CUI Environment Decision Guide
CMMC Decision Support


Seven structured questions. A precise environment profile. Built for technical leaders making platform decisions in the defense industrial base before contract pressure forces a reactive choice.

This guide produces
  • A recommended environment path — GCC High (Required, Strongly Recommended, Urgent, or Recommended), GCC Standard, or a requirements-first recommendation
  • Contract-aware architecture characteristics and operational implications
  • Risk and compliance callouts specific to your regulatory profile
  • A 6-month implementation timeline for your environment path
  • A Year 1 cost breakdown for planning and budgeting
  • A downloadable PDF assessment summary

Built on 25+ years of Aerospace and Defense program experience, direct CMMC assessment knowledge, and firsthand understanding of what C3PAO assessors look for on Day 1.

This guide is intended to support internal decision-making and clarify common architectural paths. It does not prescribe a specific solution or constitute formal system design.

Who This Is For
  • Defense subcontractors at any tier of the DoD supply chain
  • Engineering, program controls, and technical services firms supporting federal programs
  • Organizations on Commercial M365 pursuing CMMC Level 2
  • Technical leads and CTOs making platform decisions before contract award
  • Organizations that have been told CMMC is coming and don't know where to start
Question 1 of 7

What type of contracts involve CUI at your organization?

Select the option that best describes your current or anticipated contract structure.

Direct DoD or federal prime contracts
Your organization holds contracts directly with the Department of Defense or a federal agency.
Subcontractor under a prime
You receive CUI through a flowdown from a prime contractor, not directly from a federal agency.
Both direct contracts and subcontract work
Your portfolio includes both prime contracts and subcontractor roles.
Planning to pursue — no active CUI contracts yet
You are building toward DoD contracting and want to understand future environment requirements.
Context
Why Contract Structure Matters
Your position in the DoD supply chain determines which DFARS clauses flow down to your organization and how CUI reaches your systems. Subcontractors often underestimate their CUI exposure because controlled data arrives embedded in program documentation, technical data packages, contractual deliverables, and correspondence, frequently without any CUI marking (and never marked "classified", since CUI is by definition unclassified). Defense subcontractors at every tier are among the most common sources of CUI handling gaps in the defense industrial base.
C3PAO Assessor Note
Expect to be asked for your prime contract and any subcontract flow-down documentation on Day 1 of your assessment; the DFARS 252.204-7012 clause in those documents is what establishes the obligations being assessed.
Question 2 of 7

Do you currently handle CUI, or are you planning to?

This helps establish the urgency and scope of your environment decisions.

Currently handling CUI in production
CUI is actively received, stored, processed, or transmitted in your environment today.
CUI expected within the next 6 months
You have contracts awarded or in negotiation that will involve CUI in the near term.
Exploring — no active CUI obligation yet
You are evaluating options before any formal CUI handling requirement is in place.
Context
CUI Arrives Before You Notice It
Most defense subcontractors begin handling CUI months before they formally acknowledge it. Program schedules, technical data packages, contract deliverables, correspondence with primes, and system configuration data frequently contain CUI, often without any CUI marking. If your organization supports any DoD prime contractor or federal agency, assume CUI is already present or imminent in your environment.
C3PAO Assessor Note
DFARS 252.204-7012 requires adequate security for covered defense information, including CUI, from the moment it enters your environment, not from the moment you formally categorize it. A missing CUI banner on a document your contract identifies as covered does not defer that obligation.
Question 3 of 7

What level of network isolation is required for your CUI environment?

Consider requirements communicated by your prime, contracting officer, or internal security policy.

Full isolation — strict separation from corporate IT
CUI environment must be air-gapped or completely segmented from your general corporate network.
Logical segmentation — VLAN or access control separation
CUI can coexist on shared infrastructure as long as it is logically separated with documented access controls.
Not yet determined
Isolation requirements have not been formally established or communicated.
Context
Isolation is the Foundation of Your SSP
Your System Security Plan's entire architecture section is built on your isolation decision. SC.L2-3.13.1 (Boundary Protection) requires you to monitor, control, and protect communications at the external boundary and key internal boundaries of your systems; how you implement isolation determines how this control is documented and assessed. The CMMC Level 2 scoping guidance categorizes every asset as a CUI Asset, Security Protection Asset, Contractor Risk Managed Asset, Specialized Asset, or Out-of-Scope Asset, and logical separation only moves an asset out of scope if it is actually prevented from storing, processing, or transmitting CUI. The most common C3PAO finding for small contractors is an informally defined or undocumented CUI boundary.
C3PAO Assessor Note
If you cannot draw a clear boundary around your CUI environment on a network diagram, your assessor will draw it for you, and you will not like where they draw it.
Question 4 of 7

Are you using, or planning to use, a Managed Service Provider for IT?

MSP involvement affects how controls are inherited and documented in your System Security Plan.

Yes — an MSP manages our IT environment
A managed service provider handles the majority of IT operations, including infrastructure and security tools.
Partial — some services are externally managed
Certain services are managed by a third party while core operations are handled in-house.
No — fully in-house IT team
All IT operations, security, and infrastructure are managed internally by your staff.
Evaluating options — not yet decided
A decision on managed services has not been finalized.
Context
Your MSP's Security Posture Affects Your Score
Under CMMC, your Managed Service Provider is an External Service Provider (ESP). Their security practices, their own CMMC status, and their shared responsibility matrix directly affect your assessment scope. You are responsible for documenting every control your MSP handles on your behalf and for producing evidence that they handle it correctly; "the MSP takes care of that" is not an acceptable SSP entry.
C3PAO Assessor Note
Critical rule: the firm that manages your GCC High environment cannot also serve as your C3PAO assessor. A C3PAO may not provide both consulting or implementation services and the assessment to the same client, regardless of how it structures its business internally. This is a CMMC ecosystem conflict-of-interest requirement, not a preference.
Question 5 of 7

What is your organization's current primary IT environment?

Select the platform that best describes your existing infrastructure today — not where you plan to go.

Microsoft 365 Commercial
Standard Business or Enterprise plan — not a GCC or government variant.
Microsoft 365 GCC — Government Community Cloud
Government tier with U.S. data residency, hosted on Microsoft's commercial cloud infrastructure; not GCC High.
Google Workspace
Standard or Enterprise Google Workspace environment.
On-premises infrastructure
Local servers or a private datacenter — minimal or no cloud dependency.
No established environment — starting from scratch
No primary IT platform has been selected or deployed yet.
Context
Your Migration Complexity Starts Here
Commercial Microsoft 365 is not a suitable home for CUI under DFARS 252.204-7012. The clause requires that any cloud service provider storing, processing, or transmitting covered defense information meet security requirements equivalent to the FedRAMP Moderate baseline and comply with the clause's paragraphs (c) through (g) for cyber incident reporting, media preservation, and forensic access; Microsoft provides those contractual commitments for its government tiers, not for Commercial tenants. Commercial M365 also does not provide the U.S.-person support and tenant isolation that export-controlled data requires. Commercial M365 to GCC High is a well-documented migration path with established tooling. Plan 6–10 weeks for a 25-user organization.
C3PAO Assessor Note
GCC and GCC High are not the same environment. GCC keeps data in the United States but runs on Microsoft's commercial cloud infrastructure, with support staff who are not restricted to U.S. persons. GCC High runs in the isolated Azure Government cloud, with support restricted to screened U.S. persons, and is accredited at DoD Impact Level 5. Only GCC High meets the requirements for organizations subject to ITAR or to prime mandates for a sovereign cloud environment.
Question 6 of 7

Has your prime contractor, contracting officer, or contract documentation specified a required cloud environment?

Answer based on what is documented, not what you assume or have been told verbally.

Yes — GCC High or FedRAMP High is explicitly required in writing
Your contract, prime, or contracting officer has specifically required this environment in documentation.
Yes — ITAR or export-controlled data is involved in our contracts
Your work involves International Traffic in Arms Regulations (ITAR) or export-controlled technical data.
No — no specific environment has been mandated
Your contracts do not specify a required cloud environment at this time.
Unknown — we have not confirmed this with our prime or contracting officer
You are not certain whether a specific environment has been required — this needs to be confirmed.
Most Consequential Question
The Most Consequential Question in This Guide
Prime contractor mandates and ITAR obligations are binary: they either apply or they don't. If they apply, your platform choice is made for you. ITAR matters here because its technical data may only be accessed by U.S. persons, and that restriction extends to the cloud provider's support staff; that is precisely the requirement a sovereign tier exists to meet. If you don't know whether these obligations apply, you have an action item before you spend a dollar on infrastructure. Many defense subcontractors operate under flow-down requirements that mandate specific cloud environments, particularly those supporting weapons programs, federal research, systems integration, or classified-adjacent work.
C3PAO Assessor Note
Verbal assurances from your prime that "GCC High isn't required" are not sufficient. Get it in writing. Assessors will ask for documented evidence of your regulatory obligations.
Question 7 of 7

How many personnel require access to CUI within your environment?

Include employees, contractors, and third parties who access systems that handle CUI.

1 to 10 personnel
11 to 50 personnel
51 to 250 personnel
More than 250 personnel
Context
Scope Reduction is Your Highest-ROI Decision
Licensing cost scales directly with users in scope. At 25 users, GCC High licensing runs approximately $45,000–$90,000 annually depending on plan, add-ons, and reseller, which works out to $1,800–$3,600 per user per year; every user removed from CUI scope saves that amount. Before building your enclave, conduct a formal CUI access review. Not everyone in your organization needs access to CUI systems, and a user only counts as out of scope if they have no path to CUI at all: no membership in the enclave's groups, no shared mailboxes or Teams that carry CUI, and no file shares that receive it.
C3PAO Assessor Note
Your assessor will verify that only authorized users have access to CUI systems. A bloated user scope creates more controls to document and more evidence to collect — keeping scope tight is a readiness strategy, not just a cost strategy.
Almost There
Your environment profile is ready.
Where should we send your results?
ENVIRONMENT PROFILE  —  CONFIDENTIAL ASSESSMENT

Based on your contract profile, regulatory obligations, and current infrastructure
The generated profile is organized into the following sections:
  • Executive Summary
  • Architecture and Operations (Architecture Characteristics, Operational Implications)
  • What This Means For You (Risks to Consider, Recommended Considerations)
  • Next Steps

What Happens Next

Your assessment is complete. Here is the recommended sequence based on your profile:

1. This Week
Review these findings with your leadership team. Confirm your regulatory obligations with your prime contractor in writing. Share this assessment summary.

2. This Month
Begin GCC High vendor evaluation. Select your MSP and C3PAO assessor as separate organizations. Initiate your CMMC readiness engagement to build your SSP and POA&M while your environment is provisioned.

3. Month 3–6
Complete GCC High migration. Validate controls against your SSP and collect the evidence for each control before the assessor arrives. Schedule your C3PAO assessment with confidence that your documentation is complete and your environment is ready.
Your Cyber TQ Analyst
Discuss These Findings With Your Analyst
Your Cyber TQ analyst can walk through these findings with you, answer questions about your specific contract environment, and help you confirm the right path forward before making any platform decisions.
Next Step
Schedule a Free 30-Minute Consultation
Your assessment is complete. A 30-minute call with your Cyber TQ analyst costs nothing and clarifies everything: which environment path fits your timeline, which C3PAO makes sense for your profile, and what you should be doing right now while your GCC High environment is built.
No pitch. No pressure. Just answers.
Veteran-owned  ·  CISSP certified  ·  25+ years A&D experience
Same-day response  ·  No obligation