CMMC – How do I know if it is required?

Researchers working in a lab with Controlled Unclassified Information image

CMMC is required for your project activity if (1) you are handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) and (2) your DOD contract includes any of the following Defense Federal Acquisition Regulations (DFARS) clauses:

  • DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
  • DFARS 252.204-7019, Notice of NIST SP 800-171 DOD Assessment Requirements
  • DFARS 252.204-7020, NIST SP 800-171 DOD Assessment Requirements’
  • DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements (through 9/30/2025)

Your Join Research Office for Contracts (JROC) team can assist in identifying whether these clauses are required and if the research contains FCI or CUI information.

If you plan to respond to a federal government RFP or RFI and anticipate that CUI may be involved then you must have adequate cybersecurity measures in place to accept said contract. Please contact the Joint Research Office for Contracts (JROC) to determine if the RFP/RFI will be subject to security requirements.


Back to CMMC at WUSTL and Security of Controlled Unclassified Information (CUI) in Sponsored Research


Showing: All results

CMMC – How do I know if it is required?

CMMC is required for your project activity if (1) you are handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) and…

CMMC – Model Framework

The Cybersecurity Maturity Model Certification (CMMC) framework organizes processes and cybersecurity best practices into a set of 17 capability domains…

CMMC – What information is protected?

CMMC is primarily designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)…

CMMC – What is it?

The Cybersecurity Maturity Model Certification (CMMC) is a program of unified standards and frameworks of cybersecurity best practices and controls …

CMMC – Why was it created?

The theft of intellectual property and sensitive information due to malicious cyber activity threatens economic security and national security…

CUI – Does my RFP/RFI involve CUI?

The below steps are designed to assist you in determining if a RFP/RFI will require safeguards to protect…

CUI – Training and Resources

All faculty and staff who may come into contact with CUI data in their course of performing their job duties are required to take training. The training required depends upon your job, and the nature of your interaction with CUI data here at the university.

CUI – What is it?

Controlled Unclassified Information (CUI) is a category of unclassified data that federal agencies create or possess, government, which is required…

CUI FAQ

Answers to frequently asked questions about the WUSTL-SEn environment for CUI data at Washington University in St. Louis.