February 20, 2024

CMMC NOPE: Why You Don’t Need to be CMMC Compliant

Written by Chris Camejo
Program Assessment & Compliance

As a Cybersecurity Maturity Model Certification Registered Practitioner Organization (CMMC-RPO), TrustedSec fields many requests from organizations looking for help getting ready for the upcoming CMMC compliance requirements. Something that isn’t often talked about is how many organizations that handle government contracts or subcontracts, and are worried about the CMMC requirements, will not need to be compliant.

Who Does CMMC Apply To?

CMMC applies to two (2) specific types of information that already exist:

  1. Federal Contract Information (FCI)
  2. Controlled Unclassified Information (CUI)

CMMC will likely not apply to your organization if it is not storing, processing, and/or transmitting FCI or CUI today. The definitions of FCI and CUI, and methods for finding them, are covered later in this post.

Additionally, CMMC only applies to organizations that are contractors or subcontractors of the US Department of Defense (DOD). CMMC will likely not apply to organizations that are not doing any work for the DOD supply chain today. 

One exception to this is service providers. A service provider is an organization that may have access to, or affect the security of, FCI or CUI of another organization that is subject to CMMC compliance. They may find themselves in scope for CMMC compliance as well because of interactions with their customers. Examples include cloud service providers with customers that use the cloud platform to handle FCI or CUI, and managed service providers that have access to customer networks or systems that contain FCI or CUI.

What If We Want to Anyway?

Some organizations that are not defense contractors, or are defense contractors but are not currently handling CUI, may want to be prepared to bid on future DOD contracts with CMMC requirements. DOD will begin issuing RFQs and RFPs with CMMC clauses as part of the CMMC rollout once the regulation is finalized. Any organization may bid on these requests, but a contract cannot be awarded unless the bidder is CMMC compliant.

Because the CMMC requirements only apply to FCI and CUI, there is a sort of chicken-and-egg problem for contractors looking to break into this space. An organization cannot be given CUI until it has demonstrated it can protect CUI, but how can an organization demonstrate it is protecting CUI if it does not yet have any CUI to protect? In this scenario, TrustedSec recommends thinking through what types of CUI can reasonably be expected in future contracts and how the organization’s business processes will need to handle said CUI. A CMMC-ready environment can be built around these expectations so that it can be quickly adjusted and assessed once the final requirements are revealed during the RFP/RFQ bidding process.

What Are FCI and CUI?

Most of the inquiries TrustedSec receives are from organizations that are in the DOD supply chain who worry that they will lose government contracts once CMMC is rolled out. Many of these organizations can’t articulate what FCI and CUI they are currently handling or expect to handle under future contracts. Understanding FCI and CUI is essential for a defense contractor to know if they will have CMMC compliance obligations.

FCI and CUI are not new designations that were created as part of CMMC; they have both existed and been subject to security requirements since 2016. Any organization that will be subject to CMMC when it is rolled out should already be aware that it is handling FCI and CUI, and should be complying with the existing requirements for each of these information types.

FCI Defined

FCI is defined in FAR 4.1901 as “… information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.”

US Government contracts that involve handling FCI will include the specific (and lengthy) contract clause, FAR 52.204-21. This clause does three (3) things:

  1. Defines FCI and the other terms used in the clause.
  2. Lists 15 basic security safeguards the contractor must implement to protect the systems that handle FCI.
  3. Requires the entire clause to be included in any subcontracts. 

The 15 basic safeguards are relatively simple security requirements that every organization should have implemented as part of basic security best practices.

CUI Defined

CUI is defined in 32 CFR 2002.4(h) as “…information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency…”

As with FCI, contracts that involve handling CUI will include a specific contract clause. Some agencies have issued their own clauses, and work is underway on a broad clause that will apply across all federal contracts, but, as CMMC only applies to DOD contracts, we will focus exclusively on the DOD version of the clause. This clause is known as DFARS 252.204-7012 and does five (5) things:

  1. Defines the various terms used in the clause.
  2. Requires contractors to implement the security requirements in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171).
  3. Requires cloud providers to implement the cloud security controls in DFARS 252.204-7010.
  4. Requires reporting of cyber incidents and establishes requirements for forensic analysis.
  5. Requires the entire clause be included in any subcontracts.

Most organizations handling CUI will be subject to the requirements of NIST SP 800-171 under DFARS 252.204-7012. NIST SP 800-171 is a much more extensive set of requirements than the 15 basic safeguards for FCI and is based on specific controls adapted from NIST SP 800-53. NIST SP 800-171 is supported by assessment guidelines in NIST SP 800-171A.

Organizations that are subject to the NIST SP 800-171 requirements under DFARS 252.204-7012 will usually be subject to a few more associated contract clauses:

Once CMMC is finalized, a new DFARS 252.204-7021 clause that requires CMMC compliance will be created to replace DFARS 252.204-7012 clauses in future contracts.

Nonsense Contract Clauses

It is worth noting that there are many “fake” NIST SP 800-171 and CMMC contract clauses. These tend to show up for two (2) reasons:

  1. Overzealous contracting or legal personnel at defense contractors heard about these compliance requirements and include vague clauses like “you must be CMMC compliant” in every subcontract instead of taking the time to determine whether the compliance requirement is relevant or not.
  2. Organizations that have nothing to do with the defense industry hear that the US government has published a set of security requirements and, without taking the time to understand that the requirements are only relevant to certain types of organizations handling specific types of information, include clauses like “you must protect our data in accordance with NIST SP 800-171” instead of determining appropriate security requirements for the types of information they are sharing. State and local governments are notorious for taking this approach.

Only the FAR 52.204-21 (for FCI and the 15 basic safeguards) and DFARS 252.204-7012 (for DOD CUI and NIST SP 800-171) clauses impart real federal compliance obligations that are relevant to future CMMC compliance. Similarly, legitimate CMMC compliance requirements will be included in defense contracts via a new DFARS 252.204-7021 clause with specific language that must be passed down to subcontractors without change.

All supposed NIST SP 800-171 and CMMC clauses that do not contain the full text from DFARS should be treated as suspicious. An organization can usually determine just how poorly thought out these nonsense contract clauses are by asking what CUI is intended to be covered under the contract. The organization issuing the contract will often not be able to specify what CUI is covered and may not even know what CUI is. This is an obvious warning that there is no real federal compliance obligation imparted by the contract.

Here's an example of the level of absurdity that can be found in the contracting process. At the time this post was published (late February 2024), CMMC and its associated DFARS clause are still in their public comment phase and no contracts with real CMMC clauses have been issued by the DOD. The published CMMC draft makes it clear that the CMMC clauses will only be included in new contracts as part of a phased rollout after the rule is finalized. CMMC clauses will not magically appear in existing contracts, and there is no mechanism for CMMC requirements to retroactively apply to contractors operating under contracts signed prior to the CMMC rollout date. Despite this, TrustedSec has seen numerous contracts from major defense contractors (who have enough lawyers to know better) over the past year that contain generic CMMC compliance clauses.

TrustedSec advises against signing contracts with nonsense clauses and instead working with the other party to have the clauses removed from the contract if there is no FCI or CUI, or have the clauses updated to the appropriate legitimate FAR and DFARS clauses if FCI or CUI will be handled.

Where is the FCI and CUI?

If your organization already has a robust compliance program for handling FCI and CUI in accordance with the 15 basic safeguards and the NIST SP 800-171 security requirements, then you will likely have a good handle on the presence and location of this information within your environment. Other organizations that are just realizing that they have been blissfully unaware of the handling requirements for the information they may already possess or are still unsure if they are handling FCI or CUI may need help determining where this information is.

The first step is to review existing contracts for the FAR 52.204-21, DFARS 252.204-7012 and/or (if you’re reading this after the CMMC rollout has begun) DFARS 252.204-7021 clauses. If none of the current contracts have these clauses, then it is unlikely the organization will be subject to CMMC compliance, at least without taking on new contracts. RFQs, RFPs, and contracts with DFARS 252.204-7012 or 252.204-7021 clauses should describe the CUI that will be handled under the contract. When in doubt, ask the organization that issued the contract or subcontract what CUI is covered under the contract. 

An organization that believes CUI is in their environment but is unsure of where it is can also search the environment for CUI. There are specific labeling requirements for CUI that can make it easy to search for this information. The DOD publishes a CUI Marking training aid that provides a good overview of what the organization can search for. Documents containing CUI should already have these markings when they are received from third-parties, and organizations that are creating CUI must include these markings on all new documents that contain CUI.
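The two checks described above, reviewing contracts for the FAR 52.204-21, DFARS 252.204-7012 and DFARS 252.204-7021 clauses and searching documents for CUI markings, can be scripted for a first pass over a file share. The following is an added example, not TrustedSec's code or tooling. The clause identifiers are the ones named in this post; the banner pattern (a "CUI" or "CONTROLLED" line, optionally followed by "//"-separated category or dissemination markers such as "CUI//SP-CTI", plus a "Controlled by:" designation line) is an assumption that should be checked against the DOD CUI Marking aid; the sample documents are constructed.

```python
"""Scan documents for FAR/DFARS clause references and CUI banner markings.

Added example, not TrustedSec's code. Assumptions (labelled):
  * Clause identifiers are the ones named in the post: FAR 52.204-21,
    DFARS 252.204-7012 and DFARS 252.204-7021.
  * A banner line is "CUI" or "CONTROLLED" on its own line, optionally followed
    by "//"-separated markers (e.g. "CUI//SP-CTI"); a designation indicator line
    starts with "Controlled by:". Verify these against the DOD CUI Marking aid.
  * The sample documents below are constructed for this example.
"""
import re
from pathlib import Path

CLAUSE_PATTERNS = {
    "FAR 52.204-21": re.compile(r"\b(?:FAR\s+)?52\.204-21\b", re.IGNORECASE),
    "DFARS 252.204-7012": re.compile(r"\b(?:DFARS\s+)?252\.204-7012\b", re.IGNORECASE),
    "DFARS 252.204-7021": re.compile(r"\b(?:DFARS\s+)?252\.204-7021\b", re.IGNORECASE),
}
# Generic "be CMMC compliant" / "follow NIST SP 800-171" wording with no clause id.
GENERIC_RE = re.compile(r"\bCMMC\b|NIST\s+SP\s+800-171", re.IGNORECASE)
# [ \t]* rather than \s* so a match never spans more than one line.
BANNER_RE = re.compile(r"^[ \t]*(?:CUI|CONTROLLED)(?://[A-Z0-9 ,/\-]+)?[ \t]*$", re.MULTILINE)
CONTROLLED_BY_RE = re.compile(r"^[ \t]*Controlled by:[ \t]*\S.*$", re.MULTILINE)


def find_clause_references(text):
    """Return the legitimate clause identifiers cited in the text, in a fixed order."""
    return [name for name, pattern in CLAUSE_PATTERNS.items() if pattern.search(text)]


def assess_clauses(text):
    """'legitimate' if a real FAR/DFARS clause id is cited, 'suspicious' if the text
    mentions CMMC or NIST SP 800-171 without one, otherwise 'none'."""
    if find_clause_references(text):
        return "legitimate"
    if GENERIC_RE.search(text):
        return "suspicious"
    return "none"


def find_cui_markings(text):
    """Return unique banner and designation-indicator lines in order of appearance."""
    matches = list(BANNER_RE.finditer(text)) + list(CONTROLLED_BY_RE.finditer(text))
    found = []
    for match in sorted(matches, key=lambda m: m.start()):
        line = match.group(0).strip()
        if line not in found:
            found.append(line)
    return found


def classify_document(text):
    """Summarise what a document tells us about FCI/CUI obligations."""
    markings = find_cui_markings(text)
    return {
        "clauses": find_clause_references(text),
        "clause_assessment": assess_clauses(text),
        "cui_markings": markings,
        "likely_cui": bool(markings),
    }


def scan_directory(root, suffixes=(".txt", ".md")):
    """Classify every text-like file under root (binary formats need extraction first)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            results[str(path)] = classify_document(path.read_text(errors="replace"))
    return results


# Constructed sample documents.
SAMPLE_SUBCONTRACT = """Subcontract Agreement (constructed sample)
The Subcontractor shall comply with FAR 52.204-21, Basic Safeguarding of
Covered Contractor Information Systems, and with DFARS 252.204-7012.
The CUI covered under this subcontract is described in Attachment A.
"""
SAMPLE_NONSENSE = """Vendor Agreement (constructed sample)
Vendor must be CMMC compliant and must protect our data in accordance with
NIST SP 800-171 at all times.
"""
SAMPLE_CUI_DOC = """CUI//SP-CTI
Controlled by: Example Program Office (constructed)
Drawing notes for the constructed widget assembly.
CUI//SP-CTI
"""

if __name__ == "__main__":
    for label, doc in [("subcontract", SAMPLE_SUBCONTRACT),
                       ("vendor agreement", SAMPLE_NONSENSE),
                       ("marked document", SAMPLE_CUI_DOC)]:
        print(label, classify_document(doc))
```

A "suspicious" result is the cue the post describes: go back to the issuing organization and ask what CUI the contract is meant to cover. A "none" result for a document that nonetheless carries CUI markings means the markings, not the contract language, are what need to be traced back to a contract.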

Moving Up to CMMC

If you’ve found contracts with legitimate FAR 52.204-21 and/or DFARS 252.204-7012 clauses and have FCI and/or CUI in your environment, then you will need to implement CMMC when the rule becomes finalized to be awarded future defense contracts. 

The CMMC requirements are divided into three (3) levels, each of which is based on another set of security requirements that already exists:

  • CMMC Level 1 covers FCI and consists of the 15 basic safeguards from FAR 52.204-21.
  • CMMC Level 2 covers CUI and consists of the security requirements in NIST SP 800-171.
  • CMMC Level 3 covers specific types of CUI (indicated in contracts) and consists of the security requirements in NIST SP 800-172.

Organizations that will fall in scope for CMMC but have not implemented the 15 safeguards from FAR 52.204-21 or the NIST SP 800-171 requirements should immediately begin implementing those programs, both as a stepping stone to CMMC and because they have been required for years, likely putting an organization that has not implemented them in breach of its current contracts.

Because of the CMMC overlap with the 15 basic safeguards and NIST SP 800-171, organizations that are already handling FCI and CUI in accordance with these requirements should have little difficulty transitioning to CMMC except for two (2) significant changes:

  1. The scope of CMMC is broader than NIST SP 800-171.
  2. The CMMC Level 3 requirements were not previously required in any contract.

The scope definition undergoes a major change when moving from a NIST SP 800-171 program to CMMC. Under a DFARS 252.204-7012 clause, NIST SP 800-171 only applies to the systems that store, process, or transmit CUI. Under CMMC Level 2, the NIST SP 800-171 requirements will also apply to systems that can connect to or affect the security of the systems that store, process, or transmit CUI. This change can result in many systems within an organization that were out of scope for NIST SP 800-171 being dragged into scope for CMMC, which results in increased costs and frustration as unrelated systems become subject to compliance obligations unnecessarily. Organizations should review their business processes and network architecture to limit the scope of CMMC and minimize the impact of a transition from NIST SP 800-171 to CMMC by isolating assets that handle CUI from other unrelated assets.
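The scope difference described above can be made concrete by running both definitions over an asset inventory and seeing what segmentation removes. The following is an added example, not TrustedSec's method or tooling. It models "can connect to" as a direct allowed network flow in either direction (one hop only; a real analysis would also follow transitive paths), models "affects the security of" as an explicit provider/protected-asset pair such as a domain controller or SIEM serving a CUI system, and uses a constructed inventory.

```python
"""Compare NIST SP 800-171 scope with CMMC Level 2 scope over an asset inventory.

Added example, not TrustedSec's code. Modelling assumptions (labelled):
  * "can connect to" = a direct allowed network flow in either direction (one hop);
  * "affects the security of" = an explicit (provider, protected asset) pair;
  * the inventory, flows and security services below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    handles_cui: bool = False  # stores, processes or transmits CUI


def nist_800_171_scope(assets):
    """Under DFARS 252.204-7012 only the systems that handle CUI are in scope."""
    return {a.name for a in assets if a.handles_cui}


def cmmc_level2_scope(assets, flows, security_services):
    """CMMC Level 2 adds systems that can connect to, or affect the security of, CUI systems."""
    cui = nist_800_171_scope(assets)
    in_scope = set(cui)
    for src, dst in flows:  # anything with an allowed flow to or from a CUI asset
        if src in cui:
            in_scope.add(dst)
        if dst in cui:
            in_scope.add(src)
    for provider, protected in security_services:  # anything that affects a CUI asset's security
        if protected in cui:
            in_scope.add(provider)
    return in_scope


def apply_segmentation(flows, enclave, allowed_cross_flows=()):
    """Drop flows that cross the enclave boundary unless explicitly allowed."""
    allowed = set(allowed_cross_flows)
    kept = []
    for src, dst in flows:
        crosses = (src in enclave) != (dst in enclave)
        if not crosses or (src, dst) in allowed:
            kept.append((src, dst))
    return kept


def scope_growth(assets, flows, security_services):
    """Assets that CMMC pulls into scope beyond the NIST SP 800-171 scope, sorted."""
    return sorted(cmmc_level2_scope(assets, flows, security_services) - nist_800_171_scope(assets))


# Constructed inventory: an engineering enclave plus unrelated corporate systems.
INVENTORY = [
    Asset("eng-fileserver", handles_cui=True),
    Asset("eng-workstation-1", handles_cui=True),
    Asset("hr-workstation"),
    Asset("marketing-web"),
    Asset("corp-dc"),
    Asset("siem"),
]
# Constructed allowed flows on a flat network (no internal segmentation).
FLAT_FLOWS = [
    ("eng-workstation-1", "eng-fileserver"),
    ("hr-workstation", "eng-fileserver"),
    ("hr-workstation", "marketing-web"),
    ("corp-dc", "eng-workstation-1"),
    ("corp-dc", "hr-workstation"),
]
# Constructed (provider, protected asset) pairs.
SECURITY_SERVICES = [
    ("corp-dc", "eng-workstation-1"),
    ("corp-dc", "hr-workstation"),
    ("siem", "eng-fileserver"),
]

if __name__ == "__main__":
    enclave = nist_800_171_scope(INVENTORY)
    print("NIST SP 800-171 scope:", sorted(enclave))
    print("CMMC growth, flat network:", scope_growth(INVENTORY, FLAT_FLOWS, SECURITY_SERVICES))
    segmented = apply_segmentation(FLAT_FLOWS, enclave, [("corp-dc", "eng-workstation-1")])
    print("CMMC growth, segmented:", scope_growth(INVENTORY, segmented, SECURITY_SERVICES))
```

On the flat network the HR workstation lands in CMMC scope purely because nothing stops it reaching the engineering file server; after segmentation only the assets that genuinely serve the enclave (the domain controller and the SIEM) remain, which is the kind of reduction the architecture review is meant to find.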

CMMC Level 3 requirements are expected to be limited to certain highly sensitive types of CUI. The Level 3 requirements are based on the existing NIST SP 800-172 requirements, but there are currently no FAR or DFARS clauses that require their implementation, so almost no organizations have implemented these controls. Organizations that expect to be subject to CMMC Level 3 requirements will need to be prepared to add these new controls to their existing NIST SP 800-171 program.

Organizations in the DOD supply chain that handle FCI and/or CUI need to be ready for the CMMC rollout. TrustedSec is available to help organizations prepare for CMMC, whether they have existing FAR 52.204-21 and NIST SP 800-171 programs or they are starting from scratch to meet future CMMC obligations, by assessing their current compliance status, making recommendations for addressing compliance gaps, and assisting with the remediation of compliance gaps. TrustedSec specializes in helping organizations understand the scope of their compliance obligations and working to reduce the cost and effort required to achieve CMMC compliance by analyzing and recommending adjustments to business processes and network architecture that will minimize the scope and impact of CMMC within the environment.