- CMMC Level 1 covers FCI with 17 self-attested practices, while Level 2 covers CUI with all 110 NIST SP 800-171 controls and a third-party C3PAO assessment.
- For many small suppliers, controlled data touches just a small slice of the work, sometimes only a folder of part drawings.
- Walling CUI into a separate governed SharePoint enclave, with the ERP linking rather than storing it, shrinks the entire audit scope.
- A separate GCC High government-cloud tenant for only the users who handle CUI avoids migrating the whole company off the commercial tenant.
In late April, a consultant leading an ERP search for a small defense-supply distributor said the quiet part out loud: "We don't really need to keep the controlled data in the ERP. We can keep it up in SharePoint and link to it." That one insight can save a small contractor an enormous amount of compliance pain.
CMMC, in two levels
If you do work for the Department of Defense, you're heading toward CMMC, the Cybersecurity Maturity Model Certification. The two levels most small suppliers care about are very different in effort:
- Level 1 covers Federal Contract Information (FCI). It's 17 basic practices, and you can attest to it yourself.
- Level 2 covers Controlled Unclassified Information (CUI). It requires all 110 controls from the NIST SP 800-171 standard, and for most contracts it's verified by an independent third-party assessor (a C3PAO), with certification good for three years.
That jump from "17 practices, self-attested" to "110 controls, audited" is steep. Which is why the most valuable move happens before any of it: deciding how much of your business actually touches CUI.
Scope the data before you scope the project
For a lot of small suppliers, controlled data touches a small slice of the work, sometimes just a folder of part drawings. If that's you, you do not have to drag your whole company, your ERP, and your email into the compliance boundary.
The pattern that saves small contractors the most: keep your ERP and everyday email "plain," and wall the CUI into a separate, governed SharePoint enclave that only the handful of people who need it can reach. The ERP can link to a controlled document without storing it. Shrinking what's in scope shrinks the entire audit.
Commercial versus government cloud
Many SMBs don't realize their Microsoft 365 tenant is the commercial one, which isn't built to hold CUI for Level 2. The common answer is a separate government-cloud tenant (GCC High) for just the users who handle controlled data, instead of migrating the whole company. Only those few people get the second, locked-down account.
What the pre-audit work involves
Getting Level 2 ready is a project: mapping your environment against the 800-171 controls, writing a System Security Plan (the document that says how you meet each one), and a Plan of Action and Milestones (the list of gaps and how you'll close them). Whether you can self-assess or need a third-party assessor depends on the contract, and that distinction has real cost implications.
If you're a small supplier staring down a CMMC requirement and dreading the scope, the first and most valuable conversation is about narrowing it. We're glad to help you figure out how small your compliance boundary can safely be. Let's talk it through.