cui
Safeguard articles tagged "cui" — guides, analysis, and best practices for software supply chain and application security.
6 articles
CMMC 2.0 Phase Two: What November 10, 2026 Means for Contractors
CMMC Phase 1 began in November 2025. Phase 2 lands on November 10, 2026, requiring mandatory C3PAO Level 2 assessments. We unpack the contractor implications.
CMMC 2.0 Final Rule Preparation in 2026
The CMMC final rule took effect in December 2024 and rolling contract clauses began appearing in 2025. Here is what contractors should be doing right now in 2026.
CMMC 32 CFR Part 170: The Program Rule and the Four Phases
DoD's CMMC program rule became effective December 16, 2024 with a four-phase rollout running through November 2028. The companion DFARS rule landed September 10, 2025.
NIST 800-171 Rev. 3 and the DoD Class Deviation: Stuck on Rev. 2
NIST published 800-171 Rev. 3 on May 14, 2024. Twelve days earlier, DoD froze DFARS 7012 to Rev. 2 via Class Deviation 2024-O0013.
FAR CUI Proposed Rule: An 8-Hour Clock and a Government-Wide Standard
The January 15, 2025 FAR CUI rule extends NIST SP 800-171 to every federal contractor and adds an 8-hour incident reporting clock for non-federal facilities.
CMMC Level 2 for Software Vendors: A Practical Roadmap
CMMC Level 2 means all 110 NIST SP 800-171 controls, assessed by a C3PAO for most contractors. Here's the scoping, gap-closing, and evidence roadmap for software vendors.