PODCAST · technology
Ooey Cooey
by The Cyber Advisor
Expert advice about Controlled Unclassified Information (CUI). www.the-cyberadvisor.com
-
9
Episode 2 - How to Build a Trusted Cyber Compliance Ecosystem to Manage Cost and Risk
This episode is for informational purposes only and does not constitute legal advice. In this episode, I break down why building a trusted ecosystem of vendors, consultants, peers, and industry voices is essential to managing both cost and risk in today’s regulatory environment. I walk through how to properly vet each component of that ecosystem and what to look for, what to avoid, and where organizations consistently get it wrong. From evaluating vendor capabilities and consultant credentials to leveraging peer insights without falling into echo chambers, this episode focuses on practical, defensible decision-making. The goal is not to outsource responsibility, but to build a network that strengthens your governance model, reduces unnecessary spend, and positions your organization for sustainable compliance. If you are trying to navigate CMMC, NIST 800-171, or broader regulatory expectations without overspending, this episode provides a structured approach to doing it right. The NICE Cyber Workforce Framework can be found here: https://niccs.cisa.gov/tools/nice-framework
-
8
Special Edition- My Bar Exam Experience
In this special edition of Ooey Cooey, Leslie Weinstein—a recent graduate of the University of Baltimore School of Law—shares her firsthand experience taking the February 2026 Maryland UBE while it is still fresh. This episode is dedicated to her UBalt Law friends preparing for their own exam and is designed to reduce anxiety through practical insight and perspective.
Leslie walks through:
 • What to expect on exam day (location logistics, timing realities, laptop software surprises, and practical packing tips)
 • The structure of the UBE (MPT, essays, and a full day of 200 multiple-choice questions)
 • Study reflections, including her experience with Themis and how bar exam questions compared to prep materials
 • Tactical multiple-choice strategies—especially spotting standards of review and reading the call of the question carefully
 • High-yield doctrinal refreshers across Civil Procedure, Criminal Law, Contracts, Property, and Torts
 • Nuanced distinctions that frequently appear on the exam (e.g., larceny by trick vs. false pretenses vs. embezzlement; impleader vs. interpleader vs. intervention; strict vs. intermediate vs. rational basis review)
The episode closes with perspective: the bar exam is significant, but it is not destiny. Regardless of outcome, your professional future remains intact.
A candid, structured, and practical debrief for law students who want clarity, reassurance, and a focused reminder of what actually matters when walking into the Uniform Bar Exam.
-
7
Episode 1 - What is CMMC and How Does it Effect Me?
If you are considering entering the Department of Defense market—or you are already in it but hoping CMMC might quietly go away—this episode is for you.
In this foundational discussion, I break down:
 • What CMMC actually is (and what it is not)
 • How CMMC relates to DFARS 252.204-7012 and NIST SP 800-171
 • When CMMC applies—and when it does not
 • Why there is no universal CMMC deadline
 • What “condition precedent to award” really means
 • How scoping decisions materially impact cost and audit burden
In this episode, I also examine the phased implementation timeline, the contracting officer’s discretion in including CMMC requirements, and the structural realities of the C3PAO ecosystem that influence assessment cost and availability.
Bottom line: CMMC is a DoD acquisition requirement designed to verify implementation of NIST SP 800-171. It becomes binding when it appears in your solicitation or contract—and it follows the flow of DoD information within your environment, not necessarily your entire enterprise.
If you work with DoD information—or are considering entering that market—strategic scoping and early planning are not optional.
Connect with me on LinkedIn, and if this episode clarified something for you, share it with your work bestie.
And remember—don’t say “cooey.” It’s ooey.
-
6
Episode 0: Ooey Cooey Is Back
Are you a defense contractor being told that everything is CUI—or that your contract contains CUI—without anything actually being marked? Or unsure whether you handle CUI at all, and therefore whether CMMC Level 1 or Level 2 applies to you?
That confusion is exactly why Ooey Cooey exists.
This re-introduction episode explains what this podcast is about, why it’s coming back now, and who it’s for. Ooey Cooey focuses on the full lifecycle of Controlled Unclassified Information (CUI)—from identification and designation to marking, safeguarding, sharing, retention, and destruction—and how those requirements actually show up in contracts and operations.
Since the last episode aired in 2021, a lot has changed: CMMC 2.0, new DFARS clauses, recurring cybersecurity attestations, compliance scoring, and third-party assessments have created a more complex and higher-risk environment for contractors. This episode explains what’s changed, why enforcement looks different today, and why clarity matters more than ever.
You’ll also hear how the podcast has evolved. Episodes will be short (15–20 minutes), focused on one concept at a time, and designed to answer four core questions:
 • What is the rule?
 • Who is responsible?
 • Where do contractors get it wrong?
 • What should you do instead?
This is not a technical podcast, not vendor-driven, not fear-based compliance—and not legal advice. It’s about clarity, context, and making informed, defensible decisions.
Earlier episodes from 2021 are still available and remain relevant for foundational CUI concepts based on the NARA CUI regulations. New episodes will build on that foundation and focus on how CUI requirements are being operationalized today.
If you’re confused about how, when, and where CUI safeguarding requirements impact your company, this show is for you. If you’re looking for a checklist without context, it probably isn’t.
Connect on LinkedIn: leslieweinsteinmba
Resources for government contractors: www.the-cyberadvisor.com
Until next time—and remember: don’t call it Cooey. That would be Ooey.
-
5
Storing CUI
32 CFR says that authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI. They must include the following measures among the reasonable precautions:
(1) Establish controlled environments in which to protect CUI from unauthorized access or disclosure and make use of those controlled environments.
(2) Reasonably ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI;
(3) Keep CUI under the authorized holder's direct control or protect it with at least one physical barrier, and reasonably ensure that the authorized holder or the physical barrier protects the CUI from unauthorized access or observation when outside a controlled environment; and
(4) Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on Federal information systems in accordance with the applicable security requirements and controls established in FIPS PUB 199, FIPS PUB 200, and NIST SP 800-53.
-
4
Interview with the ISOO
Have you ever wondered where NIST 800-171 came from or why it was written? In August 2020 I had the opportunity to interview a representative from the Information Security Oversight Office (ISOO) on my YouTube channel DIB Tech Talk (https://www.youtube.com/c/DIBTechTalk). This interview goes into the origins of NIST 800-171 with someone who was there when it happened. He walks us through some of the thinking behind the CUI program and why it's important.
-
3
Marking and Labeling CUI
At minimum, CUI markings for unclassified DoD documents will include the acronym “CUI” in the banner and footer of the document. If portion markings are selected, then all document subjects and titles, as well as individual sections, parts, paragraphs, or similar portions of a CUI document known to contain CUI, will be portion marked with “(CUI).” Use of the unclassified marking “(U)” as a portion marking for unclassified information within CUI documents or materials is required.
-
2
Creating and Designating CUI
The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly. But how? Tune in to find out.
-
1
What is CUI?
Established by Executive Order 13556 in 2010, the Controlled Unclassified Information (CUI) program standardizes the way the entire Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies. The Department of Defense (DOD) is an agency within the Executive branch of the U.S. government. But what is CUI? Tune in to find out!