Hero Background

CMMC Is Changing. Protecting CUI Is Still the Mission

One thing I’ve learned after working with organizations across the defense supply chain is that the companies that consistently succeed aren’t the ones chasing the latest requirement. They’re the ones that build strong security practices first and let compliance become the natural outcome of doing the right things well.

That’s why yesterday’s Department of War (DoW) guidance didn’t fundamentally change my perspective on what organizations handling Controlled Unclassified Information (CUI) should be focused on.

Like many of you, I’ve spent the last day reading the guidance, talking with customers, and discussing what it means with colleagues across the industry. The questions have been remarkably consistent. Should we change our plans? Should we pause our efforts? Does this change what we should be investing in?

They’re fair questions.

But I don’t think they’re the most important ones.

Instead of asking, “What changed?” I believe organizations should start by asking, “What hasn’t changed?”

The answer is straightforward.

The recent DoW guidance changes aspects of the assessment and verification process. It does not change the responsibility to protect Controlled Unclassified Information. Organizations that handle CUI are still expected to implement the security requirements defined in NIST SP 800-171, and the contractual obligation to safeguard that information remains in place.

If your organization has been building its cybersecurity program around protecting CUI rather than simply preparing for an assessment, this guidance shouldn’t fundamentally change your direction.

Protecting CUI is still the mission.

The Mission Hasn't Changed

Whenever regulations evolve, it’s natural to focus on what’s different. We analyze timelines, assessment methods, and implementation details because those are the most visible changes. While those discussions are important, they can also distract us from the bigger picture.

The purpose of cybersecurity within the Defense Industrial Base has never been to pass an assessment. It’s to protect information that our customers, partners, and ultimately our warfighters depend on every day.

Think about the information your organization handles. Engineering drawings, technical specifications, manufacturing processes, software artifacts, testing data, supplier documentation, and program information all represent years of innovation, investment, and collaboration. More importantly, they represent trust. Your customers trust you to protect that information, and that responsibility doesn’t disappear because the verification process evolves.

Prime contractors still expect confidence throughout their supply chains. Government agencies still expect contractors handling CUI to implement the security requirements defined in NIST SP 800-171. Customers still want partners they can trust with sensitive information because protecting that information is essential to protecting their own business.

Those expectations existed before yesterday’s guidance, and they’ll continue long after today’s headlines fade.

In many ways, I think the recent guidance reminds us of something we’ve known all along. CMMC has always been a mechanism for verifying cybersecurity practices. It was never the reason those practices mattered in the first place.

The mission has always been protecting CUI.

Don't Mistake a Pause for a Pass

One concern I have is how some organizations may interpret the recent guidance.

Whenever there’s uncertainty, it’s tempting to slow down, postpone investments, or wait for additional direction before making the next move. On the surface, that may seem like the safest course of action. I don’t believe it is.

If your organization has spent the past several years strengthening its cybersecurity program around protecting CUI, the work you’ve done hasn’t suddenly lost value. The controls you’ve implemented, the documentation you’ve developed, and the operational discipline you’ve established continue to reduce risk and strengthen your business. None of that changes because the assessment process has changed.

In fact, I think this moment presents an opportunity.

Instead of asking whether you should continue preparing for CMMC, ask whether your organization is truly positioned to protect CUI every day. Those are related questions, but they’re not the same question. The organizations that emerge strongest from this period of transition will be the ones that use the additional time to improve their security posture rather than simply waiting for the next announcement.

One of the things I often tell customers is that cybersecurity isn’t something you turn on when an auditor arrives. It’s reflected in the decisions your organization makes every day, even when no one is watching. The policies you follow, the technology you deploy, and the culture you build all contribute to protecting sensitive information long before anyone asks to verify your controls.

That principle hasn’t changed.

Compliance Is an Outcome, Not the Goal

Over the past several years, it’s understandable that much of the industry’s attention has centered on preparing for CMMC. Regulations naturally drive action, and many organizations have invested significant time and resources understanding what certification would require.

There’s real value in that work. Preparing for compliance has helped many organizations strengthen their cybersecurity posture, improve documentation, and gain a much better understanding of where CUI exists within their environment.

At the same time, it’s important to remember why these requirements exist in the first place.

Compliance and verification both serve an important purpose, but neither is the ultimate objective. The real objective is protecting Controlled Unclassified Information in a way that’s repeatable, sustainable, and built into the daily operations of your business.

Throughout my career, I’ve found that the organizations navigating regulatory change most successfully aren’t the ones chasing every new requirement. They’re the ones investing in strong cybersecurity fundamentals because protecting sensitive information is simply part of how they operate.

When security becomes part of your culture instead of a project tied to a deadline, compliance becomes much more manageable. Documentation is easier to maintain, evidence is easier to demonstrate, and future verification, regardless of what form it takes, becomes significantly less disruptive.

Most importantly, organizations that build cybersecurity programs around protecting CUI don’t have to rethink their strategy every time guidance evolves. They stay focused on what matters most, and that’s exactly where I believe organizations should be focused today.

Three Questions Every Defense Contractor Should Be Asking

Rather than asking, “When will my assessment happen?” I believe organizations should be asking three different questions. The answers to these questions are far more important than any assessment timeline because they get to the heart of what protecting CUI is really about.

First- do you know where your CUI lives?

Before you can protect sensitive information, you have to understand where it exists. That sounds straightforward, but in practice it’s often one of the biggest challenges organizations face. Over time, CUI has a way of spreading beyond its original location into email, collaboration platforms, engineering systems, shared drives, supplier communications, and other places where teams work together.

Understanding that footprint is the first step toward reducing risk. It also creates opportunities to reduce the amount of CUI your organization manages, simplifying both day-to-day operations and future compliance efforts.

Second- are you protecting it consistently?

Implementing NIST SP 800-171 isn’t about completing a checklist. It’s about establishing security practices that become part of your organization’s daily operations. The strongest cybersecurity programs don’t depend on individual effort or someone’s memory to do the right thing. They rely on well-defined processes, repeatable controls, and a culture where protecting sensitive information is simply part of how business gets done.

If you’ve been focused on strengthening those fundamentals, you’ve been building value that extends far beyond any single assessment.

Finally- could you demonstrate what you've implemented?

Whether future verification comes through self-attestation, a third-party assessment, or another process, organizations should be able to demonstrate how they’re protecting CUI. That means maintaining documentation, preserving evidence, and periodically validating that security controls are operating as intended.

Companies that treat documentation as part of good operational discipline, rather than something created only for an auditor, tend to have a much clearer understanding of their environment and are far better prepared when questions arise.

What You Should Do Next

Whenever guidance changes, there’s a natural tendency to pause until the picture becomes clearer. While that instinct is understandable, I don’t believe it’s the right response.

Instead, I’d encourage organizations to use this time to strengthen the work they’ve already begun. Review where CUI is stored, processed, and shared. Evaluate how effectively your NIST SP 800-171 controls are operating. Continue improving documentation and collecting the evidence that demonstrates your cybersecurity posture. If there are opportunities to reduce unnecessary CUI exposure or simplify the environments where sensitive information resides, now is the time to pursue them.

If you’ve been focused on building a mature cybersecurity program instead of simply preparing for an assessment, you don’t need to change direction. Stay the course. The work you’ve already done continues to reduce risk, improve operational discipline, and strengthen your ability to protect the information your customers have entrusted to you.

One thought has stayed with me since the guidance was released:

The pause doesn't create time to wait. It creates time to get it right.

Organizations that use this opportunity to strengthen their cybersecurity foundation will be better prepared regardless of how future verification requirements evolve.

Why This Matters Beyond Compliance

One of the reasons I’ve always encouraged organizations to think beyond compliance is because the benefits of strong cybersecurity extend far beyond satisfying a contractual requirement.

A mature cybersecurity program protects intellectual property, reduces operational risk, strengthens customer confidence, and enables secure collaboration across increasingly complex supply chains. Those advantages improve day-to-day operations while also positioning organizations to compete for future opportunities with greater confidence.

Perhaps even more important is the trust that comes with demonstrating a mature security posture. Prime contractors want suppliers they can depend on. Government customers expect contractors to safeguard sensitive information. Business leaders want confidence that their organizations can continue operating securely in an increasingly challenging threat environment.

Those expectations haven’t changed.

If anything, the recent guidance reinforces why organizations should continue investing in sound cybersecurity practices. The work that’s been done to strengthen security controls, improve documentation, and reduce cyber risk continues to deliver value every day. It protects your business, your customers, and your reputation whether an assessment occurs next month or sometime further down the road.

That’s why I don’t see the recent guidance as a setback. I see it as an opportunity to refocus on the outcome we’ve been working toward all along: protecting Controlled Unclassified Information.

How Exostar Thinks About This

At Exostar, our perspective hasn’t changed because our objective has never been centered on helping organizations pass an assessment. From the beginning, we’ve believed the real goal is helping customers build a practical, sustainable approach to protecting CUI.

That starts with understanding where CUI exists, reducing unnecessary exposure, implementing the security requirements of NIST SP 800-171, and maintaining the documentation and evidence needed to demonstrate a strong cybersecurity posture. By reducing complexity and helping organizations focus their efforts where they have the greatest impact, we believe customers are better positioned for today’s contractual obligations while remaining prepared for tomorrow’s verification requirements.

Our own experience reinforces that philosophy. As a FedRAMP Authorized provider that has implemented NIST SP 800-171 security requirements and undergone rigorous independent assessments, we’ve experienced firsthand the discipline required to build and maintain a mature cybersecurity program. That experience shapes how we work with customers every day.

Rather than preparing organizations for a single milestone, our goal is to provide a faster, more predictable path to protecting CUI while reducing the complexity that often comes with managing cybersecurity in today’s defense supply chain.

Looking Ahead

The Defense Industrial Base has always operated in an environment of change. Technologies evolve, threats become more sophisticated, and regulations continue to adapt in response. Successful organizations recognize that reality and build cybersecurity programs designed to evolve with it rather than react to every new policy change.

That’s why I don’t believe the most important question is what changed yesterday. The more important question is whether your organization is better prepared today than it was yesterday. If the answer is yes, then you’re moving in the right direction, regardless of how the assessment and verification process continues to evolve.

Continue strengthening your cybersecurity program. Continue protecting the information your customers trust you with. Continue investing in the processes, technologies, and culture that make your organization more resilient. Those efforts will continue to pay dividends, whether the next step is self-attestation, third-party verification, or future guidance that hasn’t yet been written.

One thing I’ve learned over the years is that organizations rarely regret investing in stronger cybersecurity. They do, however, regret waiting until circumstances force them to act. That’s why I don’t view the recent guidance as a reason to slow down. I see it as an opportunity to strengthen the foundation you’ve already been building.

Yesterday’s guidance may have changed the path for some organizations, but it didn’t change the destination. The mission has always been, and will continue to be, protecting Controlled Unclassified Information (CUI). Stay focused on that mission, and you’ll be well prepared for whatever comes next, because strong cybersecurity isn’t defined by a single requirement. It’s built through the consistent decisions organizations make every day to protect the information entrusted to them.