Insights

CUI Is Everywhere. So Is Your Compliance Perimeter.

Written by James Reid | Jul 15, 2026 11:00:00 AM

If you’re a defense electronics manufacturer, starting November 10, 2026, CMMC Level 2 shifts from a framework to prepare for tomorrow to a requirement you have to meet today. If your contracts touch Controlled Unclassified Information (CUI), your ability to win and keep defense business may depend on demonstrating compliance.

Before you worry about Level 2’s 110 controls, answer this simple question: Where does your CUI live?

Putting the Tracing Exercise to Work

The best way to find out is also pretty simple: trace a single file and see where it takes you. The goal is to reveal all the data, systems, and workflows inside your compliance perimeter that you won’t see otherwise.

Here’s an example right from a defense electronics manufacturer:

  • 7:42 a.m. The file is born. The senior engineer opens a job packet from a prime contractor. Inside is a spec sheet containing design requirements, tolerances, config details, and test parameters. She saves it to the same project folder her team has used for years. The CUI journey through your organization has begun.
  • 8:15 a.m. The file gets forwarded. She needs pricing from suppliers, so she emails it to approved vendors. Whether those emails are encrypted or whether the vendors have adequate security controls is anyone’s guess. Multiple copies of the CUI have now left the company.
  • 9:30 a.m. It gets printed. A manufacturing technician prints it for use on the production floor. At the end of the shift, the printout goes into a recycling bin. Physical CUI is now outside the company.
  • 11:00 a.m. It gets uploaded. A revised version is too large for email, so it’s uploaded to a file-sharing account someone set up years ago for convenience. The account isn’t connected identity management, lacks audit logging, and operates outside formal security controls.
  • 2:45 p.m. It gets renamed and forgotten.
    An employee downloads the wrong version of the spec and spends hours working from outdated information. The corrected file is saved, but the employee doesn’t delete the old one. Now there are multiple versions of CUI on the network, all accessible to anyone with access to the folder.
  • 4:30 pm. The file goes home.
    A remote employee takes the file home on a personal laptop to finish a calculation. The device shares a home network with gaming consoles, a smart TV, and other personal devices. Nobody asked him to do this. Nobody told him not to.

Sounds like a horror story, but it was just another Tuesday.

If the scenario sounds familiar, you’re not alone. And your team is not to blame. They’re just doing their jobs like they always did. That’s why CMMC Level 2 is a game changer, and why the second of 14 control families of Level 2’s 110 is Awareness and Training.

The Firewall Isn’t the Compliance Boundary

A common mistake defense contractors make is thinking of CMMC compliance as another IT project. Whie it’s tempting to think that once you configure the firewall and deploy endpoint protection, you’re done.

But that’s not what CMMC Level 2 evaluates.

Assessors will look beyond your security tools for clear evidence that your organization has a documented, repeatable process for protecting CUI.1 You have to show them a System Security Plan (SSP) explaining how you’re implementing controls, a Plan of Action and Milestones (POA&M) for tracking and closing gaps, documented access controls, configuration management procedures, incident response plans, and training records that prove employees understand their responsibilities.

Building a CUI Enclave

The good news about CMMC Level 2 compliance is that your organization may not all need to be secured at the same time. Secure enclaves are dedicated environments with controlled boundaries, You can permit access to this dedicated area only to the users, systems, and applications that need to touch CUI. 2 This helps reduce compliance costs and operational complexity.

The first step is understanding where your CUI lives and how it moves through the business. That means mapping your environment by understanding:

  • Where does CUI enter our environment?
  • Where does it live?
  • Who can access to it?
  • Where does it go when it leaves?
  • What happens to it at end of life?

Know Where You Stand Before Certification

NexusTek's CMMC 2.0 Readiness Assessment is built for exactly this challenge.

Since we’re not certified CMMC assessor, we don’t perform the certification assessment itself. Instead, we help organizations prepare for Level 2 assessment, evaluating the environment against the 110 security requirements in NIST SP 800-171.

Once your SPRS baseline is established, we work with you to identify gaps and build a prioritized remediation roadmap. For a clear picture of where you stand today and what needs attention, start with a free CMMC 2.0 Readiness Assessment https://www.nexustek.com/cmmc-2-0-compliance-services.

Sources:

1. DefenseScoop, Pentagon begins enforcing CMMC compliance, but readiness gaps remain, November 2025
2. FedTech, Major Contractors Close In on CMMC 2.0 Readiness, April 2025
Social Posts