Protecting CUI: Where to Focus
Where defense contractors should put their effort to protect Controlled Unclassified Information (CUI).
---
You have 110 controls to implement for CMMC Level 2. They're not all equal. Some control failures will end your assessment on day one. Others are minor documentation gaps you can close in an afternoon. Knowing which is which is the difference between an efficient implementation and an expensive treadmill.
Here's where to put your energy — ranked by how often gaps appear in assessments and how severe the consequences are.
Priority 1: Access Control
The Access Control (AC) domain has 22 requirements at CMMC Level 2. It's the largest single domain by control count, and it's where assessors spend the most time.
The controls that generate the most findings:
AC.L2-3.1.1 — Authorized user access. Every person accessing a CUI system must be individually identified and authenticated. Shared accounts fail this immediately. If your engineering team shares a "cad-workstation" login, that's a finding. Fix: individual accounts in Active Directory (or Azure AD / Entra ID), documented in your SSP.
IA.L2-3.5.3 — Multi-factor authentication. Required for all privileged access and all remote access to CUI systems. This is non-negotiable. The most common failure isn't that MFA doesn't exist — it's that it isn't enforced for everyone. Conditional Access policies in Azure AD with no exceptions are the right implementation. SMS-based MFA (text message codes) is technically acceptable but assessors will note it as a weakness; use authenticator apps or hardware tokens.
AC.L2-3.1.12 — Remote access controls. All remote connections to CUI systems must go through managed access points with monitored, encrypted channels. A VPN with FIPS-validated encryption is standard. Remote Desktop exposed directly to the internet without a VPN is an immediate finding.
AC.L2-3.1.3 and AC.L2-3.1.4 — Least privilege and separation of duties. Users get access only to the CUI they need. Admins have separate admin accounts from their regular user accounts. Review your access control lists before the assessment — you will find people with access they no longer need.
AC.L2-3.1.10 — Session lock. Automatic screen lock after 15 minutes of inactivity. This is enforced through Group Policy, not assumed. Assessors test it.
Getting all of the AC domain controls to "fully implemented" status takes 4–8 weeks of focused work for a typical small contractor. It's also the work that reduces your actual risk the most — access control failures are how most breaches start.
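The account review an assessor performs in the AC domain can be scripted ahead of the assessment so you find the stale, shared and mixed-use accounts before they do. The following is an added example, not code from the original article: it runs against on-premises Active Directory with the RSAT ActiveDirectory module and a session with directory read rights. The 90-day inactivity threshold and the `-adm` suffix for dedicated admin accounts are assumed policy conventions; replace them with whatever your SSP documents.

```powershell
# Added example (not from the original article): AC-domain account evidence
# from on-premises Active Directory. Assumes the RSAT ActiveDirectory module.
# 90 days and the "-adm" admin-account suffix are assumed policy conventions.
Import-Module ActiveDirectory

function Invoke-AccessControlReview {
    param(
        [int]$InactiveDays = 90,
        [string]$AdminSuffix = '-adm',
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    # Enabled accounts with no logon inside the window: the usual leftovers of an
    # offboarding process that never reached IT (AC.L2-3.1.1).
    $Stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName

    # Enabled accounts with no recorded logon at all; pre-created and shared
    # "workstation" logins often show up here.
    $NeverLoggedOn = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
        Where-Object { -not $_.LastLogonDate } |
        Select-Object SamAccountName, DistinguishedName

    # Members of privileged groups, resolved through nested groups.
    $Privileged = foreach ($Group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Group = $Group; SamAccountName = $_.SamAccountName } }
    }

    # Separation of admin and regular accounts: a privileged account that does not
    # follow the admin naming convention is very likely someone's everyday login.
    $MixedUse = $Privileged | Where-Object { $_.SamAccountName -notlike "*$AdminSuffix" }

    # Write the evidence set with a date stamp so the review itself is demonstrable.
    $Stamp = Get-Date -Format 'yyyy-MM-dd'
    $Stale         | Export-Csv ".\AC-stale-accounts-$Stamp.csv"     -NoTypeInformation
    $NeverLoggedOn | Export-Csv ".\AC-never-logged-on-$Stamp.csv"    -NoTypeInformation
    $Privileged    | Export-Csv ".\AC-privileged-members-$Stamp.csv" -NoTypeInformation

    [pscustomobject]@{
        ReviewedOn                   = $Stamp
        StaleEnabledAccounts         = @($Stale).Count
        NeverLoggedOn                = @($NeverLoggedOn).Count
        PrivilegedAccounts           = @($Privileged).Count
        PrivilegedWithoutAdminNaming = @($MixedUse).Count
        ActionRequired               = (@($Stale).Count + @($MixedUse).Count) -gt 0
    }
}

Invoke-AccessControlReview | Format-List
```

Run it monthly and keep the dated CSVs: the files are the evidence that access reviews actually happen, and the `ActionRequired` flag tells you whether there is anything to disable before the assessor pulls the same list.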
Priority 2: Encryption
Encryption-related controls fall primarily in the System and Communications Protection (SC) domain, and they have a specific trap that catches most contractors.
SC.L2-3.13.8 — Encryption at rest. Full disk encryption on all CUI systems. On Windows, BitLocker with FIPS mode enabled (set through the Group Policy setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"). On macOS, FileVault on a Mac with an Apple T2 or Apple Silicon chip. On cloud storage, FIPS-validated encryption from your cloud provider.
SC.L2-3.13.11 — Encryption in transit. TLS 1.2 or higher with FIPS-validated cipher suites on all connections carrying CUI. TLS 1.0 and 1.1 must be disabled. Your VPN client and server must use FIPS-validated algorithms.
The common mistake: Assuming encryption is covered because it's enabled. Most Windows workstations have BitLocker turned on, but "BitLocker enabled" is not the same as "FIPS-validated encryption implemented." FIPS mode must be explicitly configured, and you must be able to produce the validation certificate number from the NIST Cryptographic Module Validation Program (CMVP) list for each cryptographic module protecting CUI.
Assessors will ask: "How do you know your encryption is FIPS-validated?" You need a documented answer that points to the CMVP list, not "because BitLocker is on."
Encryption compliance is typically a 2–4 week remediation item if you're starting from a reasonably modern Windows environment. The harder work is documenting the validation evidence.
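The evidence behind "how do you know your encryption is FIPS-validated?" can be collected from each Windows CUI system rather than asserted. The following is an added example, not code from the original article: run in an elevated PowerShell session, it records whether FIPS mode is on, the BitLocker state and method of every volume, and whether TLS 1.0 and 1.1 are explicitly disabled for the client and server roles. `Get-BitLockerVolume` comes from the BitLocker module that ships with Windows 10/11 and the BitLocker server feature. The CMVP certificate number itself is not on the machine; you look it up for your Windows build on the NIST CMVP list and file it alongside this output.

```powershell
# Added example (not from the original article): encryption evidence from a
# Windows CUI system. Run elevated; needs the BitLocker PowerShell module.
function Get-EncryptionEvidence {
    # The Group Policy setting named in the article writes this value; 1 = FIPS mode on.
    $Fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                             -Name Enabled -ErrorAction SilentlyContinue
    $FipsOn = ($null -ne $Fips -and $Fips.Enabled -eq 1)

    # "BitLocker enabled" is not the evidence; record method and protection state per volume.
    $Volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus       # FullyEncrypted is the goal
            ProtectionStatus = $_.ProtectionStatus   # On; a suspended volume reports Off
            EncryptionMethod = $_.EncryptionMethod   # e.g. XtsAes256
            KeyProtectors    = ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ','
        }
    }

    # TLS 1.0 and 1.1 must be disabled for both roles. Only an explicit Enabled=0 plus
    # DisabledByDefault=1 counts as evidence; a missing key means "whatever the OS
    # default happens to be", which is not a configured control.
    $Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $LegacyTls = foreach ($Proto in 'TLS 1.0', 'TLS 1.1') {
        foreach ($Role in 'Client', 'Server') {
            $Vals = Get-ItemProperty -Path (Join-Path $Schannel "$Proto\$Role") -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol           = $Proto
                Role               = $Role
                ExplicitlyDisabled = ($null -ne $Vals -and $Vals.Enabled -eq 0 -and $Vals.DisabledByDefault -eq 1)
            }
        }
    }

    $Unprotected = @($Volumes   | Where-Object { $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted' })
    $TlsGaps     = @($LegacyTls | Where-Object { -not $_.ExplicitlyDisabled })
    $TlsGapNames = $TlsGaps | ForEach-Object { "$($_.Protocol)/$($_.Role)" }

    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        CollectedOn     = Get-Date
        FipsModeEnabled = $FipsOn
        Volumes         = $Volumes
        LegacyTls       = $LegacyTls
        Findings        = @(
            if (-not $FipsOn)       { 'FIPS algorithm policy not enabled' }
            if ($Unprotected.Count) { "BitLocker not fully protecting: $($Unprotected.MountPoint -join ', ')" }
            if ($TlsGaps.Count)     { "Legacy TLS not explicitly disabled: $($TlsGapNames -join ', ')" }
        )
    }
}

$Evidence = Get-EncryptionEvidence
$Evidence | ConvertTo-Json -Depth 4 | Set-Content ".\encryption-evidence-$($Evidence.Host).json"
$Evidence.Findings
```

An empty `Findings` list plus the filed CMVP certificate number is the documented answer the article calls for; a non-empty list is your remediation backlog for the 2–4 week window.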
Priority 3: Audit Logging
AU.L2-3.3.1 and AU.L2-3.3.2 — Audit record creation and retention. Every CUI system must generate audit logs covering logon events, account management, privilege use, policy changes, and system events. Logs must be retained long enough to support incident investigation — 90 days online, 1 year archived is a common policy.
The gap here isn't usually that logging doesn't exist — Windows Event Logs run by default. The gaps are:
- Logs aren't centralized. Logs living only on the endpoint can be wiped if the endpoint is compromised. Centralized SIEM or log management is the requirement.
- Logs aren't reviewed. Having logs you never look at is technically compliant with the creation requirement but fails the review requirement (AU.L2-3.3.2 requires regular review of audit logs). Assessors will ask who reviews logs, how often, and what they look for.
- Log retention is undefined. Your policy should specify retention periods, and your actual log infrastructure should enforce them.
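The three gaps above come down to one question the assessor will ask: can you show a named person reviewed specific logs on a specific date and what they checked? The following is an added example, not code from the original article: a scripted review for a Windows CUI system that checks the live audit policy with `auditpol`, compares configured retention with the oldest record actually present, counts the event categories the creation requirement names, and writes a dated review record. The Event IDs are standard Windows Security log IDs; the 7-day window and the reviewer placeholder are values your policy sets.

```powershell
# Added example (not from the original article): a recorded audit log review on a
# Windows CUI system. Event IDs are standard Security log IDs; window and reviewer
# are policy values (placeholder reviewer shown).
function Invoke-AuditLogReview {
    param(
        [int]$Days = 7,
        [string]$Reviewer = 'REVIEWER-NAME-PLACEHOLDER',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $Since = (Get-Date).AddDays(-$Days)

    # Does the system audit what the SSP says it audits? auditpol /r emits CSV with
    # every subcategory and its current inclusion setting.
    $Policy = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
    $NotAudited = $Policy | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        ForEach-Object Subcategory

    # Is retention enforced or only written down? Compare the configured log size and
    # the oldest record still on the host against the documented online window.
    $SecLog = Get-WinEvent -ListLog Security -ComputerName $ComputerName
    $Oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ComputerName $ComputerName

    # Event categories the creation requirement names, mapped to Security log IDs.
    $Categories = [ordered]@{
        'Successful logon'            = 4624
        'Failed logon'                = 4625
        'Account created'             = 4720
        'Account enabled'             = 4722
        'Account deleted'             = 4726
        'Added to a privileged group' = 4728, 4732, 4756
        'Special privileges assigned' = 4672
        'Audit policy changed'        = 4719
        'Audit log cleared'           = 1102
    }
    $Summary = foreach ($Name in $Categories.Keys) {
        $Events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = @($Categories[$Name]); StartTime = $Since
        }
        [pscustomobject]@{ Category = $Name; EventIds = (@($Categories[$Name]) -join ','); Count = @($Events).Count }
    }

    # These two categories are never routine; a named person looks at each occurrence.
    $FollowUp = $Summary | Where-Object {
        ($_.Category -in @('Audit policy changed', 'Audit log cleared')) -and $_.Count -gt 0
    }

    $Record = [pscustomobject]@{
        Reviewer                = $Reviewer
        ReviewedOn              = Get-Date
        Computer                = $ComputerName
        WindowStart             = $Since
        SecurityLogMaxMB        = [math]::Round($SecLog.MaximumSizeInBytes / 1MB)
        OldestRecordOnHost      = $Oldest.TimeCreated
        SubcategoriesNotAudited = @($NotAudited)
        EventSummary            = $Summary
        RequiresFollowUp        = @($FollowUp).Count -gt 0
    }
    $Record | ConvertTo-Json -Depth 4 |
        Set-Content ".\log-review-$ComputerName-$(Get-Date -Format yyyyMMdd).json"
    $Record
}

Invoke-AuditLogReview -Days 7 | Select-Object Reviewer, Computer, OldestRecordOnHost, RequiresFollowUp
```

On a host where the Security log wraps after a few days, `OldestRecordOnHost` will be far more recent than your documented 90-day online retention; that gap is exactly why the article says logs must be centralized rather than left on the endpoint.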
Decision point: Do you run an internal SIEM or use a managed SOC?
For most contractors under 200 employees, a managed Security Operations Center (SOC) service is more practical than an internal SIEM. Managed SIEM/SOC services from providers like Perch Security, Arctic Wolf, or Blumira run $3,000–$8,000/month depending on log volume and coverage. That includes the infrastructure, the monitoring, and a human analyst reviewing alerts — all of which you'd need to staff and fund internally with a DIY SIEM.
If you're using Microsoft 365 GCC High, Microsoft Sentinel integrates natively and handles much of the log collection automatically. Pricing is consumption-based but typically $1,000–$3,000/month for a typical small contractor's log volume.
Priority 4: Vulnerability Management
RA.L2-3.11.2 — Vulnerability scanning. You must scan CUI systems for vulnerabilities regularly and remediate findings on a documented timeline. The common policy: scan monthly, remediate critical findings within 30 days, high findings within 90 days.
Vulnerability scanning tools: Tenable Nessus Professional ($3,390/year for 16 IP addresses) or Qualys VMDR. For Microsoft Azure environments, Microsoft Defender for Cloud includes vulnerability assessment at no additional cost.
The gap that surprises contractors: scanning isn't enough. You need to track findings, document remediation, and show evidence that vulnerabilities were actually closed. An assessor who sees your scan reports will also look for evidence that the findings from three months ago were actually patched, not just acknowledged.
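Tracking findings against the remediation timeline is a data problem, not a scanner feature. The following is an added example, not code from the original article: it takes findings in a small column layout this script assumes (map your Nessus, Qualys or Defender export onto those columns), applies the 30-day critical and 90-day high timelines from the policy above, and separates "closed within SLA", "closed late", "overdue" and "risk accepted" so you can show the assessor what happened to last quarter's findings. The findings and the report date are constructed sample data.

```powershell
# Added example (not from the original article): remediation-SLA tracking over
# scanner findings. Sample rows and the report date are constructed; the column
# layout (PluginId,Host,Severity,FirstSeen,LastSeen,Status) is an assumption.
$Sla  = @{ Critical = 30; High = 90 }   # days, from the documented policy
$AsOf = [datetime]'2025-06-30'          # constructed report date

$Findings = @'
PluginId,Host,Severity,FirstSeen,LastSeen,Status
100001,cad-ws-01,Critical,2025-05-01,2025-05-20,Closed
100002,cad-ws-01,High,2025-03-01,2025-06-28,Open
100003,file-srv-01,Critical,2025-05-25,2025-06-28,Open
100004,file-srv-01,Medium,2025-04-10,2025-06-28,Open
100005,eng-ws-07,Critical,2025-04-15,2025-05-02,Risk Accepted
'@ | ConvertFrom-Csv

function Get-RemediationStatus {
    param($Findings, $Sla, [datetime]$AsOf)
    foreach ($f in $Findings) {
        $FirstSeen = [datetime]$f.FirstSeen
        # Deadline is counted from first detection, not from when someone read the report.
        $Deadline  = if ($Sla.ContainsKey($f.Severity)) { $FirstSeen.AddDays($Sla[$f.Severity]) } else { $null }
        # A finding is closed on the last scan in which it was still seen.
        $ClosedOn  = if ($f.Status -eq 'Closed') { [datetime]$f.LastSeen } else { $null }

        $State = switch ($true) {
            ($null -eq $Deadline)                    { 'No SLA (track only)'; break }
            ($ClosedOn -and $ClosedOn -le $Deadline) { 'Closed within SLA'; break }
            ($null -ne $ClosedOn)                    { 'Closed late'; break }
            ($f.Status -eq 'Risk Accepted')          { 'Risk accepted (needs signed deviation)'; break }
            ($AsOf -gt $Deadline)                    { 'OVERDUE'; break }
            default                                  { 'Open within SLA' }
        }

        [pscustomobject]@{
            PluginId  = $f.PluginId
            Host      = $f.Host
            Severity  = $f.Severity
            FirstSeen = $FirstSeen.ToString('yyyy-MM-dd')
            Deadline  = if ($Deadline) { $Deadline.ToString('yyyy-MM-dd') } else { '' }
            Status    = $f.Status
            SlaState  = $State
        }
    }
}

$Results = Get-RemediationStatus -Findings $Findings -Sla $Sla -AsOf $AsOf
$Results | Format-Table -AutoSize

# The two lists the assessor asks for: what is late, and what was quietly accepted.
$Results | Where-Object SlaState -eq 'OVERDUE' |
    Export-Csv ".\overdue-findings-$($AsOf.ToString('yyyyMMdd')).csv" -NoTypeInformation
$Results | Where-Object SlaState -like 'Risk accepted*'
```

With the sample rows, 100001 closes inside its 30-day window, 100002 and 100003 are overdue at the report date, 100004 has no SLA and is tracked only, and 100005 needs a signed risk-acceptance record before it can be shown as anything other than an open critical.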
Priority 5: Configuration Management
CM.L2-3.4.1 — Baseline configurations. Every system type in your CUI environment needs a documented, approved baseline configuration — and your actual systems must match it.
The practical implementation: use CIS Benchmarks or DISA STIGs as your baseline, document which benchmark you're following, apply it consistently across similar systems, and use a configuration management tool (Microsoft Endpoint Manager / Intune, or a third-party MDM) to enforce it.
CM.L2-3.4.6 — Least functionality. Disable services, ports, and protocols that aren't required on CUI systems. Default Windows installations run dozens of services that aren't needed in most environments. A hardened baseline turns them off.
Configuration management findings are almost always documentation problems: the configuration is correct but nothing proves it was intentional or reviewed. Maintain change records showing that baseline configurations were approved and that deviations require an approved change.
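Proving that the configuration is intentional means checking the live system against the written baseline and recording the result, with approved deviations tied to a change record. The following is an added example, not code from the original article: it compares a handful of baseline items (registry values and service start types) against a Windows CUI system and reports matches, approved deviations and drift. The items are illustrative stand-ins for the CIS Benchmark or DISA STIG entries your SSP names, and the baseline and change-ticket references are placeholders. Run it elevated.

```powershell
# Added example (not from the original article): baseline-vs-actual drift check
# on a Windows CUI system. Baseline items are illustrative; the baseline document
# id and change ticket are placeholders. Run elevated.
$BaselineRef = 'BASELINE-DOCUMENT-ID-PLACEHOLDER'

$Baseline = @(
    # Session lock: "Interactive logon: Machine inactivity limit", 15 minutes or less.
    @{ Id='SL-01'; Type='Registry'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name='InactivityTimeoutSecs'; Expect={ param($v) $v -ge 1 -and $v -le 900 }; Describe='Session lock within 15 minutes' }
    # Least functionality: legacy protocol off.
    @{ Id='LF-01'; Type='Registry'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name='SMB1'; Expect={ param($v) $v -eq 0 }; Describe='SMBv1 server disabled' }
    # Least functionality: services a CUI workstation does not need are disabled, not merely stopped.
    @{ Id='LF-02'; Type='Service'; Name='RemoteRegistry'; Expect={ param($v) $v -eq 'Disabled' }; Describe='Remote Registry disabled' }
    @{ Id='LF-03'; Type='Service'; Name='SSDPSRV';        Expect={ param($v) $v -eq 'Disabled' }; Describe='SSDP Discovery disabled' }
    @{ Id='LF-04'; Type='Service'; Name='XblAuthManager'; Expect={ param($v) $v -eq 'Disabled' }; Describe='Xbox Live Auth Manager disabled' }
)

# Deviations approved through change control; each carries the ticket the assessor
# can be shown. Constructed entry for illustration.
$ApprovedDeviations = @{
    'LF-01' = 'CHG-PLACEHOLDER-0001: legacy scanner needs SMBv1 until its replacement is deployed'
}

function Test-Baseline {
    param($Baseline, $ApprovedDeviations, $BaselineRef)
    foreach ($Item in $Baseline) {
        $Actual = switch ($Item.Type) {
            'Registry' { (Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue).($Item.Name) }
            'Service'  { (Get-Service -Name $Item.Name -ErrorAction SilentlyContinue).StartType }
        }
        # A value that is not set at all is drift: the baseline is assumed, not enforced.
        $Compliant = ($null -ne $Actual) -and [bool](& $Item.Expect $Actual)
        $Status    = if ($Compliant) { 'Matches baseline' }
                     elseif ($ApprovedDeviations.ContainsKey($Item.Id)) { "Approved deviation ($($ApprovedDeviations[$Item.Id]))" }
                     else { 'DRIFT' }

        [pscustomobject]@{
            Baseline = $BaselineRef
            Id       = $Item.Id
            Control  = $Item.Describe
            Setting  = if ($Item.Type -eq 'Registry') { "$($Item.Path)\$($Item.Name)" } else { "Service: $($Item.Name)" }
            Actual   = if ($null -eq $Actual) { '<not set>' } else { "$Actual" }
            Status   = $Status
        }
    }
}

$Results = Test-Baseline -Baseline $Baseline -ApprovedDeviations $ApprovedDeviations -BaselineRef $BaselineRef
$Results | Format-Table Id, Control, Actual, Status -AutoSize

# Evidence: the full time-stamped comparison, plus the drift list to action through change control.
$Stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$Results | Export-Csv ".\baseline-check-$env:COMPUTERNAME-$Stamp.csv" -NoTypeInformation
$Results | Where-Object Status -eq 'DRIFT'
```

Run from your configuration management tool on a schedule, the dated CSVs are the review record the article says is usually missing, and the `DRIFT` rows are the items that need either a fix or an approved deviation before the assessor compares the baseline against a live system.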
Where Most Contractors Fall Short
Across CMMC assessments, the four most common categories of findings are:
1. Undocumented controls. The control works — the technical implementation is correct — but the SSP doesn't describe it accurately. The assessor can't give credit for a working control if the documentation claims something different.
2. MFA exceptions. MFA is configured but there are carve-outs: service accounts, certain users, certain applications. Every exception is a gap.
3. Encryption validation. Encryption exists but can't be traced to a FIPS-validated module.
4. Access not removed after separation. The HR-to-IT offboarding process has no teeth. Former employees retain system access for days or weeks after separation. This violates AC.L2-3.1.1 (only authorized users should have access) and will be discovered when the assessor reviews your user account list.
What Your Assessor Expects
When your C3PAO assessor evaluates CUI protection, they're not just checking a list. They're forming a view of whether your organization actually runs these controls or just documented them.
In the Access Control domain: They will pull your user account list and look for inactive accounts, shared accounts, and accounts belonging to former employees. They will attempt to access a CUI system from a remote connection without MFA and see what happens. They'll verify session lock settings through Group Policy review.
On encryption: They'll ask for the CMVP validation certificate numbers for every cryptographic module protecting CUI. "We use BitLocker" is not a sufficient answer.
On logging: They'll request a sample of audit logs and ask who reviewed them recently. If you can't produce a named person who conducts regular log reviews, that's a gap.
On configuration management: They'll compare your documented baseline against an actual system configuration. Configuration drift — where systems don't match the documented baseline — is one of the most reliable indicators that your program runs on paper rather than in practice.
Focus your preparation on making these controls demonstrable, not just describable. Working controls with evidence always beat theoretical compliance.
---
The practical priority order for a contractor starting from scratch: Get identity management and MFA right first (4–8 weeks). Then encryption with validated documentation. Then centralized logging. Then vulnerability scanning with tracked remediation. Then configuration baselines. The rest of the 110 controls fill in around this core — but if these five areas aren't solid, the rest doesn't matter.