Ooey Cooey

Episode 2 - How to Build a Trusted Cyber Compliance Ecosystem to Manage Cost and Risk

This episode is for informational purposes only and does not constitute legal advice.  In this episode, I break down why building a trusted ecosystem of vendors, consultants, peers, and industry voices is essential to managing both cost and risk in today’s regulatory environment. I walk through how to properly vet each component of that ecosystem and what to look for, what to avoid, and where organizations consistently get it wrong. From evaluating vendor capabilities and consultant credentials to leveraging peer insights without falling into echo chambers, this episode focuses on practical, defensible decision-making. The goal is not to outsource responsibility, but to build a network that strengthens your governance model, reduces unnecessary spend, and positions your organization for sustainable compliance. If you are trying to navigate CMMC, NIST 800-171, or broader regulatory expectations without overspending this episode provides a structured approach to doing it right. The NICE Cyber Workforce Framework can be found here: https://niccs.cisa.gov/tools/nice-framework

Special Edition- My Bar Exam Experience

In this special edition of Ooey Cooey, Leslie Weinstein—a recent graduate of the University of Baltimore School of Law—shares her firsthand experience taking the February 2026 Maryland UBE while it is still fresh. This episode is dedicated to her UBalt Law friends preparing for their own exam and is designed to reduce anxiety through practical insight and perspective  Bar Exam Episode Leslie walks through: * What to expect on exam day (location logistics, timing realities, laptop software surprises, and practical packing tips) * The structure of the UBE (MPT, essays, and a full day of 200 multiple-choice questions) * Study reflections, including her experience with Themis and how bar exam questions compared to prep materials * Tactical multiple-choice strategies—especially spotting standards of review and reading the call of the question carefully * High-yield doctrinal refreshers across Civil Procedure, Criminal Law, Contracts, Property, and Torts * Nuanced distinctions that frequently appear on the exam (e.g., larceny by trick vs. false pretenses vs. embezzlement; impleader vs. interpleader vs. intervention; strict vs. intermediate vs. rational basis review) The episode closes with perspective: the bar exam is significant, but it is not destiny. Regardless of outcome, your professional future remains intact. A candid, structured, and practical debrief for law students who want clarity, reassurance, and a focused reminder of what actually matters when walking into the Uniform Bar Exam.

Episode 1 - What is CMMC and How Does it Effect Me?

If you are considering entering the Department of Defense market—or you are already in it but hoping CMMC might quietly go away—this episode is for you. In this foundational discussion, I break down: * What CMMC actually is (and what it is not) * How CMMC relates to DFARS 252.204-7012 and NIST SP 800-171 * When CMMC applies—and when it does not * Why there is no universal CMMC deadline * What “condition precedent to award” really means * How scoping decisions materially impact cost and audit burden In this episode, I also examine the phased implementation timeline, the contracting officer’s discretion in including CMMC requirements, and the structural realities of the C3PAO ecosystem that influence assessment cost and availability. Bottom line: CMMC is a DoD acquisition requirement designed to verify implementation of NIST SP 800-171. It becomes binding when it appears in your solicitation or contract—and it follows the flow of DoD information within your environment, not necessarily your entire enterprise. If you work with DoD information—or are considering entering that market—strategic scoping and early planning are not optional. Connect with me on LinkedIn, and if this episode clarified something for you, share it with your work bestie. And remember—don’t say “cooey.” It’s ooey.

Episode 0: Ooey Cooey Is Back

Are you a defense contractor being told that everything is CUI—or that your contract contains CUI—without anything actually being marked? Or unsure whether you handle CUI at all, and therefore whether CMMC Level 1 or Level 2 applies to you? That confusion is exactly why Ooey Cooey exists. This re-introduction episode explains what this podcast is about, why it’s coming back now, and who it’s for. Ooey Cooey focuses on the full lifecycle of Controlled Unclassified Information (CUI)—from identification and designation to marking, safeguarding, sharing, retention, and destruction—and how those requirements actually show up in contracts and operations. Since the last episode aired in 2021, a lot has changed: CMMC 2.0, new DFARS clauses, recurring cybersecurity attestations, compliance scoring, and third-party assessments have created a more complex and higher-risk environment for contractors. This episode explains what’s changed, why enforcement looks different today, and why clarity matters more than ever. You’ll also hear how the podcast has evolved. Episodes will be short (15–20 minutes), focused on one concept at a time, and designed to answer four core questions:  • What is the rule?  • Who is responsible?  • Where do contractors get it wrong?  • What should you do instead? This is not a technical podcast, not vendor-driven, not fear-based compliance—and not legal advice. It’s about clarity, context, and making informed, defensible decisions. Earlier episodes from 2021 are still available and remain relevant for foundational CUI concepts based on the NARA CUI regulations. New episodes will build on that foundation and focus on how CUI requirements are being operationalized today. If you’re confused about how, when, and where CUI safeguarding requirements impact your company, this show is for you. If you’re looking for a checklist without context, it probably isn’t. Connect on LinkedIn: leslieweinsteinmba [https://www.linkedin.com/in/leslieweinsteinmba/] Resources for government contractors: www.the-cyberadvisor.com Until next time—and remember: don’t call it Cooey. That would be Ooey.

Storing CUI

32 CFR says that authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI. They must include the following measures among the reasonable precautions: (1) Establish controlled environments in which to protect CUI from unauthorized access or disclosure and make use of those controlled environments. (2) Reasonably ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI; (3) Keep CUI under the authorized holder's direct control or protect it with at least one physical barrier, and reasonably ensure that the authorized holder or the physical barrier protects the CUI from unauthorized access or observation when outside a controlled environment; and (4) Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on Federal information systems in accordance with the applicable security requirements and controls established in FIPS PUB 199, FIPS PUB 200, and NIST SP 800-53.