Top 3 CMMC & CUI Management Questions Answered

Updated: Feb 12

Below is a Q&A with our Solutions Consultant, Jill Lawson regarding some of the top questions she comes across regarding CMMC & CUI management.


Q: Will CUI requirements change in the life of my contract?


A: CUI is a government created program that is governed by the DoD Instruction (DoDI) 5200.48: Controlled Unclassified Information. The DoDI 5200.48 was updated and released March 2020.


DoDI’s are routinely updated so ALWAYS read the fine print of each DD254, regardless of how routine it may seem. This is because the government, without notifying you, can change their guidance based upon the DoDI 5200.48 updates.


Here is an excellent article by NDIA that explains the DoDI 5200.48: https://www.ndia.org/policy/recent-posts/2020/3/16/dod-released-new-controlled-unclassified-information-instruction

Q: What business decisions will I need to make if there is a change with CUI management?


A: Business decisions will include:

  • The possibility of adding employees to manage CUI

  • Hardening cybersecurity within the company brick-and-mortar servers, plus remote devices

  • Hardening physical security

  • Creating multiple policies that will increase operational costs while raising the entire security competency of businesses in which you exchange money for deliverables.

Q: How can I mitigate financial, operational, and strategic consequences?


A:

  1. Understand that FCI, CUI, and the CMMC program has to evolve with the threats from adversaries so it has to continually change.

  2. Have access to trusted resources that monitor pending updates

  3. Continually grow best practices

  4. Actively seek efficiencies in CUI Management.

One of the best ways to mitigate risk is to partner with a company like ISOP that will help keep you informed of pending Federal statutory and regulatory CUI updates. ISOP provides expert, cost-effective, and timely Pre- Assessment Reviews on your implementation processes.