CMMC Cybersecurity
Onboarding Training

Controlled Unclassified Information — CUI — is government information that is sensitive enough to require protection but is not classified. It lives in a specific category defined by Executive Order 13556 and the DoD CUI Program.

CUI is not stamped SECRET or TOP SECRET. It does not require a security clearance to access. But it is legally controlled, and anyone who handles it — at any tier of the defense supply chaini — is legally obligated to protect it.

CUI is not an abstract category. It is the specific files, drawings, and data you work with every day. Here are common examples in defense manufacturing and contracting environments:

• Technical drawings and CAD files — specifications, tolerances, materials, assembly instructions for defense components
• Engineering models and simulation data — performance characteristics, test results, failure analysis
• Contract documents and statements of work — program names, delivery schedules, pricing structures
• Export-controlled technical data — anything subject to ITARi or EAR regulations
• Procurement and supplier information — vendor lists, pricing, supply chain structure
• Personnel security information — background check data, clearance status
• Network diagrams and system documentation — anything describing the IT systems that process defense data

Nation-state adversaries — primarily China, Russia, Iran, and North Korea — invest billions of dollars annually in stealing US defense technology. The goal is not random disruption. It is systematic reconstruction of American military capability without paying the research and development cost.

A single technical drawing from a defense subcontractor does not give an adversary a complete weapon system. But combined with drawings from other suppliers, performance data from program databases, and contractor communications intercepted over time, it contributes to a comprehensive intelligence picture. The adversary is building a puzzle. Every CUI document you allow to leave your protected environment is a piece they do not have to steal from somewhere harder.

Prime contractors like Electric Boat, Pratt & Whitney, and Sikorsky invest heavily in cybersecurity. They have dedicated security teams, sophisticated technical controls, and years of compliance maturity. Adversaries know this. They do not attack the front door of a heavily defended fortress. They find the subcontractor three tiers down whose network has default passwords and no security monitoring.

This means that your organization — regardless of its size — is a node in a security architecture that ultimately protects American military capability. A breach at your facility is not just your company's problem. It is a supply chain problem that potentially affects every program that flows through your work.

The Cybersecurity Maturity Model Certification (CMMC) is the DoD's mandatory framework for verifying that defense contractors protect CUI properly. As of November 10, 2025, CMMC requirements are active in defense contracts. As of November 10, 2026, mandatory third-party certification becomes a condition of contract award for Level 2 contracts.

CMMC is not an IT department project. It is an organization-wide standard that requires every employee who touches CUI to understand and follow specific security practices. The 110 controls in NIST SP 800-171i that CMMC enforces are not abstract technical requirements — they are specific behaviors that prevent specific attacks that have already happened to organizations like yours.

On March 26, 2025, the Department of Justice announced that MORSECORP, Inc. — a Cambridge, Massachusetts defense contractor serving the US Army and Air Force — agreed to pay $4.6 million to settle False Claims Acti allegations. This was the first major FCA settlement based specifically on cybersecurity non-compliance.

Volt Typhoon is a Chinese nation-state threat actori documented by the FBI, NSA, and CISA. Beginning as early as 2019, Volt Typhoon penetrated US power grids, water systems, communications networks, and transportation infrastructure. They operated inside these networks for years — sometimes more than five years — without detection.

Their technique is called "living off the landi" (LOTL): using the legitimate tools already installed on compromised systems rather than deploying malwarei that security software would detect. They were invisible because they looked like normal system activity.

In March 2026, Iranian threat actor Handala — operating on behalf of Iran's Ministry of Intelligence — conducted a destructive cyberattack against Stryker Corporation, a major US medical device and defense contractor. The attack remotely wiped approximately 200,000 devices across 79 countries.

From at least January 2020 through 2022, the FBI, NSA, and CISA jointly documented a sustained Russian state-sponsored campaign targeting US cleared defense contractorsi at every tier of the supply chain — not just prime contractors, but small and mid-sized subcontractors with varying levels of cybersecurity maturity.

The targeted programs included command and control systems, intelligence and surveillance systems, weapons and missile development, and combat systems. The attackers used credential harvesting, spearphishingii, and exploitation of known software vulnerabilities to gain access. In many cases, the initial entry point was a small supplier whose defenses were significantly weaker than the prime contractors further up the chain.

The DoJ has now settled nine cybersecurity False Claims Act cases under its Civil Cyber-Fraud Initiative since 2021. The two largest settlements reached $11 million each. The enforcement campaign is accelerating, not slowing down.

These are not large prime contractors with complex fraud schemes. They are organizations — some of them small manufacturers — that signed SPRS compliance affirmations they could not support. The mechanism that exposed them in every case was the same: an insider who knew the stated controls were not actually in place and had financial incentive to report it.

Phishing

Generic phishing is mass email — fake bank alerts, package delivery notifications, password reset requests sent to millions of addresses simultaneously. Most people recognize these because they are generic. They are not addressed to you personally. They have no context about your job, your company, or your interests.

Spearphishing

Spearphishing is targeted. The attacker has researched you specifically — your name, your job title, your employer, your professional interests, possibly your personal interests from social media. The email they send you is crafted to be plausible and personally relevant. It references your actual industry, a conference you might attend, a publication you might read, a colleague you might know.

APT5 is a Chinese nation-state threat actori assessed to operate on behalf of Chinese state intelligence. In 2024 and 2025, APT5 conducted sustained spearphishing campaigns specifically targeting current and former employees of US aerospace and defense contractors.

The following patterns are consistent across documented spearphishing campaigns targeting defense contractors. None of them alone is definitive — but any combination should trigger verification before you click anything.

• Unsolicited conference invitations sent to your personal email, especially for events you have not registered for, even if the event is real
• Training or certification opportunities that arrive unexpectedly and require you to log in or download something to register
• Urgent requests from apparent colleagues, managers, or vendors asking you to act quickly — urgency is a manipulation technique designed to bypass critical thinking
• Links that require login before showing you content — especially if the login page asks for both a username/password and a multi-factor authenticationi code
• Attachments from unknown senders, even if the sender name appears to be someone you know — sender names are trivially easy to spoof
• Emails about your employer's contracts or programs sent to your personal email from an external party you have not previously corresponded with

Understanding what happens after a successful phishing click helps explain why these attacks are so dangerous and why catching them early is so critical.

• Step 1 — Credential harvest: The fake login page captures your username and password. The attacker now has your credentials — for your personal email account, and if you reused that password, potentially for your work accounts too.
• Step 2 — MFA bypass (AiTMi): Sophisticated attacks use adversary-in-the-middle techniques to capture your multi-factor authentication code in real time, bypassing even MFA-protected accounts.
• Step 3 — Lateral movementi: With access to your email, the attacker searches for useful information — your employer, your colleagues, your work accounts, any defense-related content. They use your account to target your contacts with trusted-sender spearphishing.
• Step 4 — Escalation: If your credentials work on any corporate system — VPNi, work email, project portals — the attacker escalates to your employer's network. One personal account compromise can become a corporate network intrusion.

Reporting suspected phishing is not an overreaction. It is a required security behavior under NIST 800-171 Control 3.2.3 — awareness of and reporting of indicators of potential insider threat and attack. Every report you make, even if the email turns out to be legitimate, gives your security team information that helps protect the organization.

• Do not click any links or open any attachments in a suspected phishing email
• Do not forward the suspicious email to colleagues to ask "does this look weird to you?" — this spreads the threat
• Report immediately using your company's designated reporting channel — typically a "Report Phishing" button in your email client or a direct email to your security team
• If you already clicked — report it immediately. Do not wait. Do not hope it was harmless. Reporting quickly gives your security team the best chance to contain any damage. You will not be punished for reporting a mistake.
• For personal email — report suspected spearphishing to your company's security team even when it arrives in your personal account, if it references your employer, your role, or defense programs

A valid username and password combination is the most valuable asset an attacker can obtain. It does not trigger malwarei detection. It does not set off intrusion alerts. It looks like a normal user doing normal work. Once an attacker has valid credentials for a system you have access to, they are effectively you — with all the access and permissions your account carries.

Nation-state actorsi do not typically need to break down the door. They prefer to walk in through the front with a key. Credential theft is the primary way they obtain that key — through phishing, through password reuse across breached sites, through brute force attacks on weak passwords, and through default credentials that were never changed.

The most important factor in password strength is length. A 16-character passphrasei made of random common words is stronger than an 8-character complex password with symbols. Modern password cracking tools work by trying billions of combinations per second — length exponentially increases the number of combinations they must try.

• Use passphrases — three or four random unrelated words strung together ("correct-horse-battery-staple") are both memorable and strong
• Minimum 12 characters for any account — NIST guidance now prioritizes length over complexity requirements
• Never use personal information — names, birthdates, pet names, employer names, or anything findable on social media are the first things an attacker tries
• Never use dictionary words alone — "password", "security", "welcome" are cracked instantly
• Never use keyboard patterns — "qwerty", "123456", "asdfgh" are in every attacker's first attempt list

Every major website or service that has ever been breached — and thousands have — has had its user credentials stolen and eventually published online. Attackers maintain enormous databases of these credentials and run them systematically against every other service they can find. This technique is called credential stuffingi.

If you use the same password for your personal email, your work email, and your Amazon account, and Amazon is breached, the attacker now has your work email password. They did not hack your employer's systems. They recycled a credential you handed them through a breach at a completely different company.

Multi-factor authentication (MFA) requires a second proof of identity beyond your password — typically a code from an app on your phone, a hardware tokeni, or a biometric. CMMC Level 2 requires MFA for all accounts accessing CUI systems and for all privileged accountsi.

MFA is the single most effective control against credential theft. Even if an attacker obtains your password, they cannot access your account without the second factor. The Stryker attack succeeded in part because the compromised administrator account did not have MFA enabled. One credential. 200,000 devices wiped.

• Authenticator appsi (Microsoft Authenticator, Google Authenticator) are more secure than SMS codes — SMS can be intercepted through SIM swappingi attacks
• Hardware tokens (YubiKey) are the most secure option for high-privilege accounts
• Never share MFA codes — a legitimate service will never call you and ask for your MFA code. If someone asks you for your code, it is an attack.
• Approve MFA prompts only when you initiated them — if you receive an MFA approval request you did not trigger, deny it immediately and report it

These are not suggestions. They are CMMC-required behaviors for anyone whose work involves CUI or CUI-adjacent systems. Your organization's security team will verify these practices as part of CMMC compliance.

• Change all default passwords immediately — any device or system you are responsible for that still has a manufacturer default credential is a critical vulnerability. Change it today.
• Use unique passwords for every account — no reuse between work accounts, personal accounts, or any other service
• Enable MFA on every account that supports it — work accounts, personal email, social media, banking, everything
• Use an approved password manager — do not store passwords in a spreadsheet, a sticky note, or your browser's built-in password manager on an unmanaged personal device
• Never share passwords — not with colleagues, not with IT support staff who call you, not even with your manager. Legitimate IT staff use administrative access tools — they do not need your password.
• Report unexpected MFA prompts immediately — an MFA request you did not initiate means someone has your password right now
• Lock your screen when you step away — an unlocked workstation in a shared environment is an open access point

CUI must be stored only in systems that have been approved by your organization for CUI handling. This is not a suggestion — it is a CMMC control requirement. Storing CUI in an unapproved location, even temporarily, creates a compliance gap that could affect your organization's certification.

• Approved: Systems within your organization's defined CUI enclavei — network drives, approved cloud storage, designated workstations that are part of your CMMC assessment scope
• Not approved: Personal cloud storage (personal Google Drive, Dropbox, iCloud), personal devices, USB drives unless specifically authorized, shared drives outside your enclave
• Never: Personal email accounts, consumer messaging apps (WhatsApp, iMessage, Facebook Messenger), social media platforms, any system outside your organization's control

Every time CUI moves from one location to another — from your system to a colleague's, from your organization to a supplier, from your server to a cloud platform — that transmission must be protected. NIST 800-171 Control 3.13 requires encryption in transit for all CUI.

• Email: Standard corporate email is generally acceptable for CUI if your organization's email system meets the required security baseline (FedRAMPi Moderate or equivalent). Personal Gmail, Yahoo, or Outlook.com are never acceptable for CUI.
• File sharing: Use only approved platforms. If you need to share a CUI file with an external party — a supplier, a subcontractor — use the approved method specified by your security team, not a consumer file-sharing service.
• Before sending, ask: Does the recipient have authorization to receive this CUI? Is the system I am sending through approved? Would I be comfortable if my security officer could see exactly what I am sending and how?

CUI does not only exist digitally. Printed technical drawings, physical contract documents, and handwritten notes that contain CUI are subject to the same handling requirements as digital files — and are often easier to lose.

• Do not leave printed CUI unattended — at your desk, at the printer, in a conference room, or in a vehicle. A document left on a printer for 10 minutes has been seen by everyone who walked past it.
• Lock physical CUI away when you step away from your workspace — in a locked drawer, a locked cabinet, or a secured room. The clean desk policy is a CMMC-required behavior, not a preference.
• Do not take CUI home in physical form without explicit authorization. A technical drawing in your briefcase is subject to the same requirements as the digital file it came from.
• Dispose of physical CUI properly — shredding in a cross-cut or micro-cut shredder, or in a designated secure destruction bin. Standard recycling bins and trash cans are not acceptable for documents containing CUI.

NIST 800-171 Control 3.1 — Access Control — requires that CUI is accessible only to people who have a legitimate need to access it for their work. This is called the "need to know" principle. The fact that a colleague works for your organization does not mean they have authorization to access all CUI your organization handles.

• Do not share CUI access credentials — if a colleague needs access to a CUI system or document, they need to obtain that access through the proper authorization process, not through your login
• Do not forward CUI emails to people who are not already authorized recipients — check with your supervisor if you are unsure whether a recipient has authorization
• Do not leave screens visible to unauthorized individuals — position your monitor so that CUI is not visible to visitors, maintenance personnel, or colleagues who do not have need-to-know
• Report unauthorized access attempts — if someone without apparent authorization asks to see CUI or attempts to access CUI systems, report it immediately

CUI handling decisions happen quickly in the course of a workday. When you need to make a fast decision about whether something you are about to do with a document or file is acceptable, these three questions provide a reliable filter:

If any answer gives you pause, the correct action is always to stop and ask — not to proceed and hope for the best. Your security officer and your supervisor are resources, not obstacles. The two-minute conversation that prevents a compliance incident is always better than the investigation that follows one.

An insider threat is a person who has — or had — authorized access to your organization's systems, facilities, or information, and who uses that access in a way that harms the organization, a government program, or national security. Insider threatsi are not always malicious. Many are accidental. Some are coerced.

• Malicious insider: Deliberately steals, leaks, or sabotages information for financial gain, ideological motivation, personal grievance, or on behalf of a foreign power
• Negligent insider: Causes harm through careless or reckless behavior — leaving CUI in unsecured locations, bypassing security controls for convenience, ignoring policies they consider unnecessary
• Coerced insider: Compelled to act against the organization by external pressure — blackmail, threats to family, financial desperation exploited by a foreign intelligence service

NIST 800-171 Control 3.2.3 requires all employees to be trained to recognize and report potential indicators of insider threat. The following behaviors, especially in combination, are documented indicators that warrant attention and reporting:

• Unusual data access patterns — accessing files, systems, or databases outside their normal work scope, especially late at night or on weekends
• Large-volume data downloads or exports — copying unusually large quantities of files to external drives, cloud storage, or personal email
• Unexplained financial changes — sudden unexplained wealth, new expensive purchases, paying off significant debt without an obvious explanation
• Contact with foreign nationals or foreign government representatives in contexts that seem out of place for their role
• Expressing strong grievances about the organization, supervisors, or US government policy combined with access to sensitive information
• Attempting to access areas or information beyond their authorization — repeatedly asking for access to systems or documents outside their job scope
• Working unusual hours specifically to avoid supervision, combined with other indicators

The MORSECORP False Claims Act case — the $4.6 million settlement you studied in Module 2 — was brought to the government's attention by an insider. A person who worked at MORSECORP, observed that the company's stated cybersecurity compliance was not accurate, and filed a qui tami complaint under the False Claims Act.

That person received $851,000 — 18.5% of the government's recovery. They were protected from retaliation under FCA whistleblower provisions. They did not need to prove malicious intent by the company. They reported what they observed, the government investigated, and the evidence supported the complaint.

Foreign intelligence services do not only use technical means to steal defense information. They also recruit insiders — defense contractor employees who are willing, or who are maneuvered into a position where they feel they have no choice but to cooperate.

Common recruitment approaches include:

• Professional flattery: Approaching defense employees at conferences, via LinkedIn, or through professional networks with offers of consulting work, speaking opportunities, or business partnerships that create a relationship and a financial connection
• Ideological alignment: Identifying employees who express sympathy with a foreign government or frustration with US policy and cultivating those views over time
• Honey traps and personal vulnerabilities: Exploiting financial desperation, romantic relationships, gambling debts, or other personal vulnerabilities to create leverage
• Gradual escalation: Starting with requests that seem harmless — "just tell me who works on that program" — and progressively escalating to requests for actual CUI

Knowing that you should report something and knowing how to report it are different things. Your organization's security officer will specify the exact reporting channels during your onboarding — typically a designated email address, a security hotline, or a direct conversation with the Facility Security Officer (FSOi).

• Report through your designated channel — do not post observations on company messaging platforms or discuss them with other colleagues before reporting officially
• Report facts, not conclusions — describe what you observed, when, and where. Do not attempt to diagnose whether it constitutes insider threat activity. That evaluation is your security officer's job.
• You are protected from retaliation for good-faith security reports. Federal law and most state employment laws prohibit retaliation against employees who report security concerns in good faith.
• Anonymous reporting may be available through your organization — ask your security officer whether an anonymous channel exists if that is a concern

The Supplier Performance Risk System (SPRS) is the DoD database where defense contractors post their cybersecurity compliance scores and affirmations. Under CMMC, every contractor must post an annual affirmation in SPRS signed by a designated senior company official — typically the CEO, COO, or an equivalent executive — certifying that the organization has implemented and is maintaining all required cybersecurity controls at the specified CMMC level.

This is not a checkbox on a procurement form. It is a legal certification. Federal law — specifically the False Claims Act (31 U.S.C. § 3729) — applies to anyone who knowingly submits or causes the submission of a false or fraudulent claim to the government. A SPRS affirmation certifying CMMC compliance that the signatory knows to be inaccurate is a false claim.

The MORSECORP case established a precedent that every defense contractor executive must understand: the government will pursue FCA cases against organizations that submit inaccurate SPRS scores, and the mechanism that triggers those cases is increasingly an insider — an employee who knows what the actual compliance posture is and has financial incentive to report the discrepancy.

The False Claims Act's qui tam provision allows any private citizen who has original knowledge of fraud against the government to file a sealed complaint on behalf of the government. If the case is successful, the whistleblower receives between 15% and 30% of whatever the government recovers. There is no minimum. There is no requirement that the whistleblower be harmed by the fraud.

What this means in a CMMC context: any employee who observes that their organization is certifying cybersecurity controls it is not actually implementing — a network administrator who knows the SIEMi is not configured, an IT manager who knows MFA is not deployed on privileged accountsi, a quality manager who knows the policies are not being followed — is a potential qui tam relator with significant financial incentive.

The most effective protection against FCA liability is genuine compliance — actually implementing the controls your SPRS affirmation certifies. But organizational circumstances change. A cloud migration changes the scope of your CUI environment. A new tool deployment may inadvertently create a gap. A network change may take a certified system out of compliance. The second most important protection is a process for detecting and documenting those gaps promptly.

• Documented gap assessments — regular reviews that identify current compliance status and gaps are evidence of good-faith effort
• Plans of Action and Milestones (POA&Mi) — documented plans to remediate identified gaps with specific timelines are recognized under CMMC and demonstrate that known gaps are being actively addressed
• Prompt SPRS score corrections — if a gap assessment or third-party review reveals that your current SPRS score overstates compliance, correct it immediately. The MORSECORP case was triggered not by the original gap, but by the failure to update a score the company knew was wrong.
• What does not protect you: Not knowing. Not asking. Delegating the SPRS signature to someone who has not verified its accuracy. Assuming the IT department has it handled.

Prime contractors bear an additional layer of legal and contractual obligation under DFARSi 252.204-7021: they must ensure that their subcontractors meet CMMC requirements appropriate to the CUI being flowed down to them. This is not aspirational guidance — it is a binding contractual condition. A prime that awards work to a non-compliant subcontractor is in breach of its own CMMC obligations.

This creates a specific risk for supply chain managers and procurement officials: every subcontract award for work involving CUI requires verification of the subcontractor's CMMC status before award. A purchase order to a subcontractor whose SPRS score is inaccurate or missing may expose the prime's own CMMC certification to challenge.

DFARSi 252.204-7012 requires that defense contractors report cyber incidents affecting CUI or defense information systems to the DoD within 72 hours of discovery. This is not a target — it is a legal requirement. The clock starts when the incident is discovered, not when it is confirmed as a breach.

Reports must be submitted through the DoD's DIBNeti portal. They must include specific information about the incident — what systems were affected, what information may have been compromised, the date and time of discovery, and initial assessment of the attack vector.

Under DFARS 252.204-7012, a reportable cyber incident is any action that results in — or could reasonably be expected to result in — an actual or potentially adverse effect on a covered contractor information system or CUI. This includes:

• Unauthorized access to systems that process, store, or transmit CUI — including any confirmed credential compromise that could have provided such access
• Suspected exfiltrationi of CUI — even if you cannot confirm data actually left your network, if it is suspected, it is reportable
• Malware infection on systems within your CUI environment — regardless of whether the malware appears to have accessed CUI
• Ransomware attacks affecting covered systems — ransomwarei encrypts data, which constitutes an adverse effect on the information system
• Phishing clicks that resulted in credential compromise — an employee who clicked a phishing link and had credentials stolen has triggered a reportable incident if those credentials provided access to CUI systems

The 72-hour clock starts when the organization discovers the incident — but the organization can only discover it if employees who observe something report it internally immediately. The most dangerous gap in breach response is the time between when an employee notices something wrong and when they tell someone who can act on it.

• Report immediately to your supervisor and your security officer when you observe any of the following: unusual system behavior, unexpected access alerts, suspicious files or activity on your workstation, any indication that your credentials may have been compromised
• Do not attempt to investigate yourself — do not try to determine what happened before reporting. Report first, investigate with trained personnel after.
• Do not delete, modify, or clean up anything on a potentially compromised system before your security team reviews it. Evidence of how the breach occurred is critical for the mandatory DoD report and for preventing the next breach.
• Preserve logs and records — if you have administrative access to systems that may be involved, do not rotate logs, do not clear caches, do not make configuration changes until your security team directs you to

Failing to report a cyber incident within the 72-hour window is a violation of DFARS 252.204-7012. It creates FCA liability if the failure to report was knowing. It also deprives the DoD and other defense contractors of threat intelligence that could prevent identical attacks against other organizations in the defense supply chain.

You do not need to be a security professional to fulfill your breach response obligations. You need to know three things: what to watch for, who to tell, and what not to do.

Completing this training module means you now know what every CMMC-compliant defense contractor employee is required to know. The knowledge is only valuable if you act on it. When you observe something — report it.

Your organization's CMMC certification covers a defined scope — specific systems, networks, and locations where CUIi is processed, stored, or transmitted. That scope was assessed by a C3PAOi. It includes your office network, your company-issued devices on that network, and the cloud services your organization approved. It does not include your home router, your personal laptop, the café Wi-Fi, or your phone unless those devices and connections have been specifically brought into scope and secured to the required standard.

When you work remotely in a way that has not been accounted for in your organization's security plan, you are potentially moving CUI outside the protected boundary — even if you do not realize it.

A VPN (Virtual Private Network) creates an encrypted tunnel between your remote device and your organization's network — making your connection functionally equivalent to being physically in the office, even when you are sitting in a coffee shop. NIST SP 800-171i Control 3.1.12 requires that remote access sessions be monitored, controlled, and protected using encryption. In practice, this means a company-approved VPN must be active any time you access systems that process or store CUI from outside the office.

• Always required: Any time you access company systems, files, email, or applications from outside the office network
• Required before access — not after: Connect the VPN before opening any work application or file. Do not open a CUI document and then connect — that sequence matters
• Your personal VPN service is not acceptable: Commercial consumer VPN services (NordVPN, ExpressVPN, etc.) are not your company's approved VPN and do not satisfy CMMC remote access requirements
• If the VPN is down: Stop work on CUI until you can reconnect. Do not work around it by using personal email or cloud storage as a substitute

Public Wi-Fi networks — at coffee shops, airports, hotels, conference centers, and coworking spaces — are fundamentally untrusted environments. You do not control who else is on the network, what the network operator logs, or whether the access point you are connecting to is legitimate.

• Never access CUI on public Wi-Fi without an active VPN — the VPN encrypts your traffic even if the underlying network is compromised
• Verify network names before connecting — ask a staff member for the exact Wi-Fi name rather than selecting the most plausible option from the list
• Prefer mobile hotspot over public Wi-Fi — your phone's cellular hotspot is a significantly more secure option for work sessions when away from the office
• Disable auto-connect — turn off the setting that automatically connects your device to previously used or open networks
• Use HTTPS — verify that any web-based tool or portal you access shows a valid HTTPS padlock before entering any credentials

BYOD (Bring Your Own Device) policies vary significantly across organizations. Some ban personal devices from accessing work systems entirely. Some allow limited access with specific security controls. Some have no policy at all — which is itself a compliance risk.

Regardless of your organization's specific policy, the following rules apply to any personal device that you use to access work systems or CUI:

• Personal devices used for work enter the compliance scope — if your personal phone syncs work email that contains CUI, that phone is technically within the CMMC assessment boundary and must meet the applicable security requirements
• You cannot install unauthorized apps on a BYOD device used for work — any app you install could access the same data your work applications do
• Personal device storage is not approved CUI storage — CUI that downloads to your personal device's local storage (through email attachments, cached files, etc.) creates a compliance violation
• If your personal device is lost or stolen, report it to your security officer immediately — it is a security incident, not just an inconvenience

If you regularly work from home and access CUI systems, your home network is effectively a branch office of your employer's CMMC-assessed environment. That does not mean your home must be assessed — it means the device you use and the connection you make must meet the security standard, and your home environment must not introduce risks that would undermine it.

• Change your home router's default password — the same default-password problem that enabled the F-35 breach exists in millions of home routers. A compromised home router can intercept your VPN credentials
• Keep your home router firmware updated — router vulnerabilities are regularly discovered and patched. An unpatched router is an entry point
• Separate work and personal devices on your home network — use a guest network for personal devices, smart TVs, gaming consoles, and IoT devicesi like smart speakers. These devices have poor security track records and should not share a network segment with your work machine
• Position your screen away from windows and shared spaces — shoulder surfing and visual interception of CUI is a physical security risk even at home, especially during video calls
• Lock your screen when stepping away — household members, guests, and repair workers do not have authorization to see CUI

Smartphones are the most commonly lost and stolen devices in the world — and for most employees they are also the device most closely integrated with work systems through email, calendar, authentication apps, and messaging. That combination of high risk of loss and high work data access makes mobile device security a critical control.

• Enable full-device encryption on any device that accesses work systems — both iOS and Android support full encryption, and it prevents data access if the device is seized or stolen
• Enable remote wipe capability — ensure your device is enrolled in a mobile device management system that allows your organization to remotely wipe work data if the device is lost
• Use a strong PIN or biometric lock — a 4-digit PIN offers 10,000 combinations; a 6-digit PIN offers 1,000,000. Use biometric (fingerprint/face) plus a strong PIN backup
• Do not jailbreak or root work devices — removing manufacturer security restrictions eliminates multiple layers of protection built into the operating system
• Install apps only from official stores — third-party app sources bypass the vetting process that catches the majority of malware before it reaches devices
• Report lost or stolen devices immediately — within minutes, not hours. Remote wipe capabilities are most effective before an attacker has time to extract data

Business travel introduces security risks that do not exist at your office or home: unknown networks, physical access by hotel staff and border agents, spearphishingi campaigns designed around specific conferences, and in international travel — the legal authority of foreign governments to inspect devices at the border.

• Request a travel loaner device for international trips — a clean device with minimal data reduces your exposure if it is seized or compromised abroad. Several US defense contractors have standing policies requiring loaner devices for travel to China, Russia, and other high-risk countries
• Never plug into unknown USB ports — airport charging kiosks, hotel desk ports, and conference charging stations can deliver malware through a technique called juice jackingi. Use your own charger plugged into a standard power outlet, or use a USB data blocker
• Be alert at defense conferences — APT5i and other nation-state actorsi specifically target defense professionals at industry events. Unexpected approaches offering consulting work, academic collaboration, or business partnerships are documented recruitment techniques
• Assume hotel room network is compromised — always use your VPN on hotel Wi-Fi, and consider using a cellular hotspot instead for sensitive work
• Border crossing with work devices — consult your security officer before international travel with any device that contains or can access CUI. Some countries have legal authority to compel device decryption at the border

Use this checklist every time you work outside the office on anything that involves CUI systems or data:

Nation-state actorsi routinely harvest open-source intelligence — publicly available information — from social media profiles of defense contractor employees. They do not need to breach your network if you voluntarily post the information they want. LinkedIn profiles, Facebook check-ins, Instagram photos, and Twitter/X posts have collectively revealed program names, facility locations, colleague networks, travel schedules, and technical details that are supposed to be protected.

This is not hypothetical. The FBI and DCSA have documented specific cases where foreign intelligence services built comprehensive profiles of defense programs and personnel entirely from open-source social media — without conducting a single hack.

The following categories are never acceptable to post on any public platform, personal or professional, regardless of how innocuous they seem in isolation:

• Program names or contract numbers — "working on the XYZ program" or "just landed a new DoD contract" tells adversaries which programs your organization supports
• Photos from the work facility — even a selfie at your desk can reveal equipment, documents, screen content, facility layout, badge design, and colleague identities
• Travel related to defense work — "heading to Electric Boati for a meeting" or "site visit to Groton this week" maps your organization's customer relationships
• Technical details about your work — materials, processes, specifications, test results — even framed as general professional discussion
• Colleague names and roles on defense programs — building an adversary's contact list for spearphishingi campaigns
• CUIi in any form — screenshots, photos of documents, paraphrased specifications. CUI does not become uncontrolled because you put it on Facebook
• Security procedures or access controls — badge systems, visitor policies, security checkpoints, even complaints about security inconveniences

LinkedIn is the most significant social media risk for defense contractor employees because it is professional, it is trusted, and it is where people are most likely to be specific about what they work on. A detailed LinkedIn profile describing your role on defense programs is a targeting document for foreign intelligence services.

• Describe your role in general terms — "aerospace manufacturing" not "F-35 component fabrication"
• Do not list program names or contract numbers in your experience section
• Be cautious with connection requests from unknown individuals in aerospace, defense, or government sectors — especially if they are based overseas or have sparse profiles
• Report unusual LinkedIn approaches to your security officer — an unsolicited message offering consulting work related to your defense programs is a reportable contact

OPSEC (Operational Security) is the practice of protecting information that could be combined with other information to reveal something sensitive. Individual pieces of information that seem harmless in isolation can be dangerous in combination. A photo of your office window view + a LinkedIn post about your employer + a Facebook check-in at an airport + a tweet about "big week ahead" collectively tells an adversary your facility location, your employer, when you are traveling, and that something significant is happening — enough to time a targeted attack.

• Think in aggregates, not individual posts — ask not "is this post sensitive?" but "what does this reveal when combined with everything else I have posted?"
• Be careful with location data — geotagged photos, check-ins, and "currently in [city]" posts create a movement pattern that intelligence analysts can map
• Work travel is particularly sensitive — posting about business travel reveals customer relationships, program timelines, and your absence from the facility
• Family members' posts can also expose you — a spouse posting "proud of [name] working on [program]!" is the same disclosure regardless of who posts it

Not everything about your professional life is off-limits. The goal is not silence — it is discipline. General information about your professional field, your skills, and your employer's public-facing activities is typically acceptable. Specific program information, technical details, and facility information is not.

• Generally acceptable: Your general professional field and skills, publicly announced contract awards (after official press release), general company culture, professional certifications, industry events you attended
• Requires approval: Any post that mentions a specific DoD program, contract, or customer relationship — even positive announcements. Check with your supervisor or communications team before posting
• Never acceptable: Anything in the hard-lines list from slide 10.2, regardless of how general or innocuous it seems to you

NIST SP 800-171i Control Family 3.10 — Physical Protection — requires that organizations limit physical access to systems containing CUI to authorized individuals, protect systems from unauthorized physical access, and maintain audit records of physical access. These are not soft guidelines. They are assessed controls that a C3PAOi will verify during certification.

Physical access bypasses every cybersecurity control in your environment. An attacker who can sit at an unlocked workstation, photograph a printed CUI document, or plug a device into an unattended machine has circumvented your firewall, your EDRi, your SIEMi, and your MFAi simultaneously.

Your access badge is a physical credential — the physical equivalent of a username and password. Every rule that applies to digital credentials applies to your badge.

• Wear your badge visibly at all times in controlled areas — it allows colleagues and security personnel to immediately identify authorized versus unauthorized individuals
• Never loan your badge to anyone — not to a colleague who forgot theirs, not to a visitor who needs temporary access, not to anyone. If someone needs access, they need to obtain it through the proper process
• Report a lost or stolen badge immediately — within minutes, not at the end of the day. A lost badge is a security incident. Report it to your security officer before you do anything else
• Do not prop doors open — even briefly, even for a delivery, even when you are coming right back. A propped access door is an open perimeter breach for its entire duration
• Challenge unescorted individuals without badges — politely but directly. "Can I help you find someone?" is sufficient. Unescorted, unbadged individuals in controlled areas are a reportable security observation

Visitors — including vendor representatives, auditors, maintenance personnel, delivery staff, and customers — who enter areas where CUI is processed or stored must be authorized, logged, and escorted. These are not optional courtesies. They are CMMCi-required access controls.

• Verify visitor identity before granting access — a government-issued ID should be checked against the expected visitor log
• Issue a visitor badge visually distinct from employee badges — visitors should be identifiable at a glance in any controlled area
• Escort visitors at all times in areas containing CUI systems or documents — "escort" means physical presence, not telling them which way to go
• Retrieve visitor badges on departure — a visitor badge that leaves the building is a physical access credential that may still work on re-entry
• Secure CUI before visitors enter the work area — lock screens, turn documents face-down, close sensitive applications

The clean desk policy requires that CUI — physical and digital — is secured when you are not actively working with it. This is an assessed CMMC control. A C3PAO assessor walking through your facility during the assessment will observe workstation practices as evidence of compliance.

• Lock your screen every time you step away — Windows: Win+L. Mac: Ctrl+Cmd+Q. No exception for "I'll be right back"
• Secure printed CUI in a locked drawer or cabinet when not in active use — not face-down on the desk, not in a stack that "nobody will look at"
• Clear the printer immediately after printing CUI documents — documents left at the printer are visible to every person who walks past
• Shred before discarding — any printed document containing CUI must be cross-cut shredded or placed in a secure destruction bin. It does not go in the recycling bin or the trash
• Whiteboard and notepad discipline — CUI written on whiteboards or notepads during meetings must be erased or secured before the room is vacated

Physical security depends on every employee acting as an observer. Security cameras cover a fraction of what human eyes cover. The most common physical breaches are caught — or not caught — by employees who noticed something and either reported it or did not.

• Report unescorted individuals without badges in controlled areas — to your FSOi or security officer, immediately
• Report suspicious behavior — someone photographing facility layouts, equipment, or documents; someone attempting to access areas they are not authorized for; someone removing items from the facility without apparent authorization
• Report lost or missing CUI documents — a missing printed CUI document is a reportable incident under DFARSi 252.204-7012 if there is reason to believe it left the facility
• Report found or abandoned media — a USB drive found in the parking lot, a document left in a conference room, a device left unattended in a public area. Do not plug in found USB drives. Report them.

NIST SP 800-171i Control 3.4 — Configuration Management — requires that organizations establish and maintain baseline configurations for their systems and control changes to those configurations. A core component of this is maintaining an inventory of authorized software and prohibiting the installation of unauthorized software.

This means that on any company-issued device or system within your CMMCi scope, you may only install software that has been reviewed, approved, and added to your organization's authorized software list. Installing software outside that list — regardless of how useful or harmless it seems — is a compliance violation that can affect your organization's CMMC certification status.

Shadow IT is technology used within an organization without official IT knowledge or approval. It includes unauthorized software, personal cloud storage used for work files, consumer messaging apps used for work communications, and web-based tools accessed through a browser without IT review.

• Common shadow IT risks: Personal Dropbox/Google Drive for work files, WhatsApp/Telegram for team communication, free online tools (file converters, PDF tools, translation services), browser extensions not reviewed by IT
• If an approved tool does not meet your needs: Report it to your supervisor and IT team so an approved alternative can be evaluated — do not work around it

Every software update notice you dismiss or postpone is a potential window an attacker can climb through. NIST SP 800-171 Control 3.14 requires that systems be protected against malware and that security-relevant software updates are installed promptly. Most major breaches in the past decade have exploited vulnerabilities for which patches were already available — the breach succeeded not because the vulnerability was unknown, but because the patch had not been applied.

Your organization's IT team has configured your work devices to meet CMMC requirements. Many of those configuration settings are security controls — they exist to limit what software can run, what network connections can be made, and what data can leave the device. Changing these settings — even to make something work more conveniently — can undermine the security baseline your organization was certified against.

• Do not disable antivirus or EDRi software — even temporarily, even because it seems to be slowing your computer down. If security software is causing a problem, report it to IT
• Do not disable the firewall — a disabled firewall removes the primary network-level barrier between your device and the internet
• Do not disable automatic updates — your IT team controls the update policy for a reason. If updates are disruptive, report the issue to IT rather than disabling the mechanism
• Do not change network proxy or DNSi settings to bypass content filtering — content filters are security controls, not just productivity monitoring
• Do not enable administrator access on your own account unless your role specifically requires it and IT has approved it

Browser extensions deserve specific attention because they are widely misunderstood as harmless productivity tools. A browser extension runs inside your browser with access to every page you visit, every form you fill out, and every credential you enter. A malicious or compromised extension is effectively malware with privileged access to your browsing session.

• Install only IT-approved browser extensions on work devices — treat extension installation with the same discipline as software installation
• Extensions can be compromised after installation — a legitimate extension purchased by a malicious actor and updated with new code is one of the most common supply chain attack vectors for browser-based espionage
• Review permissions before installing anything — an extension that requests "read and change all your data on all websites" has access to everything you do in your browser, including CUI in web-based portals
• Remove extensions you no longer actively use — unused extensions that remain installed are an ongoing exposure with no offsetting benefit

Generative AI tools — ChatGPT, Microsoft Copilot, Google Gemini, Claude, and others — are being used by defense contractor employees to draft reports, summarize documents, analyze data, write code, and translate technical specifications. In many cases, employees paste the content they are working with directly into the AI tool's input window. That content frequently contains CUI.

As of March 2026, the DoD has not issued definitive guidance on whether submitting CUI to commercial AI tools constitutes a DFARSi violation. This absence of explicit guidance does not mean it is acceptable — it means the question has not been formally resolved. The underlying CMMC and DFARS requirements have not changed: CUI must be processed only on systems that meet the required security baseline.

The lack of guidance creates a false sense of safety. Employees reason: "if it were prohibited, there would be a policy saying so." But the absence of an explicit prohibition does not create authorization. The existing CUI handling requirements apply to all systems — including commercial AI tools that have not been assessed, approved, or authorized.

Until your organization has evaluated and approved specific AI tools for CUI-adjacent work, the following are the hard lines that apply to any commercial AI tool — including free and subscription versions of ChatGPT, Copilot, Gemini, Claude, and any other generative AI service:

• Never paste CUI directly into any commercial AI tool — technical specifications, drawings descriptions, contract language, program names, or any other controlled information
• Never upload documents containing CUI to an AI tool's file upload feature — the document is transmitted to the tool's servers in its entirety
• Never use AI tools to summarize, translate, or analyze CUI documents — even if you believe you are paraphrasing or anonymizing the content, the underlying information may still be identifiable
• Never describe CUI in enough detail to reconstruct it — "help me write a report about a titanium alloy rotor component with [specific tolerance] for [specific defense program]" is a CUI disclosure even without copy-pasting a document

Restricting AI tool use for CUI does not mean you cannot use these tools at all. There is a clear line between work that involves controlled information and work that does not.

• Generally acceptable: Using AI to draft general professional communications that contain no CUI, research publicly available information, improve grammar or structure of non-sensitive documents, generate ideas or outlines for non-sensitive content
• Use approved internal tools when available: Some organizations deploy enterprise AI tools with appropriate data handling controls. If your organization has made such a tool available, understand its authorization scope before using it for CUI-related work
• The mental test: Before using any AI tool for a work task, ask: "Does what I am about to type or upload contain, describe, or reference CUI, program names, technical specifications, or contract information?" If yes — stop and use approved tools only

Understanding what happens to data after you submit it to a commercial AI tool helps explain why the prohibition is permanent, not just temporary. Unlike an email you can recall or a file you can delete from a shared drive, data submitted to an AI tool enters a system you cannot control.

• Data retention: Most commercial AI services retain conversation history for 30 days to indefinitely depending on account settings and tier. Enterprise accounts may have different retention policies — but free and standard accounts typically do not offer CUI-appropriate controls
• Model training: Some services use conversation data to improve their models. Content you submit may influence future model outputs. Even if the tool does not expose your specific submission to other users, the information has left your control
• No audit trail: Unlike your organization's email or file systems, there is no audit log you or your security team can review to see what was submitted to an external AI tool. This makes detection, investigation, and remediation significantly harder
• No recall mechanism: Once CUI is submitted to an external service, it cannot be retrieved or deleted from that service's infrastructure with any certainty

The threat environment facing defense contractors evolves continuously. Since the original onboarding training was completed, several significant developments have reinforced the core principles you learned:

• FCAi enforcement has accelerated: The DoJ has now settled nine cybersecurity False Claims Act cases since 2021. The Illinois machining subcontractor settlement in December 2025 confirmed that small manufacturers are active enforcement targets, not just large contractors. Every SPRSi affirmation your organization's senior official signs carries the same legal exposure as MORSECORP's.
• AI toolsi risk is new and growing: The use of generative AI tools in defense contractor workflows has grown significantly. If you completed onboarding before this topic was covered, review Module 13 in full. Submitting CUIi to commercial AI tools is the fastest-growing unaddressed compliance exposure in the supply chain.
• Phase 2 deadline is approaching: Mandatory C3PAOi third-party certification begins November 10, 2026. If your organization has not begun its readiness process, that process should be active now.
• APT5i targeting of personal accounts continues: Spearphishing campaigns targeting defense employees' personal Gmail and LinkedIn accounts are ongoing. The patterns described in Module 3 remain active threats.

Research on defense contractor breaches consistently shows that the majority of incidents involve one or more of six behavioral failures. These are the highest-leverage points where individual employee behavior directly determines security outcomes:

As of March 2026, the following threat actorsi and campaigns are actively targeting the US defense supply chain:

• Volt Typhooni (China): Pre-positioned access in US critical infrastructure supporting defense facilities. Using LOTLi techniques. Some footholds established in 2019 are still active. Focused on long-term intelligence collection and positioning for potential disruption.
• APT5 (China): Ongoing spearphishing of defense contractor employees via personal email and LinkedIn. Fake conference invitations, consulting offers, and job opportunities. Targeting personal accounts specifically to bypass corporate security controls.
• Handala (Iran): Confirmed destructive attack on Stryker Corporation in March 2026 — 200,000 devices wiped across 79 countries via one compromised admin credential. Demonstrated willingness to conduct destructive attacks against US defense-adjacent organizations.
• Russian SVR/GRU: Ongoing credential harvesting and spearphishingi against cleared defense contractors. Targeting weapon systems development, C2 systems, and combat support programs.

Reporting obligations under CMMCi and DFARSi require action in three distinct scenarios. Each has a different trigger and a different required action:

Completing this training — all 14 modules — means you have been educated on the specific threats targeting your industry, the legal framework that governs your organization's compliance obligations, and the specific behaviors required to protect the work you do and the programs you support.

The defense programs your organization contributes to — whether they are submarine components, aircraft engines, helicopter parts, or support systems — are ultimately used by people in uniform in situations where their effectiveness and security directly affect lives. The machinist who leaves a CUI technical drawing on an unsecured printer is not just creating a compliance gap. They are potentially contributing to a chain of events that ends in a compromised weapon system, a nation-state adversary with knowledge they should not have, or a program that fails to protect the people depending on it.

Your completion certificate for this full 14-module curriculum is waiting. Thank you for completing this training.