviews those topics with a
client.
 Documents labeled “proprietary” should follow handling instructions within in the
document. If there are no instructions, keep the document internal to <COMPANY-XYZ>.
 Scripts, programs, and forms used as part of a compliance or assessment project shall stay
internal to <COMPANY-XYZ>.

d) Justification:

This document has been provided to our client for use internal to their Page 1 of 5
legal entity and is not to be redistributed. This document may not be
disclosed to third parties without an executed non-disclosure. agreement.
 Form name: Data Management Policy Form owner: <President/CIO>
Version: 1.0 Last review and approval date: MM/DD/YYYY

 Proprietary information gives <COMPANY-XYZ> a competitive advantage by reducing our

level of effort and improving the quality of our deliverables. Copyrighted works and training
materials are meant to be provided to clients. Documents labeled proprietary have no
reason to be provided whole to our clients, and they include guidance on how they should
be handled. All employees and contractors who have signed an NDA are authorized access
to proprietary information.

4.2. Officer-level Information

a) <COMPANY-XYZ> defines officer-level information as information that could cause harm to the
business if disclosed, and which has no reason to be shared with general employees or contractors.
b) <COMPANY-XYZ> will treat data in the following categories as officer-level information:
 Human resources (personally identifiable information, pay, evaluations and disciplinary).
 Financial (access to bank account or bank records, business plans, payments).
 Legal (registrations, tax IDs, legal guidance).
 Any other information stored in OFFICER-specific locations.

c) Handling requirements:
 All officer-level information shall be held confidential by <COMPANY-XYZ> officers.

d) Justification:
 This information can be used to harm our business, our employees, our contractors, or our
clients. The roles that need access to this information are very limited.

4.3. Federal Contract Information (FCI)

a) <COMPANY-XYZ> defines FCI as “Information not intended for public release. It is provided by or
generated by for the Government under a contract to develop or deliver a product or service to the
Government. FCI does not include information provided by the Government to the public.”
b) Handling requirements:
 FCI shall only be handled using <COMPANY-XYZ-INFORMATION-SYSTEM>.
 FCI shall only be shared as necessary to provide services.
 FCI shall not be posted to publicly accessible locations.
 Only team members supporting a client will have access to that client’s FCI.

c) Justification:
 FCI is not particularly sensitive. It is our responsibility to keep the government’s information
private and held on secure systems, but this should not restrict our ability to coordinate
internally to provide high quality service. Access may be granted to employees and
contractors who have signed an NDA and passed a basic background screening.

4.4. Controlled Unclassified Information (CUI)

a) <COMPANY-XYZ> defines CUI as “information that the government creates or possesses, or that an
entity creates or possesses for or on-behalf of the government. It also must fit into a category that

This document has been provided to our client for use internal to their Page 2 of 5
legal entity and is not to be redistributed. This document may not be
disclosed to third parties without an executed non-disclosure. agreement.
 Form name: Data Management Policy Form owner: <President/CIO>
Version: 1.0 Last review and approval date: MM/DD/YYYY

the United States Federal Government identifies as needing special safeguarding or dissemination
controls.” Reference 32 Code of Federal Regulations Part 2002.
b) General CUI handling requirements:
 CUI shall only be handled using <COMPANY-XYZ-INFORMAATION-SYSTEM>.
 CUI shall only be shared to authorized personnel.
 CUI shall not be posted to publicly accessible locations.
 <COMPANY-XYZ> will implement additional safeguards for the protection of CUI as
described in the Cybersecurity Maturity Model Certification (CMMC) level 2.
 Only specific devices and information systems may be used to store or transmit CUI, as
described in the FIPS Validation Strategy and Risk Assessment document.
 Only team members that are authorized for CUI, and are supporting a client, may view that
client’s CUI.
 CUI shall not be discussed verbally in situations where it may be overheard by unauthorized
persons.

c) The Protection of Sensitive Information Agreement shall be used to educate our staff and enforce
correct handling, labeling, and protection of CUI.
d) Before access to CUI is granted, all employees and contractors for <COMPANY-XYZ> must meet
requirements described in the Access Management Policy.
e) Justification:
 CUI, if disclosed, could be used to harm the United States’ interests. Adequate protection of
CUI is a requirement for <COMPANY-XYZ> to perform work as an assessment organization.

4.5. Non-Sensitive Data

a) COMPANY defines non-sensitive data as information that is unlikely to cause harm to <COMPANY-
XYZ>, our clients, or the United States if disclosed.
b) <COMPANY-XYZ> will treat data in the following categories as non-sensitive information:
 General communications and coordination both internal and external (information types
that are not discussed in another category).

c) Handling requirements:
 Follow Publication Review Procedure prior to public release of non-sensitive information.
Otherwise, no restriction.

d) Justification:
 Additional cost, effort, and discipline is required to properly handle sensitive information
categories. Non-sensitive information should not be heavily restricted by default.

4.6. Spillage Data

a) <COMPANY-XYZ> defines spillage data as information that is transmitted or held in a manner that
does not meet handling requirements for that type of data.
b) <COMPANY-XYZ> will treat data in the following categories as spillage data:

This document has been provided to our client for use internal to their Page 3 of 5
legal entity and is not to be redistributed. This document may not be
disclosed to third parties without an executed non-disclosure. agreement.
 Form name: Data Management Policy Form owner: <President/CIO>
Version: 1.0 Last review and approval date: MM/DD/YYYY

 Any data that meets the categories of information listed in this document, which has been
stored or transmitted in a way that violates the handling requirements.
 Any classified data in the government categories of CONFIDENTIAL, SECRET, or TOP SECRET.

c) Handling requirements:
 Notify <COMPANY-XYZ> IT department of a potential cyber incident related to spillage. The
IT department will begin incident response following the Incident Response Procedure.
 If classified data is received, <COMPANY-XYZ> IT department will take steps to prevent
access to the classified data, notify sender and other entities as required by law, and request
guidance.
 For other types of data, <COMPANY-XYZ> IT department> will assist in handling the data
according to requirements listed in this document (for example, move it to a system which is
authorized for CUI) and will sanitize the data from any system that violates handling
requirements.

d) Justification:
 Due to the nature of our work, clients may occasionally send us sensitive data via insecure
methods. This data should be moved to a secure location and deleted from any insecure
location. Employees and contractors of <COMPANY-XYZ> who provide support for spillages
will meet requirements for access to CUI data, as described in the Access Management
Policy.

5. Related Documents
 Access Management Policy
 Protection of Sensitive Information Agreement

6. Roles and Responsibilities

Position Responsibility
<CIO> Implement this policy, ensure activities performed as described.
<CISO> Review and advise <CIO> regarding cybersecurity concerns.
<IT Department> Respond to spillage events.
All users Handle data as required by this policy. Notify <IT department> if
spillage event occurs.

7. Regulatory Guidelines
a) All activities described by this policy must be compliant with the Department of Defense’s
Cybersecurity Maturity Model Certification (CMMC) and Defense Federal Acquisition Regulation
Supplement (DFARS) 252.204-7012.

8. Revision and Review History

Version Reviewed / Date Notes

This document has been provided to our client for use internal to their Page 4 of 5
legal entity and is not to be redistributed. This document may not be
disclosed to third parties without an executed non-disclosure. agreement.
 Form name: Data Management Policy Form owner: <President/CIO>
Version: 1.0 Last review and approval date: MM/DD/YYYY

updated by
1.0 <Name> <Date> Initial approved version.

9. Authority
The responsible party for this policy is the <CIO>: <Name>.

The responsible party has authority to implement and enforce this policy within <COMPANY-XYZ> to
include disciplinary actions for non-compliant employees and contractors. The responsible party must
review this policy and related procedures, agreements, and forms at least annually.

Exceptions to this policy must be granted in writing by the responsible party and will be tracked in the
“<COMPANY-XYZ> – Policy Exception Tracking” file.

If you would like additional clarification about the information in this document or believe that this
policy is not being adhered to, please report your concerns to the <CIO> (<email@COMPANY-
XYZ.com>).

The signature should be from an executive in the organization, such as the President or CEO, who is
delegating authority to the CIO to perform these tasks.

Signature X

© 2021 Kieri Solutions LLC

This document has been provided to our client for use internal to their Page 5 of 5
legal entity and is not to be redistributed. This document may not be
disclosed to third parties without an executed non-disclosure. agreement.