Sum IT Up: CMMC News Roundup
Episode Title: 48% vs 9%? The DoD's CUI Numbers Don't Add Up
Host: Summit 7
Date: February 19, 2026
Episode Overview
This episode unpacks a major oversight issue in the Department of Defense’s (DoD) Controlled Unclassified Information (CUI) program: a massive and confusing discrepancy between reported statistics on unmarked CUI documents. While the DoD Inspector General (IG) reported in 2023 that nearly 50% of CUI documents were unmarked, the DoD’s own CUI website cited only 9%. The hosts dig deep into why these numbers don’t add up, discuss persistent problems with CUI marking and dissemination, and clarify the key differences between the CUI and the CMMC (Cybersecurity Maturity Model Certification) programs. They also analyze fresh findings from recent IG advisories, discuss systemic failures, and share skepticism about whether proposed fixes will finally resolve the longstanding issues.
Key Discussion Points & Insights
1. The Core Issue: Unmarked CUI and Conflicting Reports
- Blistering IG Report (2023):
  - Found that nearly 50% of CUI documents weren’t marked at all.
  - Contradicts DoD CUI website's chart reporting only 9% were unmarked in the same year.
- Current State (2026):
  - Very little improvement; persistent under-marking continues.
Notable Quote:
“The math ain’t mathing and that’s how you get the Inspector General all up in your business.”
— Host A (00:23)
2. The Systemic Under-Marking of CUI
- Contrary to popular belief, CUI is not over-marked but under-marked within the DoD.
- Misconception: Many think data is over-protected; the reality is widespread failure to properly mark sensitive data.
- Under-marking leads to confusion and improper handling further down the chain.
Notable Quote:
“Controlled unclassified information in the Department of Defense isn't over marked. It is systemically under marked...most people think that they are overmark[ing] that data.”
— Host A (00:47)
3. Impact on Supply Chains and CMMC Compliance
- Suppliers face challenges complying with CMMC, as the presence (or lack) of CUI markings directly affects requirements.
- Markings (or lack thereof) can determine whether a supplier must satisfy higher CMMC levels, increasing compliance burdens and costs.
Memorable Moment (Paraphrased Jay-Z Reference):
“The DIB's got 99 problems and their customer appropriately marking CUI is causing more than one.”
— Host B (01:48)
4. Clarifying the Different Programs and Who’s at Fault
- CMMC and CUI Programs Are Separate:
  - CUI Program: Managed by Undersecretary for Intelligence and Security (I&S).
  - CMMC Program: Managed by DoD CIO (different office) — verifies compliance, but doesn’t control CUI marking.
  - Contract Clauses (DFARS): Managed by Undersecretary for Acquisition and Sustainment (A&S).
- Misplaced blame: Many wrongly target the CMMC office for CUI marking problems.
Notable Quote:
“You gotta know which office to yell at if we want this to actually improve.”
— Host A (03:52)
5. How Did this Advisory Come About?
- The latest IG management advisory arose incidentally while investigating another issue (the “Signal Gate” problem).
- The severity of CUI marking failures was so prominent it merited an instant advisory, separate from regular audits.
Memorable Analogy:
“We saw the drip in the water...then realized there was a whole reservoir that was leaking.”
— Host B (10:47)
6. Findings from the IG Advisory
- Ignored recommendations: Of 8 recommendations from the 2023 IG report, 7 are still open.
- New review: 70% of documents are either unmarked or use legacy markings (“For Official Use Only” – FOUO), though that practice should have ended years ago.
- Of the 30% correctly marked, 100% applied unnecessary limitations on dissemination (e.g., “Fed Only” or “FedCon”).
Notable Quote:
“70% of the documents aren’t marked at all. But then...every [correctly marked] document included a limited, a limited dissemination restriction...”
— Host A (20:18)
7. Why Marking (and Training) is So Bad
- I&S training and guidance are conflicting, outdated, and insufficient, leading to default over-restriction or outright failures to mark CUI.
- I&S failed to act on repeated recommendations, primarily updating guidance, instructions, mandatory training, and auto-marking capabilities.
- Lack of coordination and shared responsibility among the verticals (I&S, A&S, CIO).
Notable Quote:
“You would think they would all talk to each other. … Apparently the DoD inspector general doesn’t understand how that’s possible either.”
— Host A (08:44)
8. The Consequences and Open Recommendations
- The unaddressed issue leads to:
  - Failure to protect data appropriately
  - Confusion and extra costs in the defense supply chain
  - Primes requiring unnecessarily high CMMC levels from all suppliers “just in case”
- Of the latest IG recommendations, only minor website/training aid updates are confirmed closed. Meaningful systemic changes (updating instruction 5248, retraining, auto-marking) are still pending with only “plans” but little action.
- Hosts doubt that any significant change will occur given the previous track record.
Notable Quote:
“They got a nice sounding plan, but, you know, we’ve heard that one before.”
— Host A (28:22)
9. Looking Ahead: Will Anything Change?
- Hosts are skeptical that the management advisory will spark real change, given the lack of progress since 2023.
- Expectation: Next year’s numbers may improve marginally, but not to acceptable levels.
Closing Thought:
“In geometry, it takes two points on a graph to draw a line. Now we’ve got the second point in this issue and that line is not trending in the right direction, everybody.”
— Host A (32:20)
Timestamps for Key Segments
- The Numbers Don’t Add Up — 00:00–01:46
- CUI Under-Marking & Industry Impact — 01:46–05:13
- Deep Dive: Origin & Responsibility for CUI and CMMC — 05:13–09:16
- How IG Found These Issues (Signal Gate) — 09:16–11:03
- IG Management Advisory Findings — 11:03–21:03
- Why Guidance and Training are Broken — 21:03–23:27
- Compounding Problems & Lack of Accountability — 23:27–25:27
- Reviewing IG Recommendations and (Lack of) Progress — 25:27–28:22
- Closing Thoughts & Predictions — 29:43–32:40
Episode Tone & Final Thoughts
The conversation is energetic, sardonic, and frustrated, blending humor (e.g., pop culture references, analogies) with technical accuracy. The hosts clearly care about better cybersecurity but are candid in their skepticism about real change, urging listeners not to expect clarity on CUI or CMMC compliance soon.
Bottom Line:
Despite years of IG scrutiny and actionable recommendations, DoD’s CUI marking remains deeply flawed, leaving the defense industrial base burdened with confusion and unnecessary compliance hurdles. The latest IG advisory highlights systemic failures and a lack of follow-through that leaves little hope for immediate improvement. As rollout of CMMC continues, expect the confusion to persist, with more pressure forecasted on suppliers and contractors.
