CMMC Compliance: Protect CUI and Win Defense Contracts

CUI is government-created or government-owned information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. Common categories in the DoD supply chain include: technical data, engineering drawings, specifications, export-controlled data (ITAR/EAR), law enforcement sensitive information, privacy-protected information, and defense acquisition information. CUI is marked with specific designations and handled under specific rules defined by the CUI Registry maintained by the National Archives. If you handle government contracts and are unsure whether your work involves CUI, the answer is almost certainly yes — and the consequences of handling it without appropriate controls are significant.

It depends on the contract requirement. CMMC Level 1 requires annual self-assessment with senior official affirmation submitted to SPRS. CMMC Level 2 is split: contracts designated as "critical" by the DoD require a C3PAO assessment; non-critical Level 2 contracts may permit triennial self-assessment. CMMC Level 3 requires a government-led assessment by the Defense Contract Management Agency (DCMA). The solicitation or contract will specify the required assessment type. Vigil Cyber prepares you for either pathway — self-assessment with documented evidence, or C3PAO assessment with full preparation support.

The Supplier Performance Risk System (SPRS) score is the numerical representation of your NIST SP 800-171 implementation status. It starts at 110 and decreases based on unimplemented practices. Different practices carry different point values based on their impact — high-value practices like multi-factor authentication, system monitoring, and access control each carry significant point weights. A perfect SPRS score of 110 means all 110 practices are fully implemented. The score is self-reported (except for C3PAO-assessed organizations) and is visible to DoD contracting officers. Vigil Cyber conducts a pre-submission assessment to validate your score and identify practices where your claimed implementation may not withstand scrutiny.

Timeline depends on your current security posture. Organizations with mature IT controls and existing NIST 800-171 documentation may achieve assessment readiness in 6 to 9 months. Organizations starting from a limited baseline — no formal policies, limited access controls, no audit logging — should plan for 12 to 18 months. The most time-consuming elements are typically: implementing multi-factor authentication across all systems, establishing an audit logging and review program, completing configuration management baselines, and building the documentation required for the System Security Plan. Vigil Cyber provides a realistic timeline after conducting the initial gap assessment — not before.

A C3PAO assessment results in one of three outcomes: Conditional Certification (meets most practices, POA&M accepted for remaining deficiencies within permitted tolerances), Not Certified (significant deficiencies that cannot be accepted on a POA&M), or Certified (all practices fully implemented). If conditional, the POA&M milestones must be met within the specified timeframe or certification is revoked. If not certified, the organization cannot be awarded or continue performance on CMMC-required contracts until deficiencies are remediated and a reassessment passes. Vigil Cyber's preparation approach prioritizes closing the high-impact gaps that are most likely to result in a Not Certified outcome — so you enter assessment with confidence.