CMMC and CUI: Does It Apply to You?

Just as the rest of the world has experienced much change in 2020 and 2021, there have been a lot of big changes for US Department of Defense contractors. New rules and regulations are being implemented every day in an effort to maintain cybersecurity and fend off the growing number of cyber threats.

The biggest change of all is the addition of the CMMC, a program that directly affects DoD contractors and the way they practice cybersecurity. Although the CMMC is still being implemented, it will be a mandated requirement by 2026 on all contracts.

In addition to CMMC, there’s another acronym that continues to come into the conversation, and that is CUI. CUI, short for Controlled Unclassified Information, plays a major role in the CMMC framework. But what is that role, and more importantly, how does it apply to you?

CMMC Explained

CMMC, short for Cybersecurity Maturity Model Certification, is a set of standards that are intended to unify cybersecurity measures and protocols across the Defense Industrial Base (DIB).

In the initial report on CMMC requirements, the DoD itself states that “cybersecurity risks threaten the defense industry and the national security of the U.S. government, as well as its allies and partners. About $600 billion, or 1% of the global gross domestic product, is lost through cyber theft each year.”

DoD contractors handle a lot of sensitive information, and according to the above statement, that information is more at risk than ever. This is the entire reasoning behind the implementation of the CMMC; its overall goal is to protect our information and the US government as a whole.

It does so by certifying contractors in a way that is scalable across the board, giving the DoD assurance that anyone who works with them meets specific cybersecurity standards.

5 Levels of the CMMC

Because security is not a “one size fits all” concept, there are several levels that make up the certification process – 5 to be exact. Level 1 is the most basic, and cybersecurity requirements become more advanced as you move up to Level 5.

Here’s a quick breakdown of each Level of the CMMC:

  • Level 1: Basic Cyber Hygiene
  • Level 2: Intermediate Cyber Hygiene
  • Level 3: Good Cyber Hygiene
  • Level 4: Proactive
  • Level 5: Advanced/Progressive

Each contractor is required to meet a different level based on the nature of the contract and the information handled.

CUI Explained

Next, let’s move on to CUI. According to the Defense Counterintelligence and Security Agency (DCSA), Controlled Unclassified Information is “government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies.”

Although this information is not considered “classified”, it is still extremely important, and therefore needs to be protected. Since it is not kept under the same strict controls as classified information, CUI is especially at risk of being compromised, and the loss of CUI is actually one of the biggest risks to national security in today’s day and age.

To put it into perspective, there are nearly 600,000 contractors who handle CUI in the DIB. All this information comes in many forms, including:

  • Controlled Technical Information (CTI)
  • Covered Defense Information (CDI)
  • For Official Use Only (FOUO)
  • Personally Identifiable Information (PII)
  • Nonpublic Personal Information (NPI)

While we won’t get into the details of each, the main thing to know is that CUI is the umbrella term encompassing the rest. These are just a few of the different examples, so feel free to check out the complete list of CUI groupings to get a better grasp on the significance of this information.

How Does CUI Fit Into the CMMC Framework?

The CMMC is meant to verify that contractors are taking the right steps to protect data and information from cyber threats, and what is much of that information considered? CUI.

More specifically, though, new regulations state that any contractor who handles, possesses, uses, shares, or receives CUI will require a CMMC Maturity Level 3 – which means Good Cyber Hygiene – or above.

How CUI Regulations Are Changing

Controlled Unclassified Information has been regulated under DFARS clause 252.204-7012. However, recently information controls have gotten more stringent under the clause’s interim rule (DFARS 252.204-7020).

With this rule in place, additional security measures are required – like submitting an SPRS Score, System Security Plan (SSP), as well as a Plan of Action and Milestones (POA&M). These requirements are still active, but eventually, CMMC Level 3 requirements for CUI will take over.

Keeping all this in mind, it’s never too early to start planning and budgeting if you’re working with CUI, and one of the best ways to do that is to invest in CMMC services. The process can get complicated quickly, so getting help from experts is the best way to reach the Maturity level you’re wanting or that’s required of you from the DoD.

Does CMMC and CUI Apply to You?

Currently, the CMMC applies to pilot DoD contractors, but by 2026, every DoD contractor will be required to go through the certification process.

As of right now, the exact timeline for when it’s necessary to meet CMMC requirements is unclear. The thing we do know, though, is that it will eventually filter down the supply chain and apply to you, so it’s essential to start taking the right steps to be compliant early on.

To be completely honest, though, it’s more than just DoD contractors who should be concerned with the CMMC and CUI. It’s not just these organizations who are affected by cyber threats – it’s everyone.

A cyber security incident happens every 39 seconds, meaning it’s more important than ever to get educated on how to stay secure. So while the CMMC and CUI currently apply to defense contractors, it’s not a bad idea for everyone to have an understanding of why cyber security is important and how to enhance it.


CUI is constantly being threatened and compromised, so the DoD’s solution to the ever-growing threats is the CMMC. While the CMMC is still extremely new, the hopeful goal is that it will bolster the cybersecurity infrastructure of the US.

As a defense contractor, it is your duty to protect the information you handle, which in turn protects the security of the nation. To ensure that you’re living up to your duty, get in touch today to learn more about the services we offer to help you become compliant and meet the stricter security standards of our time.

Get In Touch

With Us

Contact Number

E-mail Address

Follow Us