In today’s federal contracting landscape, our industry must do more than deliver high-quality services; we must also navigate the complexities of complying with national security requirements. Two key frameworks shaping this environment are the handling of Controlled Unclassified Information (CUI) and the Cybersecurity Maturity Model Certification (CMMC).
The Department of Defense (DoD) recently published its final CMMC program rule, signaling a significant shift toward enforcement. While the current administration could potentially delay or pause implementation, most sources indicate the rule will move forward. For businesses working with the DoD or other federal agencies, understanding and preparing for these requirements is essential, not just for compliance, but for staying competitive in an increasingly security-conscious market.
1. What is CUI (Controlled Unclassified Information)?
- Controlled Unclassified Information (CUI) is defined in Section 2002.4 of Title 32 CFR as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
- The intent of CUI controls is to ensure that sensitive information is protected and handled properly, including information that bears on national security. These controls are applied across government agencies and by federal contractors to secure sensitive data while maintaining operational efficiency.
What Isn’t CUI?
- CUI is not classified information, which has its own strict handling and dissemination rules. The three classification levels, Confidential, Secret and Top Secret, are assigned because unauthorized disclosure could reasonably be expected to cause damage, serious damage, or exceptionally grave damage, respectively, to national security. But we don’t suggest you drop your guard around CUI. Just because CUI is not classified does not mean it does not need protection. CUI requires safeguarding or dissemination controls because a law, regulation, or Government-wide policy says it does, and its improper release can still harm national security or other protected interests.
- CUI is not everything that isn’t classified. CUI is information for which a law, regulation or Government-wide policy states that it must be safeguarded. Without a specific piece of governance behind it, information is not considered CUI.
- CUI is not intellectual property (IP). IP refers to creations of the mind, such as inventions, literary and artistic works, and names, that are protected by law so that creators can earn recognition or financial benefit from them. Unless the IP was created for a government contract or falls under that contract’s requirements, it is not CUI.
CUI Categories
The National Archives and Records Administration maintains the CUI Registry, which lists 125 CUI categories organized into 20 alphabetized index groupings. The categories cover a wide range, including:
- personally identifiable information, and information vital to national security such as defense logistics and security protocols;
- critical infrastructure details, cybersecurity plans, emergency response strategies, and export-controlled data.
Consequences for Mishandling CUI
Even though CUI isn’t classified, mishandling it can put national security at risk. Penalties therefore apply for misusing CUI, disclosing it without authority, or marking it incorrectly.
- The improper handling of CUI may result in administrative or disciplinary action, up to and including loss of a federal contract.
- Some misuses of CUI may also result in criminal penalties.
The goal of the CUI program, however, is to protect sensitive information, not to punish. If an unauthorized disclosure has occurred, the DoD Controlled Security Architecture Office and CUI Program Manager focus on correcting the procedures, or lack of procedures, that allowed the disclosure. A formal security inquiry or investigation is unlikely unless disciplinary action is to be taken against a responsible individual.
2. How does it relate to all this CMMC talk?
The Cybersecurity Maturity Model Certification (CMMC) is the mechanism DoD uses to verify that contractors protect CUI and Federal Contract Information (FCI). In 2021, the original five-level CMMC model was streamlined into a three-level model, known as CMMC 2.0, that verifies the implementation of security practices ranging from basic cyber hygiene to advanced threat management.
- Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 (for example, access control and media protection) and is verified by an annual self-assessment.
- Level 2 covers the 110 security requirements of NIST SP 800-171. Depending on the type of CUI involved, a contract may accept a self-assessment or may require a certification assessment performed by a CMMC Third-Party Assessment Organization (C3PAO).
- Level 3 is the highest level. It adds selected requirements from NIST SP 800-172 on top of Level 2 (including continuous monitoring and incident response capabilities), requires a prior Level 2 C3PAO certification, and is assessed by the government under Defense Contract Management Agency (DCMA) oversight.
Timeline for Implementation:
DoD is working to finalize the CMMC acquisition rule. Officials emphasize CMMC’s importance to national security, citing past data breaches involving major defense programs. While CMMC assessments aren’t yet required, some companies, including Scout, have already started the process. DoD is targeting mid-year to begin implementing the rule, following a four-phase plan:
Phase 1:
- Phase 1 begins when the acquisition rule takes effect. DoD will include CMMC Level 1 and Level 2 self-assessment requirements in new solicitations.
- During this phase, contractors must conduct self-assessments and affirm compliance with the applicable CMMC level when bidding on new contracts; third-party certification is not yet mandatory.
Phase 2:
- Starting approximately one year after Phase 1, DoD will require CMMC Level 2 certification assessments (performed by a C3PAO) from contractors handling defined types of CUI as a condition of contract award.
- Contractors should obtain the necessary certifications by this time to remain eligible for the relevant DoD contracts.
Phase 3:
- Beginning one year after Phase 2, DoD will also require CMMC Level 2 certification as a condition for exercising option periods on applicable contracts awarded after the rule’s effective date.
- Additionally, CMMC Level 3 requirements will start appearing in solicitations for contracts involving the most sensitive CUI.
Phase 4:
- Beginning one year after Phase 3, DoD will include CMMC requirements in all applicable solicitations and as a condition for exercising option periods on relevant contracts, regardless of award date.
- At this stage, all contractors and subcontractors must hold the appropriate CMMC certification to be awarded, or continue performing on, applicable DoD contracts.
3. What it means for companies & how Scout is leading the way
Companies that operate in the DoD contracting space must comply with CMMC requirements. While Level 1 is generally achievable without great difficulty, reaching Level 2 requires a significant investment of money and time, and where a contract calls for a C3PAO certification assessment, the independent audit adds further cost. The total cost of CMMC compliance is significant, especially for a small business. However, the cost of not complying may be exclusion from DoD work, whether as a prime or a subcontractor. There is potential relief on the horizon: legislation has been proposed to provide companies with a tax credit of up to $50,000 for CMMC-related expenses.
With support from the experienced cybersecurity professionals at Affinitas Technology Solutions, Scout has, from its inception, put in place the security controls, policies, and procedures needed to meet CUI regulatory requirements. We are positioned to undergo our Level 2 assessment and certification this year. Whether you’re looking to strengthen your security practices or ensure compliance with federal regulations, we can help.
Contact us at hello@scoutenv.com to see how we can support your next project—we’re prepared to handle CUI when the work requires it.
About the Authors
Bringing over 17 years of experience in business operations, Roxanne Beasley is known for her versatility. She excels in Office Management, Technical Editing, HR, Public Involvement, and driving operational excellence through her leadership and process improvement skills. When not refining Scout’s CUI document management process, Roxanne loves traveling with her family. She is excited about her upcoming adventure to Vietnam, where she plans to visit Hoi An, Hanoi, and Ho Chi Minh City and savor the vibrant street food scene.
Kelly French is Scout’s Operations, Marketing, and Project Controls Specialist, bringing experience in Operations, HR, Logistics, and Administrative Services across large and small business environments. With strong skills in data collection, scheduling, and managing multiple projects at once, she’s a natural at multitasking and delivering solutions. If you don’t see her on the ground learning about changes to CUI regulations, try looking for her in the sky as she trains for her private pilot license.