Safeguarding Sensitive Government Information: Why The Cybersecurity Maturity Model Certification (CMMC) Matters For The Global Defense Innovation Ecosystem

Over the past decade, a vibrant defense‑innovation ecosystem has emerged across the U.S. and Europe, powered by venture‑backed defense tech startups, dual‑use technology companies, and commercial‑first innovators entering national‑security markets. As these companies begin collaborating with defense agencies, they encounter compliance obligations for handling sensitive government information. For those seeking to enter the US national security innovation sector, the center of attention remains on safeguarding Controlled Unclassified Information (CUI).

While the recently codified Cybersecurity Maturity Model Certification (CMMC) addresses more than CUI, its principal aim is to remediate inconsistent compliance with the implementation of the NIST SP 800-171 controls required to safeguard CUI in the Defense Federal Acquisition Supplement (DFARS). Whether or not a company sees itself as a "defense contractor," understanding CUI and CMMC is rapidly becoming essential for participating in this expanding global ecosystem.

Against that backdrop, this post outlines CUI's role within CMMC, identifies the primary sources of the underlying safeguarding obligations, and explains how CMMC operationalizes verification of those requirements, especially at Level 2.

What Is Controlled Unclassified Information (CUI)?

CUI is information that the U.S. government is required to protect based on legal, regulatory, or policy‑based authorities, which vary depending on the type of information involved.

CUI is sensitive government information such as legal records, financial data, or technical materials that could cause harm if disclosed broadly or accessed by unauthorized individuals.

The U.S. National Archives and Records Administration maintains a master registry of CUI. The U.S. Department of War (DOW) maintains its own CUI registry.

Some CUI, called CUI Specified, require additional controls based on the law or regulation that applies to it. An example is information subject to the International Traffic in Arms Regulations (ITAR) regarding the export and handling of defense‑related articles, services, and technical data listed on the U.S. Munitions List.

Safeguarding CUI in Non‑Federal Systems

For companies doing business in the U.S. national security sector that need to handle CUI within their own business systems (e.g., email, document storage, or customer relationship management apps), the focus turns to how to protect that CUI.

A key requirement is set forth in DFARS 252.204‑7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This clause applies to prime contracts and subcontracts, including those for commercial products and services. It requires contractors to implement the 110 cybersecurity controls set forth in NIST SP 800‑171 and to report certain cyber incidents.

These safeguarding requirements are not new. Many companies already operating in the defense ecosystem have implemented them. This is also an area of increasing enforcement activity with the U.S. Department of Justice actively relying on the False Claims Act to pursue alleged CUI-related misrepresentations.

Enter CMMC

Codified at DFARS 252.204‑7021 in November 2025, the CMMC program allows national security agencies to condition contract eligibility on a contractor's ability to demonstrate compliance with required cybersecurity controls before award.

CMMC Levels 1 and 2 do not introduce new cybersecurity controls; instead, they formalize assessment and certification of safeguards that already exist under DFARS. (Level 3 requires additional controls and is intended for higher-impact CUI.)

While Level 1 addresses the protection of Federal Contract Information, most compliance risk, cost, and enforcement exposure tends to be concentrated at Level 2, where CUI is involved. That is because Level 2 aligns with implementing the controls of NIST SP 800‑171, which as described above, has long been a DFARS requirement for safeguarding CUI.

For companies newly entering the US national security ecosystem, CMMC functions as a gatekeeper, making the ability to demonstrate CUI safeguarding a prerequisite.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.