Good Afternoon,
Last December we uploaded an SPRS score and received a 30-something after having a company come in and do an assessment of our system. For the past ten months we have been working on fixing the items that were wrong and redoing our system to comply with 800-171. We created documentation, policies, an SSP, and a POAM. We're looking at accrediting our environment for CUI, but I couldn't find clear guidance on whether we need an ATO or a Memorandum For Record from our DoD sponsor.
I came across this document from May 2022 from GSA: "IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process CIO-IT Security-21-112". It seems like we need to go back to the beginning, get GSA involved in the process, and have them accredit our documentation and system after a third-party assessor has reviewed it.
I mean, I could be wrong, but if we upload a score and the answer is that we're good to handle CUI, then how are we handling CUI properly if we don't meet many of the controls (e.g. marking documents properly, placing stickers on the appropriate items, etc.)?
I guess the question is: at what point are we accredited to handle CUI, and what are the last steps once all the documentation is completed? Do we need a Memorandum For Record (and who would provide this), an Authority to Operate (and who would provide this), or do we just upload a new re-self-assessed SPRS score, POAM, and SSP and we're good to go to handle CUI?
Thanks for your help and comments.