Protecting CUI: Implementation Steps in Order
Learn essential steps on how to protect CUI for defense contractors to enhance security.
---
Most contractors who struggle with CMMC implementation didn't fail because the controls were too hard. They failed because they started in the wrong place. They bought security tools before they knew their scope, wrote policies before they had a network diagram, or trained employees on CUI handling before defining what CUI they actually had.
The implementation sequence matters. Here's the order that works — and why each step depends on the one before it.
Step 1: Find Your CUI (Weeks 1–2)
Before you can protect CUI, you have to know where it is. This sounds obvious. It is not as obvious as it sounds.
Start with your contracts. Pull every active DoD contract and look for two things: (1) Does the contract include DFARS clause 252.204-7012? If yes, you are required to protect covered defense information, which in practice means implementing NIST SP 800-171 and reporting cyber incidents to DoD within 72 hours; the companion clauses 252.204-7019 and 252.204-7020 require a current NIST SP 800-171 assessment score posted in SPRS. (2) Does the statement of work involve technical data, export-controlled information, engineering specifications, or other data categories listed in the NARA CUI Registry?
Then do a data inventory. Where does CUI arrive? (Government email, contractor portals, physical shipments?) Where does it get stored? (File servers, SharePoint, email archives, engineer workstations, cloud storage?) Where does it get transmitted? (To subcontractors, to government customers, to internal teams at other locations?) Where does it get destroyed or returned?
This data flow exercise becomes the foundation of your System Security Plan and your CMMC scoping determination. Skip it, and every downstream step is built on guessing.
Use Microsoft Purview, Varonis, or a similar data classification tool to scan your environment for CUI patterns if your data volume is large. For most small contractors, a manual inventory with interviews across engineering, contracts, and IT is faster and more accurate.
Output: A data flow diagram and an initial list of systems that touch CUI.
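The data classification pass above can be started with a script before you buy a tool. The following is an added example, not code from the original article or from any product it names: it walks a file share, looks for CUI banner markings in the format the NARA CUI Marking Handbook prescribes (a line reading `CUI` or `CONTROLLED`, optionally followed by `//` and category or dissemination segments such as `CUI//SP-CTI/NOFORN`), flags documents that cite DFARS 252.204-7012, and records files it cannot read as text so the manual review knows where to look. The sample share is constructed inline; file extensions, the location grouping, and the regexes are my assumptions to tune against your own templates.

```python
"""Added example: a first-pass CUI marking scanner for a Step 1 inventory.
Not from the original article. Patterns follow the CUI Marking Handbook banner
format; the sample tree below is constructed for the demonstration."""
import os
import re
import tempfile
from collections import defaultdict

# A banner marking sits on its own line: "CUI", "CONTROLLED", or
# "CUI//<category>/<dissemination>" e.g. "CUI//SP-CTI/NOFORN".
# Anchoring to the whole line avoids flagging prose that merely mentions CUI.
BANNER = re.compile(
    r"^[ \t]*(?:CUI|CONTROLLED)(?://(?P<segs>[A-Z0-9\-]+(?:/[A-Z0-9\-]+)*))?[ \t]*$",
    re.MULTILINE,
)
DFARS_7012 = re.compile(r"252\.204-7012")
# Assumed set of extensions we can read as text; everything else is reported
# as "unscanned" so it is not silently dropped from the inventory.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".xml", ".json", ".html", ".eml"}


def classify_text(text):
    """Return (is_cui, categories, cites_7012) for one document's text."""
    is_cui, cats = False, set()
    for m in BANNER.finditer(text):
        is_cui = True
        if m.group("segs"):
            cats.update(m.group("segs").split("/"))
    return is_cui, sorted(cats), bool(DFARS_7012.search(text))


def scan_tree(root):
    """Walk `root` and group findings by top-level folder (the 'where is it
    stored' column of the data inventory). Returns {location: [entries]}."""
    inventory = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            location = rel.split("/")[0]
            entry = {"file": rel, "status": None, "categories": []}
            if os.path.splitext(name)[1].lower() not in TEXT_SUFFIXES:
                entry["status"] = "unscanned"       # needs manual/binary review
                inventory[location].append(entry)
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                is_cui, cats, cites = classify_text(fh.read())
            if is_cui:
                entry["status"], entry["categories"] = "cui", cats
            elif cites:
                entry["status"] = "contract-ref"    # points at a 7012 contract
            else:
                continue                            # nothing to record
            inventory[location].append(entry)
    return dict(inventory)


def build_sample_tree():
    """Create a constructed sample file share (no real data) and return its path."""
    root = tempfile.mkdtemp(prefix="cui_scan_")
    samples = {
        "engineering/bracket-drawing-notes.txt": "CUI//SP-CTI\nTolerances for bracket rev C.\n",
        "engineering/test-plan.txt": "CONTROLLED\nVibration test plan.\n",
        "engineering/model.step": "ISO-10303-21;\n",          # not text-scanned
        "contracts/sow-2024.txt": "SOW. This contract includes DFARS 252.204-7012.\n",
        "hr/handbook.txt": "Employees must not store CUI on personal devices.\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for location, entries in sorted(scan_tree(build_sample_tree()).items()):
        for e in entries:
            print(f"{location:12} {e['status']:12} {e['file']}  {e['categories']}")
```

The `hr/handbook.txt` sample mentions CUI in a sentence but carries no banner, so it is correctly left out; the STEP file is listed as unscanned rather than ignored. Run it against a copy of a real share only after confirming the scanning host itself is inside the scope you settle on in Step 2.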
Step 2: Define Your Scope — Enclave vs. Enterprise (Weeks 2–4)
Here's the decision that shapes your entire implementation: do you protect all of your systems to CMMC Level 2 standards, or do you carve out a CUI enclave and restrict CUI to that smaller environment?
Enterprise approach: Every system in the company meets NIST 800-171 requirements. This is appropriate if CUI is spread across your entire business and separation isn't practical. It's simpler to manage but more expensive to secure and certify — every workstation, every server, every cloud service is in scope.
Enclave approach: CUI is restricted to a defined, isolated environment — a separate network segment, a dedicated set of workstations, a CUI-specific SharePoint site in a FedRAMP-authorized cloud. Only the enclave systems face CMMC assessment. This reduces your scope and your cost, but requires real enforcement: employees who handle CUI must use the enclave, not their regular workstations, and every path CUI could take outside the enclave must be closed.
For most contractors with fewer than 100 employees, an enclave built around Microsoft 365 GCC High (FedRAMP High authorized) plus a small set of hardened workstations is the right call. GCC High handles many of the cloud-side requirements, including FIPS-validated encryption, government-compliant data residency, and MFA integration, and lets you inherit a significant portion of the control set from Microsoft. It is a shared-responsibility model, though: tenant configuration, identity and access decisions, endpoint hardening, and user behavior remain yours, and the assessor will test them.
Output: Documented scope decision in your SSP, network diagram showing enclave boundary or enterprise environment.
Step 3: Perform a Gap Assessment (Weeks 4–8)
With scope defined, run a formal gap assessment against all 110 NIST 800-171 Rev 2 requirements. This maps your current state to each control requirement and identifies what's missing, partial, or undocumented.
The gap assessment has two components:
Documentation review: Do you have policies for access control, incident response, configuration management, media handling, system maintenance, and the other required domains? Do those policies reflect what you actually do, or what you wish you did?
Technical testing: Are the controls you claim to have actually working? Vulnerability scanners (Tenable Nessus, Qualys) verify patch levels, open ports, and misconfigurations. A manual review verifies MFA is enforced, audit logging is active, and encryption is FIPS-validated.
A thorough gap assessment takes four to eight weeks for a small, well-scoped enclave and can stretch to 60–90 days for a larger or distributed environment. Hiring a Registered Practitioner Organization (RPO) to run the assessment costs $15,000–$40,000 depending on your environment size. You can do a self-assessment for less, but you'll miss things: most contractors find 20–40 gaps they didn't know they had.
Output: Gap report with each of the 110 controls mapped as "fully implemented," "partially implemented," or "not implemented," plus your SPRS score.
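The SPRS score in that output is computed with the DoD Assessment Methodology: start at 110 and subtract each unimplemented requirement's weight (5, 3 or 1). The following is an added example, not code from the article, that turns a gap report into that score and checks whether the remaining gaps could legally sit on a POA&M. Three methodology rules it encodes are real: a partially implemented requirement scores as not implemented, except 3.5.3 (MFA covering remote and privileged access but not general users) and 3.13.11 (encryption present but not FIPS-validated), which lose 3 points instead of 5; a requirement documented as not applicable counts as implemented; and 3.12.4 carries no points because without an SSP the assessment cannot proceed. The `WEIGHTS` table is a constructed subset you must complete from Annex A of the methodology, and the POA&M rule is my reading of the CMMC final rule (minimum score 88, only 1-point items, with 3.13.11 at partial credit as the carve-out), which you should confirm against 32 CFR 170.21 before relying on it.

```python
"""Added example: SPRS score and POA&M eligibility from a gap report.
Not from the original article. WEIGHTS is a constructed subset; complete it
from Annex A of the DoD Assessment Methodology before real use."""

MAX_SCORE = 110
# Constructed subset of requirement weights (assumed correct, verify against Annex A).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.2.1": 3, "3.2.2": 3, "3.2.3": 1,
    "3.3.1": 5, "3.5.3": 5, "3.11.2": 5, "3.13.11": 5, "3.14.2": 5,
}
# Only these two requirements have a partial-credit deduction.
PARTIAL = {"3.5.3": 3, "3.13.11": 3}
NOT_SCORED = {"3.12.4"}           # no SSP means no assessment, not a deduction
STATUSES = {"implemented", "partial", "not_implemented", "na"}
POAM_MIN_SCORE = 88               # 80% of 110, per the CMMC final rule


def score_gap_report(report):
    """report: {requirement_id: status}. Returns (score, deductions, blocker).
    score is None and blocker is set when the report cannot be scored."""
    if report.get("3.12.4") == "not_implemented":
        return None, {}, "3.12.4 not implemented: no SSP, assessment cannot be scored"
    deductions = {}
    for rid, status in report.items():
        if status not in STATUSES:
            raise ValueError(f"{rid}: unknown status {status!r}")
        if rid in NOT_SCORED or status in ("implemented", "na"):
            continue
        if rid not in WEIGHTS:
            raise KeyError(f"{rid} missing from WEIGHTS; complete the table from Annex A")
        # "partial" only earns reduced credit for 3.5.3 / 3.13.11; elsewhere it
        # is scored exactly like "not_implemented".
        if status == "partial":
            deductions[rid] = PARTIAL.get(rid, WEIGHTS[rid])
        else:
            deductions[rid] = WEIGHTS[rid]
    return MAX_SCORE - sum(deductions.values()), deductions, None


def poam_eligible(score, deductions):
    """Assumed reading of 32 CFR 170.21: score >= 88 and every open item is a
    1-point requirement, except 3.13.11 when it is at the 3-point partial level."""
    if score is None or score < POAM_MIN_SCORE:
        return False
    for rid, points in deductions.items():
        if points == 1:
            continue
        if rid == "3.13.11" and points == PARTIAL[rid]:
            continue
        return False
    return True


def summarize(report):
    """Convenience wrapper returning a dict suitable for a gap-report header."""
    score, deductions, blocker = score_gap_report(report)
    return {
        "score": score,
        "deductions": deductions,
        "poam_eligible": poam_eligible(score, deductions),
        "blocker": blocker,
    }


if __name__ == "__main__":
    # Constructed gap report for the demonstration.
    sample = {
        "3.1.1": "implemented", "3.1.2": "implemented", "3.2.1": "not_implemented",
        "3.2.3": "not_implemented", "3.5.3": "partial", "3.13.11": "partial",
        "3.11.2": "na", "3.14.2": "implemented", "3.12.4": "implemented",
    }
    print(summarize(sample))
```

In the constructed sample the four open items cost 3 + 1 + 3 + 3 points for a score of 100, which clears the 88 threshold, but 3.2.1 and 3.5.3 are not 1-point items, so the report is not POA&M-eligible as it stands; closing those two before the C3PAO visit changes the answer.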
Step 4: Build the Documentation Package (Weeks 8–16)
CMMC assessment methodology, drawn from NIST SP 800-171A, has three evaluation methods: examine, interview, and test. "Examine" means your assessors review documentation, records, and configurations. Without documentation, controls that are working technically can still be marked as not implemented.
The minimum documentation package:
- System Security Plan (SSP): The master document. Describes your CUI environment, system boundary, all in-scope components, and how each of the 110 controls is implemented. The SSP should reference specific tools, configurations, and procedures — not abstract statements like "we use encryption."
- Plan of Action & Milestones (POA&M): Lists every gap identified in your assessment, the planned remediation, responsible owner, and target completion date. The POA&M is a living document; it's not a sign of failure, it's a sign of an honest, managed program. Note that under the CMMC final rule a Level 2 certification can only be conditional on a POA&M if your score is at least 88 of 110 and the open items are limited to lower-weighted requirements, and the items must be closed within 180 days.
- Incident Response Plan: Documented procedures for detecting, containing, and reporting security incidents (IR.L2-3.6.1 and IR.L2-3.6.2). Must include the 72-hour DoD cyber incident reporting requirement from DFARS 252.204-7012, the 90-day preservation of affected system images that the same clause requires, and the mechanics of submitting to the DIBNet portal, which needs a DoD-approved medium assurance certificate obtained in advance.
- Configuration Management Plan: Documents your baseline configurations and the change control process.
- Access Control Policy: Documents who can access CUI systems, how access is granted and revoked, and the MFA requirement.
Plan 60–120 hours of writing and review time to build a credible SSP for a 50-person contractor. Pre-built templates from compliance platforms like Drata or Vanta accelerate this significantly, but templates require accurate customization — a generic SSP with placeholder text is worse than no SSP.
Step 5: Remediate Technical Gaps (Weeks 8–24, Parallel with Documentation)
Remediation runs in parallel with documentation, not after it. The highest-priority items:
Access control (AC.L2-3.1.1 and related): Every CUI system user must have an individual account, with no shared logins. MFA must be enforced for local and network access to privileged accounts and for network access to all other accounts (IA.L2-3.5.3), which in practice means every remote login and every admin session. If you're not running a centralized identity platform (Microsoft Entra ID, formerly Azure Active Directory, or Okta), start here. This is the most commonly assessed domain and the most common source of findings.
Encryption (SC.L2-3.13.8 and SC.L2-3.13.11): FIPS-validated encryption at rest and in transit. BitLocker with FIPS mode on Windows endpoints. TLS 1.2 minimum on all CUI-transmitting connections. Verify every cryptographic module against the NIST CMVP list — not all encryption is FIPS-validated, and assessors will check.
Audit logging (AU.L2-3.3.1 and AU.L2-3.3.8): Centralized log collection from all CUI systems with log integrity protection, so that logs cannot be altered or deleted by the accounts they record. Most small contractors implement this with a SIEM tool (Microsoft Sentinel, Splunk, or a managed SOC service) rather than building internal log infrastructure.
Malware protection (SI.L2-3.14.2): Endpoint protection with real-time scanning and automatic signature updates. Endpoint Detection and Response (EDR) tools like Microsoft Defender for Endpoint or CrowdStrike Falcon are the current standard — traditional antivirus alone is no longer sufficient.
Vulnerability management (RA.L2-3.11.2 and RA.L2-3.11.3): Regular scans on all CUI systems with tracked remediation. NIST 800-171 does not set a number of days; it requires remediation in accordance with your risk assessment, so your policy has to state the target. Critical findings affecting CUI systems should be remediated within 30 days, and the assessor will compare that written target against your scan history.
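Because the assessor checks the scan history against the policy target, it helps to produce the overdue list yourself on a schedule. The following is an added example, not code from the article or from Tenable or Qualys: it reads a constructed scan export (the columns are my own, not either vendor's CSV schema), applies a per-severity SLA, and lists open findings on in-scope systems that are past due as of a chosen date. The 30-day Critical target is the article's; the High and Medium values are assumed placeholders for your own policy, and Low findings deliberately have no SLA here.

```python
"""Added example: overdue vulnerability remediation report for CUI systems.
Not from the original article. Column names and the sample export are
constructed; the Critical SLA is the article's 30 days, the rest are assumed."""
import csv
import io
from datetime import date

SLA_DAYS = {"Critical": 30, "High": 60, "Medium": 90}   # High/Medium assumed

# Constructed export: one row per finding per host. An empty `resolved`
# column means the finding is still open.
SAMPLE_EXPORT = """host,in_cui_scope,plugin_id,severity,first_seen,resolved
eng-ws-01,yes,12345,Critical,2024-01-02,
eng-ws-02,yes,12346,High,2024-02-10,
fs-01,yes,12347,Critical,2024-02-20,2024-03-01
fs-01,yes,12349,Critical,2024-01-10,2024-03-20
mkt-ws-05,no,12345,Critical,2023-12-01,
eng-ws-01,yes,12348,Low,2023-11-01,
"""


def parse_export(text):
    """Parse the CSV into dicts with real date objects (None when unresolved)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": row["host"],
            "in_scope": row["in_cui_scope"].strip().lower() == "yes",
            "plugin_id": row["plugin_id"],
            "severity": row["severity"],
            "first_seen": date.fromisoformat(row["first_seen"]),
            "resolved": date.fromisoformat(row["resolved"]) if row["resolved"] else None,
        })
    return rows


def overdue_findings(rows, as_of, sla=SLA_DAYS):
    """Return open, in-scope findings whose age exceeds the SLA on `as_of`,
    sorted worst-first. A finding resolved after `as_of` was still open then."""
    result = []
    for r in rows:
        if not r["in_scope"] or r["severity"] not in sla:
            continue
        if r["resolved"] is not None and r["resolved"] <= as_of:
            continue
        age = (as_of - r["first_seen"]).days
        if age > sla[r["severity"]]:
            result.append({**r, "age_days": age, "days_overdue": age - sla[r["severity"]]})
    result.sort(key=lambda f: (-f["days_overdue"], f["host"]))
    return result


def overdue_by_host(rows, as_of, sla=SLA_DAYS):
    """Count of overdue findings per host, for the POA&M owner list."""
    counts = {}
    for f in overdue_findings(rows, as_of, sla):
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = parse_export(SAMPLE_EXPORT)
    for f in overdue_findings(findings, date(2024, 3, 15)):
        print(f"{f['host']:10} plugin {f['plugin_id']} {f['severity']:8} "
              f"age {f['age_days']}d, overdue by {f['days_overdue']}d")
```

As of 15 March 2024 the sample yields two overdue Criticals: the one on `eng-ws-01` opened on 2 January (73 days old, 43 past the SLA) and the one on `fs-01` that was closed on 20 March, which is still counted because it was open on the report date. The marketing workstation is skipped as out of scope, which is only safe if Step 2 really did put it outside the enclave.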
Step 6: Train Everyone Who Touches CUI Systems (Weeks 16–20)
Training must happen before your assessment and must be documented. AT.L2-3.2.1 requires security awareness training for all CUI system users, covering your security policies, CUI handling procedures, phishing recognition, and incident reporting. AT.L2-3.2.2 requires additional role-based training for anyone with elevated system access — administrators, ISSOs, anyone who can approve access.
The common mistake: loading employees into a generic security awareness platform and calling it done. Your training must address your specific CUI handling procedures. What counts as CUI at your company? Where is it stored? How do they report a suspected incident? Generic training platforms (KnowBe4, Proofpoint Security Awareness) work well, but you need to add a CUI-specific module covering your policies.
Keep training records: who completed training, on what date, which version of the training, and a signed or recorded acknowledgment. The assessor will ask for these records and will interview employees to verify they actually absorbed the material.
Annual training at minimum, with refreshers when policies change.
Step 7: Run a Pre-Assessment (Weeks 22–26)
Before engaging a C3PAO for your formal assessment, run a practice round. Have your RPO or internal security lead conduct a mock assessment using NIST 800-171A as the evaluation guide. Test each control using the same examine/interview/test methodology a C3PAO assessor will use.
This step reveals two categories of problems: controls that are implemented but not documented, and controls that are documented but not working. Both will generate findings on your formal assessment. A pre-assessment typically takes 1–2 weeks and costs $8,000–$20,000 if you hire an RPO.
Output: Remediated control list, updated SSP, closed POA&M items, and a team that has been interviewed about their security responsibilities and knows how to answer.
Common Mistake: Starting with Tools Instead of Scope
The most expensive implementation error is buying security technology before you've defined your scope and documented your baseline.
Contractors who skip steps 1 and 2 often buy enterprise-grade tools for systems that turn out to be out-of-scope, or implement technical controls that don't match what their SSP documents. When the assessor compares the SSP to the actual configuration, the discrepancies generate findings.
Security tools are step 5, not step 1. The sequence — find CUI, define scope, assess gaps, document, remediate, train — is the sequence because each step creates the inputs the next step requires.
What Your Assessor Expects
A C3PAO assessor arrives expecting a security program that runs because someone owns it, not because tools run automatically in the background. Specifically, they expect to:
- Review an SSP that describes your environment accurately and completely
- Find that your documented configurations match your actual configurations
- Interview employees at multiple levels — sysadmins, department managers, end users — and get consistent, confident answers about CUI handling
- See a POA&M with tracked open items, not a blank page (blank POA&Ms signal that nobody found any gaps, which assessors treat with skepticism)
- Verify that training records show all required personnel completed the curriculum
The implementation sequence described above produces exactly this outcome. Organizations that rush to their assessment without working through the sequence systematically end up with a formal finding list that mirrors the gap assessment they never ran in step 3.
---
Total timeline for a typical 50–100 person defense contractor: 12–18 months from kickoff to C3PAO assessment. The week ranges above are working estimates for each step; in practice remediation stretches, documentation cycles through several reviews, and C3PAO scheduling adds lead time. Compressed timelines (under 12 months) are possible but require dedicated internal resources or significant external support. Budget $50,000–$150,000 all-in for gap assessment, documentation, remediation, training, and C3PAO assessment fees, depending on current security maturity and environment complexity.
Prefer email? Reach us at ix@isegrim-x.com