CMMC Practice AM.3.036
Define procedures for the handling of CUI data.
Bold Coast Security Guidance
Data handling procedures should be part of a your organizations Acceptable Use Agreement. First you need to define what classifications of data you have, such as CUI, Confidential, and Public, and then you need to define how each category should be "handled".
We suggest building a table with a columns for each classification, then rows for each handling method, such as where it can be stored, does it need to be encrypted, how it it should disposed of, etc.
Don't forget this includes analog and digital copies of data, so it be sure to to think about how you store and dispose of paper too!
The organization should define procedures for the proper handling of CUI. These procedures typically involve establishing controls to protect and sustain sensitive information. Examples of controls an organization may implement through data handling procedures include policies (data categorization, protection, disposal, backup), access controls for data, regular backups and physical security protections.