Managing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) is mission-critical for DoD contractors. Here’s how to do it right without getting lost in compliance complexities.
Why This Matters
If your company engages with the Department of Defense (DoD), you’re likely handling FCI, CUI, or both. With CMMC 2.0 on the horizon, a comprehensive System Security Plan (SSP) that documents how you’re protecting that data is more than just a best practice; it’s a requirement. NIST SP 800-171 already calls for one, and a CMMC assessment is scored against what the SSP says you do.
Fortunately, getting started doesn’t mean rearchitecting your entire IT environment. The smartest companies are approaching CMMC readiness by narrowing their focus, acting with urgency, and cutting through the noise. The key? Know your data and its boundaries.
Know What You’ve Got
Start with clarity. Identify what qualifies as FCI and CUI in your environment. FCI is information provided by or generated for the government under a contract that is not intended for public release. CUI is the narrower category that law, regulation, or government-wide policy requires you to safeguard, and it is the category that triggers the full set of NIST SP 800-171 controls. In practice that could be proposals, technical drawings, internal emails, or anything contract-related and not meant for public release.
A common trap? Trying to protect everything. One of our clients initially scoped their entire network into their SSP, only to realize they could isolate all CUI within a single secure environment (an enclave). By locking down only what matters, you reduce complexity and shrink your compliance footprint.
Map Data Flow, Draw the Line
Once you know what’s sensitive, trace where it lives and how it moves. Mapping data flows helps define your system boundary: what’s in and what’s out.
Ask hard questions: Who touches the data? Which systems store or transmit it? Are there consumer-grade tools or personal devices sneaking into the process? Anything that stores, processes, or transmits CUI is in scope, and so is anything that provides security protection for those systems (your identity provider, your endpoint security tooling, your log collector). These insights surface risks and help ensure the right systems, not every system, are covered.
Build the Right Enclave
Here’s where efficiency goes from theory to reality. Create a secure enclave: a contained, controlled zone where all FCI and CUI are processed. This might be a FedRAMP-authorized cloud workspace (for CUI, DFARS 252.204-7012 expects the FedRAMP Moderate baseline or its equivalent), a dedicated virtual environment, or a physically segmented network.
Why go this route? Because enclaves dramatically reduce your attack surface. They centralize controls, isolate sensitive workflows, and make compliance simpler and more defensible. The caveat is that an enclave only shrinks your scope if CUI actually stays inside it, so block or monitor the paths out (email, file-sync clients, removable media, personal devices) rather than assuming the boundary holds. You’re not trying to boil the ocean; you’re securing a clearly defined pool.
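The data-flow mapping described in the previous section and the enclave boundary check described in this one, as one added example in Python (this is not code from the original article or from Focus Technology): it models a constructed inventory of hypothetical assets and flows, computes which systems store, process, or transmit a given data class, and flags personal devices that were pulled into scope and flows that carry the data out of the intended enclave. Asset names, the managed/enclave attributes, and the flows are all made up for the example.

```python
"""Scope a CUI enclave from a data-flow inventory.

Added example, not code from the original article. Asset names, flows and the
'managed'/'enclave' attributes below are constructed sample data.
"""
from collections import deque

# Constructed inventory. managed: the company controls the device or service;
# enclave: the asset is intended to sit inside the CUI boundary.
ASSETS = {
    "gcc-sharepoint":    {"managed": True,  "enclave": True},
    "eng-workstation-1": {"managed": True,  "enclave": True},
    "cad-server":        {"managed": True,  "enclave": True},
    "corp-mail":         {"managed": True,  "enclave": False},
    "marketing-site":    {"managed": True,  "enclave": False},
    "personal-laptop":   {"managed": False, "enclave": False},
}

# Flows as (source, destination, data classes observed on the flow). An empty
# set means the flow was found during mapping but nobody could say what it carries.
FLOWS = [
    ("gcc-sharepoint",    "eng-workstation-1", {"CUI"}),
    ("eng-workstation-1", "cad-server",        {"CUI"}),
    ("cad-server",        "personal-laptop",   set()),       # unlabelled sync job
    ("eng-workstation-1", "corp-mail",         {"FCI"}),
    ("corp-mail",         "marketing-site",    {"public"}),
]


def _meta(assets, name):
    """Anything not in the inventory is treated as unmanaged and outside the enclave."""
    return assets.get(name, {"managed": False, "enclave": False})


def in_scope(data_class, assets, flows):
    """Return the set of assets that store, process or transmit `data_class`.

    Both endpoints of any flow labelled with the class are in scope. An unlabelled
    flow leaving an in-scope asset is assumed to carry the class as well (the
    conservative reading), so scope keeps propagating downstream until someone
    labels that flow otherwise.
    """
    scope = set()
    for src, dst, classes in flows:
        if data_class in classes:
            scope.update((src, dst))
    queue = deque(scope)
    while queue:
        node = queue.popleft()
        for src, dst, classes in flows:
            if src == node and not classes and dst not in scope:
                scope.add(dst)
                queue.append(dst)
    return scope


def boundary_findings(data_class, assets, flows):
    """Compare the computed scope with the intended enclave.

    Returns (scope, findings, idle_enclave_assets). findings is a list of
    (issue, subject) tuples:
      unmanaged-in-scope : a personal device or consumer tool holds the data
      outside-enclave    : a managed system holds the data but was not planned into the enclave
      enclave-egress     : a flow carries the data from inside the enclave to outside it
    idle_enclave_assets lists enclave members that never touch the data, i.e.
    scope that could be shrunk.
    """
    scope = in_scope(data_class, assets, flows)
    findings = []
    for name in sorted(scope):
        meta = _meta(assets, name)
        if not meta["managed"]:
            findings.append(("unmanaged-in-scope", name))
        elif not meta["enclave"]:
            findings.append(("outside-enclave", name))
    for src, dst, _ in flows:
        if (src in scope and dst in scope
                and _meta(assets, src)["enclave"] and not _meta(assets, dst)["enclave"]):
            findings.append(("enclave-egress", f"{src}->{dst}"))
    idle = [n for n in sorted(assets) if assets[n]["enclave"] and n not in scope]
    return scope, findings, idle


if __name__ == "__main__":
    for data_class in ("CUI", "FCI"):
        scope, findings, idle = boundary_findings(data_class, ASSETS, FLOWS)
        print(f"{data_class} scope: {sorted(scope)}")
        for issue, subject in findings:
            print(f"  {issue}: {subject}")
        if idle:
            print(f"  enclave assets that never touch {data_class}: {idle}")
```

Run as written, the CUI scope pulls in personal-laptop through the unlabelled sync job from cad-server, which is exactly the kind of device the mapping exercise is meant to surface, and the same flow is reported as enclave egress. Labelling that flow as something other than CUI, or removing it, collapses the scope back to the three enclave assets with no findings. The conservative rule for unlabelled flows is deliberate: an assessor will treat an unexplained path out of a CUI system the same way.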
What’s in the SSP?
Your SSP is your cybersecurity blueprint. It identifies the systems in scope, assigns accountability, details how you control access and respond to threats, and maps your practices to the 110 security requirements of NIST SP 800-171 Rev. 2.
Just as important, it includes your Plan of Action and Milestones (POA&M): a living document that tracks what still needs fixing, by whom, and when. This isn’t a box to check. It’s how you demonstrate a plan, not perfection. Bear in mind that CMMC limits what a POA&M can cover: only lower-weighted requirements may remain open at assessment time, and open items must be closed within 180 days for a conditional certification to become final.
Quick Wins That Matter
Still at square one? No problem. Start by securing the systems that handle CUI and getting CUI off the rest. Turn on multi-factor authentication (MFA) across all access points. Encrypt everything: data in transit and at rest, and for CUI use FIPS-validated cryptography, which NIST SP 800-171 specifically requires. Train your people on how to recognize and handle sensitive data. Stick to FedRAMP-authorized cloud services where possible; they’re purpose-built for this. And if you’re feeling overwhelmed, lean on a security partner who’s walked this path before.
Each step isn’t just a safeguard; it’s momentum.
Avoid the Rookie Mistakes
Don’t try to secure everything. Don’t download a cookie-cutter SSP template and hope it fits your operations. And definitely don’t overlook your supply chain. Your service providers and subcontractors are often holding the same sensitive data; if they mishandle it, your business takes the hit, and the DFARS clause requires you to flow the same safeguarding requirements down to any subcontractor that handles CUI.
Worst of all? Waiting until a contract deadline is looming. That’s when corner-cutting and “good enough” planning creep in, and that’s exactly what gets flagged during assessments.
Where Focus Comes In
At Focus Technology, we don’t treat compliance like a checkbox. We help organizations get there with confidence. That includes running hands-on data classification workshops, designing enclave architectures, drafting tailored SSPs and POA&Ms, and supporting ongoing operations with vCISO services and managed security.
We don’t just write the playbook. We help execute it.
CMMC compliance is non-negotiable. For contractors handling CUI, a CMMC Level 2 certification will be required at the time of contract award once the rule is finalized (expected later this year), with a phased implementation starting in early 2025.
The good news? You still have time to prepare. By identifying your sensitive data, mapping its flow, and isolating it within an enclave, you can fast-track your way to audit-readiness.
Act now. Scope smart. Better to be ahead of the curve than caught behind it.
Nolan Glinko is a cybersecurity engineer with Focus Technology Solutions.