Governance, Risk, and Compliance (GRC)

Governance, Risk, and Compliance (GRC) is a holistic approach that enables organizations to navigate the complex web of regulations, risks, and internal policies effectively.

DFARS 252.204 7012 Explained: What Primes and Subs Must Do Before Accepting CUI

by

Illustration showing DFARS 252.204 7012 concepts with simple icons: a U.S. shield, a drone and naval vessel, a lock over documents, a NIST SP 800 171 badge, and a 72 hour incident reporting stopwatch.

DFARS 252.204‑7012 Explained (2026 Update): What Primes and Subs Must Do Before Accepting CUI

Bottom line: before a contractor accepts Controlled Unclassified Information (CUI) from DoD or a prime, DFARS 252.204‑7012 imposes concrete security, reporting, and cloud-handling duties—on both primes and subs—that must be in place first, not “as you go.” Non‑compliance risks contractual violations, bid ineligibility as CMMC phases in, and even False Claims Act exposure.

What DFARS 252.204‑7012 Actually Requires

DFARS 252.204‑7012 requires contractors to:

(1) Provide adequate security for Covered Defense Information (CDI/CUI);

(2) Implement NIST SP 800‑171;

(3) Report cyber incidents within 72 hours;

(4) Submit malware to DC3 if discovered;

(5) Preserve images/logs/data for forensic review;

(6) Flow down the entire clause to applicable subcontractors; and

(7) Use FedRAMP Moderate‑equivalent cloud services when CUI touches the cloud.

CDI/CUI defined. DFARS cross‑references the CUI Registry and includes Controlled Technical Information (CTI) and other protected categories provided by DoD or generated in performance and not intended for public release.

Read more

Share

Data Flow Mapping for CMMC Level 2 and Your Entire Compliance Strategy

by

A digital illustration showing a secure CUI data flow concept for CMMC Level 2. A central padlock with a U.S. flag design is surrounded by directional arrows connecting icons representing cloud storage, government systems, industry, and firewalls. A person sits at a workstation viewing a data flow diagram.

Data Flow Mapping for CMMC Level 2: Why Mapping CUI Flow Determines Your Entire Compliance Strategy

If you can’t see where Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) travel in your workflows, you can’t scope your obligations—period. This data flow mapping guide gives you a clear, repeatable way to map data flows, define system boundaries, and stop misclassification before it derails your contract.

Executive Summary

  • Controlling how CUI flows inside and outside your environment determines scope, architecture, tooling, and cost.
  • Design a focused CUI enclave so requirements only follow where CUI actually goes, reducing complexity and spend.
  • Document, enforce, and evidence approved flow paths to satisfy AC.L2-3.1.3 and pass a CMMC Level 2 assessment.

1. Introduction: Data Flow—the Most Underestimated Requirement

Organizations that pass CMMC Level 2 know exactly where CUI is allowed to go and can prove it never goes anywhere else. Information flow control is not just another checkbox—it shapes your boundary, controls, and cost.

2. What “Data Flow Control” Means in CMMC (AC.L2-3.1.3)

Control the flow of CUI in accordance with approved authorizations. Assessors expect to see:

  • Defined information flow control policies;
  • Defined enforcement mechanisms;
  • Designated sources and destinations for CUI;
  • Defined authorizations for CUI flow;
  • Consistent enforcement of those authorizations.

Read more

Share

CUI vs. FCI: What Every DoD Contractor Must Get Right Before Chasing CMMC

by

Minimalist illustration showing CUI vs FCI folders, a balanced scale labeled Level 1 and Level 2, and CMMC compliance icons referencing FAR 52.204 21 and DFARS 7012.

Why this article on CUI vs. FCI matters

If you’re a prime, a sub, or an overwhelmed SMB in the Defense Industrial Base (DIB), your CMMC journey starts with one decision: What data are we protecting – Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both? Get this wrong and everything downstream – scope, controls, budget, tools, even your chances at award – will be off. The good news: you can make this call with clear, objective criteria grounded in FAR 52.204‑21 (FCI) and 32 CFR Part 2002 (CUI), along with DoD and NIST guidance.

Quick CUI vs. FCI definitions (plain English)

  • FCI (Federal Contract Information)
    Information not intended for public release that the Government provides to you or that you generate under a Federal contract to deliver a product or service. If it’s on a public website or simple payment data, it’s not FCI. Think SOWs, deliverable drafts, CO emails, project plans. FCI invokes FAR 52.204‑21 and its 15 basic safeguards.
  • CUI (Controlled Unclassified Information)
    Unclassified information that Federal law/regulation/policy requires or permits safeguarding or limited dissemination. It is created or possessed by the Government, or by you for/on behalf of the Government. CUI is standardized under the government‑wide CUI Program and cataloged in the CUI Registry; DoD also maintains a DoD‑specific registry. In DoD contracts, CUI generally triggers DFARS 252.204‑7012 and NIST SP 800‑171 implementation.

Practical rule of thumb: If it’s just contract‑related but not public, it’s probably FCI. If a law/regulation/policy says it needs protection (e.g., export control, Controlled Technical Information (CTI), Personally Identifiable Information (PII) tied to a DoD purpose), it’s CUI – check the registry category and your contract.

Read more

Share

CMMC Certification in Texas: 2026 Compliance Guide for DoD Contractors

by

Minimalist illustration representing CMMC cybersecurity for Texas DoD contractors, featuring a CMMC shield with a lock over a Texas outline, simplified defense icons, and U.S. and Texas flags

CMMC Certification for Texas DoD Contractors: The 2026 Comprehensive Guide

Defense contractors in Texas face a rapidly changing compliance landscape as the Department of Defense (DoD) fully implements the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. With the final CMMC rule published on September 10, 2025, and enforcement already underway across new DoD solicitations, organizations that process Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must act quickly and decisively to ensure eligibility for future defense contracts.
[business.defense.gov]

This updated guide breaks down what CMMC is, what has changed, why Texas defense contractors must take action now, and how to prepare strategically.

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s unified cybersecurity standard designed to ensure that all contractors within the Defense Industrial Base (DIB) implement adequate safeguards to protect sensitive information. The standard integrates requirements from:

  • FAR 52.204‑21 (for handling FCI)
  • NIST SP 800‑171 Rev. 2 (for protecting CUI)
  • NIST SP 800‑172 (for advanced protection required under Level 3)

CMMC was created in response to persistent compromises of defense information across contractor systems.

Read more

Share

COTS in the CMMC Ecosystem: Where Contractors Get Burned

by

A large central padlock with a digital shield symbol, surrounded by military aircraft, cloud folders, shipping boxes, and FAR/DFARS compliance icons illustrating how COTS items, when paired with services or data handling, can quickly trigger FAR 52.204 21, DFARS 252.204 7012, and the associated CMMC and cybersecurity requirements in the defense supply chain.”

COTS in the CMMC Ecosystem: What’s In, What’s Out, and Where Contractors Get Burned

Why this topic matters

“COTS is exempt” gets repeated so often that many teams rely on it as a blanket pass. It isn’t. In DoD contracting, COTS has a precise definition in FAR 2.101, and certain DFARS cybersecurity clauses don’t apply to contracts solely for COTS—but mislabeling work or overlooking how data actually flows can still drag you under CMMC and DFARS obligations. Understanding where COTS really fits prevents over‑scoping (wasted spend) and under‑scoping (eligibility and FCA risk).

1) What “COTS” means (and what it doesn’t)

COTS (Commercially Available Off‑The‑Shelf) is a very specific status under federal acquisition rules—a commercial item sold in substantial quantities in the commercial marketplace and offered to the Government without modification, among other detailed conditions in FAR 2.101. If something is tweaked, custom‑configured, government‑unique, or bundled with non‑commercial services, it may stop being COTS. Many “we thought it was COTS” arguments fall apart when you check the definition.

Why it matters for cyber:

  • FAR 52.204‑21 (the Safeguarding Rule) applies when FCI is processed, stored, or transmitted—and is flowed down when subs may have FCI (except for pure COTS scenarios).
  • DFARS 252.204‑7012 (CUI/CDI clause) does not apply to contracts solely for COTS items, but if any performance involves CUI, 7012 comes back into play—including 72‑hour incident reporting and FedRAMP Moderate‑equivalent clouds. Misclassify work as COTS when CUI is present, and you’re out of compliance.

Read more

Share

Self‑Attestation vs. Validation: Why CMMC 2.0 Exists

by

The contrast between self attestation (checklist, minimal assurance) and validation (formal inspection, cybersecurity hardening).

Self‑Attestation vs. Validation: Why CMMC 2.0 Exists — And What It Means for Today’s Defense Contractors

For years, the Defense Industrial Base (DIB) ran on trust. Contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) would self‑attest that they followed required cybersecurity practices. But as nation‑states and criminal groups shifted tactics, that honor‑system model showed cracks—particularly among smaller, sub‑tier suppliers where much of the sensitive technical work happens. The Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) 2.0 to close the gap between “what we think we’re doing” and “what’s actually implemented.” CMMC formalizes validation—in some cases via third‑party assessors—so the DoD can verify protections before and during contract performance.

The program sits on two pillars:

  • Policy (32 CFR Part 170): establishes CMMC as the program of record (effective Dec. 16, 2024).
  • Contracting (DFARS amendments): phases CMMC requirements into solicitations and awards starting Nov. 10, 2025, with a multi‑year rollout.

Meanwhile, NIST SP 800‑171 Rev. 3 (May 2024) updated the underlying security requirements for protecting CUI, emphasizing clearer, more specific controls and the use of assessment procedures in 800‑171A.

In this article, I’m your plain‑language guide and advocate. My goal is to:

  • Demystify self‑attestation vs. validation, without jargon.
  • Encourage small and mid‑sized businesses: compliance is achievable—step by step.
  • Clarify how CMMC 2.0 actually works, who needs what, and when.
  • Guide you to a practical next step (a complimentary 15‑minute discovery call).

Read more

Share
Share
Share