Ooey Cooey

By: The Cyber Advisor

About this title

Expert advice about Controlled Unclassified Information (CUI).

www.the-cyberadvisor.com

© 2026 the-cyberadvisor
Politics & Government
  • Episode 1 - What is CMMC and How Does it Effect Me?
    Feb 12 2026

    If you are considering entering the Department of Defense market—or you are already in it but hoping CMMC might quietly go away—this episode is for you.

    In this foundational discussion, I break down:

    • What CMMC actually is (and what it is not)
    • How CMMC relates to DFARS 252.204-7012 and NIST SP 800-171
    • When CMMC applies—and when it does not
    • Why there is no universal CMMC deadline
    • What “condition precedent to award” really means
    • How scoping decisions materially impact cost and audit burden

    In this episode, I also examine the phased implementation timeline, the contracting officer’s discretion in including CMMC requirements, and the structural realities of the C3PAO ecosystem that influence assessment cost and availability.

    Bottom line:
    CMMC is a DoD acquisition requirement designed to verify implementation of NIST SP 800-171. It becomes binding when it appears in your solicitation or contract—and it follows the flow of DoD information within your environment, not necessarily your entire enterprise.

    If you work with DoD information—or are considering entering that market—strategic scoping and early planning are not optional.

    Connect with me on LinkedIn, and if this episode clarified something for you, share it with your work bestie.

    And remember—don’t say “cooey.” It’s ooey.

    13 min.
  • Episode 0: Ooey Cooey Is Back
    Feb 8 2026

    Are you a defense contractor being told that everything is CUI—or that your contract contains CUI—without anything actually being marked? Or unsure whether you handle CUI at all, and therefore whether CMMC Level 1 or Level 2 applies to you?

    That confusion is exactly why Ooey Cooey exists.

    This re-introduction episode explains what this podcast is about, why it’s coming back now, and who it’s for. Ooey Cooey focuses on the full lifecycle of Controlled Unclassified Information (CUI)—from identification and designation to marking, safeguarding, sharing, retention, and destruction—and how those requirements actually show up in contracts and operations.

    Since the last episode aired in 2021, a lot has changed: CMMC 2.0, new DFARS clauses, recurring cybersecurity attestations, compliance scoring, and third-party assessments have created a more complex and higher-risk environment for contractors. This episode explains what’s changed, why enforcement looks different today, and why clarity matters more than ever.

    You’ll also hear how the podcast has evolved. Episodes will be short (15–20 minutes), focused on one concept at a time, and designed to answer four core questions:
    • What is the rule?
    • Who is responsible?
    • Where do contractors get it wrong?
    • What should you do instead?

    This is not a technical podcast, not vendor-driven, not fear-based compliance—and not legal advice. It’s about clarity, context, and making informed, defensible decisions.

    Earlier episodes from 2021 are still available and remain relevant for foundational CUI concepts based on the NARA CUI regulations. New episodes will build on that foundation and focus on how CUI requirements are being operationalized today.

    If you’re confused about how, when, and where CUI safeguarding requirements impact your company, this show is for you. If you’re looking for a checklist without context, it probably isn’t.

    Connect on LinkedIn: leslieweinsteinmba
    Resources for government contractors: www.the-cyberadvisor.com

    Until next time—and remember: don’t call it Cooey. That would be Ooey.

    9 min.
  • Storing CUI
    Jun 6 2021

    32 CFR says that authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI. They must include the following measures among the reasonable precautions:

    (1) Establish controlled environments in which to protect CUI from unauthorized access or disclosure and make use of those controlled environments.

    (2) Reasonably ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI;

    (3) Keep CUI under the authorized holder's direct control or protect it with at least one physical barrier, and reasonably ensure that the authorized holder or the physical barrier protects the CUI from unauthorized access or observation when outside a controlled environment; and

    (4) Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on Federal information systems in accordance with the applicable security requirements and controls established in FIPS PUB 199, FIPS PUB 200, and NIST SP 800-53.

    29 min.