The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CUI Compliance for Civilian Contractors: Which Rule Actually Applies in 2026?

By The Defense Compliance Report Editorial Team · ·

For federal prime contractors and subcontractors supporting civilian executive agencies — GSA, DHS, NASA, HHS, DOE, VA, DOJ, and others — not only the Department of Defense.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with NARA, NIST, GSA, DHS, NASA, the Cyber AB, the Department of Defense (Department of War), or any U.S. government agency. This is educational research, not legal, contractual, cybersecurity, or compliance advice.

CUI compliance for civilian contractors is contract-specific — there is no single governmentwide civilian CUI certificate, and you are not automatically subject to CMMC just because you handle Controlled Unclassified Information (CUI). What governs you depends on the agency, the exact clause in your contract or subcontract, the CUI category, and whether your system is a federal system operated on the government’s behalf or an ordinary nonfederal contractor system. Today, FAR 52.204-21 is the floor for Federal Contract Information (FCI); GSA, DHS, and NASA each run their own active CUI requirements; and a governmentwide FAR CUI rule proposed on June 23, 2026 is not yet final. Start with the contract — find the clause, name the CUI, classify the system — before you buy an enclave, migrate a cloud, hire an assessor, or sign a six-figure engagement.

Quick answer: the six questions we hear most

Your questionThe bottom line
Is CMMC automatically required for civilian work?No. CMMC applies only through an actual DoD solicitation, contract or order, or valid subcontract flow-down. And as of July 16, 2026, even in DoD, the broad third-party assessment rollout (Phase II) is on hold (see below).
What sets a civilian contractor’s requirement?The agency, the contract or subcontract clause, the CUI category, the incorporated documents, and whether the system is federal or nonfederal.
Is FAR 52.204-21 enough?No. It’s the 15-safeguard floor for FCI. It does not, on its own, satisfy a CUI requirement.
NIST 800-171 Rev. 2 or Rev. 3?The contract and agency control. GSA and the proposed FAR rule point to Rev. 3; CMMC is still on Rev. 2. Don’t infer the version from the word “CUI.”
Is the June 2026 FAR CUI rule final?No. FAR Case 2026-001 is a proposed rule; the public-comment period runs through July 23, 2026.
What should I do first?Find the clause and attachments, identify the CUI category and authority, and confirm whether your system is federal or nonfederal.

Here’s the part a lot of the material ranking for this topic gets wrong, and the reason we built this page: “civilian contractor” is buried under Department of Defense content that doesn’t fit you. So we read the clauses ourselves — the FAR, the agency supplements, the GSA guide, the June 2026 Federal Register notice — separated what ’s law from what’s merely proposed, and put it on one map. By the end you’ll know which combination of authorities applies to you, which NIST version you actually owe, and the exact questions to send your contracting officer before you spend a dollar.

The one honest catch, up front

There is no civilian “CUI certified” badge you can buy, and a strong CMMC or FedRAMP posture may not, by itself, satisfy an agency’s contract-specific requirements. That sounds like bad news. It isn’t. It’s the thing that protects you from the far more expensive mistake — buying a defense-only assessment, a government cloud, or an enterprise remediation program before anyone confirmed the actual clause. Fragmentation is frustrating, but it’s also leverage: once you know your branch, most of the panic-buying options fall away. We’ll get you there.

The right kind of help isn’t the same for every civilian contractor. The category you need — a Managed Security Service Provider (MSSP), a GRC platform (governance, risk, and compliance software), a CUI enclave, an independent assessor, or a federal-contracts attorney — depends on your agency, your CUI category, whether your system is federal or nonfederal, your cloud environment, and your contract timeline. The contract clause sets your obligation, not a checklist. Because a general answer can’t resolve those for you, use the routing form to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.

Which authority governs you? (The map)

CUI compliance for civilian contractors means following the security and handling obligations that a specific contract, subcontract, agency policy, or information-sharing agreement incorporates — not a universal certificate. Because those obligations vary by agency, CUI category, and system type, a contractor must first identify the governing authority before selecting controls, clouds, or providers. There is no one civilian standard, which is why “just give me the checklist” is the wrong first question.

CUI is a governmentwide program, not a DoD invention. It traces to Executive Order 13556 (2010), which created the CUI Program and named the National Archives and Records Administration (NARA) — through its Information Security Oversight Office (ISOO) — as the executive agent. The implementing rule, 32 CFR Part 2002, tells every executive-branch agency how to designate, mark, safeguard, and share CUI. NARA maintains the CUI Registry, the master list of CUI categories and the laws behind them.

Here’s the mechanism that matters. Under 32 CFR 2002.14, agencies use NIST SP 800-171 to set confidentiality requirements for CUI on nonfederalsystems — unless the specific CUI category has its own safeguarding law, or an agreement sets a higher bar. But a NIST publication doesn’t bind you merely by existing. An obligation reaches you through a contract, subcontract, agreement, law, or regulation. So the standard is the technical baseline; the instrument that pulls it in is what makes it enforceable on you. No instrument in hand, but CUI on your systems? That’s a conversation for your contracting officer — not a reason to relax.

These rows are not mutually exclusive. A single contract can implicate the governmentwide CUI framework, FAR 52.204-21 for FCI, and one or more agency-specific clauses or attachments at the same time. Identify every row that applies to you — not just one.

Civilian Contractor CUI Compliance Authority Matrix — verified July 16, 2026

Authority / regimeCurrent statusWhat triggers itFederal vs. nonfederal pathControlling baselineIs CMMC the answer?First question to ask in writing
32 CFR Part 2002 / NARA CUI Program 1Active governmentwide frameworkA contract or agreement involving CUIFederal systems → FIPS/NIST 800-53; nonfederal → agency-set 800-171800-53 (federal) or 800-171 (nonfederal), subject to category/agreement exceptionsNo“Which CUI category, safeguarding authority, and system type govern this work?”
FAR 52.204-21 2ActiveFCI may reside in or transit through a contractor/subcontractor system (COTS-only acquisitions excluded)Contractor system handling FCI15 basic safeguardsNo — it’s the FCI floor, not the CUI answer“Is there a separate CUI clause, security attachment, or agency policy on top of this?”
GSA (CIO-IT Security-21-112 Rev. 1) 3Active where GSA approves it and it’s in the solicitation (signed Jan 5, 2026)GSA coordinates and the CISO approves use of the process for a qualifying nonfederal CUI systemNonfederal contractor systems (FIPS 199 Moderate for confidentiality) handling GSA CUINIST 800-171 Rev. 3 + selected 800-172 Rev. 3 (Draft) + selected 800-53 Rev. 5 privacy; independent assessmentNo“Has GSA approved this process for us, and which guide revision and attachments are incorporated?”
DHS (HSAR 3052.204-72) 4Active when includedA DHS contract/subcontract includes the clause and covered CUI workClause- and DHS-policy-driven; Alternate I adds an ATO gate for on-behalf-of systemsDHS policies in effect at award (not automatically 800-171)No“Is Alternate I included, and which DHS policies and reporting channels apply?”
NASA (NFS 1852.204-76) 5Active when prescribedNASA IT/information work meeting the clause prescriptionDefined through the clause, the Applicable Documents List (ADL), and system designationContract-specific ADL; NPR 2810.1; 800-171 only where the ADL or an incorporated instrument names itNo“Which ADL version, management-plan deliverables, and system designation apply?”
DoD / CMMC (DFARS + 32 CFR Part 170) 6Phase I in effect; Phase II implementation suspended July 13, 2026An actual defense solicitation, contract or order, or valid flow-downDoD / DIB pathNIST 800-171 Rev. 2; Level 2 status Final or Conditional (Conditional limited by the POA&M rules in 32 CFR 170.21)Yes — only on this branch“Which current DFARS/CMMC status is expressly required by the solicitation or flow-down?”
Proposed FAR Case 2026-001 (FAR 52.240-6/-7, SF XXX) 7Proposed — not final; comment period runs through July 23, 2026Would apply if finalized and a clause/SF is included in a CUI contractProposed explicit federal and nonfederal pathsProposed Rev. 3, FedRAMP Moderate-equivalent cloud, 72-hour reporting, flow-downNo (separate from DoD CMMC)“Is this proposal planning, or is a final clause actually in my contract yet?”

Sources for each row: 1 32 CFR 2002.14 (eCFR); NARA CUI. 2 FAR 52.204-21 (Acquisition.gov). 3 GSA CIO-IT Security-21-112 Rev. 1 (PDF). 4 HSAR 3052.204-72 (Acquisition.gov). 5 NFS 1852.204-76 (Acquisition.gov). 6 32 CFR Part 170 (eCFR). 7 FAR Case 2026-001, 91 FR 37550 (Federal Register).

Two things jump off that table. First, CMMC is notthe default civilian-agency branch — six of the seven rows answer “no.” Second, the NIST version genuinely splits by branch, and that split is where contractors lose the most money. We’ll unpack both.

This is the page’s first decision point. If you can already find every row that applies and you know your clauses, skip ahead to the agency section that fits you. If you can’t — if your contract says “CUI” and not much else — the tool below is the fastest way to pin down your branch.

▶ Map your CUI obligation in about two minutes

Enter your agency, contract stage, and the clause numbers or attachment names you see — nothing sensitive. The routing form returns the authority branch you likely fall under, whether it’s active or merely proposed, the documents you still need, and a written-question list to send your contracting officer.

Map my CUI obligation →

Educational only. Do not enter CUI, drawings, contract numbers, or system details.

How do I know if my civilian contract even involves CUI?

Information is CUI when law, regulation, or governmentwide policy requires or permits safeguarding or dissemination controls, the government (or an organization acting for it) possesses or creates it, and it isn’t classified. The agency should identify or mark CUI and communicate requirements through the contract; if markings are missing or conflict with the contract, the contractor should return the question to the contracting activity rather than decide unilaterally. Getting this call wrong in either direction is costly — over-build and you waste money; under-protect and you risk a false representation.

Start with the distinction that decides everything:

  • Federal Contract Information (FCI)is non-public information provided by or generated for the government under a contract to deliver a product or service. It’s covered by FAR 52.204-21 and its 15 basic safeguards. See also: FCI vs. CUI — what the difference means for your contract.
  • CUI is a separate, more tightly controlled category: information the government has designated for safeguarding under a specific authority, and it should be marked. It’s tied to a safeguarding or dissemination authority and normally carries requirements beyond the FCI floor.

A CUI marking is a handling trigger — but if a marking conflicts with your contract or a valid CUI authority, seek written clarification rather than independently designating or decontrolling the information. And don’t read the absence of a marking as proof that information is only FCI. Unmarked information can be mismarked, legacy-marked, or subject to unresolved authority questions. If information is unmarked or its marking conflicts with the contract, protect it under the existing contract and ask the originator or the government contracting activity to confirm its status and handling.

Within CUI, there’s a further fork that changes your control set:

TypeWhat establishes itWhy it matters
CUI BasicAn authority requires or permits safeguarding but doesn’t prescribe every controlFor qualifying nonfederal systems, the agency normally uses the NIST SP 800-171 path unless a category-specific authority or agreement sets different or additional requirements
CUI SpecifiedThe underlying law prescribes specific handling controlsThat authority can add or change requirements — sometimes well above baseline

Before you build anything, inspect the actual documents: the solicitation and its sections, the prime contract, your subcontract and its flow-down matrix, any security attachment or statement of work, agency supplement clauses, the Applicable Documents List (on NASA work), the CUI category list, contract modifications, and that one-line “please be CUI compliant” email from your prime that started this whole search.

And when the information is unmarked or vaguely labeled, resist the urge to turn every sensitive file into CUI. NARA is explicit:

“Contractors should not follow CUI program requirements or markings until directed to do so in a contract or agreement.” — NARA CUI FAQs

Those six questions — sent in writing, before spending — are the fastest way to resolve this:

  1. What CUI category and safeguarding authority apply to this contract?
  2. Which clause, attachment, guide, and revision establish our requirements?
  3. Are we operating a federal system on the agency’s behalf, or a nonfederal contractor system?
  4. Which NIST publication and revision apply?
  5. What cloud, incident-reporting, evidence, and flow-down conditions apply?
  6. Who can issue binding clarification if the documents conflict?

A dated written clarification from the contracting activity can be one of the most valuable records in your contract-authority file — and it costs nothing to request.

▶ Turn those questions into a working file

The routing form can help you map the clause, CUI category, system designation, standard, cloud terms, incident clock, evidence, and flow-down before you request implementation quotes. Record document names and clause numbers, not sensitive contents.

Map my CUI requirement →

Is your system “federal” or “nonfederal” — and why it changes everything

A contractor-operated system can be a “federal information system” when it is used or operated on an agency’s behalf to provide information-processing services associated with an agency function; it’s “nonfederal” when it only receives federal information incidental to delivering some other product or service. The distinction changes the entire control path — federal systems generally follow FIPS 199/200 and NIST SP 800-53, while nonfederal systems follow contractually invoked NIST SP 800-171. Ownership or multi-tenancy alone doesn’t decide it; the function and the contractual designation do. People get this backward all the time, and it’s expensive.

This fork is written into 32 CFR 2002.14. Two paths:

Federal / operated-on-behalf-of path

If your contract has you running a system that stands in for an agency capability (a portal, a case-management system, a processing service):

  • FIPS 199 categorization and FIPS 200
  • NIST SP 800-53 controls, agency-tailored
  • Often an Authorization to Operate (ATO) and agency continuous-monitoring expectations

Nonfederal path

Your ordinary corporate systems that happen to touch federal CUI:

  • Contractually invoked NIST SP 800-171 (at the revision the instrument names)
  • Any CUI Specified controls and organization-defined parameters
  • A System Security Plan (SSP) where the invoked standard, clause, or agency process requires one
  • An assessment, validation, or authorization process where the governing instrument requires one

Where it gets tricky is mixed environments — a corporate network plus a government portal, a managed service you run for the agency, a SaaS platform with both government and commercial tenants, or a CUI enclave carved out of a larger enterprise. When you’re not sure, get one written answer that settles it:

“For purposes of this requirement, does the agency consider our environment a federal information system operated on the agency’s behalf, or a nonfederal contractor system?”

Ask it before design, not after. Rebuilding to the wrong path is the most expensive rework in this whole domain.

Does CMMC apply to civilian contractors?

CMMC — the Cybersecurity Maturity Model Certification — does not automatically apply to civilian-agency contractors merely because they handle CUI. It’s a Department of Defense program under 32 CFR Part 170, and it becomes relevant only through an applicable CMMC requirement in a DoD solicitation, contract or order, or valid subcontract flow-down. As of July 16, 2026, DoD has suspended implementation of CMMC Phase II — the phase that would have expanded Level 2 third-party assessments — while Phase I self-assessment requirements remain in place. If your work is civilian-only, “we handle CUI, so we need CMMC” is a false syllogism, and one plenty of vendors are happy to let you believe.

Two developments make this cleaner than it was even a month ago.

First, the July 13, 2026 suspension.On that date, the Department of Defense — which now also uses “Department of War” as an authorized secondary title — announced the immediate suspension of CMMC Phase II implementation, which had been scheduled to begin phasing into contracts on November 10, 2026 (Department of War / Office of Industrial Base Growth). CIO Kirsten Davies stood up a 60-day CMMC Reform Task Force, with industry responses to a Request for Information due August 14, 2026 (Federal News Network). A follow-up memo directed that active solicitations and contracts already carrying CMMC Level 2 C3PAO or Level 3 assessment requirements be amended to remove them (Crowell & Moring).

To be precise about scope: Phase II was an implementation phase, not a synonym for the entire third-party assessment ecosystem. What did not change — Phase I self-assessment requirements remain in effect, and DFARS clause 252.204-7012 and the underlying NIST 800-171 obligations are untouched. In plain terms, for DoD contracts right now, Level 1 and Level 2 rely on self-assessment plus select government-led assessment; the broad C3PAO mandate is paused pending the review. Phase I began November 10, 2025; November 10, 2026 is no longer an operative transition date. New to CMMC and landed here by mistake? Our CMMC Final Rule guide is your branch, not this page.

One nuance worth stating plainly, because it trips people up. The DoD side actually uses two related but distinct records in the Supplier Performance Risk System (SPRS): NIST SP 800-171 DoD Assessment summary scores under DFARS 252.204-7019/-7020, and CMMC status, a CMMC Unique Identifier, and affirmation records under the applicable CMMC requirements and 32 CFR Part 170. They are not interchangeable.

Second, the version split. Even on the DoD branch, CMMC Level 2 maps to NIST SP 800-171 Revision 2 — the older version — while civilian implementations increasingly point to Revision 3. That’s not a rounding error, and it’s the next section.

Here’s how the two branches compare, so a dual-hat contractor can see both at once:

QuestionDoD / CMMC branchCurrent civilian branch
Default standardNIST 800-171 Rev. 2 (per 32 CFR Part 170)Agency- and contract-set; GSA and the proposed FAR rule use Rev. 3
Level structureLevel 1: 15 requirements, annual self-assessment, no POA&Ms, Final only. Level 2: 110 requirements; Final requires all 110 MET; Conditional needs ≥88/110 with only POA&M-eligible items open (32 CFR 170.21), closed within 180 daysSet by the agency and contract
Verification (now)Phase I self-assessment + select government-led; broad Phase II C3PAO mandate suspendedContract- and agency-specific (GSA requires independent assessment)
Who assessesA C3PAO (Certified Third-Party Assessment Organization) — only where a CMMC assessment requirement appliesNot a universal civilian certifier; GSA uses independent assessors, not C3PAOs

A word to the company running both civilian and DoD contracts: you may legitimately owe Rev. 2 evidence on your DoD environment and Rev. 3 evidence on a civilian contract at the same time. Keep a contract-by-contract standards register and a documented Rev. 2-to-Rev. 3 crosswalk. Don’t use one contract’s assessment result as proof for a different authority.

This is your second decision point — a fork, not a funnel:

  • My work is civilian-agency only. Use the routing form and build your civilian question list. We won’t route you to a C3PAO you don’t need.
  • My contract includes DoD or DFARS requirements. Use The Defense Compliance Report’s Find My CMMC Path tool to map your level, scope, assessment type, environment, and timeline to the right CMMC provider category.

NIST SP 800-171 Rev. 2 vs. Rev. 3: which one applies to you?

NIST SP 800-171 Revision 3 was finalized in May 2024 and is NIST’s current publication; NIST has withdrawn Revision 2. Yet CMMC Level 2 still maps to Revision 2, because 32 CFR Part 170 identifies Rev. 2 for the Level 2 model and the DFARS was written not to pull contractors onto Rev. 3 mid-rollout. So the revision you owe depends on the governing contract and agency — not on the fact that the data is CUI. This is the single most-confused point in the civilian CUI landscape, and it’s worth slowing down for.

The core fact is in the rule: the CMMC Program Rule at 32 CFR Part 170 ties CMMC Level 2 to NIST SP 800-171 Rev. 2 unless DoD amends the rule. That held even after NIST published Rev. 3 in 2024 and marked Rev. 2 as withdrawn. As Davis Wright Tremaine’s government-contracts team explained the mechanics, “the DFARS clause was specifically modified to not require contractors to follow Revision 3, as Revision 3 was introduced midstream of the CMMC ramp-up” (Davis Wright Tremaine). Whether Rev. 3 applies to a contractor is a separate question from whether NIST has published it — that turns on the governing contract, agreement, agency implementation, and any category-specific authority.

Meanwhile, the civilian side jumped. GSA’s January 2026 guide requires Rev. 3. The proposed governmentwide FAR CUI rule points to Rev. 3. That’s why a GSA contractor and a DoD contractor can hold the same CUI and owe different control sets.

What actually differs in Rev. 3 — its requirements are organized into 17 families (Rev. 2 used 14), per NIST SP 800-171 Rev. 3: Access Control; Awareness and Training; Audit and Accountability; Assessment, Authorization and Monitoring; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Planning; Personnel Security; Risk Assessment; System and Services Acquisition; System and Communications Protection; System and Information Integrity; and Supply Chain Risk Management.

Rev. 3 also introduces organization-defined parameters (ODPs)— values that get assigned by the party the applicable requirement designates. Don’t invent them without confirming who’s authorized to set them: under the current GSA process, for example, the contractor assigns required parameters in its System Security and Privacy Plan; other implementations may reserve them to the agency. And the assessment procedures moved to a companion, NIST SP 800-171A Rev. 3.

The practical rule is boring but bankable: implement the revision your specific instrument names, and keep a standards register per contract. Our editorial take:because Rev. 3 changes the organization, terminology, requirements, and assessment procedures, don’t assume a Rev. 2 System Security Plan satisfies a Rev. 3 contract without a documented crosswalk and updated evidence.

What are GSA’s CUI requirements in 2026?

On January 5, 2026, GSA’s Office of the Chief Information Security Officer issued Revision 1 of CIO-IT Security-21-112, “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process.” Where GSA approves its use and the related requirements are included in the solicitation, it requires a qualifying nonfederal system handling GSA CUI to implement NIST SP 800-171 Revision 3, selected NIST SP 800-172 Revision 3 (Draft) requirements, and selected NIST SP 800-53 Revision 5 privacy controls — through a five-phase process ending in GSA authorization, with independent assessment rather than self-attestation. We read the guide directly, and the details below come from it.

The guide runs a five-phase lifecycle: Prepare, Document, Assess, Authorize, Monitor. A few things worth knowing before you spend on GSA CUI work, straight from the guide (GSA, PDF):

  • It’s not blanket.Using the process must be coordinated with GSA’s OCISO and requires GSA CISO approval; upon approval, the related IT security and privacy requirements are included in contract solicitation documents. It applies to nonfederal systems that reach a FIPS 199 Moderate confidentiality level because CUI is in scope — and only to the components that process, store, or transmit CUI.
  • Nine “showstopper” requirements. Appendix C lists specific security and privacy requirements — nine requirement IDs spanning Access Control, Identification and Authentication, Risk Assessment, System and Communications Protection, System and Information Integrity, and System and Services Acquisition — and any showstopper that isn’t fully implemented precludes approval. Concrete examples baked into the guide: multi-factor authentication across personnel and privileged access, FIPS-validated encryption, no end-of-life software or sub-TLS-1.2 encryption, and vulnerability remediation on fixed clocks (internet-facing critical in 15 days; critical/high in 30; moderate in 90; low in 180).
  • Documentation and assessment.You produce a System Security and Privacy Plan (SSPP) with a boundary diagram, inventory, data flows, a supply-chain risk plan, and a Privacy Threshold Assessment (and a Privacy Impact Assessment if PII is in scope). Assessment is performed by an independent assessor selected under the guide’s Phase 3 — a C3PAO status alone does not qualify an organization for this role.
  • The outcome is a GSA authorization, not a self-attestation. The era of informal self-attestation for GSA CUI is over.

GSA issued the guide without notice-and-comment rulemaking, and it applies immediately where incorporated — there’s no phase-in period, and contracting officers add it at their discretion (Miller & Chevalier).

One clarification we’ll make plainly, because it’s the exact thing vendors blur: a CMMC status by itself does not establish compliance with, or approval under, GSA’s process. The guide is built on a different NIST revision and its own assessment model. Existing CMMC work may supply reusable evidence — but GSA requires its own scope, package, approved assessor, review, and approval record, and a C3PAO credential is not itself a GSA assessor qualification.

Before you request a GSA compliance quote, answer: has GSA approved the process for you; which guide revision and attachments are incorporated; federal or nonfederal system; CUI category; the assessment and approval steps; required evidence; cloud requirement; and flow-down.

What are DHS’s CUI requirements for contractors?

When DHS incorporates HSAR clause 3052.204-72, “Safeguarding of Controlled Unclassified Information,” the contractor must follow the clause and the DHS policies in effect at award. The clause requires cybersecurity incidents affecting CUI to be reported within eight hours of discovery — and within one hour if the incident involves Personally Identifiable Information (PII) — to the DHS Component Security Operations Center. Notably, DHS keys its requirement to its own policies rather than automatically to NIST SP 800-171, which makes it structurally different from both DoD and GSA.

We pulled this from the clause text on Acquisition.gov and the eCFR. What it obligates when it’s in your contract:

  • Two-tier incident reporting: eight hours for a known or suspected incident affecting CUI; one hour if PII or Sensitive PII is involved. Both are far tighter than the 72-hour rule DoD contractors know from DFARS 252.204-7012. For a PII/SPII report, any required data elements not available in the initial report must be provided within 24 hours — that 24-hour window applies to the missing PII/SPII data elements, not as a blanket supplemental-report deadline for every incident.
  • Post-incident duties: evidence preservation (the clause contemplates a 180-day period), government cooperation, and a media-sanitization certification referencing NIST SP 800-88.
  • A protection for contractors:the clause states that an incident “shall not, by itself, be interpreted as evidence that the Contractor… failed to provide adequate information security safeguards.” Reporting is not an admission.
  • All-tier flow-down: you insert the clause in subcontracts wherever subcontractor employees will access CUI, or a subcontractor system will process, store, or transmit it.
  • Alternate I and an ATO gate:when Alternate I is included, a federal information system — including a contractor system operated on DHS’s behalf — may not collect, process, store, or transmit CUI until DHS grants the required Authorization to Operate. An ATO is a real deliverable, and it is not the same thing as CMMC certification.

For DHS work, the trap is assuming the “common” 72-hour timeline applies. It doesn’t. Confirm whether Alternate I is included, which DHS policy attachments govern, and the exact SOC reporting channel — before an incident forces you to learn it in real time.

What about NASA and other civilian agencies?

NASA uses NFS clause 1852.204-76, “Security Requirements for Unclassified Information Technology Resources.” It applies broadly to NASA Electronic Information, driven by the contract’s Applicable Documents List (ADL): when it applies, the contractor must deliver an IT Security Management Plan within 30 days after award, maintain an IT Security Plan (a FISMA requirement), and follow NPR 2810.1. Whether and how it reaches CUI depends on the ADL and any incorporated CUI requirements. As with the other agencies, whether your system is federal or nonfederal determines the broader control path.

From the clause on Acquisition.gov and the eCFR:

  • It applies to NASA contractors and subs that have physical or electronic access to NASA IT, or that use systems to generate, store, process, or exchange data with or for NASA. The base clause governs NASA Electronic Information broadly — it is not specifically a CUI clause; how it touches CUI depends on the ADL and incorporated requirements.
  • The ADL — an attachment to your contract — is where the actual requirements, policies, and referenced standards (including NPR 2810.1) live. A generic online NIST checklist is not a substitute for your ADL.
  • Two 30-day clocks, don’t confuse them: the contractor must deliver an IT Security Management Plan to the contracting officer within 30 days after award; separately, at contract completion, the contracting officer provides disposition instructions within 30 calendar days of the contractor’s request.
  • NASA has used a class deviation (Deviation 21-01) to revise this clause to implement the CUI Program; confirm the current deviation and ADL that apply to your specific contract.

Every other civilian agency?We’re not going to fabricate an all-agency table with details we haven’t verified. Other agencies may use acquisition supplements, clauses, policies, guides, or contract attachments — verify the agency and the operative contract rather than assuming every agency uses the same mechanism. The repeatable sequence: search the agency’s acquisition regulation supplement; read your contract and its attachments; find the agency’s CUI implementing policy; identify any category-specific authority in the CUI Registry; and request written clarification. We add verified agencies to the matrix over time — because a real map beats a padded one.

What would the proposed governmentwide FAR CUI rule change?

Time-sensitive

The public-comment period for FAR Case 2026-001 runs through July 23, 2026. If this rule will touch your contracts, your window to weigh in is short.

FAR Case 2026-001 is a proposed rule as of July 16, 2026 — not an enforceable clause. Published June 23, 2026 as part of the “Revolutionary FAR Overhaul,” it would create a common Standard Form (SF XXX) identifying the CUI in each contract, a solicitation provision (FAR 52.240-6) and contract clause (FAR 52.240-7), and would apply NIST SP 800-171 Revision 3, a FedRAMP Moderate-equivalent cloud requirement, and a 72-hour incident-reporting duty with subcontractor flow-down. If finalized, it would add a governmentwide mechanism on top of — not erase — today’s category-specific authorities and agency-identified requirements.

This is the development driving a lot of the recent search traffic, so let’s be precise about status. The proposed rule was published at 91 FR 37550 (Federal Register), docketed as FAR Case 2026-001 (RIN 9000-AO86), with comments due July 23, 2026 (regulations.gov docket FAR-2026-0001). Worth noting: the FAR 52.240 series is not currently populated with active clauses, so proposed 52.240-6 and 52.240-7 are not operative today. See also: FAR CUI Rule 2026: Proposed Changes & What Applies Now.

What the proposal would do — every item below is proposed, not current law:

IssueToday’s civilian landscapeProposed FAR architecture
Governmentwide mechanismFragmented, agency by agencySF XXX + FAR 52.240-6 / 52.240-7
Nonfederal baselineContract/agency-specificNIST 800-171 Rev. 3
Enhanced controlsAuthority-specificSelected NIST 800-172 for identified critical programs / high-value assets
CloudAgency-specificFedRAMP Moderate-equivalent floor for identified CUI
Incident reportingAgency-specific timers72 hours from discovery (to CISA for non-DoD contracts)
Flow-downContract-specificClause-based flow-down to subs receiving CUI

The single most expensive mistake you can make right now is treating the June 2026 text as a current contractual obligation and buying against it. What you can prudently do: inventory your CUI, map your contract authorities, classify your systems, build a Rev. 3 crosswalk where relevant, and document your cloud responsibilities — none of which is wasted if the rule changes.

What evidence should a civilian contractor keep?

A civilian contractor’s evidence package is contract-specific, but a defensible core connects each requirement to the system scope, the implementation, an owner, and test evidence. An SSP or policy alone does not prove a control operates; your evidence should support examination, interviews, and technical testing wherever the governing assessment method requires them. The goal is traceability — from the clause, to the requirement, to the thing you can actually show an assessor.

Evidence categoryWhat it provesWhere it comes fromCommon failure
Contract-authority registerWhich clauses, categories, and standards actually bind youContracts, subcontracts, attachments, ADLsNever assembled; scattered across teams
CUI category & data-flow inventoryWhat CUI you hold and where it movesMarkings, CUI Registry, contractAssumes one marking defines the whole obligation
System boundary & component inventoryWhat’s in scopeArchitecture diagrams, asset inventoryScope creep; unmanaged shadow systems
System Security Plan (SSP/SSPP)Intended implementationThe invoked standard/agency templateTreated as proof rather than a plan
Requirement-to-evidence matrixEach requirement maps to real evidenceYour own control mappingMissing the link from requirement to artifact
Operating evidence (configs, logs, tickets)Controls run in practiceSystems, SIEM, change managementScreenshots with no date, context, or recurrence
Cloud shared-responsibility evidenceWho covers whatProvider docs + your configurationAssumes the provider’s authorization is your compliance
Incident, training, personnel recordsProgram actually functionsIR logs, training records, HRNo records until an assessor asks
Subcontract flow-down recordsObligations reached lower tiersExecuted subcontracts, monitoringVague “be compliant” instructions with no proof

A written clarification from your contracting officer is evidence too — save it with the date, the question, the answer, and the contract reference.

What must prime contractors flow down to civilian subcontractors?

Civilian CUI flow-down is clause-specific, so a prime should pass down the actual applicable obligations rather than a vague “be CUI compliant” instruction. The subcontract should identify the information and category, the governing clause, the system expectation, the incident route, the evidence and cloud terms, and the lower-tier flow-down. Precision protects both sides — it tells the sub exactly what to build and gives the prime a defensible record.

If you’re the prime, communicate: the CUI category and authority; the clause and any security attachment; whether the sub’s system is federal or nonfederal; the standard and revision; any organization-defined parameters; cloud conditions; the incident-reporting route and clock; required evidence; return/disposition; and lower-tier flow-down.

If you’re the sub, ask the prime to show the prime-contract basis, identify exactly which information you’ll receive or create, distinguish FCI from CUI, flag whether any requirement is DoD-specific, clarify whether a named product is required or merely suggested, and put acceptance criteria in writing.

And one thing a prime should not do: assign a CMMC level to a civilian-only subcontract just because CUI is involved. A CMMC status requires an actual defense contractual basis. (If you do have a genuine DoD/CMMC flow-down, our CMMC flow-down guidance covers that separately — don’t apply the defense template unchanged to civilian work.)

Does civilian CUI require FedRAMP, GCC High, or a CUI enclave?

Cloud and enclave requirements depend on the governing contract, not on a universal rule — and a provider’s FedRAMP status does not make your company compliant by itself. “Civilian CUI” alone does not require GCC High. Any service that stores, processes, transmits, administers, monitors, backs up, or protects in-scope CUI can create responsibilities you must document in your system boundary and shared-responsibility model. The right question isn’t “which cloud is CUI-approved?” — it’s “what does my contract require, and what remains my responsibility after I deploy it?”

Three points that resolve most of the confusion:

  • FedRAMP authorizes a service; it doesn’t certify you. An authorized cloud service covers the provider’s responsibilities within its authorization boundary. Your configuration, identity and access management, endpoints, logging, backups, and incident duties are still yours. Under GSA’s process, if a system is built on a FedRAMP-authorized IaaS, the services in use must also be FedRAMP authorized, and non-authorized services are evaluated case by case. The proposed FAR rule would set a FedRAMP Moderate-equivalent floor for identified CUI — but that’s proposed.
  • A CUI enclave helps when scope is tight. A small, well-bounded CUI population with controlled access and limited workflows is exactly where an enclave earns its cost by shrinking your assessment scope.
  • An enclave fails the moment CUI leaks around it — endpoints that cache or download it, unmanaged integrations, users who re-enter the data elsewhere, or a contract that actually requires a federal, on-behalf-of system. If any of those are true, an enclave alone won’t save you.

Do you need GCC High? Only if a contract, an information category (such as export-controlled data), a Microsoft-service need, or an agency condition makes a particular government cloud appropriate. It is not the automatic answer to “we have civilian CUI.” From any cloud or managed provider, get the authorization or equivalency evidence, the exact service scope, the shared-responsibility split, and the incident terms — in writing.

Is a POA&M allowed, and what must the contract say?

A Plan of Action and Milestones (POA&M) is allowed only where the applicable contract, standard, assessment method, or authorization process permits it — and the existence of a NIST POA&M template does not itself grant that permission. A POA&M is a planning document, not proof of compliance, and different authorities treat open items very differently. Before you leave a requirement open, confirm you’re allowed to, and document why.

How the branches differ:

  • DoD / CMMC (Conditional Level 2): 32 CFR 170.21 allows a Conditional Level 2 status only when the self-assessment score is at least 88 of 110 and every unmet requirement is POA&M-eligible (certain requirements can never be on a POA&M). The POA&M must be closed within 180 days to reach Final. Level 1 permits no POA&Ms.
  • GSA:the guide’s showstopper requirements must be fully implemented to gain approval — those are not “plan to fix later” items — and remaining gaps are handled through the guide’s documented process, not an open-ended POA&M.
  • DHS, NASA, and other agencies: authorization and contract terms control whether and how deficiencies may remain open.

The safe posture: treat “can we POA&M this?” as a question for the governing instrument, document the answer, and never assume a template equals permission.

What happens if you get it wrong? The enforcement reality

Misrepresenting your cybersecurity compliance to the government can trigger liability under the False Claims Act (FCA). The Department of Justice’s Civil Cyber-Fraud Initiative uses the FCA to pursue contractors — and federal grant recipients — who falsely certify compliance with requirements like NIST SP 800-171, and its docket of cybersecurity settlements has grown steadily since the initiative launched in 2021. The examples so far are concentrated among DoD contractors, because DoD’s requirements are the most mature — but the FCA mechanism reaches civilian contractors too, and it grows as civilian CUI requirements become more consistently documented, assessed, and authorized.

This is the part the “buy our checklist” pages skip, and it’s why getting scope right matters more than getting it fast. A DoD example, not a civilian-agency case, but the mechanism is the same: in June 2026, defense contractor LOGZONE Inc. agreed to pay $507,144 to resolve FCA allegations that it reported a perfect NIST 800-171 self-assessment score of 110 while a later government assessment scored it at -170, near the bottom of the -203-to-110 range (U.S. Department of Justice). The settlement resolved allegations without a determination or admission of liability. The lesson isn’t “self-assessment is dangerous” — it’s that a submitted assessment score, certification, or payment-related compliance representation can become evidence in an FCA matter when the government alleges it was knowingly false.

Why this matters specifically for civilian contractors:

  • The Civil Cyber-Fraud Initiative is governmentwide, not a DoD program, and it explicitly reaches grant recipients — relevant to research universities and any organization drawing federal funds.
  • As GSA’s assessment-based model and the proposed FAR rule turn civilian requirements into hard, documented, authorized obligations, your certifications become exactly the kind of representation the FCA polices.
  • Agency remedies don’t stop at the FCA — a failed or lost authorization can cost you eligibility for the very contracts you’re chasing.

The takeaway is calm, not alarmist: confirm your obligation, implement honestly, and don’t certify what you can’t demonstrate. This is precisely why we push you toward the contract and the contracting officer before the checkout page.

What does CUI compliance cost, and how long does it take?

There is no defensible universal cost or timeline for civilian CUI compliance before the governing clause, system type, CUI scope, starting maturity, cloud architecture, and assessment or authorization path are known. Any single “CUI compliance costs $X” figure should be treated with suspicion. The most useful early move is to understand the cost drivers and normalize competing quotes against the same scope. We’d rather give you a framework you can trust than a figure that looks authoritative and isn’t.

For a sense of magnitude — and this is a real, sourced number, in the DoD context, not a civilian CUI figure — SBA’s July 2026 analysis estimated that total compliance costs can reach roughly $593,800 per CMMC certification for a small firm requiring third-party assessment, and about $388,600 for a firm eligible for self-assessment (SBA). Different program, different scope — but it tells you the order of magnitude these efforts reach, and why buying before you’ve confirmed scope is a genuine risk to the business.

The honest admission on cost: we don’t yet have a comparable, source-checked dataset that would support a universal civilian CUI price range, and we won’t convert unrelated CMMC quotes or vendor marketing into a number that looks precise but isn’t. What we can give you is the driver map that determines where you’ll land:

Cost driverLower complexityHigher complexity
CUI usersSmall, defined groupEnterprise-wide access
System boundaryIsolated workflow or enclaveMixed enterprise systems
Starting controlsMature and evidencedMajor technical and procedural gaps
CloudExisting suitable serviceMigration or custom architecture
System typeNonfederal contractor systemFederal / on-behalf-of system with an ATO
CUI SpecifiedFew additionsMaterial authority-specific controls
AssessmentInternal / contract validationIndependent assessment or agency authorization where the process requires it
Timeline pressurePlanned procurementAward or incident deadline

When you request quotes, make every bidder separate clause-and-applicability analysis, scoping, architecture, licensing, implementation, documentation, evidence collection, managed operation, and assessment or authorization — with assumptions and exclusions stated. Two “$X” quotes with wildly different scopes aren’t comparable, and normalizing them is often worth more than negotiating the headline price.

Which provider category should you hire first?

The right first provider matches the unresolved problem: a qualified federal-contracts attorney for clause or representation ambiguity; an agency-experienced cybersecurity or GRC advisor for scope and baseline; an MSSP or CUI-enclave implementer for operations; a GRC platform for evidence and traceability; and an independent assessor or authorization specialist only when the contract actually requires that function. A C3PAO is not the default civilian CUI provider. Hiring in the wrong order — buying implementation before anyone resolved the clause — is how companies build the wrong thing well.

Provider categoryHire first whenDon’t lead here whenWhat to ask before hiring
Federal-contracts attorneyClause conflict, applicability, or a representation is at stakeThe requirement is clear and the remaining work is technical“Which agencies and acquisition supplements have you interpreted?”
Civilian federal cybersecurity / GRC advisorYou need authority mapping, scoping, baseline selection, and an evidence planThe legal meaning is still unresolved“How do you separate the agency requirement from your recommendation?”
MSSP / managed complianceYou need recurring implementation, monitoring, and evidenceThe system boundary or governing standard is unknown“Which civilian-agency CUI clauses have you supported directly?”
CUI enclave / cloud architectA defined CUI workflow needs containment or migrationA specific cloud isn’t contractually or architecturally justified“What remains our responsibility after deployment?”
GRC platformRequirements are known but evidence ownership is failingYou actually need remediation or managed security“Does your platform store CUI, or only compliance evidence?”
Independent assessor / authorization specialistAn incorporated GSA or other agency process expressly requires an independent assessment, security approval, or ATOIt’s an ordinary nonfederal environment with no assessment obligation“Which agency authorization processes have you completed?”
C3PAOYou have an actual CMMC assessment requirementIt’s civilian-only CUI“What exact DoD clause or status creates the assessment need?”

A note on credentials: Registered Provider Organization (RPO) status is a Cyber AB / CMMC-ecosystem designation, not a general civilian-agency qualification — RPO status alone doesn’t establish civilian-agency clause, authorization, or implementation experience. Judge a civilian advisor on agency-specific track record, not a CMMC badge.

Watch for the red flags that mean a provider is selling their answer instead of yourrequirement: “every CUI contractor needs CMMC,” “FAR 52.204-21 makes you fully CUI compliant,” “FedRAMP makes your company compliant,” “we can certify civilian CUI compliance governmentwide,” “buy our cloud before we read your contract,” “SPRS is required for every civilian agency,” or — the one that should end the conversation — “upload your contract and drawings to our intake form.”

This is your third decision point

▶ See the provider category your contract actually calls for

Tell us your agency, contract stage, system type, and timeline. You’ll see the source-checked provider categories that fit your unresolved work — readiness, enclave, GRC, or independent assessment — and reasoning, before you decide whether to be matched to options.

Match my requirement to the right category →

Do not submit CUI, drawings, contract documents, or sensitive system details.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or status verification.

What should you do in the first 30 days after a CUI clause appears?

The first objective after a CUI clause surfaces is not to buy software — it’s to preserve any deadline, identify the governing authority, obtain written clarification, classify the system, and set up a controlled interim handling path. The staged plan below is The Defense Compliance Report’s editorial response framework, not a regulatory deadline. Any contract, incident, protest, proposal, authorization, or reporting deadline in your actual documents overrides it.

First 48 hours

Preserve the solicitation or contract deadline. Identify the contract owner and the security owner. Restrict unnecessary new distribution of the information. Determine whether an incident is already suspected. Locate every clause and attachment. Do not upload anything sensitive to a public tool.

Days 3–7

Identify the CUI categories. Send the system-classification and authority questions in writing. Sketch your initial data-flow map. Inventory external providers who touch the information. Note the agency-specific incident procedure so you’re not learning it during an incident.

Days 8–14

Build a requirement register. Select the standard and revision only after the authority is confirmed. Establish a preliminary system boundary. Flag immediate high-risk gaps. Decide whether you need a legal read on the clause.

Days 15–30

Complete an initial gap and evidence assessment. Choose an architecture direction. Assign control ownership. Sequence remediation. Request normalized quotes from the right provider categories.

Stop and escalate immediately if

You have an active or suspected incident, conflicting clauses, unclear CUI authority, classified information, export-controlled data with unresolved access restrictions, a foreign-person access question, a government demand to certify without a clear basis, ambiguity about whether your system is federal or nonfederal, or an imminent award or delivery deadline. Those are not DIY situations.

What we actually verified

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures. This guide extends that discipline to civilian-agency CUI. (How we work.)

Verified . Our editorial team reviewed, directly from the source in each case:

  • Executive Order 13556, 32 CFR Part 2002 (including § 2002.14), and NARA CUI guidance and FAQs
  • FAR 52.204-21 on Acquisition.gov
  • NIST SP 800-171 Rev. 3 and SP 800-171A Rev. 3, and the withdrawal of Rev. 2, on NIST CSRC
  • GSA CIO-IT Security-21-112 Rev. 1 (dated January 5, 2026), read directly from the GSA source
  • DHS HSAR 3052.204-72 clause text on Acquisition.gov and the eCFR
  • NASA NFS 1852.204-76 clause text on Acquisition.gov and the eCFR
  • FAR Case 2026-001 (91 FR 37550) as a proposed rule, on the Federal Register
  • The July 13, 2026 suspension of CMMC Phase II (Department of War; corroborated by Federal News Network and Crowell & Moring)
  • The DOJ LOGZONE False Claims Act settlement on justice.gov
  • SBA’s July 2026 CMMC cost estimates

We separated active clauses from proposed future requirements, and we don’t publish operational details we can’t confirm in an operative source. This guide addresses civilian-agency CUI. CMMC levels and The CMMC Path Framework apply only to the separate DoD/CMMC branch; this page does not assign a CMMC level to any civilian contract.

This is educational research, not legal, contractual, cybersecurity, or compliance advice. Confirm applicability, contract interpretation, and any disputed requirement with your contracting officer or prime and, where appropriate, a qualified federal-contracts attorney; confirm technical implementation with a specialist experienced in your agency’s requirements. The contract clause and CUI handling set your obligation — not a checklist. Found something to correct? See our corrections policy — we log material corrections and update the review date only when we substantively re-verify. (Editorial standards.)

Still not sure which authority governs you?

Need help deciding what type of civilian CUI provider you need? Tell us the agency, contract stage, system type, and timeline, and we’ll match you with source-checked provider categories — readiness, enclave, GRC, or independent assessment.

Identify my civilian CUI provider category →

Do not submit CUI, drawings, contract documents, or sensitive system details.

Working under an actual DoD or DFARS requirement instead? Use The Defense Compliance Report’s Find My CMMC Path tool to map your level, scope, assessment type, environment, and timeline to the appropriate CMMC provider category.

Disclosure: The Defense Compliance Report may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis or provider-category recommendations.

Primary sources & references

Frequently asked questions about CUI compliance for civilian contractors

Is CUI compliance the same as CMMC?
No. CUI is a governmentwide information-handling program under Executive Order 13556 and 32 CFR Part 2002, applicable across civilian and defense agencies. CMMC is a Department of Defense verification program that applies only through an applicable defense contract requirement.
Do all civilian contractors have to comply with NIST SP 800-171?
Not merely because they sell to the government. Under 32 CFR 2002.14, agencies use NIST SP 800-171 to set CUI requirements for qualifying nonfederal systems — but the obligation binds you only when a contract, agreement, or regulation makes it applicable, and the CUI category and system type can change the answer.
Is FAR 52.204-21 enough for CUI?
No. FAR 52.204-21 sets 15 basic safeguards for systems handling Federal Contract Information and does not displace separate CUI safeguarding requirements. It’s the floor, not the complete answer.
Is NIST SP 800-171 Rev. 3 required now?
It depends on the contract and agency. Rev. 3 is NIST’s current version and Rev. 2 is withdrawn, but publication alone doesn’t rewrite existing contracts. GSA’s January 2026 guide requires Rev. 3; CMMC still uses Rev. 2 under 32 CFR Part 170; and the governmentwide FAR CUI rule that points to Rev. 3 is still proposed.
Is there a CUI compliance certification for civilian contractors?
There is no single governmentwide civilian CUI certificate. A specific contract may require assessment, authorization, or particular evidence — GSA, for example, now requires independent assessment and GSA authorization before a system may process its CUI under the process.
Does CMMC apply to civilian contractors?
Not automatically. CMMC is triggered by an applicable requirement in a DoD solicitation, contract or order, or valid flow-down. As of July 16, 2026, DoD has suspended implementation of CMMC Phase II (the broad third-party assessment expansion) while a 60-day reform review runs; Phase I self-assessment requirements remain in place.
What if my contract says CUI but doesn’t name a clause or standard?
Ask the contracting officer or prime, in writing, to identify the CUI category, safeguarding authority, system classification, incorporated requirements, technical standard and revision, and acceptance process. NARA directs contractors to route information-status questions back to the contracting activity rather than self-designate.
Is unmarked information still CUI?
Don’t make that call unilaterally. Protect the information under your existing contract, avoid unnecessary disclosure, and ask the originator or the government contracting activity to confirm its status and required handling.
Does civilian CUI always require a FedRAMP Moderate cloud or GCC High?
No universal present-day rule says that for every civilian contract; the agency and contract control, and “civilian CUI” alone does not require GCC High. The proposed June 2026 FAR rule would set a FedRAMP Moderate-equivalent requirement for identified CUI — but it is not final.
Do subcontractors have the same requirements as the prime?
They receive the obligations that validly flow down and apply to their access and work. A prime should communicate the exact requirements — the clause, category, system expectations, incident process, and evidence — not a vague “be CUI compliant” instruction, and should not assign a CMMC level to civilian-only work.
Is a POA&M allowed?
Only where the applicable contract, standard, assessment method, or authorization process permits it. In DoD, a Conditional Level 2 status allows a POA&M only for eligible requirements with a score of at least 88/110, closed within 180 days; the existence of a NIST template doesn’t grant permission on civilian work.
Does a C3PAO assess civilian CUI compliance?
A C3PAO’s defined role is in the CMMC ecosystem. A civilian contract may require a different independent assessor or authorization process; C3PAO status alone does not qualify an organization for GSA’s assessment or create a universal civilian CUI certification.
What if my company has both GSA and DoD contracts?
Keep contract-specific requirement records and a documented Rev. 2-to-Rev. 3 crosswalk. Don’t use one contract’s assessment result as proof for a different authority.
What changes if the proposed FAR CUI rule becomes final?
A final rule could add a more uniform SF XXX and FAR 52.240-6/-7 mechanism across agencies. But the final text, effective date, implementation instructions, and actual incorporation into your contract will control — and none of that exists yet.
Can I upload my contract to the routing form?
No. The tool accepts only non-sensitive inputs — agency, contract stage, clause numbers, and attachment names — and does not accept file uploads. Confirm anything binding with your contracting officer.