AI adoption under CMMC 2.0: What defense contractors need to know about CUI compliance

Learn how new CMMC 2.0 updates impact AI adoption for defense contractors. Find strategies for how to protect CUI, stay compliant, and balance innovation with cybersecurity requirements.

Editor's Note: This article originally appeared in the September 2025 print edition of Defense and Munitions under the headline “What AI adoption means for defense contract manufacturers under CMMC 2.0.”


It’s hard to go anywhere without seeing a debate about artificial intelligence (AI) and its uses. Individuals as well as companies feel the need to understand and apply AI technologies. Many defense contractors are interested in using AI to enhance productivity, support predictive maintenance, assist with quality assurance, and more.

The desire to use AI throughout the company may conflict with compliance, especially compliance with Cybersecurity Maturity Model Certification (CMMC). Companies must balance the desire to apply AI technologies with the need to comply with cybersecurity requirements.

CMMC and AI

CMMC focuses on the protection of Controlled Unclassified Information (CUI). A CMMC level 2 certification requires organizations to meet all 110 controls of NIST SP 800-171r2.

Using AI isn’t specifically called out in the CMMC program, but 32 CFR part 170 mandates that any cloud service provider (CSP) used to process, store, or transmit CUI must be FedRAMP authorized or FedRAMP Moderate equivalent. Cloud-hosted AI platforms are CSPs in this sense.

According to the GAO report GAO-22-105834 on AI, the Department of Defense (DOD) currently has eight AI strategy implementation documents. Every one of them cites data protection as a critical element. The DOD is pursuing closed AI solutions for military use but hasn’t made such systems available to the Defense Industrial Base (DIB).

Examples of how AI can create a risky environment for CUI:

Cloud-based AI Tools

  • Many AI apps rely on public cloud infrastructure
  • Most of these are not FedRAMP authorized or equivalent, meaning they don’t meet DOD security baseline requirements.
  • Uploading CUI into these systems may be a direct violation of the Defense Federal Acquisition Regulation Supplement (DFARS), contractual requirements, and/or CMMC rules.

Data exfiltration & telemetry

  • Most AI tools transmit metadata, logs, and usage data for model improvement, sometimes without explicit user awareness. This creates problems because manufacturers must verify where data is stored, how it’s encrypted, and who can access it.

Supply chain risks

  • If you use AI to coordinate with suppliers, the entire communication path (including application programming interfaces or collaborative platforms) must meet CMMC requirements.
  • Including small suppliers who aren’t prepared to handle CUI can create vulnerabilities in your compliance posture.

Next steps

Before using AI, organizations should:

Perform an AI risk assessment

  • Identify all AI tools used or considered.
  • Map their data flows.
  • Evaluate compliance with NIST 800-171 requirements (e.g., access control, audit, encryption, and system boundary protections).

Segregate AI-enabled environments

  • Prevent CUI from crossing into unapproved systems.
  • Create isolated, CMMC-compliant enclaves for sensitive data operations and only allow CUI-compliant AI tools to use those enclaves.
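The two steps above (inventorying AI tools and mapping their data flows, then enforcing the boundary between the CUI enclave and unapproved systems) can be started from data most organizations already have: the web-proxy or egress logs. The script below is an added example, not code from the article or from Smithers. It parses constructed proxy log lines, builds an inventory of which AI hosts are in use and how much data each receives, and flags traffic from an assumed CUI enclave address range to AI services that are not on an assumed approved list. The hostnames, the enclave range, and the log format are all constructed for the example; a real deployment would use the organization's own approved-vendor list and proxy log format.

```python
"""
Inventory AI-tool usage and flag CUI-enclave traffic to unapproved AI services,
working from web-proxy log lines.  Every log line, hostname and address range
in this file is constructed for the example (assumption, not real data).
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "timestamp src_ip method url status bytes_out"
SAMPLE_PROXY_LOG = """\
2025-09-02T09:14:03Z 10.50.1.21 POST https://approved-ai.example/v1/chat 200 18432
2025-09-02T09:15:11Z 10.50.1.21 POST https://public-chatbot.example/api/upload 200 2097152
2025-09-02T09:16:40Z 10.20.4.7 GET https://public-chatbot.example/ 200 512
2025-09-02T09:17:02Z 10.50.1.35 POST https://docs-summarizer.example/ingest 200 734003
2025-09-02T09:18:55Z 10.20.4.9 POST https://approved-ai.example/v1/chat 200 4096
2025-09-02T09:19:30Z 10.50.1.35 GET https://www.example.org/news 200 9001
2025-09-02T09:20:12Z 10.50.1.40 GET https://public-chatbot.example/ 200 640
"""

# Address range of the CUI enclave (assumed for the example).
CUI_ENCLAVE = ipaddress.ip_network("10.50.1.0/24")

# AI hosts the organization has vetted as FedRAMP authorized / equivalent (assumed).
APPROVED_AI_HOSTS = {"approved-ai.example"}

# All AI hosts known from the risk-assessment inventory (assumed).
KNOWN_AI_HOSTS = {"approved-ai.example", "public-chatbot.example", "docs-summarizer.example"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_ip: str
    host: str
    method: str
    bytes_out: int
    reason: str


def host_of(url: str) -> str:
    """Extract the lower-cased hostname from a URL (drops scheme, port and path)."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def inventory_ai_tools(log_text: str) -> dict:
    """Risk-assessment step: which AI hosts are in use, from which sources, with how much data sent."""
    usage = defaultdict(lambda: {"sources": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        if host in KNOWN_AI_HOSTS:
            usage[host]["sources"].add(rec["src"])
            usage[host]["bytes_out"] += int(rec["bytes"])
    return dict(usage)


def enclave_violations(log_text: str, upload_threshold: int = 1024) -> list:
    """Segregation step: flag CUI-enclave sources talking to AI hosts outside the approved list.

    A POST at or above upload_threshold bytes is reported as a possible CUI upload;
    any other contact with an unapproved AI host is reported as plain unapproved use.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec["src"]) not in CUI_ENCLAVE:
            continue
        host = host_of(rec["url"])
        if host in KNOWN_AI_HOSTS and host not in APPROVED_AI_HOSTS:
            sent = int(rec["bytes"])
            reason = "unapproved AI service"
            if rec["method"] == "POST" and sent >= upload_threshold:
                reason = "possible CUI upload to unapproved AI service"
            findings.append(Finding(rec["ts"], rec["src"], host, rec["method"], sent, reason))
    return findings


if __name__ == "__main__":
    for host, info in sorted(inventory_ai_tools(SAMPLE_PROXY_LOG).items()):
        status = "approved" if host in APPROVED_AI_HOSTS else "NOT approved"
        print(f"{host:28} {status:13} sources={sorted(info['sources'])} bytes_out={info['bytes_out']}")
    for f in enclave_violations(SAMPLE_PROXY_LOG):
        print(f"{f.timestamp} {f.src_ip} -> {f.host} ({f.method}, {f.bytes_out} B): {f.reason}")
```

The inventory output feeds the data-flow map and the SSP; the violation list is what a proxy or DLP rule would block once the enclave boundary is enforced. Real proxy logs carry more fields and a different layout, so `LOG_RE` would need adjusting, and the approved list should be maintained from the vendor review described below rather than hard-coded.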

Know how your vendor is using and protecting your data

  • Be sure you understand:
    • Where is data stored?
    • Who owns model outputs?
    • Are logs retained?
    • Are systems FedRAMP or DOD IL-4/5 compliant?

Ensure your System Security Plan (SSP) remains up to date

  • If AI is a strategic initiative, it must be documented in your SSP.

Bottom Line:

While AI is certainly a topic to consider and learn more about, DIB contractors must approach using AI with caution, and protecting DOD CUI must always remain the priority.

What questions can I help you answer about your cyber environment and AI tools? As always, I’m happy to help.

https://calendly.com/robert-mcvay/defense-munitions-meeting-15-min

Smithers
https://www.smithers.com

About the author: Robert McVay is a senior consultant for information security services in Smithers Quality Assessments Division.
