In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶ 324)We also noted that nearly five years after first announced, DOD’s Cybersecurity Maturity Model Certification (CMMC) Program will finally become operational at some point in fiscal year 2025 as the means by which DOD intends to protect CUI. As we noted in Part I, many gaps in the DOD CUI Program have yet to be filled. These gaps took center stage in comments DOD received when it issued its Final Rule. Disappointingly, DOD made no effort to fill in these gaps in responding, thus ensuring that Defense Industrial Base (DIB) contractors and subcontractors will be in for a bumpy ride.