CMMC Level 2 Without Re-Architecting Everything

How DoD suppliers can reach CMMC Level 2 by building a CUI enclave that cuts assessment scope dramatically.

What CMMC Level 2 Actually Requires

The Cybersecurity Maturity Model Certification (CMMC) program establishes three levels of cyber requirements for companies that do business with the Department of Defense. Level 1 covers basic cyber hygiene for contractors handling Federal Contract Information (FCI). Level 3 applies to the most sensitive programs. Level 2 is the tier most defense contractors will need: it applies to any organization that handles Controlled Unclassified Information (CUI) and maps directly to NIST SP 800-171 Revision 2, all 110 security requirements across 14 families.

For the majority of Level 2 contractors, the assessment is conducted by an accredited C3PAO (Certified Third-Party Assessment Organization), not a self-attestation. The C3PAO validates your implementation against each requirement and produces a scored assessment. That score is submitted to the Supplier Performance Risk System (SPRS), where contracting officers can see it. A self-assessment score is also required before C3PAO assessment for many contracts, so both matter.

The 110 requirements are not trivial. They cover access control, incident response, configuration management, media protection, risk assessment, system and communications protection, and more. Applying all of them broadly across an organization with 40 employees and a mixed IT environment is a significant undertaking. Applying them to a well-scoped enclave is manageable. That distinction is everything.

The Five Asset Categories That Define Your Scope

CMMC assessment methodology defines five categories of assets. Where your assets land determines how rigorously each requirement is assessed. Scope reduction is the art of moving as many assets as possible into the lower-impact categories.

Category: CUI Assets
  Definition: Systems that process, store, or transmit CUI directly: endpoints, servers, applications, and cloud services where CUI lives or moves.
  Assessment impact: Full assessment against all applicable 110 requirements. Every control must be implemented and evidenced.

Category: Security Protection Assets
  Definition: Systems that provide security capabilities to CUI assets: firewalls, SIEM, identity providers, MFA solutions, patch management platforms.
  Assessment impact: Assessed for their security function. Controls covering those specific functions must be implemented; broader controls may not apply.

Category: Contractor Risk Managed Assets
  Definition: Systems that could reach CUI assets but are managed by the contractor to prevent that contact: general business laptops, shared file servers that are network-adjacent but CUI-free.
  Assessment impact: Reduced assessment. The contractor must document and implement controls sufficient to demonstrate that CUI does not reach these assets.

Category: Specialized Assets
  Definition: Assets that cannot fully meet 800-171 requirements due to their nature: OT/IoT devices, test equipment, government-furnished equipment, restricted-use systems.
  Assessment impact: Addressed through compensating controls and risk documentation rather than full requirement implementation.

Category: Out-of-Scope Assets
  Definition: Systems that cannot process, store, or transmit CUI and cannot reach systems that do; fully isolated from the CUI environment.
  Assessment impact: Not assessed. The documentation burden is demonstrating and maintaining that isolation.

Scoping is a design decision, not an audit response

The most expensive mistake in any CMMC engagement is treating scope as something you figure out after buying controls. Scoping is an architectural decision made before you purchase a single tool or write a single policy. Getting the boundary wrong (drawing it too wide, failing to enforce it technically, or discovering mid-assessment that CUI is leaking outside the enclave) is the single costliest outcome. Scope first. Build second.

The Enclave Strategy

An enclave is a dedicated, technically enforced boundary inside which all CUI is created, received, stored, processed, and transmitted, and outside which CUI is blocked. The enclave is your CUI asset set. Everything else in your business, including general corporate IT, becomes a Contractor Risk Managed Asset or goes out of scope entirely.

The enclave does not have to be a separate physical network in a separate building. For most small and mid-size suppliers, it is a logically isolated segment, implemented through a combination of cloud tenancy, network segmentation, endpoint controls, and identity policy. What it does have to be is real: technically enforced, documented, and auditable. A policy that says “employees should not email CUI” is not a boundary. A data loss prevention policy that blocks CUI from reaching non-enclave endpoints, enforced at the email gateway and DLP engine, is a boundary.

Cloud: Microsoft 365 GCC High or Equivalent

For most defense suppliers already using Microsoft 365, the enclave starts in the cloud. Microsoft 365 GCC High is a FedRAMP High authorized environment, physically and logically separated from commercial M365 tenants, and designed specifically to handle CUI and ITAR-controlled data. It satisfies the CMMC requirement for FedRAMP-equivalent cloud authorization for CUI storage and processing.

A properly configured GCC High tenant, with Conditional Access policies that enforce compliant devices and MFA, Exchange Online configured to prevent mail forwarding outside the tenant, SharePoint and OneDrive restricted to enclave users, and Teams federation disabled or restricted, is the backbone of the enclave for most document-centric workflows. The key word is “properly configured.” GCC High provides the authorization status; your configuration provides the actual control implementation.

If your workflow involves specialized tools, design environments, or applications that cannot run inside a Microsoft stack, a separately authorized SaaS application (FedRAMP Moderate or High authorized, as appropriate) or a dedicated cloud environment with equivalent controls can serve the same function. The principle is the same: CUI stays in an authorized, boundary-enforced environment.

Network Segmentation

On-premises infrastructure should segment the CUI enclave at the network layer: a dedicated VLAN or subnet, with firewall rules that permit only documented, necessary traffic flows between the enclave and the rest of the network. The goal is that a device on the general corporate network cannot reach enclave resources without going through an enforced access control point.

For most small suppliers, this means firewall-enforced VLAN segmentation, with the enclave VLAN permitting outbound traffic to GCC High and authorized cloud services, and blocking inbound traffic from general corporate segments except through authenticated VPN or zero-trust network access (ZTNA) for authorized users. Proper firewall and segmentation design is not optional here; it is the physical and logical foundation of the boundary claim in your System Security Plan.

Endpoints and Identity

CUI assets include any endpoint where a user accesses CUI. For most suppliers, that should be a small, defined population of managed devices: either dedicated CUI workstations or, where that’s impractical, virtual desktop infrastructure (VDI) sessions that run inside the enclave. In the VDI case the endpoint only renders the session; the CUI never lands on its local disk.

Identity is the enforcement point. The enclave should have its own identity boundary, either a separate Azure AD tenant (as is standard with GCC High) or tightly controlled Conditional Access policies in a single tenant that gate enclave resource access to compliant, enrolled devices with phishing-resistant MFA. Users who handle CUI are members of an enclave identity group. Users who do not handle CUI are not, and the Conditional Access policy ensures they cannot access enclave resources even if they try.

Storage inside the enclave must use FIPS-validated encryption, at rest and in transit. This is a specific CMMC requirement (SC.3.177), not a general best-practice recommendation. GCC High and compliant on-premises configurations with FIPS mode enabled on Windows satisfy this; consumer cloud storage and standard commercial M365 tenants do not.

Data Egress Controls

Enclaves leak at the edges. The most common failure modes are email (CUI forwarded to a personal account or sent to a non-enclave address), file transfer (CUI copied to a USB drive or synced to a personal Dropbox), and collaboration (CUI shared in a Teams channel that includes non-enclave participants). All three require technical controls, not just policy:

  • Email DLP: rules in Exchange Online or your email security gateway that detect and block CUI from leaving the enclave tenant. Classification labels (Microsoft Purview or equivalent) help automate this.
  • Removable media: USB and removable media blocked or restricted by endpoint policy (Intune, Group Policy, or endpoint DLP agent) on all CUI endpoints.
  • Cloud sync: personal cloud storage sync clients blocked on CUI endpoints; only authorized sync paths (GCC High OneDrive) permitted.
  • External sharing: GCC High tenant configured to block or tightly restrict external sharing of files and calendars.

How Scope Reduction Actually Works: Mapping the Data Flow

The enclave strategy only pays off if you document the boundary clearly enough that an assessor can verify it. That documentation lives in your System Security Plan (SSP), and it starts with a data flow diagram: where does CUI enter your environment, where does it travel, where is it stored, and where does it exit?

Walk through the workflow step by step. A defense supplier receiving technical drawings from a prime contractor typically sees this flow: secure file transfer or email from prime → received in GCC High mailbox → opened on a CUI-designated, managed endpoint → stored in a GCC High SharePoint library → accessed by engineers via GCC High Teams or direct SharePoint access from managed endpoints → output (modified drawings, analysis reports) stored back in GCC High → transmitted back to prime via the same authorized channel.

Every step in that chain that touches CUI is a CUI asset. Every system that enforces the boundary (the firewall, the Conditional Access policy, the DLP engine, the endpoint management platform) is a Security Protection Asset. Everything that has no data-flow relationship to CUI (the point-of-sale system, the guest Wi-Fi network, the marketing team’s laptops) is a Contractor Risk Managed Asset or out of scope.

In practice, the step that most contractors skip is the audit of who actually handles CUI. Often it is a much smaller population than assumed: a program manager, two or three engineers, and an administrator. Map those roles, trace their workflows, and build the enclave around those workflows. The goal is not to build a perfect general-purpose security architecture; it is to build a defensible, auditable boundary around the specific places CUI actually lives.
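The categorization in the asset table above and the data-flow walk-through can be checked mechanically. The following added example (not from the original page or any vendor tool) builds a small constructed inventory, derives each asset’s scoping category from the SSP declarations plus network reachability, and flags any observed CUI flow that lands on an asset the SSP does not declare as a CUI or Specialized asset, which is exactly the mid-assessment leak the text warns about. All asset names, edges and attribute keys are constructed sample data.

```python
# Constructed inventory (sample data, not from the page). handles_cui: the SSP declares
# the asset processes, stores, or transmits CUI; protects: assets it provides a security
# function for; specialized: cannot fully meet 800-171 (OT, test equipment, GFE).
ASSETS = {
    "gcc-high-tenant": {"handles_cui": True},
    "eng-ws-01": {"handles_cui": True},
    "eng-ws-02": {"handles_cui": True},
    "enclave-firewall": {"protects": {"gcc-high-tenant", "eng-ws-01", "eng-ws-02"}},
    "shared-fileserver": {},
    "corp-laptop-07": {},
    "cmm-test-rig": {"specialized": True},
    "pos-system": {},
}
# Constructed reachability: (src, dst) means src can open a connection to dst today.
REACH = [("corp-laptop-07", "shared-fileserver"), ("shared-fileserver", "eng-ws-01")]
# Constructed observed CUI flows; the last edge is a deliberate leak to a general server.
CUI_FLOWS = [("gcc-high-tenant", "eng-ws-01"), ("eng-ws-01", "gcc-high-tenant"),
             ("eng-ws-02", "shared-fileserver")]

def reachable_from(start, edges):
    # Transitive closure from start over directed edges (iterative DFS).
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for src, dst in edges:
            if src == node and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen

def categorize(assets, reach):
    """Assign every asset to one of the five CMMC scoping categories."""
    cui = {n for n, a in assets.items() if a.get("handles_cui")}
    cats = {}
    for name, attrs in assets.items():
        if attrs.get("specialized"):
            cats[name] = "Specialized Asset"
        elif name in cui:
            cats[name] = "CUI Asset"
        elif attrs.get("protects", set()) & cui:
            cats[name] = "Security Protection Asset"
        elif reachable_from(name, reach) & cui:  # could reach CUI: contractor must manage it
            cats[name] = "Contractor Risk Managed Asset"
        else:
            cats[name] = "Out-of-Scope Asset"
    return cats

def find_leaks(cui_flows, cats):
    """CUI flows with an endpoint the SSP does not declare as a CUI or Specialized asset."""
    ok = {"CUI Asset", "Specialized Asset"}
    return [(s, d) for s, d in cui_flows if cats.get(s) not in ok or cats.get(d) not in ok]
```

Any edge returned by find_leaks means the boundary on paper and the boundary in practice disagree, and either the flow must be cut off or the destination must be brought into the enclave and assessed as a CUI asset.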

What Your SSP and POA&M Must Cover

The System Security Plan is the central artifact of any CMMC assessment. It describes your system, your boundary, your asset categories, your data flows, and how each of the 110 requirements is implemented. An assessor who picks up your SSP should be able to understand your environment and your control posture without additional explanation. An SSP that says “we use Microsoft 365 for email” without describing the tenant type, the Conditional Access policies, the DLP configuration, or how that maps to specific requirements is not an SSP; it is a placeholder.

The Plan of Action and Milestones (POA&M) documents any requirements you have not yet fully implemented, with a realistic target date and interim mitigating controls. A POA&M is not a weakness; every mature program has one. What matters is that it is honest, current, and actively managed. An assessor who discovers gaps that are not in your POA&M has a much different reaction than one who sees those same gaps documented with a remediation plan already underway.

Your SPRS score, the self-assessment score submitted to the Supplier Performance Risk System, must be calculated and posted before many contracts can be awarded. The score is derived from the 110 requirements, with each unimplemented requirement carrying a point deduction from a maximum of 110. A score of 110 means all requirements are implemented; negative scores are common and permissible as long as a POA&M exists. Submitting an inaccurate SPRS score (claiming full implementation when gaps exist) carries False Claims Act risk. Accuracy matters more than a high number.

Flow-Down: Your Subcontractors Are in Scope

If you handle CUI and subcontract any work that involves CUI to another company, CMMC requirements flow down. You are responsible for including appropriate cybersecurity requirements in subcontracts and for understanding whether your subcontractors handle CUI. Discovering mid-assessment that a subcontractor who processes CUI on your behalf has no CMMC compliance posture is an assessment finding against you, not just them.

Practically, this means inventorying your subcontractor relationships, identifying which ones touch CUI, including cybersecurity clauses (DFARS 252.204-7012 and successor clauses) in those contracts, and obtaining assurance, through their SPRS score or their C3PAO assessment certificate, depending on what the contract requires, that they meet the applicable standard. Small suppliers are often surprised to find they have subcontractor obligations; the flow-down requirement has been in DFARS since 2017.

The Implementation Sequence That Works

  1. Map your CUI data flows before touching any technology. Where does CUI come from, where does it go, who touches it, and what systems carry it? This takes one to two focused working sessions with your program managers and IT staff.

  2. Define the enclave boundary on paper. Draw the line. Every asset either touches CUI, protects CUI assets, might reach CUI assets but doesn’t, or is completely outside. Write this down in your SSP draft before you spend a dollar on technology.

  3. Select and configure the enclave platform. For most suppliers, this means provisioning GCC High (or confirming an existing GCC High tenant is correctly configured), establishing the network segment, and enrolling CUI-designated endpoints into management. The cloud infrastructure work (tenant configuration, Conditional Access, DLP) is the highest-leverage phase of the project.

  4. Implement the 110 requirements against the enclave. With a defined, narrow scope, this is a project you can actually sequence and track. Requirements that would have applied to 80 endpoints now apply to 12. Configurations that would have needed to roll out across your entire network now apply to one VLAN.

  5. Complete the SSP and calculate your SPRS score. Document every implemented control, every gap, and every POA&M item. Submit the score.

  6. Engage a C3PAO for a readiness assessment before committing to the formal assessment. A pre-assessment gap review with the C3PAO (or an independent advisor) surfaces surprises in a context where you can still fix them.

How we approach this

We design and operate CUI enclaves for defense suppliers, from the initial data-flow mapping and boundary definition through enclave build, SSP authorship, and SPRS score calculation. Our compliance practice works alongside our security engineers so the segmentation design and the control documentation are built together, not reconciled after the fact. We have walked aerospace and defense suppliers through this process. If you are facing a contract that requires CMMC Level 2 or preparing for a C3PAO assessment, let’s talk.