
A guide to CMMC compliance

January 2, 2026
Reading time: 8 mins
Mark Stone
Senior Technical Writer

For years, cybersecurity guidance in the defense supply chain left some room for interpretation. Organizations documented intent, relied on self-attestations, and addressed gaps over time. But that flexibility vanished once the protection of Controlled Unclassified Information (CUI) became a contractual obligation rather than a best practice.

To address the countless cyber threats facing the defense supply chain, the Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC). This framework establishes baseline cybersecurity requirements for any organization handling Controlled Unclassified Information (CUI) within the DoD’s supply chain.

CUI refers to sensitive but unclassified data that requires protection due to legal, regulatory, or policy-based restrictions. This can include financial records, legal documents, export control data, infrastructure details, and intelligence reports—all of which, if exposed, could pose a risk to national security. 

Unlike previous self-assessment models, CMMC requires third-party certification to reinforce the need for robust data security measures. Since CUI encompasses financial, legal, infrastructure, and intelligence data, organizations must proactively identify, classify, and secure sensitive information across their cloud environments, endpoints, and data repositories. 

What is CMMC Compliance? 

CMMC defines the cybersecurity practices contractors must follow to protect Federal Contract Information (FCI) and CUI. Unlike earlier self-attestation models, CMMC requires verified assessments, enforced through contract language.

Compliance now determines:

  • Whether an organization can receive a contract award
  • Whether it can continue performing work
  • Whether subcontractors remain eligible

CMMC requirements apply before award and must be maintained throughout the contract lifecycle.

What is Controlled Unclassified Information (CUI)?

CUI refers to sensitive but unclassified information that requires protection due to legal, regulatory, or policy requirements. 

Examples include:

  • Financial and billing records
  • Legal documents and contracts
  • Export-controlled data
  • Infrastructure and system details
  • Operational or intelligence-related information

If exposed, this data could harm national security, disrupt operations, or compromise missions. CMMC exists to prevent that outcome across the entire defense supply chain.

Who must comply with CMMC? 

Any company working with the DoD, whether as a prime contractor, subcontractor, or foreign supplier, must obtain CMMC certification.  

This includes: 

  • Small and mid-sized businesses
  • Vendors across all tiers of the supply chain
  • Commercial item contractors

The only exception applies to companies that exclusively produce Commercial-Off-The-Shelf (COTS) products. 

The certification process is overseen by the CMMC Accreditation Body (CMMC-AB or the Cyber AB), which works with Third-Party Assessment Organizations (C3PAOs) to evaluate compliance. Any organization failing to meet CMMC requirements will be ineligible for new DoD contracts. 

CMMC 2026 regulatory updates and what has changed since 2025

In 2025, the Department of Defense finalized updates to the Defense Federal Acquisition Regulation Supplement (DFARS), formally embedding CMMC 2.0 into DoD contracts. CMMC requirements can now appear directly in solicitations and awards, making compliance a contractual condition.

What contractors need to know

  • CMMC compliance may be required before contract award
  • Compliance must remain current for the duration of the contract
  • Assessment results and affirmations must be reported in the Supplier Performance Risk System (SPRS)
  • Flow-down requirements apply to subcontractors handling FCI or CUI

Phased enforcement rollout

  • Phase 1 (late 2025): Levels 1 and 2 appear in select contracts with self-assessments and affirmations
  • Phase 2 (2026): Expanded use of Level 2, including third-party assessments for higher-risk contracts
  • Later phases (2027–2028): Broader enforcement and Level 3 requirements for high-sensitivity programs

CMMC compliance now affects eligibility, not just audit readiness.

What are the CMMC levels?

CMMC was simplified under CMMC 2.0 to focus enforcement on real risk. The framework now consists of three levels instead of five, each tied directly to the type of data an organization handles.

The required level is dictated by the contract.

The three CMMC levels explained

  • Level 1 (Basic):
    Applies to organizations handling Federal Contract Information (FCI) only. Requires basic cyber hygiene practices and an annual self-assessment with affirmation in SPRS.
  • Level 2 (Broad):
    Applies to organizations handling Controlled Unclassified Information (CUI). Aligns with NIST SP 800-171 and requires either a self-assessment or a third-party assessment, depending on contract risk.
  • Level 3 (High level):
    Applies to organizations supporting the most sensitive DoD programs. Requires enhanced protections and a government-led assessment.

Levels 4 and 5 were removed. Most contractors fall into Level 2, which represents the largest operational shift.

CMMC Level | Focus                | Data Type Covered | Assessment Type                           | Applies To
Level 1    | Foundational hygiene | FCI               | Annual self-assessment + SPRS affirmation | Contractors handling FCI only
Level 2    | Advanced protection  | CUI               | Self-assessment or C3PAO assessment       | Most DoD contractors and subs
Level 3    | Expert protection    | High-value CUI    | Government-led assessment                 | Sensitive DoD programs

What CMMC level do you need?

Use this quick guide:

  • Handle FCI only → Level 1
  • Handle CUI → Level 2
  • Support mission-critical DoD programs → Level 3

Why data discovery and classification are important for CMMC 

One of the most common issues with CMMC readiness involves visibility. 

That’s because many organizations struggle to answer basic audit questions:

  • Where does CUI exist?
  • Who can access it?
  • How does it move between systems?

CUI spreads across cloud platforms, SaaS tools, endpoints, collaboration apps, and shared drives. Without automated discovery and classification, organizations face:

  • Unintentional exposure of sensitive data
  • Incomplete or inaccurate SPRS affirmations
  • Over-permissioned access that violates CMMC controls

CMMC compliance depends on knowing what data exists before attempting to secure it.

How to prepare for CMMC 

CMMC compliance should not be perceived as merely passing an audit. It requires organizations to incorporate strong data security practices into their daily operations.  

Passing an assessment requires repeatable controls, continuous visibility, and defensible evidence.

1. Identify where FCI and CUI actually live

Inventory structured and unstructured data across cloud platforms, endpoints, SaaS tools, and collaboration systems. Assumptions do not hold up in assessments.

2. Classify data based on content and context

CUI rarely lives neatly in labeled folders. Classification must account for meaning, usage, and access patterns, not file names or locations.

3. Consistently validate access and sharing

Assess who can access sensitive data and why. Over-permissioning and unmanaged sharing remain top audit findings.

4. Align controls to evidence and not policy

Auditors expect proof that controls work in practice. That includes visibility into permissions, exposure, and remediation activity.

5. Prepare for ongoing assessments

CMMC compliance does not end after certification. Continuous monitoring and reporting are now part of contract performance.
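The five steps above, together with the three audit questions in the data discovery section (where CUI exists, who can access it, how it moves), can be tried out on a small scale with a script. The following Python example is added here for illustration; it is not code from the original post or from Concentric AI. It stands in for semantic classification with simple content markers (a CUI banner line and export-control keywords, both assumed patterns), uses POSIX "other-readable" mode bits as a stand-in for access review, and writes each result as a timestamped evidence record. The sample file tree it builds is constructed for the demo.

```python
"""Illustrative CUI discovery, classification and access-check pass.

Not Concentric AI's product and not an official CMMC tool: a minimal sketch of
steps 1-4 from the readiness checklist, producing evidence records per file.
"""
import json
import re
import stat
import tempfile
import time
from pathlib import Path

# Assumed content markers. Real classification looks at meaning and usage,
# not just markings; these regexes are a constructed stand-in for the demo.
CUI_PATTERNS = {
    "cui_banner": re.compile(r"\bCUI\b(//[A-Z-]+)?", re.MULTILINE),
    "export_controlled": re.compile(r"\b(ITAR|EAR|export[- ]controlled)\b", re.IGNORECASE),
}


def classify_content(text: str) -> list[str]:
    """Step 2: classify on document content, never on file name or folder."""
    return [name for name, rx in CUI_PATTERNS.items() if rx.search(text)]


def is_overexposed(path: Path) -> bool:
    """Step 3: treat 'readable by other' (POSIX mode bit) as over-permissioned for CUI."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def inventory(root: Path) -> list[dict]:
    """Step 1 + 4: walk the tree, keep only files that classify as CUI, and
    record exposure plus a UTC timestamp so the output can serve as evidence."""
    records = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skipped here, would be logged in a real pass
        markers = classify_content(text)
        if not markers:
            continue
        records.append({
            "path": str(p.relative_to(root)),
            "markers": markers,
            "overexposed": is_overexposed(p),
            "checked_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        })
    return records


def findings(records: list[dict]) -> list[dict]:
    """The subset an assessor would ask about: CUI that is readable too widely."""
    return [r for r in records if r["overexposed"]]


def build_sample_tree() -> Path:
    """Constructed sample data: one marked file left world-readable, one marked
    file properly restricted, and one unmarked file that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="cui-demo-"))
    exposed = root / "shared" / "drawing.txt"
    exposed.parent.mkdir()
    exposed.write_text("CUI//EXPT\nExport controlled engineering drawing\n")
    exposed.chmod(0o644)
    restricted = root / "vault" / "contract.txt"
    restricted.parent.mkdir()
    restricted.write_text("CUI\nSubcontract pricing\n")
    restricted.chmod(0o600)
    benign = root / "readme.txt"
    benign.write_text("Company picnic schedule\n")
    benign.chmod(0o644)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    recs = inventory(sample_root)
    print(json.dumps(recs, indent=2))
    print(f"{len(findings(recs))} over-exposed CUI file(s) under {sample_root}")
```

Run as-is it reports two CUI files, one of them over-exposed, and ignores the unmarked file. The point of the structure is the evidence record: each entry states what was found, why it classified as CUI, whether access was too broad, and when the check ran, which is the kind of proof step 4 says assessors expect instead of a policy document.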

How Concentric AI supports CMMC readiness 

Concentric AI helps organizations meet CMMC expectations by addressing the hardest operational requirement: continuous visibility into sensitive data.

Semantic Intelligence™ identifies and classifies CUI across structured and unstructured data, including documents, emails, chats, audio, video and even GenAI data.

With Concentric AI, organizations get: 

Context-aware risk analysis

Concentric AI highlights overexposed, misclassified, or improperly shared data that could trigger audit findings or compliance gaps.

Access control visibility

Security teams gain insight into who can access CUI, where permissions drift, and which sharing behaviors introduce risk.

Continuous compliance monitoring

Instead of point-in-time reporting, organizations get ongoing visibility that supports audit readiness.

With Concentric AI, DoD contractors can reduce compliance complexity, speed up the certification process, and improve their overall data security. 

Compliance is no longer optional

CMMC compliance now directly affects contract eligibility and performance, and documentation alone won’t cut it. Contractors must demonstrate continuous control over where sensitive data lives, who can access it, and how risk changes over time.

Organizations that invest early in visibility, classification, and monitoring put themselves in a stronger position to meet CMMC requirements and protect national security data with confidence.
