GSA Issues New Framework for Protecting CUI in Contractor Systems

Michael Joseph Montalbano

Last month the General Services Administration’s (“GSA”) Office of the Chief Information Security Officer (“OCISO”) issued CIO-IT Security-21-112 Rev. 1, a procedural guide governing how Controlled Unclassified Information (“CUI”) must be protected when it resides in nonfederal contractor systems. Although styled as internal process guidance rather than a regulation, the document establishes a detailed approval framework that will determine which contractors are eligible for GSA contracts that include CUI.

Background and Scope

The guide, which implements GSA’s approach to safeguarding CUI, uses National Institute of Standards and Technology (“NIST”) SP 800-171, Revision 3, selected enhanced requirements from NIST SP 800-172, and selected privacy controls from NIST SP 800-53, Revision 5. It applies where CUI is resident in a contractor system that is not operated on behalf of the federal government, and therefore is not subject to the Federal Information Security Modernization Act or the Federal Risk and Authorization Management Program (“FedRAMP”). Use of this process requires coordination with OCISO and approval by the GSA Chief Information Security Officer. GSA intends to eventually incorporate these requirements into applicable contracts and solicitations.


Preliminary Takeaways as DoD Seeks to Redesign the Defense Acquisition System for Wartime Speed

Oliver E. Jury

During a speech before key players in the defense industrial base on Friday, November 7, Secretary Hegseth announced plans for a sweeping transformation of the Defense Acquisition System, redesignating it as the Warfighting Acquisition System (“WAS”) and elevating speed-to-field as the organizing principle. The reforms would concentrate authority, expand competition and modularity, adopt commercial-first pathways, modernize contracting and training, and streamline oversight—all aimed at accelerating capability delivery and scaling industrial capacity for surge. While much will depend on how these announced changes are implemented, in this post we highlight key aspects of the changes and identify potential impacts to monitor. Secretary Hegseth’s full recorded remarks are available on C-SPAN’s website.

Redesignation and Organizing Principle

Acquisition is to be treated as a warfighting function, with every process required to justify its value to timely capability delivery. The WAS will reframe success around time-to-capability rather than exhaustive specification compliance.

Potential impact: Companies should expect solicitations and evaluations to prioritize schedule credibility and operational outcomes, reshaping win strategies toward demonstrable speed and adaptability.


This Is Not a Drill: Department of Defense Issues Long-Awaited Final CMMC DFARS Rule

Michael Joseph Montalbano

After years of drafts and interim measures, the Department of Defense (“DOD”) has issued the final Defense Federal Acquisition Regulation Supplement (“DFARS”) rule implementing the Cybersecurity Maturity Model Certification (“CMMC”) program. This long-awaited development cements CMMC as a contractual requirement and clarifies key aspects of the rule’s certification, compliance, and oversight requirements.

How Will CMMC Work?

Under the final rule, every solicitation where a contractor may store, process, or transmit Federal Contract Information (“FCI”) or Controlled Unclassified Information (“CUI”) will be assigned a CMMC level. Solicitations involving only FCI will carry a CMMC Level 1 (self-assessment) requirement. Solicitations involving non-Defense CUI will carry a CMMC Level 2 self-assessment requirement. Solicitations involving Defense CUI will carry a CMMC Level 2 certification requirement, meaning an assessment by a CMMC Third-Party Assessment Organization (“C3PAO”). Solicitations involving particularly sensitive DOD programs will carry a CMMC Level 3 requirement, which requires an assessment by the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”).


All-Points Bulletin for Defense Contractors: If You’re 15% Behind Schedule or 15% Over Budget, You Need a Strategy

Dominique L. Casimir

On April 9, 2025, President Trump signed an Executive Order (“EO”) titled Modernizing Defense Acquisitions and Spurring Innovation in the Defense Industrial Base. This EO seeks to overhaul many aspects of defense acquisition in order to enhance military capabilities and streamline the Department of Defense’s (“DOD”) procurement processes. While every presidential administration seeks to streamline and facilitate defense procurement, this EO contains noteworthy approaches that defense contractors should be aware of. For instance, the EO suggests that the government has an appetite for “risk” when it comes to DOD procurements: “We will also modernize the duties and composition of the defense acquisition workforce, as well as incentivize and reward risk-taking and innovation from these personnel.”


Other Transactions: A Flexible and Efficient Acquisition Tool for the Department of Defense

Scott Arnold and Samarth Barot 

On March 6, 2025, the Defense Secretary released a memorandum directing the Department of Defense (“DoD”) to adopt the Software Acquisition Pathway (“SWP”) to speed up the development, procurement, and delivery of software needed for weapons and business systems. Specifically, the memorandum directed DoD to use Commercial Solutions Openings and Other Transactions (“OTs”) as the default solicitation and award approaches for acquiring capabilities under the SWP. As a result, we are likely to see an expansion in DoD’s use of OTs. Thus, contractors should be aware of the rules and regulations regarding OTs.

Background

While OTs have been in the news a lot these days, they are not a new concept. OTs date back to 1958, when Congress granted the National Aeronautics and Space Administration (“NASA”) the authority to enter into transactions other than contracts, grants, or cooperative agreements in order to foster innovation and speed in the space race.


What CMMC Level Do I Need? The Department of Defense Issues New Guidance for Determining Appropriate CMMC Compliance Level

Michael Joseph Montalbano 

The Department of Defense (“DOD”) recently issued new guidance outlining how it will determine Cybersecurity Maturity Model Certification (“CMMC”) levels for its solicitations and contracts. Prior to this guidance, contractors generally understood that contracts with only Federal Contract Information (“FCI”) would require a CMMC Level 1 self-assessment; contracts with Controlled Unclassified Information (“CUI”) would require either a CMMC Level 2 self-assessment or a CMMC Level 2 certification; and DOD contracts “supporting its most critical programs and technologies” would require a CMMC Level 3 certification. DOD’s new guidance provides additional information contractors can use to help them determine which CMMC Level they should achieve.


Department of Defense Issues Final CMMC Rule

Michael Joseph Montalbano 

On October 11, 2024, the Department of Defense (“DoD”) issued the first part of its final rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) program. As expected, the final rule requires companies entrusted with national security information to implement cybersecurity standards at progressively more demanding levels (CMMC Level 1, CMMC Level 2, and CMMC Level 3), depending on the type and sensitivity of the information they handle. While the final rule largely tracks the proposed rule issued in December 2023, we outline below several notable updates DoD included in the final rule and their potential impacts on DoD contractors.


The Department of Defense Clarifies FedRAMP Equivalency Standard

Michael Joseph Montalbano 

As many Department of Defense (“DoD”) contractors know, if they want to store, process, or transmit covered defense information (“CDI”) with a cloud service provider (“CSP”), then the CSP must meet security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline. This raises the question: what counts as equivalence to the FedRAMP Moderate baseline? Earlier this month, DoD issued a much-needed memorandum that helps answer this question.


Understanding the Basics of CMMC Level 3

Michael Joseph Montalbano 

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1 and CMMC Level 2. In this post, we discuss the most demanding CMMC level, CMMC Level 3.

What contracts will be subject to CMMC Level 3?

Unlike with CMMC Levels 1 and 2, DoD has not announced specific criteria for when CMMC Level 3 will apply. DoD has only stated that CMMC Level 3 will apply to contracts “supporting its most critical programs and technologies.” We know that CMMC Level 2 will apply to contracts where the contractor will receive Controlled Unclassified Information (“CUI”), so we can probably assume that CMMC Level 3 will, at a minimum, apply to contracts with the most sensitive CUI. DoD estimates that less than 1% of defense contractors will obtain a CMMC Level 3 certification once the rule has gone into full effect, which suggests that relatively few contracts will require CMMC Level 3.

What are the requirements of CMMC Level 3?

There are three steps the contractor must satisfy to obtain a CMMC Level 3 certification. First, the contractor must obtain a CMMC Level 2 certification. This means that a CMMC Third-Party Assessment Organization (“C3PAO”) will need to assess any contractor information system that stores, processes, or transmits CUI for compliance with the NIST SP 800-171 Rev. 2 security requirements. Note that because the proposed CMMC rule requires a CMMC Level 2 certification (a third-party assessment) as the prerequisite, a CMMC Level 2 self-assessment will not suffice.


Understanding the Basics of CMMC Level 2

Michael Joseph Montalbano 

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1. In this post, we discuss the basics of CMMC Level 2.

What contracts will be subject to CMMC Level 2?

CMMC Level 2 will apply to all DoD contracts where the contractor will receive Controlled Unclassified Information (“CUI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. CUI is information that requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies. The CUI Registry maintained by the National Archives currently organizes CUI into 20 organizational index groupings, each containing specific CUI categories; the groupings include Defense, Export Control, Intelligence, and Procurement and Acquisition. While not as prevalent as Federal Contract Information, CUI is still often used in the performance of DoD contracts, and DoD estimates that approximately 36 percent of defense contractors will obtain a CMMC Level 2 self-assessment or certification once the rule has gone into full effect.
