ECURON

GSA’s New CUI Requirements: What CMMC Contractors Need to Know

admin — Mon, 18 May 2026 18:21:48 +0000

GSA’s New CUI Requirements: What CMMC Contractors Need to Know

Published: May 18, 2026

On January 5, 2026, the U.S. General Services Administration (GSA) signed Revision 1 of an internal IT security procedural guide titled Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process — document number CIO-IT Security-21-112. The guide establishes a formal, evidence-based approval process for civilian contractors whose systems process, store, or transmit GSA Controlled Unclassified Information (CUI), built on a different NIST baseline than the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program.

There was no press release. No Federal Register notice. No notice-and-comment rulemaking. No contractor awareness campaign. For weeks after it was signed, the document existed in the way most agency procedural guides exist — as a PDF on a website, findable if you knew to look for it.

Then law firms started noticing.

By early February, Davis Wright Tremaine, Blank Rome, Ward & Berry, Robinson+Cole, and others had published client alerts flagging the document as a meaningful shift in GSA CUI requirements, in how GSA evaluates contractor cybersecurity. Washington Technology ran an opinion piece making the same point bluntly: the document did not go through traditional rulemaking, was not accompanied by press releases or agency outreach, and as a result many contractors remained unaware it existed.

That is still true today. So let us try to fix it.

This article explains what changed, why it matters specifically for contractors who already hold or are pursuing CMMC Level 2 certification, and where the budget and timeline pressure hits.

This blog post covers:

What Is CIO-IT Security-21-112 Rev. 1?
Why This Is Not Just “CMMC, but at GSA”
What Are the Differences That Will Actually Consume Budget?
What Can You Reuse If You Are Already CMMC Level 2?
What CMMC Does Not Prepare You For
What Should You Do This Quarter?
Frequently Asked Questions

What Is CIO-IT Security-21-112 Rev. 1?

CIO-IT Security-21-112 Rev. 1 is a GSA procedural guide that establishes a five-phase approval process for nonfederal contractor systems that handle GSA CUI. It applies to systems that process, store, or transmit GSA CUI — provided the contractor is not operating or maintaining that system on behalf of a federal agency, which would route to FISMA and FedRAMP instead.

The five phases — Prepare, Document, Assess, Authorize, Monitor — are derived from the NIST Risk Management Framework (RMF) and adapted for contractor environments.

The technical baseline is:

NIST SP 800-171 Revision 3 for security requirements
NIST SP 800-172 Revision 3 for selected enhanced requirements
NIST SP 800-53 Revision 5 for selected privacy controls (where PII is in scope)

The outcome of a successful path through the five phases is a Memorandum for Record (MFR) signed by the GSA Chief Information Security Officer (CISO) — not an Authority to Operate in the traditional NIST SP 800-37 sense, but functionally an approval that the contractor’s system is acceptable for handling GSA CUI.

This is not a regulation. It is internal agency guidance. But its practical effect is the same: contractors must comply to remain eligible for GSA contracts involving CUI. Contracting officers can apply it immediately to new solicitations, and GSA has not provided a transition period.

Why This Is Not Just “CMMC, but at GSA”

If you read the document expecting a civilian version of CMMC, you will misread it. The differences run deeper than the agency name on the cover page.

Different NIST baseline. CMMC Level 2 assesses against NIST SP 800-171 Revision 2 — 110 requirements organized across 14 families. The DoD made an explicit choice to hold CMMC at Revision 2 even after Revision 3 was published, because Revision 3 dropped during CMMC’s ramp-up and DoD did not want to move the goalposts mid-program. GSA made the opposite choice. CIO-IT Security-21-112 Rev. 1 is built on Revision 3, which restructured, consolidated, and in some cases removed Revision 2 requirements. The result: a System Security Plan (SSP) written for CMMC cannot simply be relabeled for GSA. The requirement identifiers are different. Some requirements have been merged. Many new Organizationally Defined Parameters (ODPs) need explicit assignment in the GSA System Security and Privacy Plan (SSPP) that did not exist in the CMMC version.

Different outcome model. CMMC produces a point score — 88 out of 110 minimum for Conditional, 110 for Final — entered into the Supplier Performance Risk System (SPRS), with a Certificate of CMMC Status valid for three years. GSA produces a binary judgment from the CISO based on a documentation package and an independent assessor’s report. There is no score. There is no certificate. There is the MFR, tied to the specific system offering, not portable to other GSA work.

Different timeline posture. CMMC has a phased rollout running through 2028. GSA’s guide contains no transition period. Contracting officers can apply it immediately.

No reciprocity. The GSA document does not mention CMMC. It does not mention reciprocity. It does not mention the DoD assessment ecosystem. The independent assessor must be a FedRAMP-accredited Third-Party Assessment Organization (3PAO) or an assessment organization specifically approved by GSA’s Office of the Chief Information Security Officer (OCISO) — and as of this writing, GSA has not published the criteria for that second path or a list of accepted assessors outside the FedRAMP ecosystem.

What Are the Differences That Will Actually Consume Budget?

The NIST SP 800-171 version mismatch of is the conceptually largest difference. The differences below are the ones that will eat hours.

One-Hour Incident Reporting

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 — the clause CMMC contractors operate under — gives a contractor 72 hours from discovery to report a cyber incident via DIBNet. GSA’s guide requires reporting to the GSA Incident Response team, the Information System Security Officer (ISSO), the Information System Security Manager (ISSM), and the Contracting Officer’s Representative (COR) within one hour of identification by the contractor’s Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or IT department.

The guide is explicit: do not delay reporting to collect additional details.

A DoD-tuned incident response playbook built around 72-hour triage will not satisfy GSA without rework. Plan a tabletop exercise. Plan an on-call rotation that can credibly produce a notification inside one hour.

Nine Showstoppers, No POA&M

Appendix C of the GSA guide lists nine specific NIST SP 800-171 Rev. 3 requirements that must be fully implemented before approval:

Access enforcement
Remote access
Multi-factor authentication
Vulnerability monitoring
Boundary protection
Transmission and storage confidentiality
Cryptographic protection
Flaw remediation
Unsupported system components

CMMC has a broader list of requirements weighted at 5 points that cannot be addressed through a Plan of Action and Milestones (POA&M), but two of GSA’s showstoppers — vulnerability monitoring and unsupported system components — are treated less strictly in CMMC scoring. CMMC-certified contractors with weak posture in those two areas need to know that ahead of the GSA assessment, not during it.

Continuous Monitoring on GSA’s Calendar

GSA imposes a specific deliverable cadence tied to the federal fiscal year:

Quarterly: Vulnerability scan reports and POA&M updates due the last workday of November, February, May, and August
Annually: SSPP refresh, Privacy Threshold Assessment (PTA) / Privacy Impact Assessment (PIA) refresh, and recommended penetration testing due the last workday of July
Every three years: Full independent reassessment

CMMC requires an annual senior-executive affirmation and reassessment every three years — but it does not specify quarterly deliverable formats on calendar deadlines. The administrative overhead of running GSA’s continuous monitoring cadence in parallel with CMMC’s affirmation cycle is non-trivial and should be staffed accordingly.

Documentation Rework

The GSA SSPP template, Architecture Review Checklist, Integrated Inventory / Leveraged & External Services Workbook, Privacy Threshold Assessment, Privacy Impact Assessment (conditional), and Supply Chain Risk Management Plan are GSA-specific deliverables. Most CMMC-aligned content can be repurposed, but the rewrite is real.

GSA’s Appendix E sets explicit style expectations — active voice, full who/what/when/where/how narrative, no copy-pasted boilerplate, no “such as” without specifics, no document citations without title, version, date, and section. CMMC SSPs that lean on policy citations will need real implementation prose.

A New Privacy Stack

CMMC has no privacy analog. GSA requires a Privacy Threshold Assessment in every case, plus a Privacy Impact Assessment if Personally Identifiable Information (PII) is in scope. Both have GSA-specific templates and route through the GSA Chief Privacy Officer.

What Can You Reuse If You Are Already CMMC Level 2?

The picture is not entirely additive. A CMMC-certified contractor has a meaningful head start.

Implementation narratives at the technical level. Most of what you wrote for CMMC describes the same requirement universe, even if the numbering changed between Revision 2 and Revision 3.

Architecture diagrams. These will need enrichment to meet GSA’s eight-item checklist — predominant border, ingress/egress detail, FedRAMP-authorization status of leveraged services, prohibited-vendor declaration, authentication-points-with-MFA labeling, and a ports/protocols table with eight specific columns — but the foundational diagrams exist.

Scan reports. If recent and authenticated, these carry forward.

Inventory data. Reformatting into GSA’s workbook structure is required, but the underlying asset data should already be documented.

Your Certified Third-Party Assessor Organization (C3PAO) relationship. If your C3PAO is also FedRAMP-accredited, they may be able to perform the GSA-aligned assessment as well. Many are. Confirm in writing.

A FedRAMP-authorized cloud underlay. GSA explicitly treats FedRAMP-authorized Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) more favorably. Non-FedRAMP-authorized cloud services route through a case-by-case GSA risk evaluation.

What CMMC Does Not Prepare You For

Even with a strong CMMC foundation, several GSA requirements will be new:

A two-stage SSPP submission cycle. GSA requires CISO concurrence twice — once on architecture and showstoppers, once on the complete SSPP — before the independent assessment can begin.
A signed Security Assessment Plan from GSA before any testing starts. Assessments performed without GSA’s signed plan are at risk of being rejected.
The privacy deliverables and the Supply Chain Risk Management Plan. These have no CMMC equivalent.
The quarterly continuous monitoring deliverable rhythm. CMMC’s annual affirmation does not prepare you for GSA’s calendar-driven reporting cadence.
The one-hour incident reporting clock. Moving from 72 hours to one hour is not a procedural adjustment. It is an operational redesign.

What Should You Do This Quarter?

If you hold a GSA contract or are pursuing one that may involve CUI, these steps apply now.

Confirm applicability. Ask your contracting officer whether they intend to apply CIO-IT Security-21-112 Rev. 1. Do not assume. The guide is procedural, not regulatory, so application is discretionary at the contract level.
Read Appendix C. Nine showstopper items. Know whether you can pass all nine today.
Update your incident response playbook. Build a one-hour reporting branch for GSA engagements. Run a tabletop exercise within 30 days.
Inventory your CMMC artifacts against GSA’s deliverable list. Decide what gets rewritten, what gets reformatted, and what gets built new.
Talk to your C3PAO. Determine whether they will perform a GSA-aligned assessment as well, and what evidence reuse is available.

The story of this document is not that GSA introduced something contractors could not have predicted. The technical baseline is NIST SP 800-171, which contractors have been working with for years. The story is that it landed without notice — and the contractors who are best positioned to comply are the ones who find out earliest and budget accordingly.

If you missed the announcement, you were not paying poor attention. There was not one.

Frequently Asked Questions

What is CIO-IT Security-21-112?

CIO-IT Security-21-112 Rev. 1 is a GSA procedural guide signed January 5, 2026, that establishes a five-phase approval process for contractor systems handling GSA CUI. It requires contractors to demonstrate compliance with NIST SP 800-171 Revision 3, selected NIST SP 800-172 requirements, and where applicable, NIST SP 800-53 privacy controls. The outcome is a Memorandum for Record from the GSA CISO approving the system.

Does CIO-IT Security-21-112 apply to all GSA contractors?

No. It applies only to nonfederal contractor systems that process, store, or transmit GSA CUI — and only when specifically incorporated into a solicitation or contract. Contracting officers can apply it at their discretion. If your GSA contract does not involve CUI, this guide does not apply.

Does CMMC certification satisfy GSA’s CUI requirements?

No. GSA’s guide does not mention CMMC, reciprocity, or the DoD assessment ecosystem. CMMC Level 2 is built on NIST SP 800-171 Revision 2. GSA’s framework is built on Revision 3. A CMMC certification does not substitute for the GSA approval process, though much of your underlying work can be reused.

What is the biggest difference between CMMC and GSA’s CUI framework?

Several differences matter, but the most operationally disruptive are the one-hour incident reporting requirement (versus CMMC’s 72-hour window under DFARS 252.204-7012), the nine showstopper requirements that cannot be addressed through a POA&M, and the quarterly continuous monitoring deliverable cadence.

Who can perform the independent assessment for GSA?

A FedRAMP-accredited 3PAO or an assessment organization specifically approved by GSA OCISO. As of this writing, GSA has not published approval criteria or a list of accepted assessors outside the FedRAMP ecosystem. If your C3PAO is also FedRAMP-accredited, they may qualify. Confirm directly.

Is there a transition period for GSA’s CUI requirements?

No. Unlike CMMC, which has a phased rollout through 2028, GSA’s guide contains no transition period. Contracting officers can incorporate it into new solicitations immediately.

Does GSA’s framework affect DoD contractors?

Not directly. CIO-IT Security-21-112 applies to GSA contracts specifically. However, contractors who hold both GSA and DoD contracts involving CUI will need to maintain compliance with both frameworks simultaneously — against different NIST baselines, with different assessment processes, and on different reporting schedules.

What should I do first if this applies to my organization?

Confirm with your contracting officer whether CIO-IT Security-21-112 Rev. 1 will be incorporated into your contract. Then read Appendix C to determine whether you can meet all nine showstopper requirements today. These two steps will tell you the scale of effort required.

Where Ecuron Can Help

Understanding how these two frameworks interact — and where the gaps are between CMMC readiness and GSA approval — requires more than a checklist. It requires understanding how information flows through your environment, which systems are in scope for each framework, and where your documentation and evidence need to be extended rather than duplicated.

Scoping is the foundation. You cannot evaluate your readiness against GSA’s requirements until you understand where CUI lives in your environment and which systems are in scope for each framework. If you also hold DoD contracts, the scoping boundaries may differ — and getting that wrong creates compliance gaps in both directions.

If you hold or pursue contracts with both DoD and GSA, contact us at cmmc@ecuron.com to discuss how your current CMMC posture maps to GSA’s requirements and where the real gaps are likely to be.

Ecuron is a Registered Provider Organization (RPO) authorized by the Cyber AB to provide CMMC consulting services. Our recommendations are based entirely on what your organization needs — we do not sell or resell any tools or services. Learn more about our 5-step methodology for CMMC certification preparation.

NIST SP 800-172 Revision 3 Is Final: What It Means for CMMC Level 2 and Level 3

admin — Sat, 16 May 2026 19:44:37 +0000

NIST SP 800-172 Revision 3 Is Final: What It Means for CMMC Level 2 and Level 3

Published: May 15, 2026

NIST SP 800-172 Revision 3 is the updated set of enhanced security requirements for protecting Controlled Unclassified Information (CUI) associated with critical programs and high-value assets. Published on May 13, 2026, it replaces the original SP 800-172 from February 2021 and significantly expands the scope and scale of requirements that may eventually form the basis for a revised CMMC Level 3.

This matters for every defense contractor tracking the Cybersecurity Maturity Model Certification (CMMC) program — not just those pursuing Level 3. Today’s publication completes the set of revised NIST baselines that the Department of Defense (DoD) would need to update CMMC through rulemaking. That has implications for Level 2 contractors as well.

This article explains what changed, what it means for CMMC, and what defense contractors should be doing now.

What Is NIST SP 800-172?

NIST SP 800-172 provides enhanced security requirements designed to supplement NIST SP 800-171. While SP 800-171 establishes the baseline for protecting CUI in nonfederal systems, SP 800-172 adds requirements specifically intended to defend against Advanced Persistent Threats (APTs) — sophisticated, nation-state-level cyber threats targeting CUI associated with critical programs or high-value assets.

Under the current CMMC framework, codified in 32 CFR Part 170, the DoD selected 24 of the original 39 SP 800-172 requirements as the basis for CMMC Level 3 certification. Level 3 assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and apply to fewer than 1% of defense contractors in the Defense Industrial Base (DIB).

NIST also published SP 800-172A Revision 3 alongside the main publication. SP 800-172A provides the assessment procedures used to evaluate whether organizations have effectively implemented the enhanced requirements. Both publications are available on the NIST Computer Security Resource Center:

What Changed in Revision 3?

The scope of this revision is significant.

The original SP 800-172 (February 2021) contained 39 enhanced security requirements focused on protecting the confidentiality of CUI. Revision 3 expands the framework to cover confidentiality, integrity, and availability — a fundamental shift in scope. Early analysis from the community suggests the requirement count has grown to approximately 115, with roughly 80 of those being new.

If those numbers hold, this is closer to a redesign than a revision.

The revision also introduces a substantial number of new Organizationally Defined Parameters (ODPs), which allow organizations and agencies to tailor certain requirements to their specific environments. The assessment procedures in SP 800-172A Revision 3 have been expanded accordingly.

Three structural themes define this revision:

Penetration-resistant architecture

Requirements designed to make systems inherently more difficult to compromise, rather than relying solely on detection and response.

Damage-limiting operations

Practices that constrain what an adversary can achieve even after gaining initial access — limiting lateral movement, reducing blast radius, and isolating critical assets.

Cyber resiliency

Requirements focused on the ability to continue operating and recover during sustained attacks, reflecting the reality that sufficiently motivated adversaries will eventually breach perimeter defenses.

Does This Change Current CMMC Requirements?

No. Nothing changes operationally right now.

CMMC Level 2 is still assessed against NIST SP 800-171 Revision 2. CMMC Level 3 is still assessed against the 24 requirements DoD selected from the original SP 800-172 (February 2021), as specified in 32 CFR Part 170. NIST publishing revised standards does not automatically update the CMMC program. The DoD would need to go through formal rulemaking to adopt either revised baseline.

This distinction matters. Contractors preparing for CMMC Level 2 or Level 3 today should continue working against the current assessment baselines. The revised NIST publications represent where the framework is heading, not where it is today.

Why This Publication Matters for CMMC Rulemaking

Here is what makes today’s publication significant from a rulemaking perspective: both updated baselines are now final.

NIST SP 800-171 Revision 3 was finalized in May 2024. NIST SP 800-172 Revision 3 is finalized as of May 13, 2026. That means DoD now has the option to update CMMC Level 2 and Level 3 requirements simultaneously through a single rulemaking process, rather than two separate efforts.

This may be one of the reasons DoD has not yet initiated rulemaking for SP 800-171 Revision 3 at Level 2. Updating one level while the other still referenced an older framework generation would have created an awkward mismatch — Level 2 on Revision 3 while Level 3 still pointed to Revision 2 publications. With both Revision 3 publications now complete, a unified update becomes possible.

DoD has published ODPs for NIST SP 800-171 Revision 3 already – the last missing piece is the list of ODPs for NIST SP 800-172 Revision 2. Howewever, this should not prevent start of rulemaking.

As of today, no timeline for rulemaking has been announced. But the building blocks are now in place.

Why the Level 3 Impact Deserves Attention

The potential scale of change at Level 3 is substantial.

Currently, CMMC Level 3 requires 24 enhanced security requirements selected from the original 39 in SP 800-172 — approximately two-thirds. If DoD applies a similar selection ratio to the revised publication, that would mean roughly 77 enhanced requirements on top of the Level 2 baseline.

That is a significant jump from the current 24. It would substantially expand the scope, cost, and complexity of Level 3 certification.

The original SP 800-172 focused exclusively on confidentiality. Revision 3 adds integrity and availability, which means Level 3 contractors could eventually face requirements covering a much broader range of security objectives. The inclusion of cyber resiliency requirements — designing systems to operate through sustained attacks — represents a particularly demanding addition.

These changes will not take effect until DoD completes rulemaking. But Level 3 applies to contractors supporting the most sensitive DoD programs, and preparation timelines for this level of certification are already measured in years. Understanding the direction now is practical planning, not speculation.

What Does This Mean for Level 2 Contractors?

If you are pursuing or maintaining CMMC Level 2 certification, your immediate requirements have not changed. Continue preparing against NIST SP 800-171 Revision 2, which remains the current CMMC Level 2 assessment basis.

That said, today’s publication is relevant for Level 2 contractors for two reasons.

First, the completion of both Revision 3 baselines makes a unified CMMC rulemaking update more likely. When that rulemaking occurs, Level 2 will move to SP 800-171 Revision 3, which introduces ODPs and restructured requirements. Familiarizing yourself with Revision 3 now — particularly its ODPs — helps you anticipate the transition rather than react to it.

Second, some Level 2 contractors will eventually need Level 3 certification as their programs grow or contract requirements change. Understanding the trajectory of Level 3 requirements helps with long-term planning and resource allocation.

What Should Defense Contractors Do Now?

A practical approach depends on where you are in the certification process.

Contractors preparing for Level 2 certification should stay focused on the current baseline — NIST SP 800-171 Revision 2. Your Certified Third-Party Assessor Organization (C3PAO) assessment will evaluate you against those requirements, and that has not changed. Where it makes sense, familiarize yourself with the ODPs in Revision 3, as they signal where requirements are heading.

Contractors holding Level 2 certification should monitor the rulemaking process. When DoD announces a timeline for adopting Revision 3, you will need to plan a transition. Understanding the differences between Revision 2 and Revision 3 now reduces the effort required later.

Contractors anticipating Level 3 requirements should read SP 800-172 Revision 3 now, even though compliance is not yet required. The expansion from 39 to approximately 115 requirements is not something to address reactively. Scoping decisions, infrastructure investments, and staffing plans all benefit from early visibility into where the framework is heading.

For all contractors, remember that scoping comes before gap assessment. You cannot evaluate your readiness against a set of requirements until you understand where CUI lives in your environment, how it flows, and which systems are in scope. This is true under the current baselines and will be equally true under the revised ones.

Frequently Asked Questions

Does NIST SP 800-172 Revision 3 change my current CMMC requirements?

No. Current CMMC requirements are defined in 32 CFR Part 170 and reference the original NIST publications (SP 800-171 Revision 2 for Level 2 and selected requirements from SP 800-172 February 2021 for Level 3). NIST publishing new revisions does not change CMMC until DoD completes formal rulemaking to adopt them.

When will CMMC be updated to reference the Revision 3 publications?

No timeline has been announced. With both SP 800-171 Revision 3 and SP 800-172 Revision 3 now finalized, DoD has the option to update both CMMC levels through a single rulemaking process. The timing remains at DoD’s discretion.

How many requirements are in SP 800-172 Revision 3?

Early community analysis suggests approximately 115 enhanced security requirements, up from 39 in the original publication. Roughly 80 of those are reported as new. These figures are based on initial reviews of the published document and should be verified against the official NIST publication or the CPRT dataset.

What is the difference between SP 800-172 and SP 800-172A?

SP 800-172 defines the enhanced security requirements — what organizations need to implement. SP 800-172A provides the assessment procedures — how those implementations are evaluated. Both were published simultaneously on May 13, 2026.

Will CMMC Level 3 require all 115 requirements?

That is not yet determined. Under the current framework, DoD selected 24 of the original 39 requirements for Level 3 — approximately two-thirds. If a similar ratio applies to Revision 3, approximately 77 requirements could be selected. The actual number will depend on future rulemaking.

Does this affect CMMC Level 1?

No. CMMC Level 1 is based on the 17 practices in FAR 52.204-21, which protects Federal Contract Information (FCI). NIST SP 800-172 applies to CUI protection and is relevant only to Level 2 and Level 3.

Should I start implementing SP 800-172 Revision 3 requirements now?

Not unless your contracts or agency specifically require it outside of CMMC. For CMMC purposes, continue working against the current baselines. However, reading the revised publication and understanding its direction is useful for long-term planning — particularly if you anticipate Level 3 requirements.

Looking Ahead

We will publish updates as the rulemaking picture develops. If you have questions about how — or whether — these changes may affect your organization, contact us to discuss your specific situation.

If you are working toward Level 2 certification or anticipate Level 3 requirements in future contracts, understanding how these baseline changes may affect your timeline and scope is worth a conversation. Contact us at cmmc@ecuron.com to schedule a 30-minute consultation.

Ecuron is a Registered Provider Organization (RPO) since 2021 authorized by the Cyber AB to provide CMMC consulting services. We do not sell or resell any tools or services — our recommendations are based entirely on what your organization needs. Learn more about our 5-step methodology for CMMC certification preparation.

CMMC vs. NIST SP 800-171: What Is the Difference

admin — Tue, 07 Apr 2026 18:02:19 +0000

If your company handles Controlled Unclassified Information (CUI), you have probably seen CMMC and NIST SP 800-171 mentioned in the same conversation. That is one reason so many contractors assume they mean the same thing. They do not.

The short version is simple:

NIST SP 800-171 tells you what security requirements to implement.
CMMC is the DoD program that evaluates whether you have implemented those requirements well enough to achieve the required assessment result for contract award. For Level 2, that means an assessment against NIST SP 800-171 Rev. 2 using the CMMC assessment process and criteria.

That distinction matters. Many companies lose time and money because they focus on documentation without validating implementation, or they assume partial alignment with NIST SP 800-171 automatically means they are ready for a CMMC Level 2 assessment. The official assessment materials make clear that CMMC assessments look at evidence through examine, interview, and test, and results are captured at the assessment objective level, not just at the level of policy statements. If you are not sure what this means keep reading.

What Is NIST SP 800-171?

NIST SP 800-171 is a cybersecurity standard designed to help organizations protect Controlled Unclassified Information in nonfederal systems and organizations. In practical terms, it is the security baseline contractors are expected to implement when they handle CUI in their environments.

For CMMC Level 2 environments involving CUI, the relevant baseline is still NIST SP 800-171 Revision 2, not Revision 3. That point is important because many contractors see the “withdrawn” notice on Revision 2 and assume Revision 3 is now the CMMC expectation. NIST did withdraw Revision 2 and publish Revision 3, but DoD’s current CMMC guidance states that assessments are still being conducted against Revision 2 until the class deviation is withdrawn or superseded.

So while the market may already be talking about Revision 3, contractors preparing for CMMC Level 2 today still need to be grounded in Revision 2. That is where a lot of avoidable confusion starts.

What Is CMMC?

CMMC, or the Cybersecurity Maturity Model Certification, is the DoD program used to verify that contractors and subcontractors have implemented the required cybersecurity safeguards for the information involved in the contract. For Level 2, that means assessing implementation of the 110 requirements in NIST SP 800-171 Rev. 2. Depending on the solicitation, currently Level 2 may require either a self-assessment or a Certified 3^rd Party Assessor Organization (C3PAO) assessment, and both paths also require annual affirmations.

In other words, CMMC is not just about whether a policy exists. It is about whether the control is actually working in the environment, whether the organization can demonstrate that clearly, and whether the scope is properly defined. The Level 2 assessment guide is explicit that evidence must be in final form and that a single NOT MET assessment objective can cause failure of the entire requirement.

The Biggest Difference

The easiest way to explain the difference is this:

NIST SP 800-171 tells you what to implement.
NIST SP 800-171A tells assessors how to evaluate whether it is really implemented.
CMMC tells you what assessment path and status the DoD requires for the contract.

That is why companies that treat compliance as a paper exercise often run into trouble. A written policy may be necessary, but it is not enough on its own. Assessors will want to see that controls are operating in practice and that the organization can produce clear, supportable evidence.

Another point many defense contractors miss is that CMMC assessments are not really judged at the “we have 110 requirements on paper” level. They are judged at the level of the assessment objectives tied to those requirements. That is one reason organizations often overestimate readiness when they focus only on requirement statements and not on how those requirements will actually be assessed.

Why Contractors Get Confused

There are a few common reasons for the confusion:

The terms are often used together in the same sales and compliance discussions
Many organizations begin with NIST SP 800-171 and later realize they need to prepare for a more formal assessment path
Internal teams may focus heavily on documentation and underestimate the importance of evidence and operational consistency
Some teams mix current CMMC Level 2 expectations with newer NIST revisions, even though current CMMC Level 2 assessments are still tied to NIST SP 800-171 Revision 2

This confusion can create real delays. A company may spend months updating policies while leaving major scoping, access control, or evidence gaps unresolved. That is often where the real readiness problems are.

What This Means for Defense Contractors

If you are a defense contractor, subcontractor, or supplier handling CUI, the practical question is not just whether you understand the terminology. The real question is whether your environment, documentation, and evidence would stand up to review. For Level 2, that means being able to demonstrate that the NIST SP 800-171 Rev. 2 requirements are implemented and supported by evidence across the defined assessment scope.

That includes questions like:

Where does CUI live in your environment?
Which systems, assets, and users are in scope?
Are your controls implemented consistently?
Can you show evidence that those controls are functioning?
Have you evaluated readiness at the level of the assessment objectives, not just the requirement titles?
Have you identified weak points before a formal assessment?

These are the issues that often separate organizations that are making steady progress from those that keep reworking the same problems.

Common Mistakes to Avoid

Treating compliance as a documentation project

Policies matter, but they are only one part of readiness. If implementation is inconsistent, documentation alone will not solve the problem. CMMC assessments rely on examining documentation, interviewing personnel, and testing how controls operate in practice.

Defining scope too late

If you do not know what is in scope, remediation becomes inefficient and expensive. CMMC assessment scope is a formal concept, and scoping mistakes can distort everything that comes after.

Waiting too long to collect evidence

Evidence is often harder to assemble than teams expect. It should be gathered as controls are implemented, not only at the end. The assessment guide also makes clear that evidence must be final, not draft.

Assuming partial alignment means assessment readiness

A company may be on the right path and still not be ready for evaluation. Readiness requires clarity, consistency, and proof.

Overlooking the role of NIST SP 800-171A

Many contractors focus on the 110 requirements and do not assess themselves at the level of the related assessment objectives. That gap often leads to inflated self-assessment scores and a false sense of readiness. We often see scores drop by more than 100 points when a 3^rd party assessment is performed. NIST SP 800-171A exists specifically to provide the assessment procedures and methodology used to assess the security requirements.

How to Prepare More Effectively

A more practical approach usually includes:

Defining the CUI environment clearly
Reviewing current controls against NIST SP 800-171 Revision 2
Evaluating implementation at the level of the NIST SP 800-171A assessment objectives
Identifying missing, weak, or inconsistent evidence
Prioritizing remediation based on risk and effort
Getting an independent view before moving too far ahead

This helps reduce wasted effort and gives leadership a more realistic picture of current readiness.

FAQ – CMMC vs. NIST SP 800-171

Is NIST SP 800-171 the same as CMMC?

No. NIST SP 800-171 is the security requirements baseline. CMMC is the DoD program used to assess whether those requirements have been implemented and whether the organization has the required status for award.

Does CMMC Level 2 use NIST SP 800-171 Revision 3?

No. Current CMMC Level 2 assessments are still conducted against NIST SP 800-171 Revision 2. DoD has said that remains the assessment basis until the class deviation is withdrawn or superseded.

What is NIST SP 800-171A?

NIST SP 800-171A provides the assessment procedures and methodology used to evaluate whether the security requirements in NIST SP 800-171 have been implemented effectively.

Why do companies struggle with this transition?

Because many teams focus first on policies and technical changes without fully addressing scope, evidence, ownership, repeatability, and the level of detail reflected in the assessment objectives.

What should we do first?

Start by identifying where CUI exists, what systems and assets are in scope, and where your biggest gaps are likely to be. And do not forget about Federal Contract Information (FCI). If a contract involves only FCI and not CUI, the relevant CMMC requirement may be Level 1 rather than Level 2.

Conclusion

Understanding the difference between CMMC and NIST SP 800-171 is not just a terminology issue. It affects how you plan, prioritize, and prepare.

For CMMC Level 2, NIST SP 800-171 Revision 2 gives you the security requirements and NIST SP 800-171A gives you the assessment detail many organizations overlook. CMMC does not change the underlying Level 2 control baseline, but it does add formal assessment, affirmation, and status requirements. At Level 3, CMMC also adds selected NIST SP 800-172 requirements.

For many contractors, the smartest next step is an independent gap assessment that shows where they stand now, what needs attention first, and how to move forward with less guesswork.

If you are unsure whether your current NIST SP 800-171 efforts will hold up under a CMMC assessment, Ecuron can help you identify gaps, clarify scope, and build a more practical path toward readiness.

Government Shutdown and CMMC: What Defense Contractors Need to Know

admin — Fri, 10 Oct 2025 20:44:44 +0000

10/10/2025

As the federal government shutdown reaches Day 10 with no resolution in sight, defense contractors are asking a critical question: Does this shutdown impact the November 10, 2025 CMMC implementation deadline?

The short answer: No. CMMC requirements remain on track.

Here’s what defense contractors need to understand about how the current government shutdown affects – or more accurately, doesn’t affect – your CMMC compliance obligations.

The November 10, 2025 Deadline Stands Firm

Despite the government shutdown that began October 1, 2025, the Cybersecurity Maturity Model Certification (CMMC) program will launch as scheduled on November 10, 2025. On that date, the Department of Defense will begin incorporating CMMC requirements into new defense solicitations and contracts.

The final rule has been published, and the implementation timeline is proceeding regardless of the current appropriations lapse.

Why CMMC Implementation Continues During the Shutdown

Several factors ensure that CMMC moves forward even while other government operations are curtailed:

1. The Regulatory Framework Is Already Established

The CMMC final rule was published in the Federal Register and became effective on December 16, 2024. The regulatory authority for contracting officers to include CMMC requirements in solicitations (DFARS clause 252.204-7021) is already in place. No additional legislative action is required.

2. DoD Contracting Activities Continue

The Department of Defense has funding to continue essential operations during the shutdown, including contracting activities. According to DoD shutdown guidance issued in September 2025, existing contracts are not terminated or paused unless new funding is needed, and contracting officers continue to perform their duties for essential defense operations.

3. C3PAOs Operate Independently

CMMC Third-Party Assessment Organizations (C3PAOs) are private sector entities authorized by the Cyber Accreditation Body (Cyber AB). They do not rely on government appropriations to conduct assessments. Your ability to schedule and complete CMMC assessments is unaffected by the shutdown.

4. The Cyber AB Functions as a Non-Profit

The Cyber AB, which accredits C3PAOs and manages the CMMC ecosystem, operates as an independent non-profit organization. Its operations continue normally during government shutdowns.

What May Be Temporarily Affected

While CMMC implementation proceeds, some peripheral activities may experience delays as the shutdown extends into its second week:

Government Oversight Functions: Some DoD cybersecurity oversight and policy development activities may be reduced or delayed.
New Solicitation Volume: The overall number of new contract solicitations may temporarily decrease as some DoD offices operate with reduced staff. However, essential defense contracting continues.
DIBCAC Operations: The Defense Industrial Base Cybersecurity Assessment Center may have limited availability for questions or guidance during the shutdown.
Training and Outreach: Government-sponsored CMMC training events and webinars may be postponed. The Defense Acquisition University (DAU) has suspended all classes and events that started on or after October 1.
Military Pay at Risk: Active-duty military personnel (approximately 1.3 million service members) will miss their first paycheck on October 15, 2025 if the shutdown continues. This does not directly impact CMMC implementation timelines, but creates significant pressure for congressional action.
Federal Worker Layoffs: The White House Office of Management and Budget announced on October 10 that “substantial” layoffs of federal workers have begun. This represents an escalation beyond typical shutdown furloughs and may affect some agency operations.
Agency Response Times: Federal agencies are operating with limited staff, leading to delays in regulatory approvals and guidance responses.
Congressional Recess: The Senate adjourned on October 9 and will not return until October 14, meaning no votes on funding legislation are possible until next week at the earliest. The shutdown is now expected to extend into Week 3.

However, none of these temporary impacts change your compliance obligations or the November 10 implementation date.

What Defense Contractors Should Do Right Now

The government shutdown should not slow your CMMC preparation. In fact, it reinforces the urgency of getting ready now.

For Companies Handling Federal Contract Information (FCI) – CMMC Level 1:

Complete your self-assessment against the 17 CMMC Level 1 practices
Document your security controls in your System Security Plan (SSP)
Prepare to submit your annual self-assessment through the Supplier Performance Risk System (SPRS)
Ensure you can obtain your CMMC Unique Identifier (UID) when required for contract bids

For Companies Handling Controlled Unclassified Information (CUI) – CMMC Level 2:

Finalize your NIST SP 800-171 implementation across all 110 security requirements (and 320 assessment objectives!)
Conduct internal readiness assessments to identify any remaining gaps
Engage with a C3PAO to schedule your third-party assessment (lead times depend on the C3PAO but are now often 3-6 months or longer)
Develop your Plan of Action & Milestones (POA&M) for any requirements you cannot yet meet
Review your subcontractor relationships to ensure flowdown compliance

For All Defense Contractors:

Monitor new solicitations closely starting November 10 for CMMC requirements
Don’t wait for the shutdown to end to begin your compliance work
Understand that False Claims Act implications remain in effect regardless of the shutdown—misrepresenting your cybersecurity posture carries serious legal and financial consequences
Use this period productively to advance your CMMC preparation while solicitation volume may be temporarily reduced
Plan for post-shutdown surge: When the shutdown ends, expect increased solicitation activity, compressed timelines, and greater demand for C3PAO assessments

The Four-Phase CMMC Rollout Timeline

Understanding the phased implementation helps you prioritize your preparation:

Phase 1 (November 10, 2025 – November 9, 2026): Selective application of CMMC requirements in new solicitations. DoD will begin incorporating CMMC clauses, but not all contracts will require certification immediately.

Phase 2 (November 10, 2026 – November 9, 2027): Increased application across more contract types and dollar thresholds.

Phase 3 (November 10, 2027 – November 9, 2028): Broader enforcement with more contracts requiring CMMC certification.

Phase 4 (November 10, 2028 and beyond): Full implementation across all applicable DoD contracts, except those exclusively for commercial off-the-shelf (COTS) products.

For more details see our post CMMC: Phased Rollout Timeline .

Even though implementation is phased, you cannot predict which solicitations will require CMMC. or if a self-affirmation or C3PAO assessment is required. Waiting until your specific contract requires certification puts you at serious competitive disadvantage.

Why This Shutdown Is Different for Cybersecurity

In past government shutdowns, many regulatory initiatives were delayed or suspended. CMMC is different for several important reasons:

Regulatory Authority Already Granted: Unlike programs requiring new legislation or funding, CMMC operates under existing regulatory authority that remains valid during shutdowns.
Private Sector Assessment Model: The use of independent C3PAOs means the assessment infrastructure doesn’t depend on government employees or appropriations.
National Security Imperative: Cybersecurity threats to the defense industrial base continue regardless of appropriations status. The DoD views CMMC as essential to protecting sensitive defense information.

What Happens After the Shutdown Ends

When appropriations are restored and government operations return to normal, expect:

Increased solicitation activity as delayed contracts move forward
More CMMC requirements appearing in solicitations as contracting officers catch up on backlogged work
Compressed timelines for proposal submissions as agencies work to obligate funds before the fiscal year ends
Greater scrutiny of cybersecurity compliance as the DoD emphasizes supply chain security
Potential surge in C3PAO demand as contractors rush to complete assessments
Restoration of military pay and federal worker salaries, with back pay typically provided for all affected employees

Contractors who used the shutdown period to advance their CMMC preparation will be positioned to respond quickly when opportunities arise.

TLDR

The current government shutdown does not impact:

The November 10, 2025 CMMC effective date
Your compliance obligations under DFARS 252.204-7012
The phased rollout timeline
C3PAO assessment operations
Your ability to prepare for CMMC certification

The shutdown may temporarily affect:

Government response times for questions or guidance
The volume of new solicitations
DoD-sponsored training and outreach events
Agency staffing and administrative functions (with substantial layoffs now underway)
Military pay (first missed paycheck on October 15)

For defense contractors, the message is clear: Continue your CMMC preparation without delay. The November 10 deadline is firm, the requirements are established, and the assessment infrastructure is operational.

The government shutdown is a temporary disruption to appropriations. CMMC is a permanent change to how the Department of Defense protects sensitive information across its supply chain.

As the shutdown reaches Day 10 with Congress adjourned until October 14 and no clear path to resolution, the contractors who maintain momentum on their compliance efforts will be best positioned for success when government operations normalize.

Need Help Preparing for CMMC?

Whether the government is open or in shutdown, cybersecurity threats don’t take a break—and neither should your compliance preparation.

Ecuron specializes in helping defense contractors navigate CMMC requirements, from gap assessments to full implementation and maintenance support. As a CMMC Registered Practitioner Organization (RPO), we understand both the technical requirements and the practical realities of achieving certification.

Contact us today to discuss your CMMC readiness:

Phone: +1-713-646-5044
Email: cmmc@ecuron.com

Don’t let the government shutdown become an excuse for delay. Your competitors are preparing—make sure you are too.

CMMC: Phased Rollout Timeline

admin — Sat, 13 Sep 2025 23:17:02 +0000

CMMC: Phased Rollout Timeline

After years of delays, CMMC is finally launching. Six years, ten months, and 26 days after CMMC was first announced, the final rule putting CMMC into DoD contracts was published September 10, 2025.

Starting November 10, 2025, the Department of Defense begins requiring cybersecurity certifications for contractors—and your company’s ability to win future contracts depends on understanding these new rules. Here we summarize the Phased Rollout of CMMC.

Upfront some definitions:

OSC: Organization Seeking Certification (that would be you)
COTS: Commercial Off-The Shelf
FCI: Federal Contract Information
CUI: Controlled Unclassified Information
SPRS: Supplier Performance Risk System
C3PAO: Certified Third Party Assessment Organization

Understanding CMMC UIDs (Unique Identifiers)

Every CMMC assessment gets a Unique Identifier (UID) from SPRS. Think of it as a “serial number” for your compliance status that’s tied to the specific systems you assessed. Key points:

Each UID represents one assessment scope (the systems/enclave you evaluated)
If you have multiple separate systems handling FCI/CUI, you may have multiple UIDs
You provide these UIDs in your proposals so contracting officers can verify your status
UIDs stay with those specific systems – if you change your system setup, you may need new UIDs

Why this is important: Contracting officers use your UIDs to look up your exact compliance status in SPRS for the systems you’ll actually use on their contract. More on that below.

What “CMMC phased rollout” means

The CMMC phased rollout timeline is based on 4-phases: the initial rollout in 3 phases over three years, with full implementation (Phase 4) beginning in year four:

Years 1–3 (Nov 10, 2025 → Nov 9, 2028): CMMC appears selectively. Program offices add it where they decide it’s appropriate (COTS-only awards are excluded – CMMC does not apply to them).
Year 4 onward (Nov 10, 2028+): CMMC is generally required whenever the contract requires using contractor systems to process, store, or transmit FCI or CUI (again, excluding COTS-only).

What this means for you: Not every new solicitation after Nov 10, 2025 will carry CMMC, but many will – by policy choice – through the three-year phase-in. After Nov 10, 2028, expect CMMC requirements whenever your systems will handle FCI/CUI. Remember: Even if DoD doesn’t require CMMC in a specific contract right away, prime contractors can – and increasingly will – require it from their subs.

What contracting officers will check

You will have to meet any CMMC requirements before contract award. Once CMMC appears in a solicitation, here’s what contracting officers will verify and what you need to maintain:

Before contract award:

SPRS verification: Contracting Officers must verify a current NIST SP 800-171r2 DoD Assessment score (where required) and a current CMMC status at the level required, for each CMMC UID tied to the systems you’ll use. “Current” means your CMMC status hasn’t expired and covers the systems you’ll actually use on the contract.

CMMC UIDs in proposals: You’ll list the UID(s) for each system that will process, store, or transmit FCI/CUI under the resulting award.

During contract performance:

Annual affirmation: You must post an annual affirmation of continuous compliance in SPRS for each CMMC UID. This affirmation must be signed by a company executive.

Status updates: Update SPRS when your status changes.

New systems: If you add systems that handle FCI/CUI during contract performance, provide new UIDs to the contracting officer.

At option exercise/extensions: Contracting Officers verify you still have current CMMC status before exercising options or extending performance periods.

Where this comes from: DFARS 252.204-7021 is the clause, and DFARS 252.204-7025 is the solicitation provision used when 7021 appears.

Conditional status & POA&M (Level 2/3 only)

DoD permits a Conditional CMMC status (i.e., with valid POA&Ms) for Levels 2 and 3 only, and for up to 180 days from the conditional date – award may occur with conditional status (subject to program needs).

Important: Even for conditional status, your self-assessment must achieve a minimum score of 88 points out of 110 possible points in NIST SP 800-171. Only certain limited control requirements are allowed to be on your POAM which needs to be closed out within 180 days.

Level 1 has no conditional path.

Flowdown & subcontractors

Subcontractors must comply with CMMC at the required level the same way primes do, including self-assessment posting, certification, and annual affirmation in SPRS. Only the prime submits UIDs to the contracting officer (subcontractors enter results in SPRS and can share screenshots with the prime).

COTS exception (throughout)

Awards solely for the acquisition of COTS items are excluded from the CMMC clause and provision prescriptions in both the selective (Years 1–3) and the broad (Year 4+) phases.

For Level 1 (FCI only) OSCs

What is required:

Assessment type:

Self-assessment (Level 1) posted to SPRS when the clause is present; keep your CMMC status current for the life of the contract and affirm annually in SPRS.

Scoping:

In scope are all assets that process, store, or transmit FCI; assets that do not handle FCI are out of scope. While no formal SSP is required, it is still smart to keep a lightweight SSP/system description and a few basic policies so you can clearly explain your scope and boundaries.

Specialized assets:

(IoT/IIoT, OT, GFE, restricted systems, test equipment) are not assessed at Level 1.

For Level 2 (FCI & CUI) OSCs

What is required:

Assessment type:

At the minimum a self-assessment attesting full implementation of the NIST SP 800-171r2 requirements – so 110 points – is required. If the contract includes CUI from the DoD Organizational Index group (see NARA CUI categories) will also require a C3PAO assessment at Level 2. For Level 3 an additional assessment by DIBCAC is required.
Your program office determines the CMMC level of your contract.

Scoping:

Level 2 scope includes CUI assets, Security Protection Assets, Contractor Risk-Managed Assets (CRMA), and Specialized Assets, with specific documentation/assessment expectations. Using enclaves to constrain scope is allowed; inherited controls are fine where valid, but all requirements must be met within the scope.

Conditional Status & POA&M:

You can be awarded with a Conditional Status if
(a) your score is at least 88/110, and
(b) only a small, limited set of requirements are eligible to be on your POA&M.

Final status must be reached within 180 days by closing out all POA&M items.

When will you actually see DFARS 252.204-7021/7025?

During the initial phase-in (through Nov 9, 2028), the -7021/-7025 clauses appear in a solicitation when the program office chooses to include CMMC for that buy.

Starting Nov 10, 2028 the -7021/-7025 clauses will appear automatically whenever your systems will handle FCI/CUI on that contract.

Also note that the clause can be added to solicitations issued just before the effective date so long as award occurs on/after Nov 10, 2025; Contracting Officers may bilaterally add it to existing contracts with consideration.

Why you’ll hear about “UIDs,” “SPRS,” and “affirmations” so much

DoD expects CMMC to be scoped to the specific systems you’ll use. Each assessment scope (enclave/system set) gets a CMMC UID from SPRS/eMASS, and those UIDs ride with your offer so Contracting Officers can verify your status. Then you affirm annually that you remain compliant and that there are no significant changes to the system.

The Short Version:

Phase 1 begins Nov 10, 2025 – CMMC appears selectively for three years; from Nov 10, 2028 forward, it’s required when you’ll handle FCI/CUI
Level 1: Self-assessment + annual affirmation; scope includes only FCI-handling assets
Level 2: CUI from the DoD Organizational Index categories need a C3PAO assessment. CUI from not DoD categories will require a self-assessment. Conditional status (POA&M) possible for 180 days – but see the details above!
Always: Provide CMMC UIDs, keep SPRS current, affirm annually, and ensure subcontractors comply

Time to act is now

With CMMC requirements starting in just weeks, the window for preparation is closing fast. CMMC Level 2 implementation typically takes 12-18 months, and C3PAO availability is becoming a bottleneck as more companies rush to get certified.

If you need help navigating CMMC compliance, Ecuron specializes in getting defense contractors from their current status to full CMMC compliance efficiently. As a CMMC Registered Practitioner Organization (CMMC-RPO), we’ve guided companies in more than 12 states through the process.

Ready to get started? Schedule a complimentary 30-minute consultation to discuss your CMMC requirements and timeline. Email us at cmmc@ecuron.com, call +1-713-646-5044, or use the contact form below.

Don’t wait until CMMC appears in your next RFP – start preparing now.

Title 48 CFR Close to Finish Line

admin — Fri, 29 Aug 2025 23:40:24 +0000

CMMC Final Rule Clears Regulatory Review:
What are the Implications?

August 29th 2025

We are close, very close. The wait is almost over. After years of anticipation, the 48 CFR final rule has officially cleared regulatory review on August 25th, marking a pivotal moment for defense contractors across the nation.

What Happens Next?

The review by OIRA was finalized well under the 90 day limit. Not much is left before the rule takes effect:

Within the next week: The rule will be published in the Federal Register, officially marking the beginning of the end of the preparation phase.

1-60 days after publication: The effective date kicks in, launching Phase 1 of the CMMC phased rollout. As mentioned in our previous blog post, the 48 CFR is no major rule and thereby no 60 day delay is required.

From the effective date forward: Every new DoD solicitation and contract will include CMMC requirements. No exceptions.

Not Just Self-Assessments

Here’s what many contractors are getting wrong: this isn’t just about self-assessments.

Contrary to popular belief circulating in industry forums, new contracts can easily require CMMC Level 2 certification right from the start when the contract includes CUI of the Defense Category — not just the self-assessment that many contractors have been banking on as a “soft landing.”

If you’ve been putting off your CMMC preparation thinking you’ll have more time to ease into compliance, it’s time to recalibrate your timeline.

No Surprises in the Final Rule

Don’t expect dramatic changes from what we’ve already seen. This final rule simply implements the policy that’s been codified at 32 CFR 170 since December 2024.

What it does accomplish:

Updates instructions to contracting officers
Revises the text of DFARS 252.204-7021
Implements the overall CMMC program policy we’ve been preparing for

Think of it as the operational manual for a policy framework that’s already been established.

What This Means for Your Business

The preparation window is closing. Once that effective date hits, every new opportunity in the defense sector will come with CMMC strings attached.

For contractors who haven’t started their CMMC journey:

Gap assessments become urgent, not optional
Implementation timelines need to be compressed
Certification planning should begin immediately

For those already in progress:

Stay the course—your early preparation is about to pay dividends
Ensure your implementation timeline aligns with your contract renewal dates
Consider accelerating certification if you’re pursuing new opportunities

The CMMC program is no longer a future consideration—it’s an immediate business reality. Defense contractors who treat this as just another compliance checkbox are setting themselves up for lost opportunities and competitive disadvantage.

The time for preparation is now.

If you need help navigating your CMMC compliance journey: Our team at Ecuron specializes in helping defense contractors implementing the requirements of NIST SP 800-171 and prepare you for a CMMC certification efficiently and effectively. Contact us at cmmc@ecuron.com for a no string attached 30 minute consultation to discuss your specific situation and requirements.

Final Sprint to CMMC: 48 CFR Rule Hits OIRA Review

admin — Tue, 12 Aug 2025 23:43:58 +0000

48 CFR Rule Hits OIRA Review as DoD Signals “No Question” About Implementation

August 12th, 2025
The moment Defense Industrial Base (DIB) contractors have been waiting for—and perhaps dreading—is finally here. The Cybersecurity Maturity Model Certification (CMMC) is about to become reality. There is no more time for “wait and see.”

The Big Milestone: 48 CFR Rule in Final Review

On July 22, 2025, DoD took the one of last steps required to put CMMC requirements into future contracts: formally submitting the final 48 CFR rule to the Office of Information and Regulatory Affairs (OIRA). This rule is the missing piece that empowers contracting officers to insert DFARS 252.204-7021—the CMMC clause—into every new DoD solicitation and contract.

Once OIRA review is complete (typically within 90 days) and based on the current classification of the 48 CFR rule as not a major rule, nor economically significant it could be published in the Federal Register and become effective immediately—no 60 day waiting period. That means CMMC requirements could start appearing in contracts as early as October 2025. With delays it could take until February 2026 – but considering the recent activity that doesn’t seems likely.

Historic First: Secretary of Defense Publicly Endorses CMMC

For the first time ever, a statement from the Secretary of Defense in a Memorandum for Senior Pentagon Leadership from July 18^th 2025 mentioned and endorsed CMMC:

“[…] the Department will fortify existing programs and processes utilized within the Defense Industrial Base (DIB) to ensure that adversarial foreign influence is appropriately eliminated or mitigated […]. Specifically, the DoD CIO will leverage efforts such as the Cybersecurity Maturity Model Certification, […].”

This marks a significant shift from internal policy discussions to official endorsement, underscoring the program’s legitimacy and long-term presence in the defense industrial base.

What This Means for Defense Contractors Right Now

Mandatory Compliance is Coming

DFARS 252.204-7021 will require CMMC certification (or self-attestation during the initial roll-out phase and depending on contract type) before contract award
The rule could become effective upon publication—no long grace period
Both, self-assessment requirements and certified audits by C3PAOs, will begin appearing in solicitations

The Specifics of the Level 2 Requirements

Self-attestation requires implementation of at least 80% of the 110 NIST SP 800-171 Rev 2 controls – which translates to 88 controls
Any remaining deficiencies must be closed within 180 days
Third-party certification via C3PAOs will be the standard expectation for CUI contracts after the initial roll-out phase of 6-12 months.

Critical Misunderstanding: Waivers Are Contract-Specific, Not Company-Wide

A key detail contractors often get wrong: waivers or exceptions to CMMC will NOT be granted at the company level.

The DoD has made it clear that waivers will be issued only at the contract level, only for a very small percentage (2%), and only when a specific mission-need justifies it. This means:

You cannot expect a blanket exception for your company
Even if one program office grants a waiver, another solicitation may still require full CMMC compliance
Contractors should assume compliance is mandatory across the board unless explicitly told otherwise by the contracting officer for a specific contract

Your Action Plan: No More Delays

The October 2025 timeline gives contractors a clear but short runway. Here’s what you need to do now:

Start or accelerate your CMMC Level 2 readiness plan today.

Even if you have performed a self assessment for NIST SP 800-171 and submitted your score to SPRS: get a 3rd party assessment that will give you an accurate status of your implementation! Expect your score to drop by ~100 points.
Ensure your scope is correct.

One of the biggest issues we see: proper scoping of the CUI environment. If you need help reach out.
Finalize your NIST SP 800-171 implementation.

Don’t assume you’ll get a waiver, because 98% won’t. If you are stuck get help!
Prepare for third-party assessments

If you are handling Controlled Unclassified Information (CUI) your are looking at CMMC Level 2 requirements. If you think you meet all 110 controls (and 320 assessment objectives !) engage with a 3rd party to confirm.
Engage stakeholders across your business

Executive support is probably the most important factor for a successful certification. This transition to CMMC will affect procurement, compliance, HR, and operations. This is not just an IT problem – it impacts business workflows and processes as well.

Key CMMC Timeline at a Glance

October 2024: CMMC Program established via 32 CFR Part 170
July 22, 2025: 48 CFR Rule submitted to OIRA
as early as October, 2025: CMMC clause expected in new DoD solicitations

The final rule signals the definitive end of delays. CMMC will soon be embedded in new DoD contracts, and compliance is about to become the price of admission to the Defense Industrial Base.

The question is no longer “if” but “when”—and that when is likely just weeks away.

To discuss your organization’s specific cybersecurity & compliance needs or simply to learn more about DFARS, NIST SP 800-171, and CMMC requirements contact us for a 30-minute consultation. Let’s make sure you don’t miss out on new contract awards.

Enhancing Security with Cyber Threat Intelligence Services

admin — Tue, 12 Sep 2023 20:52:09 +0000

In today’s digital age, where cybersecurity threats are becoming increasingly sophisticated and prevalent, the need for effective cyber threat intelligence services has never been greater. Organizations of all sizes and industries face the constant risk of data breaches, hacking attempts, and other malicious activities that can have devastating consequences.

Cyber threat intelligence empowers organizations to stay one step ahead of cyber-criminals by understanding their tactics, motivations, and targets. With this knowledge in hand, businesses can develop robust cybersecurity strategies that effectively protect their sensitive data and critical assets.

In this post, we will explore the various aspects of cyber threat intelligence services: from its definition, its role in mitigating risks associated with cyber threats, to the benefits it offers to organizations across different sectors.

Why Your Business Needs Professional Cyber Threat Intelligence Services

Often abbreviated as CTI, Cyber Threat Intelligence is the process of collecting, analyzing, and interpreting data to identify potential cyber threats and vulnerabilities. It involves monitoring various sources such as dark web forums, hacker communities, and security research reports to identify emerging patterns and trends in cyber-criminal activities. By leveraging advanced technologies and expert analysis, threat intelligence services provide organizations with valuable insights into potential vulnerabilities within their infrastructure and networks. This allows them to proactively detect and mitigate threats before they can cause significant damage.

One of the key advantages of professional cyber threat intelligence services is their ability to provide real-time insights into emerging threats and trends. This enables businesses to stay one step ahead of cyber-criminals and take proactive security measures to mitigate risks effectively. By continuously monitoring your digital infrastructure, these services ensure that any suspicious activities or indicators of compromise are promptly detected and addressed.

Furthermore, engaging with professional cybersecurity providers allows businesses to benefit from their extensive knowledge and expertise in cyber risk management. They can conduct thorough assessments of your existing security protocols, identify potential weaknesses, and recommend tailored solutions that align with your specific needs.

Investing in professional cyber threat intelligence services is an investment in the long-term success and resilience of your business. By proactively managing cyber risks, you not only protect sensitive data but also safeguard your reputation, customer trust, and overall business continuity.

With the ever-evolving nature of cyber threats, relying solely on traditional passive security measures is no longer sufficient. Your business needs professional cyber threat intelligence services to stay ahead of adversaries by detecting threats early on while implementing proactive security measures for a robust defense against potential breaches.

1. Identifying and Mitigating Potential Risks

Identifying and mitigating potential risks is of utmost importance to ensure the security and stability of an organization. This involves conducting comprehensive vulnerability assessments, performing risk analysis, and engaging in proactive threat hunting.

Vulnerability assessments play a critical role in identifying weaknesses within an organization’s systems, networks, and applications. By conducting regular assessments, businesses can gain insights into potential vulnerabilities that could be exploited by malicious actors. This allows them to prioritize their efforts towards addressing these vulnerabilities before they can be exploited.

Risk analysis goes hand in hand with vulnerability assessments by evaluating the potential impact and likelihood of various risks materializing. By analyzing the severity of identified vulnerabilities and assessing their potential consequences, organizations can make informed decisions on how to allocate resources for mitigation efforts.

But it doesn’t stop there. Proactive threat hunting involves actively searching for signs of malicious activity within an organization’s network or systems. This approach allows businesses to detect threats that may have gone unnoticed by traditional security measures such as firewalls or antivirus software.

2. Staying Ahead of Emerging Threats and Attack Vectors

Staying ahead of emerging threats and attack vectors is crucial for businesses to protect their sensitive data and maintain the trust of their customers. With the rapid advancements in technology, cyber-criminals are constantly evolving their tactics to exploit vulnerabilities and gain unauthorized access.

To effectively combat these threats, organizations must conduct thorough cyber threat landscape analysis. This involves monitoring and analyzing the latest trends, techniques, and vulnerabilities that cyber-criminals may exploit. By understanding the current state of the threat landscape, businesses can proactively implement security measures to mitigate risks.

One of the most challenging aspects of emerging threats is zero-day vulnerabilities. These are previously unknown vulnerabilities in software or systems that hackers can exploit before developers have a chance to patch them. To address this issue, organizations need to have robust vulnerability management programs in place. This includes continuous monitoring for new vulnerabilities, timely patching or mitigation strategies, and proactive threat intelligence gathering.

Furthermore, staying ahead of emerging threats requires keeping up with new attack techniques. Cyber-criminals are constantly innovating and finding new ways to infiltrate systems or deceive users. By actively researching and understanding these tactics, organizations can develop effective defense strategies such as implementing advanced firewalls, intrusion detection systems, multi-factor authentication protocols, and employee training programs.

To stay ahead of emerging threats and attack vectors, organizations must continuously analyze the cyber threat landscape, address zero-day vulnerabilities promptly with robust vulnerability management programs, and stay informed about new attack techniques through research and proactive defense strategies. By doing so, businesses can enhance their cybersecurity posture and safeguard their critical assets from potential breaches or unauthorized access attempts.

3. Enhancing Incident Response Capabilities

Incident response planning is crucial for organizations to effectively address and mitigate potential threats. However, simply having a plan in place is not enough. Organizations must also focus on enhancing their incident response capabilities to ensure swift and efficient action when a security incident occurs.

One key aspect of enhancing incident response capabilities is the development and implementation of effective incident containment and remediation strategies. These strategies involve identifying and isolating the affected systems or networks, as well as implementing appropriate measures to stop the spread of the incident and minimize its impact.

By investing in advanced technologies such as real-time monitoring tools, organizations can detect incidents early on and take immediate action to contain them. Additionally, leveraging automation can streamline the remediation process by rapidly deploying patches or updates to affected systems, reducing downtime and minimizing disruption to critical operations.

Organizations should prioritize continuous training and education for their incident response teams. By regularly conducting drills and simulations, team members can practice their skills in a controlled environment, ensuring they are prepared to handle incidents effectively when they arise.

Enhancing incident response capabilities is not only about reacting promptly to security incidents; it is also about learning from each experience. Organizations should conduct thorough post-incident analyses to identify areas for improvement in their planning, containment strategies, or overall security posture.

By focusing on enhancing their incident response capabilities through effective planning, robust containment strategies, leveraging advanced technologies, continuous training of personnel, and conducting post-incident analysis for continuous improvement; organizations can better protect themselves against cyber threats and minimize potential damages caused by security incidents.

4. Strengthening Security Posture Through Actionable Insights

Real-time threat intelligence feeds with alerts and recommendations provide organizations with up-to-date information on emerging threats, vulnerabilities, and attack patterns. By continuously monitoring various sources such as dark web forums, hacker communities, and malware repositories, these feeds deliver actionable insights that enable proactive defense measures.

However, simply having access to threat intelligence is not enough. It is essential to have the ability to contextualize this information within the organization’s specific environment. This is where contextualized alerts and recommendations come into play. By analyzing the incoming threat intelligence in relation to an organization’s unique infrastructure, systems, and user behavior patterns, these tools can provide tailored insights that are directly relevant to the organization’s security posture.

The value of actionable insights gained from real-time threat intelligence feeds cannot be underestimated. By receiving timely alerts about potential threats or vulnerabilities specific to their environment, organizations can take immediate action to mitigate risks before they escalate into full-blown security incidents. Furthermore, contextualized recommendations empower security teams with the knowledge needed to prioritize remediation efforts effectively.

The Benefits of Outsourcing Cyber Threat Intelligence Services

One of the key advantages of outsourcing cyber threat intelligence services is cost-effectiveness. Building an in-house team with the necessary skills and knowledge can be expensive and time-consuming. Outsourcing allows businesses to access a dedicated team of experts without the overhead costs associated with hiring and training personnel.

Outsourcing and using cyber threat intelligence as a service can provide numerous benefits for businesses of all sizes: it provides access to a wider range of expertise and resources that may not be available internally. By leveraging the expertise and resources of external providers specializing in cyber threat intelligence, companies can enhance their security posture and mitigate risks effectively.

By partnering with a trusted cyber threat intelligence service provider, organizations can strengthen their defense against evolving cyber threats while focusing on core business objectives.

To learn more about Ecuron’s Cyber Threat Intelligence Service see as stand alone service or as part of our vCISO offering please see our Threat Intelligence Service page or contact us.

last changes: September 18th 2023

Wiring Harness News Features CMMC Update

admin — Mon, 01 Aug 2022 22:33:49 +0000

August 1st 2022

The July/August issue of the Wiring Harness News features an update about the recent developments regarding CMMC. Our CMMC lead Nicholas McBride explains the changes that happened since he first introduced the DoD’s new cybersecurity framework CMMC to the readership more than a year ago. You can read the article starting page 36 in the current issue:
https://newsstand.wiringharnessnews.com/mag/0366868001655894515

For a more comprehensive dive into the existing DFARS requirements and the upcoming CMMC see our report “Cybersecurity for the DoD Supply Chain and Its Contractors“.

CMMC Timeline Update by DoD

admin — Fri, 13 May 2022 20:20:10 +0000

May 13th 2022

After years of delays, the CMMC rulemaking process and subsequent rollout seems to be on track. In fact, the latest update by CMMC director Stacy Bostjanick this week suggests that it might be progressing faster than initially announced. Instead of July of 2023 the new expectation is that CMMC requirements will take effect in May of next year.

“May 2023 is the critical point. That’s when we think we will be able to start putting the requirement in contracts. … You are probably going to see RFIs, RFPs coming out in the summer of 2023.”

“Bostjanick said the Pentagon is encouraging companies to do “an early adoption of CMMC” through getting an assessment completed by an approved certified third party assessment organization before the rulemakings go into effect.”

For the full article see:
https://insidecybersecurity.com/share/13502

Depending on the current status, we estimate 6-12 months to prepare for a CMMC Level 2 certification assessment. The bottleneck will be the availability of C3PAOs as everybody will want to get certified at the same time. In other words – it’s time to get ready sooner than later to ensure eligibility for those new contracts.

ECURON

GSA’s New CUI Requirements: What CMMC Contractors Need to Know

GSA’s New CUI Requirements: What CMMC Contractors Need to Know

What Is CIO-IT Security-21-112 Rev. 1?

Why This Is Not Just “CMMC, but at GSA”

What Are the Differences That Will Actually Consume Budget?

One-Hour Incident Reporting

Nine Showstoppers, No POA&M

Continuous Monitoring on GSA’s Calendar

Documentation Rework

A New Privacy Stack

What Can You Reuse If You Are Already CMMC Level 2?

What CMMC Does Not Prepare You For

What Should You Do This Quarter?

Frequently Asked Questions

What is CIO-IT Security-21-112?

Does CIO-IT Security-21-112 apply to all GSA contractors?

Does CMMC certification satisfy GSA’s CUI requirements?

What is the biggest difference between CMMC and GSA’s CUI framework?

Who can perform the independent assessment for GSA?

Is there a transition period for GSA’s CUI requirements?

Does GSA’s framework affect DoD contractors?

What should I do first if this applies to my organization?

Where Ecuron Can Help

NIST SP 800-172 Revision 3 Is Final: What It Means for CMMC Level 2 and Level 3

NIST SP 800-172 Revision 3 Is Final: What It Means for CMMC Level 2 and Level 3

In This Article

What Is NIST SP 800-172?

What Changed in Revision 3?

Penetration-resistant architecture

Damage-limiting operations

Cyber resiliency

Does This Change Current CMMC Requirements?

Why This Publication Matters for CMMC Rulemaking

Why the Level 3 Impact Deserves Attention

What Does This Mean for Level 2 Contractors?

What Should Defense Contractors Do Now?

Frequently Asked Questions

Does NIST SP 800-172 Revision 3 change my current CMMC requirements?

When will CMMC be updated to reference the Revision 3 publications?

How many requirements are in SP 800-172 Revision 3?

What is the difference between SP 800-172 and SP 800-172A?

Will CMMC Level 3 require all 115 requirements?

Does this affect CMMC Level 1?

Should I start implementing SP 800-172 Revision 3 requirements now?

Looking Ahead

CMMC vs. NIST SP 800-171: What Is the Difference

What Is NIST SP 800-171?

What Is CMMC?

The Biggest Difference

Why Contractors Get Confused

What This Means for Defense Contractors

Common Mistakes to Avoid

Treating compliance as a documentation project

Defining scope too late

Waiting too long to collect evidence

Assuming partial alignment means assessment readiness

Overlooking the role of NIST SP 800-171A

How to Prepare More Effectively

FAQ – CMMC vs. NIST SP 800-171

Is NIST SP 800-171 the same as CMMC?

Does CMMC Level 2 use NIST SP 800-171 Revision 3?

What is NIST SP 800-171A?

Why do companies struggle with this transition?

What should we do first?

Conclusion

Government Shutdown and CMMC: What Defense Contractors Need to Know

The November 10, 2025 Deadline Stands Firm

Why CMMC Implementation Continues During the Shutdown

1. The Regulatory Framework Is Already Established

2. DoD Contracting Activities Continue

3. C3PAOs Operate Independently

4. The Cyber AB Functions as a Non-Profit

What May Be Temporarily Affected

What Defense Contractors Should Do Right Now

For Companies Handling Federal Contract Information (FCI) – CMMC Level 1:

For Companies Handling Controlled Unclassified Information (CUI) – CMMC Level 2:

For All Defense Contractors:

The Four-Phase CMMC Rollout Timeline

Why This Shutdown Is Different for Cybersecurity

CMMC Final Rule Clears Regulatory Review:
What are the Implications?