All insights
AlignMicrosoft SecurityCompliance

CMMC level 2 for small defense suppliers: wall off your CUI instead of moving the whole company

When controlled data touches only a slice of your work, you can shrink CMMC Level 2 scope by walling CUI into a governed enclave instead of dragging the whole company in.

Wired CIOApril 22, 2026
The short version
  • CMMC Level 1 covers FCI with 17 self-attested practices, while Level 2 covers CUI with all 110 NIST SP 800-171 controls and a third-party C3PAO assessment.
  • For many small suppliers, controlled data touches just a small slice of the work, sometimes only a folder of part drawings.
  • Walling CUI into a separate governed SharePoint enclave, with the ERP linking rather than storing it, shrinks the entire audit scope.
  • A separate GCC High government-cloud tenant for only the users who handle CUI avoids migrating the whole company off the commercial tenant.
Bottom line: The most valuable CMMC Level 2 move happens before any controls work: shrinking how much of your business actually touches CUI.

In late April, a consultant leading an ERP search for a small defense-supply distributor said the quiet part out loud: "We don't really need to keep the controlled data in the ERP. We can keep it up in SharePoint and link to it." That one insight can save a small contractor an enormous amount of compliance pain.

CMMC, in two levels

If you do work for the Department of Defense, you're heading toward CMMC, the Cybersecurity Maturity Model Certification. The two levels most small suppliers care about are very different in effort:

  • Level 1 covers Federal Contract Information (FCI). It's 17 basic practices, and you can attest to it yourself.
  • Level 2 covers Controlled Unclassified Information (CUI). It requires all 110 controls from the NIST SP 800-171 standard, and for most contracts it's verified by an independent third-party assessor (a C3PAO), with certification good for three years.

That jump from "17 practices, self-attested" to "110 controls, audited" is steep. Which is why the most valuable move happens before any of it: deciding how much of your business actually touches CUI.

Scope the data before you scope the project

For a lot of small suppliers, controlled data touches a small slice of the work, sometimes just a folder of part drawings. If that's you, you do not have to drag your whole company, your ERP, and your email into the compliance boundary.

Shrink the Scope, Shrink the Audit

The pattern that saves small contractors the most: keep your ERP and everyday email "plain," and wall the CUI into a separate, governed SharePoint enclave that only the handful of people who need it can reach. The ERP can link to a controlled document without storing it. Shrinking what's in scope shrinks the entire audit.

Commercial versus government cloud

Many SMBs don't realize their Microsoft 365 tenant is the commercial one, which isn't built to hold CUI for Level 2. The common answer is a separate government-cloud tenant (GCC High) for just the users who handle controlled data, instead of migrating the whole company. Only those few people get the second, locked-down account.

What the pre-audit work involves

Getting Level 2 ready is a project: mapping your environment against the 800-171 controls, writing a System Security Plan (the document that says how you meet each one), and a Plan of Action and Milestones (the list of gaps and how you'll close them). Whether you can self-assess or need a third-party assessor depends on the contract, and that distinction has real cost implications.

If you're a small supplier staring down a CMMC requirement and dreading the scope, the first and most valuable conversation is about narrowing it. We're glad to help you figure out how small your compliance boundary can safely be. Let's talk it through.

Filed under
Compliance
Read more insights
Free strategy session

See where you stand. Then move forward.

Book a free intro call. We'll talk through where you are today and map a strategic plan for growth, protection, automation, and alignment.

A 30-minute discovery call, no obligationA full team of specialists at a fraction of in-house costA clear next step before you spend a dollar
Loading scheduler…