Episodes

  • Episode 1 - What is CMMC and How Does it Effect Me?
    Feb 12 2026

    If you are considering entering the Department of Defense market—or you are already in it but hoping CMMC might quietly go away—this episode is for you.

    In this foundational discussion, I break down:

    • What CMMC actually is (and what it is not)
    • How CMMC relates to DFARS 252.204-7012 and NIST SP 800-171
    • When CMMC applies—and when it does not
    • Why there is no universal CMMC deadline
    • What “condition precedent to award” really means
    • How scoping decisions materially impact cost and audit burden

    In this episode, I also examine the phased implementation timeline, the contracting officer’s discretion in including CMMC requirements, and the structural realities of the C3PAO ecosystem that influence assessment cost and availability.

    Bottom line:
    CMMC is a DoD acquisition requirement designed to verify implementation of NIST SP 800-171. It becomes binding when it appears in your solicitation or contract—and it follows the flow of DoD information within your environment, not necessarily your entire enterprise.

    If you work with DoD information—or are considering entering that market—strategic scoping and early planning are not optional.

    Connect with me on LinkedIn, and if this episode clarified something for you, share it with your work bestie.

    And remember—don’t say “cooey.” It’s ooey.

    13 min
  • Episode 0: Ooey Cooey Is Back
    Feb 8 2026

    Are you a defense contractor being told that everything is CUI—or that your contract contains CUI—without anything actually being marked? Or unsure whether you handle CUI at all, and therefore whether CMMC Level 1 or Level 2 applies to you?

    That confusion is exactly why Ooey Cooey exists.

    This re-introduction episode explains what this podcast is about, why it’s coming back now, and who it’s for. Ooey Cooey focuses on the full lifecycle of Controlled Unclassified Information (CUI)—from identification and designation to marking, safeguarding, sharing, retention, and destruction—and how those requirements actually show up in contracts and operations.

    Since the last episode aired in 2021, a lot has changed: CMMC 2.0, new DFARS clauses, recurring cybersecurity attestations, compliance scoring, and third-party assessments have created a more complex and higher-risk environment for contractors. This episode explains what’s changed, why enforcement looks different today, and why clarity matters more than ever.

    You’ll also hear how the podcast has evolved. Episodes will be short (15–20 minutes), focused on one concept at a time, and designed to answer four core questions:
    • What is the rule?
    • Who is responsible?
    • Where do contractors get it wrong?
    • What should you do instead?

    This is not a technical podcast, not vendor-driven, not fear-based compliance—and not legal advice. It’s about clarity, context, and making informed, defensible decisions.

    Earlier episodes from 2021 are still available and remain relevant for foundational CUI concepts based on the NARA CUI regulations. New episodes will build on that foundation and focus on how CUI requirements are being operationalized today.

    If you’re confused about how, when, and where CUI safeguarding requirements impact your company, this show is for you. If you’re looking for a checklist without context, it probably isn’t.

    Connect on LinkedIn: leslieweinsteinmba
    Resources for government contractors: www.the-cyberadvisor.com

    Until next time—and remember: don’t call it Cooey. That would be Ooey.

    9 min
  • Storing CUI
    Jun 6 2021

    32 CFR says that authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI. They must include the following measures among the reasonable precautions:

    (1) Establish controlled environments in which to protect CUI from unauthorized access or disclosure and make use of those controlled environments.

    (2) Reasonably ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI;

    (3) Keep CUI under the authorized holder's direct control or protect it with at least one physical barrier, and reasonably ensure that the authorized holder or the physical barrier protects the CUI from unauthorized access or observation when outside a controlled environment; and

    (4) Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on Federal information systems in accordance with the applicable security requirements and controls established in FIPS PUB 199, FIPS PUB 200, and NIST SP 800-53.

    29 min
  • Interview with the ISOO
    May 19 2021

    Have you ever wondered where NIST 800-171 came from or why it was written? In August 2020 I had the opportunity to interview a representative from the Information Security Oversight Office (ISOO) on my YouTube channel DIB Tech Talk (https://www.youtube.com/c/DIBTechTalk). This interview goes into the origins of NIST 800-171 with someone who was there when it happened. He walks us through some of the thinking behind the CUI program and why it's important.

    40 min
  • Marking and Labeling CUI
    May 9 2021

    At minimum, CUI markings for unclassified DoD documents will include the acronym “CUI” in the banner and footer of the document. If portion markings are selected, then all document subjects and titles, as well as individual sections, parts, paragraphs, or similar portions of a CUI document known to contain CUI, will be portion marked with “(CUI).” Use of the unclassified marking “(U)” as a portion marking for unclassified information within CUI documents or materials is required.

    26 min
  • Creating and Designating CUI
    Apr 25 2021

    The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly.

    But how? Tune in to find out.

    16 min
  • What is CUI?
    Apr 24 2021

    Established by Executive Order 13556 in 2010, the Controlled Unclassified Information (CUI) program standardizes the way the entire Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies. The Department of Defense (DOD) is an agency within the Executive branch of the U.S. government.

    But what is CUI? Tune in to find out!

    32 min