Controlled Unclassified Information (CUI) Compliance

Our second pre-recorded Q&A session with Max Aulakh talking about all things Cybersecurity Maturity Model Certification (CMMC) is now available here.

In this video, we’re still answering one of the questions asked by Donald during our last live webinar. Max will cover the details on clauses to protect Controlled Unclassified Information (CUI).

Don’t hesitate to send us your questions about DFARS, CMMC, NIST, and more. We’re here to help and provide quality information on these DoD-sponsored regulations, so you can stay in business and maintain your competitive edge as a part of the Defense Industrial Base (DIB).

Read the Transcript Here:
I have a job where the CUI clauses exist, but I will not house any of them. Do I still need to comply?
It depends on what you mean here when you say “do I still need to comply?” If that means that you need to comply with the contract, then the answer is “yes, absolutely!” It doesn’t matter if you have CUI or not; you have signed up, as a contract clause, to protect any information that you potentially may get. So the first short answer is “yes, you need to comply with the contract requirements, especially if your company has signed them.”

But what I believe Donald meant is whether he still needs to comply with the emerging Cybersecurity Maturity Model Certification (CMMC). The answer is “yes”, but you might have some time on your hands before it comes into full effect. Since the DoD is still in the stage of drafting the requirements for CMMC, we know what they might look like, and you will have to comply eventually.

So here is what I know and why I believe you will need to comply with CMMC, which is called an entity-level certification. Even though it’s not applicable to each program or to COTS products, at least not yet, as an entity-level certification it will potentially become mandatory for your business to comply with if you do work for the Department of Defense (DoD) as a prime or subcontractor.

AS9100 is an example of an entity-level certification. It has to deal with quality, and if you’re in construction, engineering, or manufacturing, you’re familiar with that one. Another example might be ISO 9001. You have to comply with those certifications because they are entity-level ones. The expectation is that CMMC will become another entity-level certification, and therefore mandatory.

So we have two different types of compliance: an industry-standard certification (the emerging CMMC is the perfect example of it) and compliance with the clauses. Today, if you’re signing contracts with the specific DFARS clauses, you have to comply with them, and you have to ensure that everybody who’s housing CUI, for instance your technology vendor, will have to comply with them as well.

In the near future, you will have to comply with the actual CMMC when it comes into full effect and becomes an industry-standard entity-level certification. It will be a required qualification for your business. You’ll be able to market it just like all other certifications, including the ISO 9000 family, AS9100, the ISO 27000 series, FedRAMP, etc. There are many similar certifications with different intent and regulation levels. CMMC is aimed at becoming a very similar type of program that you will have to acquire to stay in the game and be able to bid on new and existing contracts as a DoD sub or prime contractor.

So again, Donald, thank you so much for this question. Please feel free to send more of them to me or my team at Have a great day!