CMMC 2.0 Compliance: How Defense Contractors Can Protect CUI

The Stakes Have Changed for Defense Contractors

For years, cybersecurity compliance in the defense industrial base (DIB) was largely a matter of self-attestation. Companies certified their own security posture, and enforcement was inconsistent. That era is ending.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, now entering full enforcement as part of the U.S. Department of Defense (DoD) acquisition process, fundamentally changes the equation. Third-party assessments, stricter requirements for handling Controlled Unclassified Information (CUI), and contract-level enforcement mean that non-compliance is no longer a paperwork problem – it is a business risk that can disqualify organizations from DoD contracts.

Yet many contractors remain focused on the network controls they know well: firewalls, endpoint protection, and multi-factor authentication (MFA). These are necessary but insufficient. The larger and often overlooked gap lies in how CUI is handled at the document level in engineering files, technical specifications, subcontractor agreements, and the countless other unstructured assets that move across the supply chain every day.


What Is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. DoD to ensure that defense contractors and their supply chain partners adequately protect sensitive federal information. It was created in response to a persistent and well-documented problem: CUI was flowing through the defense industrial base without consistent security controls in place.

CMMC 2.0 is the revised and streamlined version of the original framework, introduced in 2021 after industry feedback that the original was overly complex and costly to implement. The revision simplified the structure, reduced the number of maturity levels, and recalibrated assessment requirements, but it did not reduce the fundamental expectation that organizations handling CUI must demonstrate technical, measurable security controls.

Critically, CMMC 2.0 is not a voluntary standard. Compliance is being embedded directly into DoD contracts. Organizations that cannot demonstrate the required maturity level for a given contract will be ineligible to bid or perform on that work. As enforcement ramps up through 2025 and into 2026, the framework is transitioning from a planning exercise to an operational reality across the DIB.


CMMC 2.0 Requirements at a Glance

CMMC 2.0 streamlined the original five-level model into three tiers, but the core obligations remain demanding for any organization handling CUI:

  • Level 1 (Foundational): Covers 17 basic cybersecurity practices, primarily around access control and media protection. Self-assessment is permitted.
  • Level 2 (Advanced): Aligns with NIST SP 800-171’s 110 security practices. Most defense contractors handling CUI will fall here. Annual self-assessments for some contractors; third-party assessments (C3PAO) for others.
  • Level 3 (Expert): Adds practices from NIST SP 800-172 for the most sensitive programs. Government-led assessments required.

The critical phrase throughout all three levels is CUI – Controlled Unclassified Information. This category covers an enormous range of sensitive but unclassified data: technical drawings, research data, export-controlled materials, personnel information, and contract details. If your organization touches any of this data during DoD work, CMMC applies to how it is stored, processed, accessed, and shared.

The challenge is that CUI rarely stays in one place. It moves into emails, collaborative workspaces, subcontractor file transfers, and employee devices. Protecting it requires controls that travel with the data, not just controls at the network perimeter.


Why the Supply Chain Is the Hardest Part

Across the DIB, prime contractors often have mature security programs and the resources to pursue CMMC certifications. The harder problem is the extended supply chain: tier-two and tier-three subcontractors who receive CUI as part of their work but may lack the security infrastructure to protect it adequately.

Under CMMC 2.0, prime contractors bear responsibility for ensuring that CUI is protected throughout their supply chain. That means verifying not just that subcontractors have the right policies in place, but that the documents and files shared with them remain protected persistently, even after they leave the prime contractor’s environment.

This creates a practical dilemma that many organizations are only now confronting: traditional file-sharing mechanisms – email attachments, FTP transfers, generic cloud drives – offer no persistent control once a document is delivered. A CUI-tagged technical specification sent to a subcontractor can be copied, forwarded, printed, or stored indefinitely with no visibility or control from the originating organization. Access control must persist throughout the document’s lifecycle.


The CMMC Domains Where Document Security Is Critical

Several of CMMC 2.0’s practice domains directly implicate how unstructured data is handled. Organizations should pay particular attention to:

Access Control (AC)

CMMC requires that access to CUI be limited to authorized users and processes. This sounds straightforward, but document-level enforcement is more complex than network access control. A user may be authorized to receive a CUI document, but that authorization should be conditional – tied to their role, their need, and the timeframe of the project. Static file permissions don’t adapt as roles change or projects close.

Configuration Management (CM)

Organizations must maintain control over the configuration of systems that process CUI, including tracking what is stored where. When CUI documents proliferate across shared drives, personal devices, and subcontractor systems, configuration management becomes a data visibility problem as much as a technical one.

Identification and Authentication (IA)

Knowing who is accessing what is a baseline requirement. But meaningful identification and authentication at the document level means being able to answer: who opened this file, when, from which device, and what did they do with it? Audit logs at the system level often can’t provide this granularity for individual documents.

System and Communications Protection (SC)

CUI must be protected in transit and at rest. Encryption is the foundation, but encryption alone does not prevent an authorized user from exfiltrating or mishandling data once it has been decrypted. The protection layer must extend to how the data is used, not just how it is stored or transmitted.

Audit and Accountability (AU)

CMMC requires audit logging sufficient to detect, investigate, and report security incidents. For CUI documents, this means maintaining a verifiable record of every access event in a format that can support assessment and incident response.


The Gap That Most Assessments Will Expose

When third-party assessors evaluate CMMC compliance across the defense industrial base, they will look not just at policy documentation but at whether controls are technically enforced. Organizations that rely on perimeter-based controls and user training will face difficult questions:

  • Can you demonstrate that access to this CUI document was limited to authorized users after it was shared with a subcontractor?
  • Can you show a complete audit trail of who accessed this file, from which locations, and what actions they took?
  • If an employee left the organization, can you confirm they no longer have access to the CUI they received?
  • If a subcontractor relationship ended, what controls prevent continued access to CUI shared during that engagement?

These questions expose a structural weakness in how most organizations think about data security. Access control at the file system level is binary and static. Once a file is shared, the originating organization typically loses visibility and control.

Closing this gap requires a data-centric approach: persistent, file-level controls that enforce policy regardless of where the document resides, combined with the ability to revoke access remotely when circumstances change.
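As an added illustration of the persistent, revocable, file-level control argued for above (example code written for this page, not Fasoo's product code): a document whose access policy is evaluated on every open rather than once at share time, with one audit entry per attempt that answers the who/when/device/action questions. The project name, roles, dates, user, organization and device name are constructed.

```python
# Added example, not Fasoo's code: policy embedded in the document, re-evaluated on every open, audited.
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Policy:
    project: str
    allowed_roles: frozenset                       # roles permitted to open the file
    valid_until: datetime                          # end of the engagement window
    revoked_orgs: set = field(default_factory=set) # subcontractors cut off before the window ends

@dataclass
class ProtectedDocument:
    name: str
    policy: Policy
    audit_log: list = field(default_factory=list)

    def open(self, user, org, role, device, now):
        """Decide at access time, not at share time, and record the outcome either way."""
        if org in self.policy.revoked_orgs:
            reason = "organization revoked"
        elif now > self.policy.valid_until:
            reason = "engagement expired"
        elif role not in self.policy.allowed_roles:
            reason = "role not authorized"
        else:
            reason = None
        self.audit_log.append({
            "file": self.name, "user": user, "org": org, "device": device,
            "time": now.isoformat(), "action": "open",
            "result": "allowed" if reason is None else "denied: " + reason,
        })
        return reason is None

def access_history(doc, org):
    """Assessor question: who from this organization touched the file, when, from where?"""
    return [e for e in doc.audit_log if e["org"] == org]

def demo():
    # Constructed scenario: a subcontractor engineer during an active engagement, then after revocation.
    policy = Policy("PROJ-A", frozenset({"engineer"}), datetime(2026, 6, 30, tzinfo=timezone.utc))
    doc = ProtectedDocument("spec-rev3.pdf", policy)
    t1 = datetime(2026, 3, 1, tzinfo=timezone.utc)
    first = doc.open("jdoe", "SubCo", "engineer", "laptop-17", t1)   # authorized role, window open
    second = doc.open("jdoe", "SubCo", "sales", "laptop-17", t1)     # same person, wrong role
    policy.revoked_orgs.add("SubCo")                                  # engagement ends early
    third = doc.open("jdoe", "SubCo", "engineer", "laptop-17", t1)   # copy still exists, open denied
    return first, second, third, len(access_history(doc, "SubCo"))   # (True, False, False, 3)
```

Denied attempts are logged as well as allowed ones, which is what lets the originating organization answer the subcontractor off-boarding question after the fact.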


Building a Data Security Platform with Fasoo for CMMC 2.0

For organizations across the DIB working toward CMMC compliance, the following practices form the foundation of effective CUI data security:

  1. Classify and Tag CUI Systematically

Effective protection begins with knowing what you have. Implement automated data discovery and classification tools that can identify CUI across repositories, endpoints, and cloud environments. Classification should be consistent and applied at the file level so that protection policies follow the document itself.

Fasoo Data Radar (FDR) helps organizations understand their data landscape by identifying sensitive data in real time. Security and compliance teams gain clear insight into where CUI exists and how it is classified.

  2. Apply Persistent, File-Level Protection That Travels with the Data

CMMC’s access control and protection requirements cannot be met by perimeter controls alone. When CUI documents move – to subcontractors, external systems, or personal devices – the protection must move with them.

Fasoo Enterprise DRM (EDRM) applies persistent encryption and access policy at the file level. Regardless of where a CUI document is stored or transmitted, only authorized users can open it. Permissions are granular and policy-driven, embedded directly into the file itself, so the document remains protected wherever it travels and whenever it is accessed.

  3. Maintain a Complete, Verifiable Audit Trail

CMMC’s Audit and Accountability domain requires organizations to demonstrate that they can detect, investigate, and report on security incidents involving CUI. This requires document-level audit trails: who accessed which file, when, from which device, and what actions they performed.

Fasoo EDRM provides centralized, real-time audit logs for every document interaction. These records are structured for compliance reporting and incident response, providing the evidentiary foundation that third-party assessors will expect during C3PAO evaluations.

  4. Extend Control Across the Supply Chain

Because prime contractors bear responsibility for CUI protection throughout their supply chains, it is not sufficient to secure documents within your own environment. Files shared with tier-two and tier-three subcontractors must remain under your control even after they leave your systems.

Fasoo enables organizations to share CUI documents with external partners while maintaining encryption, access restrictions, and audit visibility. Subcontractors access files under an enforced policy, not as open, uncontrolled copies. When engagements end, access can be revoked across all distributed copies, eliminating the residual risk of CUI exposure after a contract closes.


The Assessment Is Coming – Is Your Document Security Ready?

CMMC 2.0 enforcement is no longer a future planning exercise. It is an operational reality that is being embedded into DoD contracts across the defense industrial base. Organizations that have invested in network security controls but overlooked document-level protection will face significant gaps when assessors evaluate technical enforcement, not just policy documentation.

Closing those gaps requires a data-centric approach: persistent, file-level controls that enforce access policy regardless of where CUI resides, combined with comprehensive audit trails and the ability to extend protection across the full supply chain.

For defense contractors and their subcontractor partners preparing for CMMC assessment, Fasoo’s Data Security Platform provides the foundational capabilities to address the document security requirements that perimeter controls cannot reach.
