CMMC Compliance Guide

Handling CUI Correctly: Compliance Risks and Best Practices

CMMC Compliance Guide Episode 33

Submit any questions you would like answered on the podcast!

Worried about mishandling Controlled Unclassified Information (CUI)? 

In this episode of the CMMC Compliance Guide Podcast, Brooke and Stacey break down what CUI really is, why it matters in defense contracting, and the biggest mistakes contractors make when handling it.

You’ll also learn the real-world risks of CUI mishandling, how assessors check compliance during a CMMC Level 2 assessment, and the low-cost, practical solutions you can implement right now to protect sensitive data.

Stacey:

Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's episode is all about Controlled Unclassified Information, or CUI. We're going to talk about what it really is, why it matters, and the most common mistakes contractors make when handling it. If you've ever worried about accidentally mishandling sensitive data, this one's for you. All right, Brooke, let's start simple.

Brooke:

Alrighty, let's do.

Stacey:

What exactly is CUI and why does it matter so much in defense contracting?

Brooke:

Well, CUI is unclassified but controlled information that the government possesses or creates that requires safeguarding or dissemination controls, limited to those with a lawful government purpose for handling that CUI. That's what CUI actually is. I think probably the lion's share of CUI is going to be controlled technical data. So it's going to be drawings, it's going to be specifications, it's going to be anything related to all that. But it could also be, depending on what you do with the Department of Defense, personally identifiable information, PII, or it could be a lot of electronic personal health information, ePHI. It could be any of those things. So there's a whole giant long list of CUI classifications, but really for the DoD, the lion's share of that is going to be controlled technical information, which, like I say, is going to be drawings, specifications, things like that that result from manufacturing things.

Stacey:

So, Brooke, what are the biggest mistakes you see companies make when handling CUI?

Brooke:

The biggest mistake is probably sending CUI unencrypted through email. They get it unencrypted, they know it's CUI or think it's CUI, or maybe it's even marked, but if they get it through email, they just go ahead and send it through email. So mishandling that CUI through email is probably the biggest thing that we see. Really, if you get something that looks like CUI, you have a duty to say, "Hey, Mr. or Mrs. Contracting Officer, this document or this email you sent sure looks like CUI. Is this in fact CUI or is it not?" They should be able to answer and say, no, it's not, or yes, it is, and from there you can say, well, it's not marked, can you mark it properly? And so they should mark it and send it back. Probably the next biggest thing would be just storing all your CUI with everything else, right? On your network, in your environment. If you have a CUI enclave, you're probably already aware and splitting it out. But CUI access needs to be limited to those who should have access to that CUI. In other words, HR shouldn't have it, probably. I don't see why they would, but if your HR person is also a machinist, then maybe so, or if your HR does other things, maybe they do. It depends on how big your organization is, or rather how small it is. Accounting probably shouldn't have it. If there's somebody that only works on commercial projects and has nothing to do with Department of Defense projects, they should be scoped out. They should not have access to that.
Then there's access to CUI on personal devices. So you have a phone, you have email on it, and maybe you have access to OneDrive or SharePoint, and lo and behold, you can get to all that CUI on your mobile device, and nobody ever thinks about the phones, the cell phones. They just don't even think about those, they don't scope those in, and lo and behold, a lot of those have access to that CUI. And so if they have access, if you're not going to scope out those phones, then they have to be controlled. They have to meet all the applicable 110 controls and 320 assessment objectives. So that's another really big one. Next is making sure that flow down occurs. So not only in your organization, but if you subcontract out something, and most people subcontract out something. They don't do everything. Just like Lockheed and Raytheon and all of them subcontract, you'll probably subcontract out some pieces too. And anything that is CUI that is subcontracted out, they have to be at the same level as you're supposed to be. The flow down rule says that you're supposed to make sure that they're at the same level as you. That doesn't mean you have to go assess their environment. But if you're supposed to meet DFARS 252.204-7012, then they do too. If you have to be Level 2 certified, then they do too. There are some caveats to that. If you are 100% sure that what you are sending them is just off-the-shelf stuff and has nothing to do with any CUI, and they don't get any information that could even be misconstrued as CUI, then that may be an off-the-shelf item and they may not have to be.
But you're going to have to make sure that's documented, and if it's part of that project, you're going to have to make sure that you know and document that. So those are the biggest things that we see with mishandling CUI.

Stacey:

Now that we've covered those big mistakes, what happens if a contractor mishandles CUI?

Brooke:

Well, there are about a million things that can happen, but one of them is, if you send it through email and somebody's email is compromised, then that becomes a really big deal. There'll be a cyber incident opened up, it'll be investigated, the whole nine yards. So if it's investigated and the government figures out that you did something wrong, then you very well may be fined. There are fines out there in the millions of dollars right now to companies that have mishandled this. You could lose your contract. The way you'd lose your contract is that you may no longer meet all the 110 controls that you said you met, and if this contract requires that, then you may lose that contract, or you may not be able to get any new contracts, whatever the case may be. If it's something that they determine you said you were doing and you're just plain not doing it, then that is a False Claims Act violation. And again, there are plenty of examples out there of False Claims Act cases, and plenty of those are in the millions of dollars of fines right now as well. Depending on what it is, there could be jail time too. Don't know. It'd probably have to be pretty serious, I would hope, but they haven't ruled that out, so there could be jail time as well. If you're trying to get assessed and the assessor discovers through their examine, interview, and test that you're not quite covering something like you said you are, or maybe you just didn't say you are and you should be, it could cause you to fail an assessment as well.
And that's a big deal also because of all the previous things: loss of contract, loss of future contracts, etc.

Stacey:

When a contractor goes through a CMMC Level 2 assessment, how do assessors check CUI handling?

Brooke:

The basic method is they'll examine, interview, and/or test. They don't necessarily have to do all three of these things for each control or each assessment objective, but they have all three of those available to them. Sometimes it doesn't make sense to do all three, or one of them, or something like that. But they do have those three options. So examine: they'll examine your policies, your plans, and your procedures, they'll examine your proof, any list or anything that you have, they'll examine all that. Test: for instance, if MFA is required to access your CUI, then they'll say, hey, log on and let me see that you in fact do have MFA turned on. You'll log in, you'll do your MFA, and they'll go, great, thank you very much. Interview: they'll interview you, they'll interview your staff. There won't be any surprises here. They'll work all this out with you ahead of time. You'll say, here's my scope, here's my initial set of documentation for you, and the people that are in scope, and they'll say, all right, well, we want to talk to A, B, C, D, and E, right? And so you'll know that, you'll approve that, or you can say, hey, well, Johnny's going to be out on vacation for the next two months, or whatever it might be, and so they'll choose somebody else. You'll work all that out ahead of time, and there shouldn't be any surprises about any of that. But that's how they determine how you're handling CUI and whether you're mishandling it or not.

Stacey:

Let's talk solutions. What are some of the low-cost, practical best practices small contractors can use to handle CUI the right way?

Brooke:

Sure. Probably one of the best things you can do, if you can do it, and not everybody can, is to create a CUI enclave. We've talked about that ad nauseam. If you look for how to implement CMMC somewhere, there'll be something about a CUI enclave. Sometimes it makes sense, sometimes it doesn't. Some sort of CUI enclave makes sense, whether it's really small or incorporates everybody. If it incorporates everybody, that's more likely to be a small company, where people wear a lot of hats. If you're in a larger company, it's a lot easier to separate out those jobs that are CUI versus the ones that are not. But it also depends on how much of your business is DoD work and includes CUI. So creating an enclave is probably the easiest single thing to do to minimize cost. Kind of on the enclave soapbox, there are a million different ways to do that, but there are some better ways to implement that that are a little lower cost than others. I'll go ahead and say it: Provela is one of those. It may or may not fit you. You need to make sure you look into it and understand it and see if it'll work for you or not. But that's a lower cost solution that may work for you for a CUI enclave. Limiting access, whether it's through an enclave tool like that or just a server on site: make sure you limit access appropriately, and again limit that to only the people that need access. If you do have a server on site, a good idea is to separate out the data, commercial data from the DoD data, and put them on two different virtual servers. That'd be a really easy thing to do.
Sometimes you'll run across some controls that you don't really want to implement for your commercial data and that you need to for your CUI data. And if you split it out, a virtual server, as a virtual machine, is an easy thing to create, an easy thing to spool up. You can do that in the cloud as well, but we're talking about lower cost solutions, and the cloud, although the ongoing cost is easier to handle than a new server or something, is not cheaper. It'll be more expensive in the end. And then when you document everything, work very hard to make sure that you keep everything very, very organized. It may seem counterintuitive, but really a GRC tool helps you do that. That is another expense, so you have to consider that, but consider what happens with your documents. Over time you always have document sprawl: your folders get put in different places, your versions of documents grow, and it gets hard to handle. When you do all your documentation properly with CMMC, it's not going to just be 15 documents. It's more likely going to be 40 or 50 or more documents. Especially when you start adding in all your proof and everything else, it's going to be a lot more than that. All that leads to document sprawl. The easy way to handle that is in a GRC tool. And personally, I think in the end it'll end up saving you some money, or at the very least some headache and some time, and time is money. So you have to figure that out: what do you charge other people for your time, and figure out if it's worth it or not. I happen to think it's worth it. Other people may not, but that's my two cents right there.

Stacey:

Are there any recent updates or enforcement actions contractors should have on their radar?

Brooke:

There is. We talked about it in the last podcast, and I think that one is up and ready to share. So yeah, okay, Stacey agrees. Stacey's the one that put it up, so she knows. The 48 CFR rule has been published, so it's live, the clock is ticking, and it goes into effect on November 10th. The 48 CFR rule, again, is the one that puts CMMC in effect on contracts. There are four phases to that. The first year starts on November 10th of 2025, and it's basically what you're doing right now. You have to self-attest that you're doing what you say you're doing. POA&Ms are limited to 180 days, all sorts of fun stuff, but you have a year to do that, until November 10th, 2026. And that's when Level 2 certifications will start being required on contracts. Again, there are some caveats to that. There may be some requirements by prime contractors or something for you to get yours earlier. The government did leave a little wiggle room for themselves; they could require it a little earlier on a contract or two here or there, or later. But that's the basics of the 48 CFR rule. So that 48 CFR rule is a big one. Then the FAR CUI rule, I believe, is in the proposed stage still, if I recall properly. But basically they've always said they wanted to take this whole CMMC idea and get the DoD going on it, use the DoD as guinea pigs, I guess, and then roll it out to the rest of the federal government. Who knows exactly how it'll look, but they want to control that CUI, right? And so they're rolling out the CUI rule to the rest of the government, and that kind of kicks off the process of some CMMC-like rule for the rest of the federal government, and that's big, and it'll be a big change. So we'll see how well that goes. But that's the big thing coming.

Stacey:

If you have any questions about what we covered, reach out to us. We're here to fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.