Using AI in CUI Environments

Using AI in CUI environments presents risks and threats that have yet to be fully addressed by CMMC cybersecurity protocols or security standards.  In an effort to provide guidance the Information Security Oversight Office has released ISOO Notice 2026-01: Responsible Use of Classified National Security Information and Controlled Unclassified Information with Artificial Intelligence.

ISOO Notice 2026-01

This publication notes that AI technologies are developing at a rate that outpaces the development of governance structures and risk management strategies.  In light of the priority the federal government has placed on the protection of Controlled Unclassified Information (CUI), this presents a daunting threat.  At present CMMC offers little guidance for managing risks associated with AI tools.

In response to these issues the guidance document states that current executive orders stipulate safeguarding and access control for classified information and CUI.  It further states that internet-enabled AI, when connected to uncontrolled or non-accredited sources, is prohibited from use by agency personnel on CUI systems.  Unfortunately, no guidance is provided for detecting or enforcing these controls in federal agencies or the private sector.

Artificial Intelligence Risk Management Framework

NIST’s Artificial Intelligence Risk Management Framework (AI RMF 1.0) was released in 2023.  This publication is intended for organizations of all sizes regardless of sector or use case.  The framework seeks to minimize potential risks while maximizing the benefits of AI systems. While NIST AI RMF promotes risk management protocols, it acknowledges the lack of verifiable measurement methods for risk and trustworthiness.

NIST does state that it intends to work with industry and government to create metrics and methodologies for AI risk management.  Currently the paper stresses organizational governance to create policies, processes, procedures, and practices. 

This governance process is driven by mapping, measurement, and management cycles.  Mapping involves the categorization of AI platforms and their intended utilization.  Measurement employs assessments for tracking AI trustworthiness.  Management is used to allocate risk resources to mitigate potential harmful effects.

Solutions for Organizations That Handle CUI

While drawing attention to the need for AI governance, the NIST AI RMF and ISOO Notice provide no substantive AI solutions.  The growing number of AI applications need to be addressed directly through cybersecurity standards with specific controls.  Currently CMMC requires that organizations only use AI platforms with secure boundaries and that risks be considered before implementation.

At present organizations should ensure that any AI tools used to process Controlled Unclassified Information (CUI) are FedRAMP Authorized or equivalent.   Additionally, continuous monitoring and automated evidence mapping are recommended to enhance compliance efforts.

Long Term Goals for US Cybersecurity

Artificial Intelligence (AI) is one of many factors in a rapidly changing cybersecurity arena.  Organizations should monitor Large Language Model (LLM) developments in their risk and opportunity assessments and implement AI governance measures to address risks.

Businesses today are facing growing pressure to adapt to cybersecurity challenges. This is especially the case for small and mid-size businesses that are struggling to achieve CMMC compliance.  For these organizations, limited budgets, a lack of qualified personnel, and the complexity of standards present overwhelming obstacles.

CVG Strategy Cybersecurity Consultants

CVG Strategy can provide guidance and help your organization understand and implement contractually required NIST standards and CMMC.  We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals.  CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.

Identify CUI Areas with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where access controlled or export controlled articles and technology are present.

Engineering Secure Cyber-Resilient Systems

NIST SP 800-160 provides guidance on engineering trustworthy secure systems and developing cyber-resilient systems. This National Institute of Standards and Technology (NIST) publication focuses on integrating security into engineering processes throughout the product’s life cycle.  It aims to foster a common mindset for delivering security across various system types and complexities.

Engineering Secure Systems

It is essential to define the security requirements of a product based on business and stakeholder concerns.  Having defined those requirements, engineering-driven solutions must be found for the selection of architectures, tools, implementation, and sustainment of the product throughout its life cycle.  This requires a systems engineering approach to integrate expertise across multiple engineering and specialty disciplines.

Systems security engineering considerations should include both systems and software engineering in designing secure products.  Engineering of trustworthy secure products requires establishing the required trustworthiness of each contributor to risk through evidence-based assurance.

Systems Security Engineering Framework

The system security engineering framework defined in NIST SP 800-160 is a set of interacting processes.  Each process has its own checks and balances to address security perspectives across all system life cycle stages.  The key components of the framework are:

  • Problem: Here security objectives, requirements, success measures, and life cycle security concepts are defined.  Additionally, evidence is produced for the security aspects of the problem.
  • Solution: In this cycle, security aspects of the solution are defined and realized.
  • Trustworthiness: Here the assurance case is developed and demonstrated.

This process is cyclic, leading to more refined architectures and solutions.  In the problem phase, stakeholder concerns, operational capabilities, and performance requirements are determined.  In the solution phase, security aspects include the development of system protection strategies.  Evidence of effectiveness is obtained through analysis, testing, and demonstration.  In the trustworthiness context, an assurance case is made through a well-defined and structured set of arguments and a body of evidence.

The Life Cycle Security Model

The life cycle represents the evolution of a product from development, prototyping, testing, and manufacture through operations, sustainment, and retirement.  Safety concerns should be addressed at each stage to identify security risks to operation, data, and user safety.  Through this approach, the engineering process identifies intended behaviors, indicators of proper operation, and potential non-specified conditions.  Solutions are then sought to minimize risks and mitigate undesired conditions.

Conclusions

NIST 800-160 is not a cybersecurity standard. Instead, it provides a systems engineering approach that integrates risk management processes.  It is written at a high level to address the concerns of a large variety of product development types.  Its use of a life cycle approach allows for definition of manufacturing, support, and maintenance activities early in the specification phase.  It also addresses multi-discipline contributions to product development to achieve secure architectures.  These concepts and processes allow for systems security engineering trustworthiness throughout the supply chain.

Trump Signs Cybercrime Executive Order

President Donald Trump has signed a cybercrime executive order directing federal agencies to enhance efforts against cyber-enabled fraud and transnational criminal organizations (TCOs).  This action calls for interagency coordination for the review and improvement of operational, technical, and regulatory frameworks to combat cyber-enabled crime.

Agencies Involved with Cybercrime Executive Order

This executive order, signed on March 6, 2026, calls upon the National Coordination Center (NCC) to create an operational cell to facilitate involvement between governmental agencies and the private sector.  The Attorney General has been tasked with prioritizing prosecutions of scam centers and cybercrimes.  The Attorney General is also to submit recommendations for establishment of a Victims Restoration Program that will oversee the return of stolen funds to victims.

The Secretary of State has been ordered to work with foreign governments on enforcement actions against TCOs.  The order further empowers the Department of State to impose sanctions, limitations on foreign aid, visa restrictions, and expulsion of complicit officials to further the United States' efforts against cyber threats.

The executive order further calls upon the Secretary of Homeland Security to develop and provide training, technical assistance, and resilience building for cybersecurity to state and local governments and agencies.  It also directs Administration officials to conduct a review of potential tools and actions to be used against those responsible for scam centers.

Cyber Strategy for America

In conjunction with the cybercrime executive order, the Cyber Strategy for America outlines six policy pillars to guide the administration’s approach to cybersecurity:

  1. Shape Adversary Behavior: Deploy offensive and defensive cyber operations.
  2. Promote Common Sense Regulation: Streamline regulations to reduce compliance burdens.
  3. Modernize Federal Networks: Enhance security across government systems.
  4. Secure Critical Infrastructure: Protect essential services like energy and finance.
  5. Sustain Technological Superiority: Invest in emerging technologies.
  6. Build Cyber Talent: Develop a skilled workforce for cybersecurity.

The strategy emphasizes collaboration between government and the private sector to enhance cybersecurity capabilities. It aims to detect and confront threats before they penetrate U.S. systems, while also addressing the challenges posed by authoritarian surveillance technologies and cybercrime.

This comprehensive approach is designed to fortify the nation’s defenses against evolving cyber threats and ensure a robust response to adversaries in the digital landscape.  It addresses emerging threats such as ransomware attacks and nation-state cyber operations. It addresses the need for proactive measures to protect essential sectors like energy, healthcare, and telecommunications.

Long Term Goals for US Cybersecurity

The Cybercrime Executive Order and the Cyber Strategy for America initiative endeavor to defend US interests in cyberspace.  These efforts are aimed at protecting US technologies, critical infrastructure, government agencies, and US citizens now and in the future.  Organizations should monitor these developments in their risk and opportunity assessments.

Businesses today are facing growing pressure to adapt to cybersecurity challenges in 2026. This will be especially the case for small and mid-size businesses because of limited budgets, a lack of qualified personnel, and the complexity of standards.  Any relief generated by the current administration would be greatly welcomed by all.

System for Award Management (SAM) Changes

The System for Award Management (SAM) has undergone significant changes under the Revolutionary FAR Overhaul (RFO). This RFO initiative is an effort by the Office of Federal Procurement Policy (OFPP), the Federal Acquisition Regulation (FAR) Council, and the General Services Administration (GSA) to support sound procurement for government contracts.  It is being initiated in an effort to unveil Ultimate Beneficial Owners (UBO) in organizations that are part of complex corporate structures, which are often constructed to hide entities involved in illicit and hostile activities.

What SAM Changes Mean for Businesses

The System for Award Management is a U.S. government e-procurement system that collects and manages data from suppliers, allowing them to register to do business with the federal government.  SAM simplifies the process for vendors and federal agencies by providing a single platform for managing entity information.

Under the revised arrangement, which is expected to be implemented in January of 2026, all businesses will need to provide representations and certifications that are specific to the entity when registering for SAM.  Organizations should pay special attention to SAM interactions, as this transition period may require duplicative efforts with regard to registration updates.  It is, however, anticipated that the revised process will be more efficient and easier to navigate.

Complex Corporate Structures Concealing Illicit Actions

Complex corporate structures can obscure ultimate ownership of listed entities by using multiple layers of ownership across different jurisdictions.  This makes it difficult, if not impossible, to trace who is really in control.  Organizations often use shell companies, trusts, and nominee arrangements to separate legal ownership from beneficial ownership.  This can make it easier to launder funds, evade sanctions, and circumvent regulations.

The U.S. government is focusing on these issues from all sides.  This includes government acquisitions, law enforcement against organizations involved in narcotics smuggling, and regulations preventing export of sensitive technologies to protect U.S. national security and foreign policy.

Bureau of Industry and Security Affiliates Rule

The Bureau of Industry and Security published its interim final Affiliates rule in September of this year.  This rule would expand export restrictions to foreign entities that are owned 50% or more by listed parties. This would include parties on the Entity and Military End User (MEU) lists.  It would also place the onus of parsing obscured corporate ownership on exporters, increasing the potential for involuntary violations of the Export Administration Regulations (EAR).

This so-called 50% Rule has been temporarily delayed for one year, starting from November 10, 2025, as part of trade negotiations between the U.S. and China. This pause allows exporters and compliance teams time to adjust to the rule’s requirements before it is reinstated on November 10, 2026.

CVG Strategy Export Compliance Management Programs

Changes to the System for Award Management show the government’s intention to reveal dishonest corporate structures that hide harmful entities.  These efforts are being shared by other federal agencies to prevent the illegal export of strategically significant technologies.  As such, exporters should be on guard to ensure that parties to transactions are above board to prevent unintentional violations of export regulations.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classifications, license applications, denied part screening, and security measures are taken that will prevent violation.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy can help you understand revisions to the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), and help you establish a coherent and effective export compliance program.  We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

Cyber Insurance and Business Cyber Risk Management

Cyber insurance has become a larger part of the cybersecurity risk management process for businesses. This is due to the rising potential impacts of cyber threats to sensitive data.  As a result, the cyber liability insurance market is changing rapidly.  These changes include reduced coverage limits, increased premiums, and requirements for adequate security controls as a condition of cyber coverage.

Trends in the Cyber Insurance Industry

In the last few years the cyber insurance industry has seen marked growth as small and medium-sized enterprises realize that a cyber incident could destroy their businesses.  As a memorandum released by the National Association of Insurance Commissioners (NAIC) points out, however, cyber insurance is no substitute for a sound cybersecurity program.

The global cyber insurance market is projected to be worth over $20 billion by the close of 2025. The number of businesses taking out cyber insurance policies has risen to 62% of firms in 2025 compared to 49% in 2024.  The market is expected to continue growing, with projections suggesting it could reach nearly $30 billion by 2030.  Meanwhile, premiums have decreased by about 6% in 2025 compared to the previous year.

Requirements for Obtaining Cyber Insurance

Businesses must, at a minimum, meet specific security requirements.  These requirements include the use of Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR), scheduled backups, vulnerability management, and cybersecurity training.

Vulnerability management involves identification of the devices, software, and computer systems within an organization.  These assets should be scanned for vulnerabilities on a regular schedule.  Risk assessments should be conducted when vulnerabilities are identified, and accepted risk management frameworks should be used to rank them.

Remediation efforts should be documented to reflect patches and configuration changes.  Lastly, continuous monitoring and reporting should be performed to identify new vulnerabilities and implement remediations in an effort to continually improve the organization’s security posture.

Insurers may also require incident response plans to address cyber incidents and data breaches.  They may also look for documented security policies that adhere to specific industry standards and regulations.  Failure to meet these requirements can result in application rejection or higher premiums.

Business Regulatory Requirements for Information Security

Businesses must comply with various cybersecurity regulations that depend on their industry and location. Key regulations include the Health Insurance Portability and Accountability Act (HIPAA) for healthcare, the Gramm-Leach-Bliley Act (GLBA) for financial services, and the Payment Card Industry Data Security Standard (PCI DSS) for companies handling credit card information.

In addition to regulatory requirements, government contractors must adhere to specific contractual requirements to protect sensitive information. These requirements are primarily driven by the Department of Defense (DoD) and include compliance with the Cybersecurity Maturity Model Certification (CMMC) and the National Institute of Standards and Technology (NIST) guidelines.

CVG Strategy Cybersecurity Consultants

Cyber insurance trends reveal that many small businesses are facing challenges meeting cybersecurity requirements because of limited budgets, a lack of qualified personnel, and the complexity of standards.  CVGS can provide guidance and help your organization understand and implement contractually required NIST standards and CMMC.

We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals.  CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.

Identify CUI Areas with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.

MIL-STD-461 Documentation – Test Plan Requirements

MIL-STD-461 documentation development is a requirement in preparing for testing.  Test plans should include the content called out in DI-EMCS-80201, Electromagnetic Interference Test Procedures (EMITP).  This content includes a table of all MIL-STD-461 procedures to be performed, a description of the Equipment Under Test (EUT), and any approved exceptions or deviations.  Other requirements include test site and test equipment requirements, EUT setup, and EUT operation.

MIL-STD-461 Overview

MIL-STD-461, Requirements for the Control of Electromagnetic Interference (EMI) Characteristics of Subsystems and Equipment, is a Department of Defense standard that outlines the testing requirements for Electromagnetic Compatibility (EMC) of equipment.  While primarily applicable to equipment designed for military platforms, the standard is also utilized for testing electronic systems for space and civilian applications.

The standard comprises 19 different procedures, the requirements for which are based on the type of equipment under test and the specific platform and service for which the equipment is intended.  Procedures are broken up into two major categories: emission tests and susceptibility tests.

Emissions limits for the EUT are set for both radiated and conducted emissions.  Numerous susceptibility tests are available for conducted and radiated susceptibility in the magnetic, electrical, and electromagnetic fields. Specific testing methods are dedicated to antenna ports and power leads.  Additionally, method CS118 replicates personnel-borne electrostatic discharge.

Test Tailoring for Equipment Designed for Harsh Electromagnetic Environments

Tailoring of the test plan is essential to ensure proper testing under MIL-STD-461.  For example, pass/fail criteria for specific modes of operation should be detailed so that test witnesses and laboratory personnel can identify anomalies during susceptibility testing.  Additionally, performance checks should be defined to ensure that the EUT has not been damaged by susceptibility testing.

Test requirements and procedures for space applications can often exceed those defined in military test standards. This can often be the case for radiated emissions, where the limits for certain frequency bands are extremely low. To achieve these measurements, MIL-STD-461 defined scans can be performed at reduced Resolution Bandwidths (RBW) as documented in AIAA S-121A.  These options must be detailed in the test plan to communicate requirements to test facilities.

CVG Strategy Test Plan Templates

CVG Strategy offers Test Plan Templates for EMI/EMC and Electrical Compatibility Testing.  These plans have been developed for MIL-STD-461, MIL-STD-1275, MIL-STD-1399, and MIL-STD-704.

EMI/EMC and Electrical Test Plan Packet

  1. Test Plan Template (protected PDF).  This document provides essential information concerning: Equipment Under Test (EUT) setup, execution of each procedure, pass/fail criteria, and tolerances per the relevant standard.  All test plans are written per the requirements of DI-EMCS-80201C.
  2. Test Plan Addendum (Word document).  This document is to be completed by the customer.  It addresses information specific to the equipment to be tested, including: EUT Description, EUT Setup, Modes of Operation, and Performance Checks.
  3. Test Lab Data Sheet (PDF form).  This document is used to document procedures to be performed and essential test parameters.  It also documents test facility report requirements per DI-EMCS-80201C.
  4. Test Label (Word document).  This label is to be used to identify the test performed in photographs.
  5. Tests to Be Performed (PDF form).  This form communicates to the test facility all test procedures to be performed during the test sequence.
  6. Procedure Specific Worksheets (PDF form).  These worksheets are included where appropriate to assist the test witness in recording test events.

CVG Strategy

Our experts at CVG Strategy have extensive experience in EMI/EMC.  Our test and evaluation experts can provide requirement analysis, write MIL-STD-461 documentation, perform test witnessing, and provide troubleshooting and analysis of EMI/EMC test failures.

We also have expertise in Environmental testing and evaluation of product design in a number of industries and products, both military and commercial.  CVG Strategy specializes in Independent Developmental Testing and Evaluation including: Development of Life Cycle Environmental Profiles, Test Plans, Test Witnessing and Troubleshooting.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, ITAR and Export Compliance, Cyber Security and Quality Management Systems.

American AI Export Program Announced

The U.S. Department of Commerce has announced the launch of the American AI Exports Program.  This initiative is part of a larger effort by President Donald Trump to advance the United States' leadership in advanced technologies.  The program will include hardware, software, applications, models, and full stack AI exports. Full Stack AI refers to a comprehensive approach to building applications that utilize artificial intelligence across all layers of development.

Department of Commerce Export Promotion for AI

The Department of Commerce has launched a Request for Information (RFI) site to invite public comments from the artificial intelligence and the science and technology sectors. Feedback and proposals received from the RFI will be evaluated by the Secretary of State, the Secretary of War, the Secretary of Energy, and the Director of the Office of Science and Technology Policy.

The interagency Economic Diplomacy Action Group will support qualified full stack AI package exports upon final approval. The Department of Commerce will continue to provide updates as implementation progresses.  Commerce will also launch a new website to facilitate communication between potential foreign buyers and American AI technology providers.  Additionally, Commerce will partner with the Department of State to support this advance of America’s global leadership internationally.

Export Import Bank Involvement

The Export Import Bank of the United States (EXIM) is making use of its financing tools to finance exports of transformational technology sectors.  This effort will help companies developing AI to compete in global markets.  The agency is encouraging U.S. AI companies to explore opportunities for financing their development of American AI Export.

Export Controls on Advanced Technologies

Organizations engaged in the export of advanced technologies, including AI, should be mindful that stringent export regulations are still in place for this sector.  AI integrated circuits and associated articles, commodities, services, and technical data are controlled under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).

Parties that engage in transactions without prior authorization from the Directorate of Defense Trade Controls or the Bureau of Industry and Security are subject to possible criminal and civil penalties if violations occur.  These transactions include the export, reexport, or in-country transfers of regulated commodities. It is important, therefore, to conduct classifications, denied parties screening, and to ensure appropriate end-use in the case of dual use items.

The BIS has released Industry Guidance to Prevent Diversion of Advanced Computing Circuits.  This document contains a revised set of red flags that organizations should use to screen potential transactions.

CVG Strategy Export Compliance Management Programs

Organizations involved with export must adhere to regulations regardless of how effective those regulations are.  Remaining informed and having an effective export compliance program is essential for avoiding criminal and civil penalties.

Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization.  They ensure that registration, item classifications, license applications, denied part screening, and security measures are taken that will prevent violation.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy can help you understand revisions to the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), and help you establish a coherent and effective export compliance program.  We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

Counterfeit Part Prevention Trends and Developments

counterfeit part prevention
Photo by Soly Moses

Counterfeit part prevention remains a high priority for the aerospace, defense, and electronics sectors in 2025.  Unauthorized parts, when used in critical applications, can lead to catastrophic failures.  Counterfeit components include remarked parts and cloned components that are illegally manufactured.

There is an escalating trend for counterfeit parts in most manufacturing sectors.  Components at risk in the defense and aerospace industry include semiconductors, fasteners, electronic assemblies, and composite structures. 

US Federal Governmental Actions

The US Government has instituted contractual requirements for defense contractors by way of DFARS 252.246-7007.  This DFARS clause establishes requirements for contractors to implement and maintain risk-based policies and procedures for counterfeit part detection and avoidance.  Contractors are required to flow down these requirements to all subcontractors, ensuring compliance at all levels of the supply chain. This regulation emphasizes the importance of sourcing electronic parts from trusted suppliers to minimize risks.

The CHIPS Act, enacted on August 9, 2022, was created to promote domestic semiconductor manufacturing and research.  It also promotes semiconductor production and workforce development.  This, along with efforts from various U.S. agencies, is intended to develop trusted supply chains for Original Equipment Manufacturers (OEMs) in the United States.

AS9100 Quality Management System

AS9100D is a Quality Management System (QMS) standard based on the structure and content of ISO 9001:2015 with the addition of requirements specific to the defense and aerospace industries.  It includes provisions for customer and regulatory requirements. The standard is applicable to businesses of all sizes that need to consistently provide products and services to specified requirements. Additionally, it provides processes for systematic improvement of the management system and its ability to ensure customer satisfaction.

AS9100 requires that counterfeit part prevention be built into manufacturing cycles.  It requires that specific actions be undertaken.  These actions include training, establishment of a parts monitoring program, use of authorized and approved sources, traceability requirements, verification methodologies, monitoring of counterfeit part reports, and reporting and quarantining of detected or suspected counterfeits.

AS5553 Standard for Supply Chain Security

AS5553 – Counterfeit Electronics Parts; Avoidance, Detection, Mitigation and Disposition was created in 2009.  The newest revision, SAE AS5553D, was released in April 2022.  It provides methods, requirements, and practices for parts management, supplier management, procurement, inspection, test/evaluation, and response strategies for designers and manufacturers that use electrical, electronic, and electromechanical (EEE) parts.

These requirements are intended to be integrated throughout the supply chain.  The standard calls for risk-based assessments to establish priorities for mitigation of counterfeit EEE parts.  These assessments should consider the vulnerabilities of crucial components, the desired level of performance, and the necessary reliability of the product.

Private Sector Solutions

Industry and the aerospace sector in particular are developing solutions for counterfeit detection and supply chain integrity.  In recent developments Boeing and Aeroxchange have replaced paperwork with files that are cryptographically secured.  This system not only adds layers of security to the transfer of verifiable parts but reduces overall turnaround time.

Other companies are continuing the advancement of non-destructive analytical tests such as electrical spot checks, X-ray, and optical microscopy.  Additional anti-counterfeit technologies in use include holograms and optically variable devices, security inks, RFID tags, blockchain authentication, and tamper-evident labels and packaging.

Information Security in the Supply Chain

Adequate information security is essential to preventing counterfeit components and assemblies from entering the supply chain.  NIST SP 800-161 provides guidance on managing cybersecurity risks in the supply chain, including concerns about counterfeit parts that may contain malicious functionality or vulnerabilities due to poor manufacturing practices.  Implementation of this standard is a contractual requirement for many government contractors, their subcontractors, and suppliers.

CVG Strategy Quality Management Experts

Our Exemplar Global Lead Auditor Consultants can help you with integrating multiple management systems.  CVG Strategy has prepared, trained and implemented management systems for manufacturing companies in many business sectors.

Our quality strategy allows clients new to Quality Management Systems to rapidly implement a tailored system, because everything we do as consultants is process based.  Our Quality Experts have experience with ISO 9001:2015, AS9100D, ISO 13485:2016, ISO 27001:2013 and Association of American Railroads (AAR) M-1003 and can readily deliver compliant procedures and work instructions.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Business Process Improvement, Export Compliance, Cyber Security, and Product Test and Evaluation.

New York Telecom Threat Caught by Secret Service

New York Telecom Threat
Photo by panumas nikhomkhai

The U.S. Secret Service dismantled a network of devices in New York City that posed a significant telecom threat.  This equipment could potentially have disabled cellphone towers and facilitated anonymous communications for criminal activities.  The operation was particularly urgent because of the ongoing United Nations General Assembly meeting with world leaders.

Equipment at Various Sites Across Tri-State Area

Equipment seized in the investigation included 300 SIM servers and 100,000 SIM cards across multiple sites.  Initial findings indicate that nation state actors may have been involved. The equipment is thought to have been employed for various telecommunications threats aimed at high-ranking U.S. officials.  Forensic investigations are now being conducted on the active cell phones.  

A cellular network disruption generated from this site could have had serious ramifications as it was within 35 miles of the United Nations building.  This assemblage of equipment had the capability to send up to 30 million text messages per minute.  This could have disabled cell phone towers, facilitated encrypted communications between threat actors, and enabled denial of service attacks.  US Secret Service Director Sean Curran stated that bad actors that threaten the United States will be investigated and tracked down.

Action Undertaken by Multiple Federal Law Enforcement Agencies

This federal law enforcement action was taken by the U.S. Secret Service’s Advanced Threat Interdiction Unit.  Technical advice and assistance was provided by the Department of Justice, the Department of Homeland Security, the New York Police Department, and the Director of National Intelligence.  Secret Service special agent in charge Matt McCool stated that conducting the forensics on the 100,000 cell phones will take considerable effort and time.  McCool also stated that it would be unwise to assume that the New York telecom threat did not involve active networks in other cities in the United States.

CVG Strategy CMMC Consultants

After significant delays, the DFARS rule implementing CMMC requirements for DoD contractors and subcontractors is here.  Many small businesses face challenges meeting CMMC requirements because of limited budgets and a lack of qualified personnel.  CVGS can provide guidance and help your organization understand and implement CMMC.

We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals.  CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.

Identify CUI Areas with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per Title 22, Code of Federal Regulations (CFR), Parts 120-130.

CMMC and Export Compliance Program Violations

CMMC and Export Compliance
Image by DC Studio on Freepik

Cybersecurity Maturity Model Certification (CMMC) and export compliance programs should be coordinated efforts driven by upper management to avoid export regulation violations.  A Federal News Network article discussed the fact that CMMC assessments are uncovering unknown export regulation violations.  The article points out the dangers of maintaining compliance programs in separate silos.

Technology Control Plan

A Technology Control Plan (TCP) describes how to protect items and information that fall under export regulations. This includes export-controlled items, technical data, and Controlled Unclassified Information (CUI) at a facility.   A TCP is a key part of an International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) export compliance program.  It explains basic steps to secure and manage export-controlled technology from unauthorized access by implementing physical security measures and personnel screening.  

The TCP, while important, does not detail the required controls for a comprehensive information security system.  For this reason the DoD has made CMMC a contractual obligation for the Defense Industrial Base.

CMMC Requirements Now in Place

CMMC establishes a tiered framework of cybersecurity standards based on NIST SP 800-171 controls.  The Department of Defense (DoD) created it to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC assessments are conducted by Certified Third-Party Assessment Organizations (C3PAOs) based on DoD contracting requirements.  These requirements for CMMC programs fall under three levels:

  • Level 1: Requires an annual self-assessment and affirmation of compliance with 15 basic security requirements.
  • Level 2: Involves a more comprehensive assessment every three years, focusing on 110 security requirements from NIST SP 800-171.
  • Level 3: Similar to Level 2 but includes additional requirements to protect against advanced persistent threats.

Coordination of Efforts Essential

Export compliance programs determine, through classification, which articles and technology are subject to export regulations.  They also determine which parties are eligible to access those articles and technology through denied party screening and licensing.  These actions give an organization’s cybersecurity team boundaries for ensuring that the associated information is kept confidential, intact, and accessible only to appropriate personnel.

The two teams must work in conjunction to identify risks, ensure that mitigating efforts are defined and adequately resourced, and monitor and evaluate the actions taken.  Export regulations are in a constant state of flux that alters which technical information falls under regulatory control.  Additionally, threat matrices are constantly shifting as attackers exploit new vulnerabilities and circumvent cybersecurity protections.

The Role of Upper Management

Upper management must remain informed of both teams’ status and requirements.  Policies should be created and shared to build a culture of compliance. Regular training should be given to support these efforts.  Management must ensure that data is mapped in all departments to identify and protect Controlled Technical Information.

It must also ensure that cybersecurity requirements are communicated to all vendors and contractors.  Ultimately, management’s greatest concern is to ensure that all parties work together to protect the organization from costly regulatory violations and cybersecurity incidents.  Such incidents can not only result in costly civil and criminal fines but can also result in a loss of the organization’s reputation and revocation of export privileges.

CVG Strategy Export Compliance Management Programs

Organizations implementing and maintaining CMMC and Export Compliance programs in the United States face numerous challenges in these rapidly evolving business areas.  Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization to prevent export control violations.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

BIS Revokes VEU Waivers for China

BIS Revokes VEU Program
Image by rawpixel.com on Freepik

The Bureau of Industry and Security (BIS) has revoked the Validated End-User (VEU) waivers that allowed foreign-owned semiconductor facilities in China to import U.S. technology without licenses. Companies such as Samsung and SK Hynix will now be required to obtain licenses for their operations. This move aims to level the playing field for U.S. companies and restrict technological advancement in China’s semiconductor industry.

Closing Loopholes

This action closes loopholes in export controls created during the Biden administration that allowed certain China-based companies to obtain semiconductor manufacturing equipment and technologies without licensing.  Under Secretary of Commerce for Industry and Security Jeffrey Kessler stated that the current administration is committed to closing loopholes that put companies in the United States at a competitive disadvantage.

Validated End-User Program

The VEU program was established by the Department of Commerce Bureau of Industry and Security in June 2007. Its primary goal is to facilitate trade with civilian end users in eligible destinations, allowing certain dual-use items to be exported without a license. This program is voluntary, enabling entities in eligible countries to apply for VEU status. The program was expanded to allow items obtained under VEU authorization in India to be used for military purposes, not just civilian uses.

120 Day Registration Period

There will be a 120 day registration period for former VEU participants to apply for export licenses.  There is a general policy of granting licenses that allow former participants to operate existing facilities in China, but there is no intention to allow expansion or upgrades of those facilities.

CVG Strategy Export Compliance Expertise

As the BIS revokes the VEU waiver program, other changes wait in the wings.  Continual changes in the regulatory backdrop demand corresponding changes in the activities of organizations involved in export transactions.  This increases the likelihood of a non-egregious violation occurring even in a company with a well-run export compliance program.

Whether you are part of a large corporation or a small company with a part-time compliance person, CVG Strategy has the compliance and training programs to help you meet International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) rules and requirements.  As the BIS places controls on a growing number of technologies, it becomes increasingly difficult for smaller businesses to stay abreast of regulatory developments.  Because of this, we provide Export Compliance Management Programs (ECMP) for businesses of all sizes.

CVG Strategy, LLC is recognized the world over as the premier provider of Export Compliance Consulting and Export Compliance Programs for businesses involved in export in the U.S. and Canada.  We also provide the essential training that ensures that your team is up to date on governmental regulations, including the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), the Canadian Controlled Goods Program, Office of Foreign Assets Control (OFAC) rules, and the requirements of other regulatory agencies.

C-Suite Cybersecurity Responsibilities for Success

C-Suite cybersecurity responsibilities
Photo by Vlada Karpovich

C-suite cybersecurity responsibilities include promoting a security culture, aligning cyber and business strategies, and providing resources.  This requires involvement by all executives, not just the Chief Information Security Officer (CISO).  The prevention of a cybersecurity incident should be a key element in business strategy because of the potential for loss of operations, financial loss, and damage to organizational reputation.  Additionally, executives should address contractual obligations and regulatory requirements for the handling of customer data.

Executive Requirements for NIST SP 800-171

NIST SP 800-171 is a set of guidelines designed to protect Controlled Unclassified Information (CUI) in non-federal systems and organizations. It provides recommended security requirements to ensure the confidentiality of CUI, particularly for contractors and subcontractors working with the federal government.

The Cybersecurity Maturity Model Certification (CMMC) is a program developed by the U.S. Department of Defense (DoD) to ensure that contractors in the Defense Industrial Base (DIB) adequately protect sensitive information. This includes Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  CMMC is built on the requirements of NIST 800-171, but it includes a third-party assessment process for certification.

CMMC requires that a senior executive certify compliance with the cybersecurity standards in the Supplier Performance Risk System (SPRS). Executives are accountable for ensuring that the organization meets and maintains cybersecurity requirements.

C-suite leaders should allocate budget resources for compliance initiatives. This includes costs associated with implementing security controls and ongoing maintenance. Executives must understand the risks of non-compliance, which can jeopardize contracts and revenue opportunities especially when securing government contracts.

A Call to Action

Fundamental Responsibilities

The importance of C-suite cybersecurity responsibilities in a viable information security management system is not fully appreciated by many businesses today.  Unfortunately, the notion that cybersecurity responsibilities can be delegated to the IT department still hangs on.  Cybersecurity requirements must be addressed by top management to satisfy regulatory and contractual requirements.  Top management must also address business continuity and the financial risks associated with potential cyber incidents.

Defining the Scope of the Cybersecurity Program

Defining the scope of a program prioritizes efforts and ensures that all critical areas are addressed systematically.  Typically this involves identifying objectives, determining which systems and assets need protection, engaging stakeholders, and understanding applicable regulatory requirements.

Perhaps the most daunting task, especially for older organizations, is determining which assets are to be protected.  Information in various forms is shared across departments throughout an organization.  Positively identifying and labeling large amounts of that data can be challenging.  In many cases automated tools can be used to perform these tasks, but this can sometimes hamper productivity by creating excessive access rights.

Establishing a Compliance Culture

Cybersecurity is a responsibility for every person in an organization.  Establishing a culture that prioritizes cybersecurity helps mitigate risks and enhances overall security posture.  This can be accomplished by establishing policies that outline how an organization protects its digital assets and sensitive information. This should include defining roles and responsibilities to ensure compliance and security. 

Requirements for employee awareness and training should be ascertained and addressed.  Role specific training requirements should also be considered for key positions within the program.

Monitoring and Maintaining a Cybersecurity Program

It is essential that a cybersecurity program is regularly assessed to identify vulnerabilities and determine program effectiveness in a changing risk environment.  This includes assessing the organization’s current cybersecurity posture, discussing potential risks, and evaluating the effectiveness of existing measures. Organizations should conduct internal audits at least annually. However, more frequent audits may be necessary based on changes in systems, processes, or regulations.

CVG Strategy Information Security Management System Consultants

CVG Strategy can assist your organization in meeting the challenges of developing a cohesive information security management system.  We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals.  CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.

Sequencing MIL-STD-810 Test Methods

Sequencing MIL-STD-810

Sequencing MIL-STD-810 test methods can be a challenge when developing an Environmental Test and Evaluation Master Plan (ETEMP).  Determining a representative test sequence is essential for generating representative cumulative environmental stressors that will provide an accurate evaluation.  The standard provides, in most cases, only vague and general guidance in Part 1 and in each of the methods.

Test Program Parameters

Test programs can vary greatly depending on the type of equipment under test, the size of the equipment, and the number of units available for testing.  When multiple units are available, multiple-path testing can be performed.  As an example, Low Pressure, High Temperature, Ballistic Shock, and Sand and Dust could be performed on one unit or set of units while a different series of tests is being conducted on separate units.

Consideration should always be given to perceived vulnerabilities in the equipment under test.  Gaskets and seals are often at risk of degradation through thermal extremes, deformations due to shock, and material deterioration due to exposure to chemical agents.  These concerns should be taken into consideration when immersion or water jet testing is to be conducted.

Severe testing parameters can also be an area of special concern for sequencing.  In certain cases, performing Pyroshock testing early in the test program may be advantageous if a failure would result in significant redesign and retest.

Pyroshock, even in the far field, can involve amplitudes approaching 1,000 g with frequencies up to 3 kHz. This can cause multiple types of failures that would not be seen in other types of testing.  If cumulative effects are of concern, Pyroshock could be performed again at the end of a sequence.

MIL-STD-810 Sequencing Guidance

MIL-STD-810 offers guidance throughout Parts 1 and 2 of the document on test sequencing.  In most cases the guidance advises that the anticipated life cycle be used to assess the cumulative effects, but concedes that, in most cases, there is not a single definable sequence.  A number of factors, including situation-dependent usage and test program assets, will contribute to the final sequence selection.

Hard and Fast Sequencing Rules

There are certain hard and fast rules in MIL-STD-810 sequencing that must be followed.  Certain methods should be considered end of sequence methods because the Unit Under Test (UUT) will have been severely degraded or will be rendered unsuitable for further testing.  These methods include Contamination by Fluids, Corrosive Atmosphere, Acidic Atmosphere, Ballistic Shock, and Sand and Dust.

A UUT should not be introduced into an environmental chamber after Contamination by Fluids or Acidic Atmosphere testing because it could contaminate the chamber.  Sand and Dust testing can leave deposits of dust that would provide nutrients for Fungus testing.  Sand and Dust will also degrade finishes and provide misleading results if followed by Corrosive Atmosphere.  Guidance for these concerns is provided in each method.
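The hard-and-fast rules above can be encoded as a checker that flags ordering problems in a proposed single-unit test sequence. This is an added example, not from MIL-STD-810 or CVG Strategy; the set of methods treated as environmental-chamber methods is an assumption made for the example and is not stated on the page.

```python
"""Check a proposed MIL-STD-810 test sequence for one unit under test (UUT)
against the sequencing constraints discussed above.

Rules encoded:
  * End-of-sequence methods degrade the UUT: once one has been run, only
    other end-of-sequence methods may follow.
  * No environmental-chamber method may follow Contamination by Fluids or
    Acidic Atmosphere (risk of contaminating the chamber).
  * Fungus and Corrosive Atmosphere must not follow Sand and Dust (dust
    deposits feed fungus growth and distort corrosion results).
"""
from dataclasses import dataclass

# Methods the text names as end-of-sequence methods.
END_OF_SEQUENCE = {
    "Contamination by Fluids", "Corrosive Atmosphere", "Acidic Atmosphere",
    "Ballistic Shock", "Sand and Dust",
}
# ASSUMPTION for this example: methods that are run inside an environmental
# chamber. Adjust to match the laboratory's actual equipment.
CHAMBER_METHODS = {
    "High Temperature", "Low Temperature", "Temperature Shock", "Humidity",
    "Fungus", "Low Pressure", "Corrosive Atmosphere", "Acidic Atmosphere",
}
# Methods after which the UUT must not enter a chamber.
CONTAMINATING = {"Contamination by Fluids", "Acidic Atmosphere"}
# Methods that must not follow Sand and Dust.
FORBIDDEN_AFTER_SAND_AND_DUST = {"Fungus", "Corrosive Atmosphere"}


@dataclass(frozen=True)
class Finding:
    position: int   # 0-based index of the offending method in the sequence
    method: str
    reason: str


def check_sequence(sequence):
    """Return a list of Finding objects; an empty list means no rule is broken."""
    findings = []
    first_end_method = None      # first end-of-sequence method encountered
    contaminated = False         # a contaminating method has been run
    sand_and_dust_done = False   # Sand and Dust has been run

    for i, method in enumerate(sequence):
        if first_end_method is not None and method not in END_OF_SEQUENCE:
            findings.append(Finding(
                i, method,
                f"follows end-of-sequence method {first_end_method}; "
                "UUT is considered degraded"))
        if contaminated and method in CHAMBER_METHODS:
            findings.append(Finding(
                i, method,
                "chamber method after Contamination by Fluids or Acidic "
                "Atmosphere; chamber contamination risk"))
        if sand_and_dust_done and method in FORBIDDEN_AFTER_SAND_AND_DUST:
            findings.append(Finding(
                i, method, "must not follow Sand and Dust; dust deposits "
                "give misleading results"))

        # Update state after evaluating the current method.
        if method in END_OF_SEQUENCE and first_end_method is None:
            first_end_method = method
        if method in CONTAMINATING:
            contaminated = True
        if method == "Sand and Dust":
            sand_and_dust_done = True
    return findings


# Constructed sample sequences used as demonstration input.
BAD_SEQUENCE = ["Low Pressure", "High Temperature", "Pyroshock",
                "Sand and Dust", "Fungus", "Corrosive Atmosphere"]
GOOD_SEQUENCE = ["Low Pressure", "High Temperature", "Humidity", "Pyroshock",
                 "Ballistic Shock", "Corrosive Atmosphere",
                 "Contamination by Fluids"]

if __name__ == "__main__":
    for name, seq in (("bad", BAD_SEQUENCE), ("good", GOOD_SEQUENCE)):
        print(f"{name} sequence: {len(check_sequence(seq))} finding(s)")
        for f in check_sequence(seq):
            print(f"  step {f.position + 1} {f.method}: {f.reason}")
```

The checker only encodes the constraints named on this page; the tailoring decisions the text describes (life cycle profile, available units, early Pyroshock) still have to be made by the test engineer.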

Take Aways

Sequencing of MIL-STD-810 is an often overlooked element in developmental test and evaluation. Inadequate attention in developing a rationale can result in misleading results from laboratory testing.  However, no matter how well a plan has been put together, test failures, requisite redesigns, lab scheduling, and test item availability can all require sequence changes.

CVG Strategy Test and Evaluation Expertise

We provide a variety of services to help you get the most from your test and evaluation program.  Our course Understanding MIL-STD-810 helps you develop a more effective product test program.  CVG Strategy offers this webinar to increase your knowledge of the entire standard.  The course stresses the importance of the tailoring process and addresses sequencing of MIL-STD-810 test methods.

We can create LCEPs and EICLs that reflect your product’s needs.  We provide EZ-Test Plan Templates for product segments such as Ground Mobile, Shipboard Controlled, and Aircraft Military.  Our test and evaluation experts can also create custom test plans for your product requirements.

To assist your product development during this Covid-19 crisis we offer test program management and test program witnessing.  This frees your team from travel requirements and ensures that testing is performed as specified.  CVG Strategy is partnered with labs in the Florida area to help you.

Organizations Are Not Ready for CMMC

Organizations not Ready for CMMC
Photo by panumas nikhomkhai

Recent studies have shown that organizations are not ready for CMMC.  The Aware but not Prepared report from Redspin states that only half of the Defense Industrial Base (DIB) is even moderately prepared for a Level 2 certification.  Despite a five year roll out of the final rule from the Department of Defense (DoD), DIB members both large and small cite costs, a lack of technical expertise, and confusing information from the DoD as challenges for Cybersecurity Maturity Model Certification (CMMC) compliance.

Management Commitment

A recurring theme in cybersecurity studies and guidelines, the need for management commitment and organizational support, was echoed in the report.  Unfortunately, in many organizations the perception that cybersecurity is an IT function remains in place.  A functional information security system involves participation at all levels of the business.  This is especially true for management, where risk assessments and continual improvement must be driven through communication of commitment and provision of adequate resources.

Getting Started

The first step in achieving compliance is to ascertain the organization’s cybersecurity status.  This can be accomplished by performing a Gap Assessment.  Findings for each control should be broken down into the following categories: Fully Compliant, Partially Compliant, and Non-Existent Controls.  Then an effort should be made to target the low-hanging fruit to demonstrate progress and enhance the organization’s cybersecurity effectiveness.

Implementing External Service Providers (ESPs)

The report recommends that organizations utilize External Service Providers to mitigate risks and maintain the information security system.  A cybersecurity external service provider is a third-party organization that offers cybersecurity services to other companies, helping them protect their information systems from threats. These services can include monitoring, threat detection, incident response, and vulnerability management.

System Security Plans (SSP)

A majority of participants in the study reported having a System Security Plan in place though less than half have finalized this document.  A System Security Plan (SSP) is a formal document that outlines the security requirements for an information system and describes the security controls in place or planned to meet those requirements. It serves as a comprehensive overview of how an organization protects its systems and data from unauthorized access and threats. 

The Redspin report found that organizations that use the SSP to address each objective and then actively work through those objectives had a higher rate of success in achieving and maintaining compliance.

CMMC in the Trump Administration

CMMC 2.0 is not expected to be eliminated as a result of Trump administration deregulatory efforts.  CMMC requirements are seen as a necessary measure for cybersecurity in the defense sector. While there may be discussions about regulatory burdens to smaller organizations, the program is likely to continue due to its importance in protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Issues Beyond the DIB

Beyond the fact that organizations are not ready for CMMC, there may not be enough accredited Certified Third-Party Assessment Organizations (C3PAOs) to meet the growing demand for CMMC certification.  The process for granting C3PAO status is stringent and has resulted in a limited number of organizations being approved. This could lead to logistical challenges for defense contractors seeking certification in the near future.

The Bottom Line

Organizations are not ready for CMMC.  CMMC compliance presents several challenges, particularly for small and medium businesses, including high costs for achieving and maintaining certification, complex requirements, and the need for significant investments in technology and processes. Additionally, the evolving nature of cybersecurity threats makes it difficult for organizations to keep up with the necessary standards and practices.

CVG Strategy Information Security Management System Consultants

CVG Strategy can assist your organization in meeting the challenges of the CMMC final rule.  We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals.  CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.

Identify CUI Areas with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.

Integrated Business Management Systems for Effectiveness


Integrated business management systems provide more effective solutions to the challenges facing organizations today.  This approach consolidates business processes and systems across teams and unifies objectives.  It can effectively address requirements for quality management, export compliance, information security management, and other concerns, ensuring compliance without gaps, duplication of efforts, or teams working at cross purposes.

Quality Management Systems (QMS)

Quality Management Systems (QMS) are systems that document responsibilities, processes, and procedures of an organization to achieve policies and objectives.  These objectives are not limited to maintaining customer satisfaction for an organization’s products or services but extend to any external and internal issues relevant to objectives.  As defined in clause 4.3 of ISO 9001:2015, external issues include applicable statutory and regulatory requirements.

To accomplish these objectives, it is critical that top management demonstrate leadership and commitment by ensuring that these requirements are integrated into business processes and provided with adequate resources.  Furthermore, leadership must evaluate these requirements using a process approach and risk-based thinking to drive continuous improvement.  Leadership is also responsible for reviewing these inputs to address non-conformities and determine the extent to which objectives have been met.

Export Compliance Management Program Requirements

Export compliance presents challenges for organizations due to its complexity and because regulations are subject to change.  Both the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) have requirements for effective export compliance programs.

ITAR Program Requirements

As with ISO 9001:2015, the Directorate of Defense Trade Controls (DDTC) cites management commitment as an important factor for a successful program.  This is essential for promoting a culture of compliance and ensuring that adequate resources are available for the program's operation.  The ITAR also stresses the importance of performing risk assessments and regular program audits.

Training is a requirement for organizations that are subject to ITAR export requirements.  This training should be job specific and offered on a recurring basis.  Records should be maintained for training activities.  Additionally, resources should be available for personnel to reference when export questions arise.

EAR Program Requirements

The Bureau of Industry and Security (BIS) places a strong emphasis on the need for commitment from senior management.  This top-down approach emphasizes the allocation of sufficient resources, public support of policies and procedures related to the export compliance program, and provision of training.

The BIS strongly advises that regular risk assessments be performed to identify and address preventable risks that could result in the release of controlled items or technical data.  It also advises the performance of audits to check for program deficiencies and enable corrective actions to be taken through management processes.

Export Opportunities

Much emphasis is placed on the ramifications of violating export regulations, and justifiably so.  Export violations can result in costly fines, loss of business reputation, debarment from export activities, and even imprisonment.  However, maintaining an awareness of changes in export regulations can also result in new opportunities for business.  Examples of this are the AUKUS defense trade integration, which has resulted in the relaxation of controls on exports between Australia, the United Kingdom, and the United States, and recent developments in the commercial space sector.

Cybersecurity and Information Security Management Systems

Regardless of sector, businesses today are facing increasing pressure to ensure the confidentiality, integrity, and availability of data.  This applies not only to data directly held by the organization but to data and products vulnerable to unauthorized access in the supply chain.  As with quality management and export compliance, these security risks must be addressed by an integrated business management approach.

Security breaches must be prevented through the implementation of digital controls and physical security.  These same physical controls are shared with export compliance requirements.  Breaches must also be prevented by management-backed policies that are communicated to all personnel and external providers.

Cyber incidents must also be prevented through adequate training because the weakest link in cybersecurity is often the human factor.  This training should include security literacy, should inform personnel of changes to policies or procedures, and should stress recognizing and reporting indicators of insider threats or social engineering activities.

NIST SP 800-53, NIST SP 800-161, NIST SP 800-171, and ISO 27001 all require management to define security and privacy risk tolerance in order to establish a scope for mitigation strategies.  This allows for a consistent application of a strategy that is both broad-based and comprehensive.

CVG Strategy Consultants

Quality Management

CVG Strategy's quality consultancy team can help your organization implement an integrated business management system effectively and painlessly.  Our consulting services will guide you through all phases of QMS, from assessment and development to the certification process.

CVG Strategy can also incorporate statutory requirements for export compliance into your program.  Ask our experts how we can add this feature to your quality management system.  Additionally, CVG Strategy can provide you with Quality Management training courses that will empower your team to succeed in a QMS environment.

CVG Strategy has experience with a large number of quality management system standards.  In addition to ISO 13485:2016, our Global Exemplar Lead Auditors can assist you in designing and implementing a QMS to the following standards:

  • AS9100
  • ISO 27001
  • BS EN 13485:2016
  • FDA Title 21 Part 820
  • EN ISO 14971:2019

CVG Strategy can provide a QMS that incorporates multiple quality standards. This includes incorporating management strategies for ensuring compliance with industry regulations such as EU Directive 98/79/EC for medical devices.

CVG Strategy Export Compliance Solutions

While many export compliance providers offer programs geared toward compliance with a single set of regulations, CVG Strategy offers a harmonized program that will ensure that your company is compliant with ITAR, EAR, and international regulations.  Furthermore, we consolidate this program into a collection of documents that can be integrated into a quality management system.

Cyber Security Consulting

CVG consultants have over a decade of experience with ISMS, Quality Management Systems (QMS) and Export Compliance.  We understand that each business has a unique set of requirements that demand tailored solutions. 


CMMC Final Rule to be Implemented in 2025


The Department of Defense (DoD) has released its Cybersecurity Maturity Model Certification (CMMC) final rule.  This rule will now require contractors to verify that required security measures have been implemented for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  These requirements are to be implemented in early to mid-2025, when verification of security controls will appear as a condition in Requests for Proposals (RFP).  It can be expected that these information security requirements will quickly flow down to subcontractors.

CMMC Three Levels of Compliance

There are three defined levels of CMMC security compliance requirements for defense industrial base contractors.

Level 1

Level 1 requirements apply to contractors handling Federal Contract Information (FCI).  FCI is information, not intended for public release, that is provided by or generated for the U.S. government under a contract for the provision of a product or service.  Requirements for Level 1 compliance are defined in Federal Acquisition Regulation 52.204-21.

Level 2

Level 2 requirements apply to contractors that handle Controlled Unclassified Information (CUI).  CUI is unclassified information required by or possessed by the U.S. government.  CUI controls, as specified in NIST SP 800-171, are required to prevent the release of information pertaining to defense and national security.

Level 3

Level 3 requirements apply to contractors engaged with critical programs or high value assets.  Contractors falling in this category must meet all requirements of Levels 1 and 2 CMMC and meet 24 additional requirements specified in NIST SP 800-172.

The potential effective dates for final implementation of this Cybersecurity Maturity Model Certification (CMMC) Program structure are March of 2025 for Levels 1 and 2, and March of 2028 for Level 3. 

Cybersecurity Certification

The DoD has relied on a system of contractor self-affirmations for cybersecurity requirements.  This has been seen as largely ineffective given the active level of threat presented by foreign adversaries.  The CMMC final rule will now require verification through CMMC Third-Party Assessment Organizations (C3PAOs) that organizations are compliant with NIST SP 800-171, rev. 2 requirements.

Concerns for Contractors and Subcontractors

There are numerous concerns for businesses in the defense industry that are in the process of implementing required controls.  Firstly, implementing an effective information security program is an involved process that requires a considerable amount of time and capital.  This is having a disproportional impact on smaller subcontractors. 

Secondly, there are insufficient numbers of personnel qualified for critical roles in an information security program.  Additionally, even if a business is prepared for certification, there is an insufficient number of C3PAOs to assess it.

Presently, many contractors are already rolling out requirements to subcontractors ahead of final CMMC implementation.  This raises concerns that businesses may drop out of the already shrinking defense industrial sector.

Changes Implemented in the Final Rule

  1. The requirement that External Service Providers (ESPs) that do not process, store, or transmit CUI meet the FedRAMP requirements of DFARS 252.204-7012 was removed.  ESPs are third parties that deliver services affecting the confidentiality, integrity, or availability of DoD CUI.  This provision applies both to ESPs that provide cloud services and to those that do not.
  2. Definitions were added to the CMMC for temporary deficiencies and enduring exceptions.  These terms allow contractors to address security requirements not yet in place through a Plan of Action and Milestones (POA&M).
  3. Reassessments are now required for organizations undergoing Mergers and Acquisitions (M&A).  New assessments would evaluate significant architectural or boundary changes to systems handling CUI.
