Weekly CUI Hotline Q&A: 6.5.26

Jacob and Daniel discuss the latest Leonardo DRS supplier notification, which requires applicable suppliers to achieve CMMC Level 2 certification by November 10, and emphasize that DFARS 7012 compliance remains the underlying requirement. They also explore the potential impact of the proposed CIRCIA rule on Defense Industrial Base organizations and the new reporting obligations it could create. The episode concludes with audience questions covering MSP readiness, significant changes, law firms handling CUI, Level 3 implementation, and NIST SP 800-171 Revision 3.

Key Takeaways

  • Leonardo DRS is the latest prime contractor to establish a CMMC certification deadline, signaling continued pressure on suppliers to prepare for Level 2 certification requirements.
  • DFARS 7012 compliance remains the real objective, regardless of whether certification deadlines move or implementation timelines change.
  • The proposed CIRCIA rule could significantly affect DIB organizations by creating cyber incident reporting requirements that extend beyond CUI environments and existing DFARS obligations.
  • MSP readiness remains a major concern, with some providers exiting the defense market or discovering they are unprepared to support customers pursuing CMMC certification.
  • Several important CMMC topics still lack clear guidance, including reassessment timelines after significant changes, treatment of law firms handling CUI, and how organizations should approach Level 3 implementation.

83 episodes. 2,000+ questions and counting. Our weekly livestream is all about helping defense contractors navigate the intersection of contracts, CUI, compliance, cloud architecture, assessments, and supply-chain obligations under the DoD cybersecurity ecosystem. It’s free and it’s live so come hang out!

Transcript

[0:00] Jacob

All right, everybody. It is Friday. It’s Hotline time.

You guys know the drill. We’re live on YouTube and LinkedIn. You can go to cuihotline.org, call the number and leave us a message, fill out the form, submit a question, or send us a DM.

I spent most of today following up on questions that had mysteriously ended up in LinkedIn’s mysterious other inbox. If you aren’t aware, LinkedIn has two DM inboxes, and if you don’t manually go in and check, you’ll miss a lot of messages.

Sorry about that, everybody. We’ve worked through the backlog and gotten answers out. We’ll continue getting to questions as they come through.

We’ve got a lot to cover today.

Let’s start with our weekend review like we always do. Bit of a spicy one, Daniel.

[1:01] Daniel

Oh yeah.

Yet another prime contractor deadline notification has gone out to its supply chain.

As far as I’ve seen, this one wasn’t distributed publicly as a PDF letter. We saw it through an email that was forwarded to us.

This one came from Leonardo DRS.

A couple of things jumped out immediately.

First, the letter says CMMC readiness is a firm and non-negotiable requirement. That’s a strong opening.

Then it states that all applicable suppliers must achieve CMMC Level 2 certification through a C3PAO assessment.

Self-assessments are no longer sufficient.

And then comes the big one:

Suppliers who have not achieved certification by November 10 may be disqualified from award of new contracts and may be at risk of disruption to existing work with Leonardo DRS.

Outside of the RTX notification we talked about previously, this is probably one of the more heavy-handed supply-chain notices we’ve seen.

It’s basically saying: get compliant or get left behind.

Leonardo DRS is a major defense contractor with a large supply chain. This isn’t a small organization making these demands.

What are your thoughts, Jacob?

[3:03] Jacob

What I always find interesting about these notifications is that the word applicable is doing a lot of heavy lifting.

The message starts out sounding very absolute.

You need Level 2 certification.

You’ll be disqualified.

Then later it clarifies that the requirement applies to suppliers receiving CUI.

That naturally raises the question:

Am I actually receiving CUI?

If you’re a Leonardo supplier, that’s the question you need to ask.

Unfortunately, what many suppliers are likely to hear is some variation of:

“We’re not really sure, so you should probably just do it.”

This is an example of broad, blanket guidance that makes things easier for the prime contractor but harder for the subcontractor.

November 10 suddenly becomes a deadline whether it’s technically a regulatory deadline or not.

Then everything starts compounding.

You don’t know if you receive CUI.

The prime doesn’t give a definitive answer.

You’re told certification is mandatory.

You’re warned you could lose work.

Personally, I’d like these notifications to start by saying:

“If you receive the relevant data, then the following requirements apply.”

But they usually don’t.

If you’re part of the Leonardo supply chain, I’d encourage you to reach out and determine whether you actually receive CUI before assuming the requirement applies.

[4:45] Daniel

When we talk about implementation timelines, six months is already pretty aggressive.

The technical deployment is usually the easiest part.

The difficult part is everything surrounding it:

Executive buy-in.

Documentation.

Policies.

System Security Plans.

Determining who the affirming official will be.

Internal approvals.

We’ve even seen SSPs go through legal review before organizations are willing to sign off on them.

All of that takes time.

When you add it up, six months disappears quickly.

So what Leonardo is effectively saying—without explicitly saying it—is:

If you haven’t already started this journey, you’re probably not going to make it.

And honestly, this becomes a supply-chain forcing function.

Organizations are being pushed to meet requirements they should have been meeting since DFARS 7012 became effective years ago.

[6:00] Jacob

Six months is not much time if you’re starting from zero.

On the other hand, six months is a tremendous amount of time if you’re already compliant with DFARS 7012 and all you need is an assessment.

Assessment scheduling isn’t really the bottleneck right now.

The bigger issue is that people lump everything together under the umbrella of CMMC.

CMMC exists because organizations weren’t complying with DFARS 7012.

If you’re already compliant with DFARS 7012, getting certified by November isn’t necessarily a huge challenge.

If you haven’t done anything toward compliance yet, that’s a completely different story.

By the time you’re hearing about CMMC through a prime contractor notification, you’re already behind.

[6:56] Jacob

Purple Girl says hello.

That means we can officially get started now.

Purple Girl is here.

Can you feel it, everybody?

Can you feel it in the air tonight?

Because I can feel it.

[7:08] Jacob

If you didn’t watch this week’s podcast, go watch it.

Like and subscribe, but more importantly, go watch it.

We covered the CIRCIA rule.

After Colonial Pipeline and SolarWinds, Congress passed legislation requiring critical infrastructure organizations to report cybersecurity incidents.

Historically, there wasn’t a comprehensive mechanism forcing critical infrastructure owners and operators to report those incidents.

Congress directed CISA to build that framework through rulemaking.

In 2024, CISA released a proposed rule that was 457 pages long, supported by roughly 30 additional attachments.

It’s one of the most comprehensive cybersecurity rulemaking efforts I’ve ever seen.

And remember: final rules are usually even longer than proposed rules.

So buckle up.

[8:38] Jacob

One of the biggest concerns for the Defense Industrial Base is how CIRCIA handles small-business exemptions.

Most critical infrastructure sectors receive exemptions tied to SBA small-business definitions.

The DIB does not.

Why?

Because DFARS 7012 already applies regardless of company size.

The result is that DIB organizations are treated differently under the proposed rule.

The problem is that CIRCIA doesn’t care only about incidents involving CUI.

It wants reporting on cybersecurity incidents throughout the organization.

That means you could end up with:

DFARS reporting requirements for incidents involving CUI.

CIRCIA reporting requirements for incidents elsewhere in the enterprise.

Both operating inside the same company.

That’s a significant challenge.

[9:44] Jacob

Instead of publishing the final rule, CISA has announced additional town halls to gather feedback and potentially revise parts of the proposal.

We’ve been sounding the alarm on this for quite a while.

We’ve done podcasts.

We’ve done LinkedIn posts.

Now we’re encouraging people to attend the upcoming town hall and understand what this could mean for their organizations.

Because if the Defense Industrial Base shows up the way I think it will, it’s going to be a very lively conversation.

[10:21] Daniel

What I’m really interested in is the enforcement side.

Think about everything that’s already out there:

SEC reporting requirements.

CIRCIA.

DFARS 7012.

I wouldn’t be surprised if we see increasing Department of Justice involvement when organizations fail to report incidents they were required to disclose.

The reporting timelines are different too.

There are 72-hour reporting windows.

There are 24-hour ransomware payment notifications.

Those obligations can stack up quickly.

[11:10] Jacob

The similarities between DFARS incident reporting and CIRCIA reporting are actually pretty limited.

The 72-hour reporting window is about the only thing they really have in common.

Everything else is different:

Different reporting triggers.

Different report types.

Different follow-up requirements.

Different information requirements.

CIRCIA also gives CISA significant enforcement authority.

They can issue requests for information.

They can issue subpoenas.

They can make referrals to the Department of Justice.

They’re not playing around.

This is not a joke.

And importantly, it has nothing to do with CMMC.

Nothing to do with DFARS compliance.

It’s an entirely separate statute with its own requirements and enforcement mechanisms.

[12:06] Daniel

Can we take a quick detour and talk about GSA CUI?

We’ve had people reach out recently saying the links to GSA’s CUI guidance stopped working.

Someone contacted GSA and was told the material had been flagged for internal review.

So right now the status of that guidance is very much a question mark.

It’ll be interesting to see whether GSA moves forward with the effort as originally presented.

When agencies try to implement requirements without formal rulemaking, sometimes somebody internally says:

“Hold on. Maybe we shouldn’t be doing this.”

We’ll see where it goes.

[13:33] Jacob

It’s funny.

We talked about the GSA issue months ago and it spread everywhere.

Now the guidance has disappeared for internal review.

While they’re doing reviews, maybe somebody could also look into why the FAR CUI rule is still missing after all these years.

Just a thought.

[13:53] Jacob

Let’s get into some audience questions.

First question:

Our prime says the November deadline is getting pushed back, so there’s no rush to become Level 2 certified. True or false?

I haven’t heard anything official about deadlines being pushed back.

So I can’t say that’s true.

What I can say is that I haven’t seen any official policy supporting that claim.

More importantly, even if a prime pushes a certification deadline, DFARS 7012 is still the actual obligation.

And that’s the part people keep forgetting.

[15:00] Jacob

We’ve said this a million times:

DFARS 7012 is still the obligation.

Even if a certification deadline gets moved by a prime contractor, the work required to implement NIST 800-171 and become compliant with 7012 is still there.

That’s the part that consumes all the time.

If a prime says November becomes March, or November becomes next year, that’s great. Everybody likes more time.

But don’t make the mistake of thinking:

“CMMC got delayed, so I don’t need to work on compliance yet.”

That’s like getting an extension on an assignment and deciding not to study.

The implementation work still has to happen eventually.

[15:45] Daniel

And there’s another thing to consider.

Your prime contractor may have told you that.

What about the other primes you work with?

Very few subcontractors support only a single prime contractor.

One prime may be telling you not to worry.

Another may be preparing to require certification by November.

We’re seeing different approaches across the Defense Industrial Base, and what one prime says does not automatically become the position of every other prime.

[16:24] Jacob

Wouldn’t that be nice?

If one prime made a decision and everyone else followed it, life would be a lot easier.

Unfortunately, that’s not how it works.

[16:35] Jacob

Next question:

How can contractors get assessment costs reimbursed under contracts?

Daniel, take this one.

[16:41] Daniel

The answer is pretty straightforward.

You raise your prices.

There is no reimbursement mechanism specifically for CMMC implementation or certification costs.

There isn’t a charge-back model where you submit your assessment invoice and get reimbursed.

Think about it like this:

Company A builds a widget and includes compliance costs in its pricing.

Company B builds the same widget but ignores compliance costs.

Historically, Company B often won because lowest-price technically acceptable contracting dominated many procurements.

Now that cybersecurity requirements are enforceable, organizations have to account for those costs.

Compliance becomes part of the cost of doing business.

[17:59] Jacob

The government’s position has always been that these costs belong in overhead.

Your DFARS 7012 implementation costs.

Your CMMC costs.

Your cybersecurity program costs.

Those aren’t intended to be separate reimbursable line items.

They’re expected to be reflected in your indirect rates and overhead structure.

If your rates don’t account for them, you’re going to absorb those costs yourself.

That’s particularly painful for subcontractors operating under fixed-price arrangements because margins are already tight.

But that’s not really a CMMC problem.

It’s a supply-chain pricing problem.

[19:22] Daniel

One thing I’d encourage prime contractors to think about is proper CUI scoping.

If you’re pushing CUI requirements farther down the supply chain than necessary, you’re increasing costs for everyone.

Every unnecessary compliance requirement adds cost.

Every unnecessary certification requirement adds cost.

If primes scope CUI correctly and only flow requirements where they’re truly needed, they’ll end up with a more competitive supply chain.

That’s good for everyone involved.

[20:45] Jacob

CashMax made a good point in the chat.

A lot of procurement teams seem to be behind the curve compared to security teams.

We’ve actually seen situations where supply-chain security teams drafted letters and sent them out without procurement being fully aligned.

Then the letters had to be corrected or withdrawn.

Large organizations have the same communication challenges as everyone else.

Sometimes the left hand doesn’t know what the right hand is doing.

[21:23] Jacob

Here’s a great question.

A defense-focused intellectual property law firm receives CUI from its defense contractor clients, but it doesn’t receive DFARS flow-down clauses.

Would that law firm be considered in scope for CMMC the same way an External Service Provider would be?

This is a really good question.

We’ve had versions of it come up repeatedly over the years.

[22:15] Daniel

Let’s start by looking at the External Service Provider definition.

The scoping guidance generally describes ESPs as organizations that provide technical services or security-related services supporting an organization’s environment.

Examples include:

Managed Service Providers.

Managed Security Service Providers.

Certain cloud-related service providers.

The intent of the guidance appears heavily focused on technology and security support functions.

A law firm clearly receives CUI.

But receiving CUI alone doesn’t automatically make an organization an ESP.

[24:52] Jacob

My gut reaction is that a law firm is not an ESP.

They’re not providing technical support services.

They’re not operating security controls.

They’re providing legal services.

The challenge comes from a broader argument that some people make:

“The requirements should follow the data.”

Okay.

But where exactly does that requirement come from?

If you’re talking about DFARS flow-down obligations, those generally rely on subcontract relationships.

A law firm isn’t necessarily functioning as a subcontractor under the contract.

That’s where things get murky.

[26:33] Daniel

One thing worth pointing out is that nothing prevents a law firm from voluntarily pursuing certification.

You don’t have to be a defense contractor or subcontractor to hire a C3PAO and undergo an assessment.

We’ve seen law firms do exactly that because their clients requested it.

In practice, many law firms are choosing to certify simply because it makes them easier to do business with.

I’ve never seen one of those firms describe itself as an ESP.

They’re typically pursuing certification independently rather than as an extension of a client’s environment.

[27:43] Jacob

I’ve actually asked people inside DoD about this.

The response I got was essentially:

“They receive CUI, so the requirements follow the data.”

My follow-up question was:

“Based on what authority?”

Because lawyers are going to ask exactly that question.

Where does the requirement actually come from?

What contractual mechanism applies?

What regulation specifically says it?

That’s where the conversation tends to get fuzzy.

Now, from a business standpoint, a law firm may decide certification is worthwhile anyway.

If one law firm says:

“We don’t technically have to certify.”

And another law firm says:

“We’re already certified.”

Which one is easier for a defense contractor to choose?

That’s probably the more practical question.

[29:13] Daniel

Exactly.

Even if certification isn’t explicitly required, many organizations will choose the certified option because it reduces uncertainty.

And if future rulemaking expands requirements to include additional support functions—legal, HR, outsourced services, and so on—those firms would already be positioned ahead of the curve.

There’s definitely a risk-management argument for doing it voluntarily.

[29:39] Jacob

Here’s the bigger question this discussion raises.

Are Defense Industrial Base organizations considered critical infrastructure because they’re part of the DIB?

Or are they considered critical infrastructure because they’re handling information covered by DFARS 7012?

If CIRCIA applies to the organization as a whole and not just the CUI enclave, that opens an entirely different set of questions about scope and reporting obligations.

And once you start asking whether support organizations that receive DIB information are also part of that ecosystem, the boundaries become much less clear than people think.

That’s going to be a fascinating conversation as CIRCIA continues moving forward.

[31:11] Jacob

Here’s a question I don’t think we’ve covered before.

How long does a company have to complete a reassessment after a significant change occurs?

Let’s assume we’ve already determined that a significant change happened.

The question isn’t whether it qualifies.

The question is:

How much time do you have before you need a reassessment?

Is it entirely at company discretion?

Is sooner always better?

What’s the actual expectation?

[31:37] Daniel

As far as the rule itself goes, there isn’t a specific timeline.

I don’t know of any requirement that says:

30 days.

90 days.

180 days.

Nothing like that exists today.

That said, if I’m thinking conservatively, I wouldn’t introduce a newly in-scope asset for processing, storing, or transmitting CUI until the reassessment had occurred.

For example, let’s use the DoD FAQ scenario involving wireless networking.

Imagine you were certified in an environment that didn’t use wireless.

Wireless-related controls were marked Not Applicable.

Now you decide to introduce wireless capability.

Those controls suddenly become applicable.

My assumption is that DoD would expect reassessment before you begin using that capability for CUI.

The challenge is that the guidance never explicitly says so.

[33:12] Jacob

That’s the real issue.

Nothing tells us whether:

90 days is acceptable.

180 days is acceptable.

12 months is acceptable.

What happens if I change MSPs a year before my certification expires?

What happens if I acquire another company?

What happens if I make a significant architecture change?

There’s no defined reassessment window.

And let’s be honest.

An organization could claim:

“We wanted a reassessment but couldn’t find an available C3PAO.”

There’s no central mechanism tracking assessment availability.

Now, if the DOJ starts asking questions later, that’s probably not a great defense.

But the point remains:

The rule doesn’t currently provide a hard deadline.

[34:50] Daniel

This ties into another question we get all the time.

Could an organization use an operational POA&M as a bridge?

Let’s go back to the wireless example.

Suppose I introduce wireless into an environment that was previously assessed without it.

I document the implementation work.

I follow change management procedures.

I place the activity on an operational POA&M.

Does that create a workaround for the significant-change problem?

That’s where things get complicated.

[35:35] Jacob

That’s basically the same loophole people exploited under DFARS 7012 for years.

The issue is that operational POA&Ms don’t have the same timelines as POA&Ms created during assessments.

We’re left with this strange gap where:

Significant changes exist.

Reassessments exist.

No timeline exists.

Until the rule is updated, organizations are largely operating on judgment and risk tolerance.

If DoD decides this is important enough, I expect it to show up in a future revision.

[36:32] Daniel

I can’t wait for your CMMC 3.0 prediction episode.

There are a lot of things I could see showing up.

Security Protection Data doesn’t feel like it’s done evolving.

I could see stronger requirements around MSPs and ESPs.

Obviously, Revision 3 of NIST 800-171 is coming eventually.

There are also unresolved issues around FedRAMP reciprocity and FedRAMP 20X.

There’s a lot for DoD to figure out.

[37:18] Jacob

The irony is that if the next revision had happened when originally planned, some of these issues could have been pushed farther down the road.

Instead, the bureaucracy delayed things long enough that now they’re going to have to deal with all of them at once.

Which is great for people like me because I enjoy talking about regulations.

I’m sure it’s significantly less enjoyable for the people writing them.

[37:37] Jacob

Next question:

Have you seen organizations pass a Level 2 assessment with only a single internal IT person handling everything?

Daniel?

[37:46] Daniel

Yes.

Ironically, in at least one case, that person doesn’t work there anymore.

They’re making substantially more money somewhere else now.

And honestly, that’s not surprising.

People who successfully carry an organization through CMMC compliance become very valuable.

[38:04] Daniel

We’ve absolutely seen it happen.

But it’s usually a herculean effort.

And the risk is obvious.

If all of that knowledge exists in one person’s head and that person leaves, you’ve created a major operational problem.

[38:22] Jacob

Exactly.

If you’ve got a “CMMC person” sitting quietly in the corner, don’t be surprised if someone else hires them.

The demand for experienced compliance professionals is only increasing.

[38:51] Daniel

We even saw a Reddit post recently where someone said:

“I was the receptionist, and now I’m responsible for CMMC.”

That’s becoming more common than people realize.

Organizations are assigning compliance responsibility to whoever is available and willing to take it on.

That can be a difficult position to be in.

[39:17] Jacob

Here’s another one.

A midsized manufacturer has been told by its prime contractor that it needs Level 2 certification.

Its environment is managed by a local MSP that has never done CMMC.

The company doesn’t want to lose the MSP.

What should they do?

[39:30] Daniel

We’re seeing this constantly.

Some MSPs are deciding they simply don’t want to participate in the defense market anymore.

Others originally promised CMMC support but later realized how much effort was involved.

Then they quietly back away.

In the last week alone, I’ve spoken with multiple organizations whose MSPs effectively said:

“Sorry, we’re no longer doing CMMC.”

That’s a terrible position for the customer because they thought they had a trusted partner.

Now they’re halfway through implementation and suddenly need a new strategy.

[41:13] Daniel

At that point, organizations often need someone to come in and evaluate what’s already been done.

The challenge is that inherited work isn’t always good work.

We’ve seen environments where major portions of the implementation were incomplete despite assurances that everything was on track.

You have to validate the quality of the work before you can move forward.

[41:53] Daniel

If you want to keep your MSP, there are really only a few options.

You can help fund the training and consulting they need to become capable.

You can accept the risk and move forward together.

Or you can build a separate enclave managed by someone with proven CMMC experience while allowing the MSP to continue supporting the rest of the environment.

We’ve seen all three approaches work.

[42:48] Jacob

Here’s a CIRCIA-related side note.

Under the proposed rule, if one of your third-party providers experiences a reportable cybersecurity incident, that could create reporting obligations for you.

That means MSP selection becomes even more important.

You’re not just trusting them with your systems.

You may eventually be affected by their incidents as well.

[43:18] Daniel

Another thing we’ve seen repeatedly:

Organizations rely on verbal assurances.

The MSP says:

“Don’t worry, we’ll handle CMMC.”

But nothing is documented.

Nothing is contractually committed.

Then later the MSP decides not to pursue certification or capability development.

Now the customer has no leverage.

Get those commitments in writing.

[44:02] Jacob

And regardless of who your MSP is, make sure you have a break-glass administrative account.

If your MSP disappears tomorrow, you need a way to maintain administrative control over your environment.

That’s not a regulatory requirement.

It’s just common sense.

[44:45] Jacob

Next question:

We need to add new tools to our Level 2 environment in order to pursue Level 3.

Does that create a Level 2 reassessment loop?

Interesting question.

[45:22] Daniel

If the change qualifies as a significant change, then potentially yes.

If you’re introducing new security protection assets or other components that materially change the assessed environment, I would expect reassessment to become part of the discussion.

Some organizations pursuing Level 3 have already decided they’ll reassess Level 2 before moving forward.

Part of the challenge is that significant-change guidance affects both levels.

[47:33] Jacob

The interesting wrinkle is that DIBCAC isn’t assessing your Level 2 certification.

They’re assessing Level 3.

But once you invite DIBCAC into your environment, they’re going to see everything.

Level 3 introduces a completely different set of considerations.

And frankly, we’re only beginning to see those questions emerge now that Level 3 is becoming more real.

[48:45] Jacob

Here’s an interesting one.

Our High-Level Organization changed in SPRS and SAM.gov following an acquisition.

The HLO no longer matches our CMMC Level 2 certificate, but the in-scope CAGE code and CMMC UID remain the same.

Is this a significant change that requires reassessment?

Daniel, what’s your first reaction?

[49:19] Daniel

My immediate reaction is no.

The way I’m reading this, the legal entity name changed, but the assessed environment did not.

The CAGE code is unchanged.

The CMMC UID is unchanged.

The assessed system appears unchanged.

This feels more like a DBA or administrative naming issue than a substantive change to the environment itself.

The biggest challenge may simply be explaining to people that the company name changed while the assessed environment remained the same.

[50:03] Jacob

I had a similar reaction.

This is one of those questions that initially sounds scary, but the more you think about it, the less concerning it becomes.

I’ll share a semi-official answer that a little birdie may or may not have provided.

The basic idea was this:

If the assessed environment remains unchanged and the in-scope CAGE code and CMMC UID remain unchanged, then the HLO mismatch is primarily an administrative issue.

The recommendation would be to:

Reconcile the information in SPRS and SAM.gov.

Notify the contracting officer as appropriate.

Maintain documentation showing the relationship between the entities.

Now, if the acquisition results in meaningful operational changes to the assessed environment, that’s a different conversation.

But a simple ownership or naming change by itself does not appear to trigger reassessment.

[51:10] Daniel

That’s reassuring because when I first saw the question, I immediately thought:

“Oh no, this is going to be complicated.”

But the more we unpack it, the more it looks like an administrative reconciliation issue rather than a technical one.

[51:31] Jacob

Next question:

When will NIST SP 800-171 Revision 3 replace Revision 2 in the CMMC assessment guides?

The answer is straightforward.

Revision 3 becomes the assessment baseline when the CMMC regulation itself is revised through rulemaking and updated to reference Revision 3.

Until that happens, Revision 2 remains the enforceable standard.

The sequence is:

The regulation changes.

The contract language changes.

The assessment guides change.

Organizations begin getting assessed against the new requirements.

We’re not skipping directly to Revision 3 before that process occurs.

[52:58] Daniel

Interestingly, I received an email from ISACA this week asking reviewers to participate in Revision 3-related training and curriculum development.

That suggests some of the groundwork is already underway.

But curriculum development isn’t the same thing as regulatory adoption.

Until the regulations change, organizations still need to focus on Revision 2.

[53:20] Jacob

Exactly.

The preparation work is happening.

The actual transition has not happened.

As always, when rulemaking moves forward, you’ll hear about it because we’ll make plenty of noise.

[53:27] Jacob

Next question:

What are your thoughts on CMMC Level 1 and FCI?

A lot of government contractors still don’t have these controls in place even though they’re already required under the FAR.

Daniel?

[53:45] Daniel

My opinion is pretty simple.

Organizations should already be doing this.

The Level 1 controls represent basic cyber hygiene.

In today’s environment, I’m honestly surprised that more commercial organizations don’t impose similar expectations on their supply chains.

You don’t want critical business operations depending on organizations that are barely maintaining minimum cybersecurity standards.

We’ve all seen examples.

My favorite story is still the organization that believed its server was secure because it was locked in an attic behind a door.

That was their cybersecurity strategy.

Those kinds of assumptions don’t hold up anymore.

[55:25] Jacob

I have a few opinions.

First, I think the FAR basic safeguarding clause is largely ineffective because there’s no meaningful verification mechanism.

It’s self-attestation.

And we’ve learned repeatedly that self-attestation alone doesn’t create reliable outcomes.

Second, it’s absurd that the FAR CUI rule still hasn’t arrived after all these years.

This is fundamentally a FAR issue.

It shouldn’t be falling entirely on DoD to solve.

Third, I think CMMC inherited a problem it wasn’t originally designed to solve.

Level 1 exists partly because the FAR Council failed to modernize and enforce its own requirements.

If the FAR Council had done its job years ago, DoD wouldn’t have had to absorb that responsibility through CMMC.

[56:58] Jacob

I’ve even suggested before that if policymakers wanted to reduce the size and cost of the CMMC program, one option would be removing Level 1 entirely.

A huge percentage of affected companies sit at that level.

The irony is that Level 1 creates substantial administrative overhead while addressing a problem that arguably should have been solved elsewhere.

My fourth opinion is a niche one.

FIPS 200 was written as a set of security objectives.

Then people started treating those objectives like they were security controls themselves.

That’s not how the framework was originally intended to work.

It’s one of those things that drives a very small number of us crazy.

[58:09] Jacob

Mr. Davis asks:

Is MFA required on firewalls and other internal network devices if access to those devices is only possible through a workstation or VPN that already requires MFA?

That’s a good question.

I don’t want to answer it off the top of my head because I remember there being nuances in the assessment objectives.

My instinct is that an MFA challenge occurring before privileged access may satisfy the intent, but I’d want to go back and verify the exact assessment guidance before giving a definitive answer.

Shoot me an email and I’ll follow up with a more precise response.

[59:05] Jacob

Another question:

Are CUI Assets and Security Protection Assets both evaluated against all 110 requirements in NIST 800-171?

Not exactly.

CUI Assets are evaluated against the full set of requirements.

Security Protection Assets are evaluated based on which controls are applicable to the function they’re performing.

For example:

Active Directory.

Entra ID.

Firewalls.

These may not have every single requirement applied in the same way as a system directly processing CUI.

Applicability matters.

[59:56] Jacob

Last question of the day.

When you talk about commercial off-the-shelf products being exempt from certain requirements, are you using the FAR definition of COTS?

Yes.

We’re using the FAR definition.

[1:00:11] Daniel

One thing that confuses people is the distinction between a commercial item and a COTS product.

Those aren’t the same thing.

A lot of defense contractors start with a commercial product and then modify it to satisfy government requirements.

Once those modifications occur, you may no longer qualify as COTS.

That’s where many organizations get tripped up.

[1:01:22] Jacob

All right, everybody.

That’s our hour.

If we didn’t get to your question today, we’ll add it to the queue.

You can always submit questions at cuihotline.org, leave a voicemail, comment on the video, or send us a message.

And as always:

Like.

Subscribe.

Tell your friends.

Tell your family.

Tell your pets.

Thanks for joining us, and we’ll see you next week. Have a good one, guys.