Taking Care of Controlled Unclassified Information

Image: water pressure gauges

Specialized parts used in military contexts may be subject to CMMC scrutiny. DFARS told us what data we were expected to protect. NIST SP 800-171 laid out the 110 cybersecurity controls for protecting it. CMMC verifies that those controls are in place.

In a small business with a million and one things to do

At the end of last year, a machine shop that had been supplying small parts to a defense contractor was audited on its handling of CUI (Controlled Unclassified Information). CUI is not classified military intelligence; it’s working documents like technical drawings, specs, contract pricing and supplier information. The audit showed that the shop couldn’t fully account for how CUI was being handled. The situation had to be remedied immediately or the contract was in jeopardy. No one had been intentionally negligent, and this needn’t have been an emergency — if the machine shop had understood the importance of being able to show its work.

The requirement isn’t new

DFARS 252.204-7012 has required contractors — including subcontractors up the supply chain — to protect CUI since 2017. As of 2025, CMMC (Cybersecurity Maturity Model Certification) has begun the shift from self-attestation to third-party verification. Specific requirements are being phased in, but the principles and underlying framework are not new. The change is that as of last November, some military contracts now require external audits of compliance.

So the next step for many small-business contractors who have operated under Department of Defense (DoD) contracts for years – like in the opening example – is moving from self-attested compliance with the NIST framework to demonstrating that compliance to third parties.

The everyday invisible risk

Managers expect their staff to be efficient problem-solvers. This is crucial to how many small businesses have grown – running lean and being innovative. Sometimes this entrepreneurial backbone runs at odds with what’s called “visibility,” the mapping of CUI data, including where it resides, its movement and its security controls.

In order to get things done quickly, employees reach for the tools they know: personal email, file-sharing tools, personal AI chat assistants, added browser extensions. Choosing any of these feels like getting things done. But once CUI passes through a tool that is outside your documented controls, the same shortcut can also create a compliance problem. Efficiency can bang head-on against contractual compliance. Part of the solution is making your whole team aware of what’s at stake.

COO Anna Darlagiannis-Livingstone, Bryley’s compliance lead, addresses this conflict regularly: “I understand it’s expensive for companies to have everyone on board. But an employee can make a mistake or forget – we put things in place to help keep employee activity on course for compliance. And we try to involve the whole-company community and make the learning interactive, so more staff understand and buy into what’s involved in being a DoD contractor.”

Downstream pressure

As cyberthreats evolve, prime DoD contractors are having the practices of their suppliers questioned. CMMC is increasingly being invoked, bringing pressure on smaller upstream suppliers to show how CUI is being protected with walkthrough process audits and documentation requests.

The consequence

Sometimes the need for visibility will come at contract renewal [1]. How prepared is your organization with an accounting of where CUI resides, how it moves through your applications and other tools, and what security measures protect it? Not having ready visibility into these areas can put a contract’s status in question, consume staff time and create anxiety at exactly the wrong moment, as a delay in reporting can mean anticipated revenue doesn’t come through on schedule.

Even relationships built over years of trusted communication can get newly tested as pressure moves upstream to produce validation that is complete and consistent.

What compliance actually requires

The main idea in fulfilling CMMC is that your NIST-compliant practices are documented well enough to be verified. In practice, this means you need to have the path that CUI travels fully mapped: where it is stored, which systems and people touch it, and which controls protect it at each step. If that mapping reveals data-handling deficiencies, they can be corrected. The final step is verifying that those corrections hold up to independent examination.

Anna said, “Bryley always wants to put in place as many appropriate security controls, processes and procedures — even things like multifactor authentication — ahead of any third-party tests. We do initial testing, but we also send penetration tests to a third party to QC our work. We know what we put in place — but they go in with fresh eyes. And that mirrors the independent CMMC audits that may come later.”

Start here

A Bryley review can clarify where your business is in the DoD compliance process, reduce surprises down the road and give you a clearer path forward on CMMC before it’s urgent. To speak to Bryley’s Roy Pacitto, please complete the form below. Or you can email Roy at RPacitto@Bryley.com or reach him by phone at 978.562.6077 x217.

[1] https://www.acquisition.gov/dfars/subpart-204.75-cybersecurity-maturity-model-certification

Connect with a Bryley IT expert about CMMC