CMMC 2.0 and Your AI Strategy
CMMC 2.0 is entering phased implementation. If AI touches your CUI, your AI strategy is now a compliance strategy. Here is how to align them.
Cabrillo Club
Editorial Team · November 26, 2025

The Convergence Point
Two forces are converging for defense contractors: the pressure to adopt AI for competitive advantage, and the pressure to comply with CMMC 2.0 for contract eligibility.
These aren't separate initiatives. Every AI tool that processes CUI falls under CMMC scope. Your AI strategy and your compliance strategy must be the same strategy.
Where AI Meets CMMC
Consider how AI typically interacts with controlled information:
- Proposal drafting - AI helping write responses to RFPs containing CUI
- Document search - AI querying across technical documents
- Email assistance - AI summarizing or drafting communications about controlled projects
- Code assistance - AI helping developers work on controlled systems
Each of these use cases puts CUI in contact with AI systems. Each requires the same controls you'd apply to any system processing CUI.
The Controls That Matter
Several CMMC controls have direct AI implications:
- AC.L2-3.1.3 - Control the flow of CUI in accordance with approved authorizations. AI that sends data to external services may violate this.
- AU.L2-3.3.1 - Create and retain system audit logs. AI interactions must be logged like any other system activity.
- SC.L2-3.13.1 - Monitor and control communications at external boundaries. AI API calls are external communications.
- IA.L2-3.5.3 - Use multifactor authentication. AI systems accessing CUI need proper authentication.
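As an added illustration (not Cabrillo Club's code), the sketch below shows how the four controls above could meet at a single egress check in front of AI API calls. The approved host name, the banner-marking regex, and the `AIRequest` and `evaluate` names are assumptions made for this example.

```python
import hashlib
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumptions for this example: the approved host and the banner-marking
# check are constructed; real scoping comes from your SSP and data labeling.
APPROVED_CUI_AI_HOSTS = {"ai.enclave.example.internal"}
CUI_BANNER = re.compile(r"\bCUI\b")

@dataclass
class AIRequest:
    user: str
    mfa_verified: bool
    url: str
    prompt: str

def evaluate(req: AIRequest, audit_log: list) -> tuple:
    """Decide whether an outbound AI call may proceed and log the decision."""
    host = (urlsplit(req.url).hostname or "").lower()
    has_cui = bool(CUI_BANNER.search(req.prompt))
    decision, control = "allow", None
    if has_cui and not req.mfa_verified:
        decision, control = "deny", "IA.L2-3.5.3"   # no MFA on the session
    elif has_cui and host not in APPROVED_CUI_AI_HOSTS:
        decision, control = "deny", "AC.L2-3.1.3"   # unapproved CUI flow
    # AU.L2-3.3.1 / SC.L2-3.13.1: every boundary crossing is recorded,
    # allowed or not. The prompt is hashed so the log holds no CUI itself.
    audit_log.append(json.dumps({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user,
        "dest_host": host,
        "cui_marked": has_cui,
        "decision": decision,
        "control": control,
        "prompt_sha256": hashlib.sha256(req.prompt.encode()).hexdigest(),
    }))
    return decision, control

if __name__ == "__main__":
    log = []
    # Constructed sample requests.
    for r in [
        AIRequest("alice", True, "https://api.public-ai.example/v1/chat", "CUI//SP-CTI wing spar tolerances"),
        AIRequest("bob", True, "https://ai.enclave.example.internal/v1/chat", "CUI draft proposal section 3"),
    ]:
        print(evaluate(r, log))
    print("\n".join(log))
```

Matching on a banner marking only catches labeled content, so a check like this complements data labeling and boundary controls rather than replacing them.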
The Consumer AI Problem
Consumer AI services—ChatGPT, Claude via web interface, Copilot—are not designed for CUI handling:


