Do all subcontractors have to register in SPRS?
Technically, no. Realistically, yes.
If the subcontractor receives the information on their computers or enters the information into their computers, they must be CMMC compliant and registered in SPRS. This applies starting at CMMC Level 2, because L1 is all about FCI, while L2 introduces CUI.
For example, you could give someone a piece of paper with CUI and as long as they are not scanning it in, typing it into a computer, taking a picture of it, etc., they are exempt from CMMC. The same is true of the digital equivalent of a piece of paper, such as a portal that gives them access to view information but they cannot download it or forward it. This keeps the control of the information in your hands.
Here’s why that’s true:
- § 170.19(c)(1) defines the scope of CMMC assessments based on asset categories. Specifically, “Controlled Unclassified Information (CUI) Assets” are defined as assets that “process, store, or transmit CUI” — and these are the systems subject to CMMC Level 2 requirements.
- Out-of-scope assets are those that cannot process, store, or transmit CUI and do not provide security protection for such systems. These are not assessed.
This means CMMC applies only when an organization or system handles CUI in one of those three ways (processing, storage, or transmission). Mere verbal sharing of CUI (like a name and phone number) triggers compliance obligations because it constitutes transmission, but the requirement falls on the sender to protect the data — not the recipient, unless they retain or process it.
Here’s my approach:
Minimize data as much as possible. For example, when hiring a subcontractor, have them bill you directly to avoid entering CUI into their systems. Provide only the necessary details—such as the work location address—without sharing additional information like names and phone numbers of your client. This approach ensures that you are sharing just one piece of information (an address) instead of multiple pieces (a name and an address), thereby removing the two-part threshold for PII.