New Defense Supplier Startup Package

Crawl, Walk, Run!

• C-Q10: Are CMMC assessments required for organizations that only handle hard-copy CUI?

  C-A10. No. Organizations that only handle hard-copy CUI should not be required to complete a CMMC Assessment. CMMC assessment requirements address cybersecurity-related risk to CUI and apply only when the CUI is processed, stored, or transmitted on a contractor-owned information technology system. Nonetheless, contractors are required to protect the hardcopy CUI. Per DoDI 5200.48, paragraph 1.1(b), any contractor or subcontractor that receives CUI is required to safeguard that information with Government training and safeguarding requirements. Additionally, if a contractor who was only provided hardcopy CUI plans to place the hardcopy CUI on an information technology system (e.g., scanned, entered, photographed, uploaded, printed, emailed), then that information technology system is subject to the applicable CMMC assessment requirements prior to the CUI being placed on the system. For organizations that handle paper CUI in addition to processing, storing, or transmitting CUI in a contractor-owned information technology system, the necessary CMMC assessment will address both the paper CUI and the digital CUI, in accordance with the applicable NIST SP 800-171 security requirements. For further information about DoD policy regarding safeguarding CUI, refer to DoDI 5200.48 .

$999.00 Complete!

702.634.7233 or cmmc@planetsecurity.net

The NDSSP is Designed for the Entrepreneur Who is Trying to Hurdle the Barrier to Entry known as CMMC!

2-Week Full Implementation Available Nationwide!

• Includes Everything Necessary to Comply with Protection Requirements for Controlled, Unclassified Information (CUI) for the Would-be Defense Supplier.

  • Organizational Information Security Policy for Safeguarding Hard-Copy CUI

  • Organizational Operational Procedures for Safeguarding Hard-Copy CUI

  • Physical Protection Mechanisms for Safeguarding Hard-Copy CUI

  • Required Information Security Training for Safeguarding Hard-Copy CUI

  • 3x Monthly vCISO Meeting with a Planet Security Senior Cybersecurity Subject Matter Expert (One per month for 3 months)

  • Life-Line for real-time q/a with the Planet Security Help Desk for 1 Year

  • When the time comes to grow beyond the Entry Package, 100% of your purchase price may be used towards your own Cybersecurity Protected Enclave Level 2 for full CMMC 2.0 Level 2 Assessment Readiness!

The New Defense Supplier Starter Package from Planet Security is a targeted, practical offering for small or emerging defense contractors (especially those in the Defense Industrial Base, or DIB) that may initially handle only hard-copy (paper/physical) Controlled Unclassified Information (CUI)—such as printed technical drawings, specifications, contracts, or other documents received from DoD primes or agencies.

The Package aligns exceptionally well, while following our established methodology of "Most Critical Path @ Least Cost" (to assist our clients in being as competitive in the marketplace as they possibly can be), with DoD requirements for safeguarding hard-copy CUI under DoDI 5200.48 ("Controlled Unclassified Information," effective March 6, 2020, with ongoing relevance in 2026), which mandates protection for any contractor receiving CUI, regardless of format. Key obligations include:

• Proper marking (e.g., using CUI banners, portion markings, and covers like SF 901 or SF 902 labels).

• Physical safeguarding (e.g., controlled environments with locks, limited access, barriers like locked drawers/cabinets, visual control when in use, no unattended exposure in open areas).

• Secure storage (e.g., locked areas or containers preventing unauthorized access; no GSA-approved safes required, but adequate physical/procedural controls needed).

• Handling and reproduction controls (e.g., keep under direct control, use cover sheets to conceal from casual viewing, limit copying to lawful government purposes).

• Destruction (render unreadable/irrecoverable, per NIST SP 800-88 guidelines for hard media).

• Training for personnel on these requirements.

Since purely hard-copy CUI does not require a CMMC assessment (per official DoD CMMC FAQ C-Q10/C-A10, as it focuses on cybersecurity risks to CUI on IT systems), this package smartly avoids unnecessary digital compliance burdens like full NIST SP 800-171 implementation or CMMC Level 2 certification—while still meeting core safeguarding duties.

What's Included and Why It Matters

• Organizational Information Security Policy for Safeguarding Hard-Copy CUI Provides a foundational written policy documenting your approach to compliance (e.g., roles, responsibilities, procedures). This helps demonstrate due diligence to contracting officers or auditors.

• Organizational Operational Procedures for Safeguarding Hard-Copy CUI Step-by-step guidance on day-to-day handling, marking, storage, transport, and incident reporting—essential for consistent implementation and training.

• Physical Protection Mechanisms for Safeguarding Hard-Copy CUI Likely includes recommendations or templates for locks, access controls, visitor logs, cover sheets (e.g., SF 901), barriers, and secure storage setups. Aligns directly with NIST SP 800-171 physical/media protection controls (e.g., 3.8.1, 3.10.1) that apply even to paper CUI.

• Required Information Security Training for Safeguarding Hard-Copy CUI Covers mandatory topics like identification, marking, safeguarding, dissemination, destruction, and incident reporting (per DoDI 5200.48 and related guidance). DoD encourages or requires this for contractors; the free DoD Mandatory CUI Training (via CDSE/Security Awareness Hub) fulfills much of this, but customized materials can help tailor it to your operations.

• 3x Monthly Meetings with a Planet Security Senior Cybersecurity SME (one per month for 3 months) Personalized expert guidance to review your setup, answer questions, and refine implementation—valuable for new entrants navigating DoD expectations.

• Life-Line for real-time Q&A with the Planet Security Help Desk for 1 Year Ongoing support reduces risk of missteps, especially useful during contract bidding or initial CUI receipt.

This package positions a would-be supplier to confidently bid on or accept contracts involving hard-copy CUI without immediate digital/IT scoping risks. It emphasizes proactive compliance with physical protections and training, which remain required even if no CMMC applies yet.

The New Defense Supplier Starter Package is an exceptionally cost-effective way to build a compliant foundation and scale up as needed!

Q: Why do I need this package if I'm only handling hard-copy (paper) CUI and don't need a full CMMC assessment?

A: Even without digital CUI, DoD requires every contractor or subcontractor receiving CUI to safeguard it properly under DoDI 5200.48—including physical protections, marking, handling procedures, secure storage, and mandatory training. Skipping these steps risks contract rejection, audits, or liability if mishandled. This package gives you everything needed to comply confidently from day one, without overpaying for unnecessary digital/IT-focused services.

Q: What makes this Starter Package better than just using free DoD resources (like CDSE CUI training or generic templates)?

A: Free resources are a good start, but they're generic and don't provide customized, organization-specific policies, procedures, or physical setup guidance tailored to your operations. Our package delivers ready-to-implement, professional-grade materials (policies, procedures, training content, and physical protection recommendations) plus 3 months of direct expert coaching and 1 full year of real-time help desk support. This turns compliance from a headache into a streamlined, low-risk process—saving you time, avoiding mistakes, and making you look professional to primes and contracting officers.

Frequently Asked Questions (FAQ)

Q: How does this package help me win my first DoD contract or subcontract?

A: Many primes and DoD agencies now ask for evidence of CUI safeguarding plans during bidding or onboarding—even for hard-copy only. Having documented policies, procedures, training records, and physical controls in place demonstrates you're serious and ready. This package positions you as compliant and low-risk right away, helping you stand out in competitive bids and avoid delays or disqualifications due to unclear safeguarding capabilities.

Q: I'm a small company with limited budget and no in-house cybersecurity expertise— is this affordable and practical?

A: Absolutely. Designed specifically for new or small defense suppliers, it's a cost-effective "starter" solution focused only on what's required for hard-copy CUI—no bloated digital compliance extras. You get high-value deliverables (customizable policy/procedure docs, training, physical recommendations) plus personalized expert access (monthly SME meetings + year-long help desk) to guide implementation. It's far cheaper and faster than hiring consultants or building everything from scratch.

Q: What happens if I later need to digitize CUI (e.g., scan documents or email them)?

A: The package builds a strong foundation in physical and procedural safeguards that carry over. When you transition to digital, you'll already have key elements (like training awareness and handling policies) in place—making it easier and less expensive to scale up to full NIST SP 800-171/CMMC requirements later. Our experts can advise on that next step during your included meetings or help desk support.

Q: How quickly can I get up and running with this package?

A: Most customers implement the core elements within weeks. You receive all materials immediately upon purchase, start your 3 monthly SME meetings right away, and have ongoing help desk access for a full year. This rapid setup lets you bid on opportunities now instead of waiting months to "get compliant."

Q: Is this package backed by real expertise in DoD compliance?

A: Yes—Planet Security specializes in helping defense suppliers navigate CUI and CMMC requirements. Our senior SMEs have deep experience in the Defense Industrial Base, and the package is built around official DoD guidance (DoDI 5200.48, NIST physical/media controls, etc.). You're not buying a generic template—you're getting proven, practical tools and direct support from experts who understand the real-world stakes.