DoD is Actively Preparing for CMMC, Are You?
While some people are still hoping that CMMC will go away, the folks inside the Pentagon are working to get ready for it.
Two cases:
First, the Office of the Secretary of Defense released a memo last month on the requirements for contractors regarding CMMC. Please contact me if you don’t already have a copy of the memo.
To summarize some of the key points:
- Even if your contract is, for some reason (say it is small), exempt from the FARs, DoD says the contractor still has to protect controlled unclassified information if they get any.
- This is the big one. The only CUI categories for which a self-assessment is going to be allowed are the ones OUTSIDE OF the four DoD CUI categories. Meaning that if you have controlled technical information, DoD critical infrastructure information, information with DoD distribution statement B through F on it, or the other DoD CUI categories, you are going to, ultimately, need a third-party certification.
- The memo talks about how CMMC Level 3 is going to work, but 99 percent of the DIB is not going to see that, so I am not going to discuss it here.
- There is a process now defined for granting CMMC certification waivers. The waiver does not change the security requirement; it only changes the certification requirement.
- Key to the certification waiver is a requirement for the agency to do market research to determine if having a certification requirement will impede competition or delay delivery of mission critical capabilities.
Second, DoD released a new CUI markings guide for contractors to use.
The guide, for the first time, says:
“Contractors are authorized to create and mark CUI documents and can be listed as the POC in the CUI designation indicator block”
It also lists the LDCs (the things that, if you violate them, you can go to jail for). Key to avoiding jail are the labels NOFORN (cannot be released to a foreign person or country) and REL TO USA (LIST) (can be released to certain foreigners that are explicitly listed in the label). The Limited Dissemination Controls have been around for a while, but many contractors are not familiar with them.
This guide also gives actual examples of how to mark CUI under the DoD rules, which are slightly different than the general NARA rules.
The guide gives examples of how to mark text documents, PowerPoints, emails, spreadsheets, etc.
It even explains how to handle CUI inside classified documents (yes, that is a thing).
Bottom line is that DoD is moving ahead with CMMC and you can either be on the train or watch your contracts recede into the distance as a faint memory.
Need to get ready? While it is never painless, we can make it less painful for you; please contact us.