
AI and Federal Data Management: Key Considerations of Cybersecurity Maturity Model Certification Level 1 Requirements

By: Jason Cahoon, Nathan Flynn, Nathan Layman, Sarah Martonick, Barrie Robison, Luke Sheneman, and Dashiell Tyler

CAUTION: THIS ARTICLE IS NOT MEANT TO OFFER OFFICIAL GUIDANCE ON ACHIEVING CMMC LEVEL 1, 2, OR 3 COMPLIANCE

On November 10, 2025, the Department of Defense (DoD) began the phased implementation of Cybersecurity Maturity Model Certification (CMMC), requiring contracting officers to meet CMMC Level 1 requirements in applicable contracts, thereby safeguarding Federal Contract Information (FCI). Ensuring CMMC compliance becomes more complex when evaluating the requirements against data management systems that integrate artificial intelligence into their processes. AI tools, including large language models such as ChatGPT and Claude, can improve efficiency and innovation but also introduce new risks relevant to CMMC compliance. These risks include reliance on third-party services and limited transparency into model behavior, which create uncertainty around data handling and data retention and limit the traceability and auditability of outputs. Research administrators must therefore pay additional attention to data security practices to ensure FCI is protected in accordance with CMMC requirements when leveraging AI.

The following section provides an explanation of the three CMMC certification levels, outlines their key requirements, and offers an overview of how our institution, the University of Idaho, has implemented CMMC controls on DoD-funded projects, including how our AI tools handle and store FCI. This content is intended to highlight potential considerations when handling federal data requirements. It is not meant to serve as official guidance or advice on achieving CMMC compliance.

What is the CMMC program?

The three levels of CMMC

The CMMC program requires defense contractors and subcontractors to meet specific cybersecurity standards based on the sensitivity of the information they handle. These standards are organized into three increasingly stringent levels:

  • Level 1: Basic cybersecurity and safeguarding of FCI, which requires self-assessment. FCI refers to information provided by or generated for the government that is not intended for public release.
  • Level 2: Intermediate cybersecurity and protection of Controlled Unclassified Information (CUI), which can require either a self-assessment or a third-party assessment depending on the contract. CUI includes sensitive information that requires safeguarding but is not classified.
  • Level 3: Advanced cybersecurity for critical or highly sensitive CUI, which requires rigorous evaluation by an internal DoD assessor.

FCI and CMMC protected systems clarification

CMMC introduces safety protocols for systems that protect Federal Contract Information (FCI) and the more sensitive Controlled Unclassified Information (CUI). FCI is defined and regulated through Federal Acquisition Regulation (FAR 52.204-21) as, “…information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” The key distinction separating FCI from other types of non-protected data is that the former is “not intended for public release.” Publicly undisclosed documents generated under contract such as reports, deliverables, status updates, technical specifications, information shared during proposal evaluation, and budgets would likely be considered FCI.

When information requires a higher level of protection due to law, regulation, or government-wide policy, it is categorized as Controlled Unclassified Information (CUI). Established by Executive Order 13556 and managed by the National Archives and Records Administration (NARA), CUI is defined as information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. While almost all CUI is technically FCI, not all FCI is CUI. NARA maintains a registry of CUI and provides resources and training to learn more. CMMC Level 1 focuses on the basic safeguarding of FCI and levels 2 and 3 establish the additional requirements necessary for systems processing CUI.

Documents that are publicly available, such as public solicitations, laws, policies, press releases, open-access data sets, public facing award announcements, and general marketing materials, are not considered FCI and are not required to be processed by CMMC protected systems.

Good practice in protecting data

There are three broad categories to consider when safeguarding data. Physical practices include things like storing equipment in secure locations and restricting access to authorized personnel. Behavioral practices include establishing and enforcing appropriate security education and training. Technical practices include things like patching vulnerabilities, detecting anomalies, and protecting systems from threats.

CMMC identifies six core practices for data security, each with its own section in the CMMC Assessment Guide linked below:

  1. Access control
  2. Identification and authentication
  3. Media protection
  4. Physical protection
  5. System and communication protection
  6. System and information integrity

These six categories apply to every level, with levels 2 and 3 following increasingly strict guidelines for achieving compliance. The key components linking these core practices together are restricting access to authorized entities, documenting access to the data, and storing data in a secure location. For more information on ways you can protect your data, see the Legal Information Institute’s suggestions on safeguarding covered contractor information systems.

DoD classification of cloud-based AI providers

The DoD classifies cloud-based AI services as External Service Providers (ESPs). When ESPs store, process, or transmit FCI or CUI, they fall within the scope of CMMC requirements (CMMC Program Section 17 CMMC Applicability to ESPs section a). The requirements include policies, technical controls, or alternative deployment models that prevent unauthorized generation or exposure of FCI. For more information on how ESPs and Cloud Service Providers (CSPs) are defined, review the CMMC Applicability to ESPs (b) guidelines in 32 CFR part 170, section 17.

Security risks posed by cloud-based AI providers

The use of cloud-based AI ESPs requires special care regarding FCI and CUI data. Many widely used AI services provide limited transparency into how data is processed, logged, retained, or transmitted. CMMC regulations require organizations to follow cybersecurity best practices, including access controls, data flow documentation, and audit logs identifying both who can access FCI and how it moves between systems, including ESPs. LLMs generate outputs probabilistically, which causes the outputs to be inconsistent even when the prompt used, model employed, and data queried are the same. Furthermore, model behavior can vary between interactions, causing the accuracy of the outputs to be inconsistent. Because the fundamental variability in AI algorithms can produce outputs across a range of accuracy and quality, reproducing results and maintaining consistent documentation can be challenging without additional controls. As a result, organizations using AI should rely on well-documented models, self-hosted deployments, or compensating controls for CMMC compliance.

In addition, some publicly available LLM services may retain user inputs or outputs in cloud environments that are outside the organization’s direct control. For example, OpenAI’s security policy states that they will “… retain your Personal Data for only as long as (they) need in order to provide (their) services to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with (their) legal obligations.” (OpenAI Privacy Policy; accessed 01/06/2026).

Because organizations typically have limited visibility into how externally hosted LLMs process, retain, or segregate data during inference, it can be difficult to ensure consistent control over the creation, storage, and dissemination of FCI without additional safeguards.

Additional information on the responsibilities of OSAs and ESPs

The DoD provides information regarding who is responsible for evaluating ESP requirements when an Organization Seeking Assessment (OSA) uses an ESP, stating that “the CMMC compliance of an ESP, including a CSP, falls under the OSA’s assessment. If an ESP is used to meet any of the CMMC requirements for the OSA, then the ESP is part of the scope of the OSA’s assessment, and the compliance of the ESP will be verified.” (CMMC Program Section 17 CMMC Applicability to ESPs section d). For more information regarding how to evaluate ESP requirements, see CMMC Program Section 17 CMMC Applicability to ESPs section d.

How our team implements CMMC Level 1 controls: An example

The University of Idaho is implementing CMMC Level 1 controls across a variety of AI and data processing applications, including our AI document processing tool, Vandalizer. Vandalizer is used here as a representative system to demonstrate how FAR 52.204-21 and CMMC Level 1 safeguarding requirements are implemented in practice. Vandalizer is a web-based document ingestion and analysis platform developed at the University of Idaho. It allows users to upload documents and leverage LLMs to conduct a variety of useful tasks. Currently, it is primarily used by research administrators for agreement analysis, document comparison, and proposal compliance reviews. These uploaded documents may contain sensitive data (including FCI), and Vandalizer is therefore deemed “in scope” for CMMC Level 1 controls.

The following table provides a direct, line-by-line mapping of the Federal Acquisition Regulation (FAR) clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, to the technical, administrative, and physical controls implemented for the Vandalizer system. Each requirement is addressed using controls provided by the Vandalizer application itself and by enterprise security services operated by the University of Idaho. This mapping demonstrates how Vandalizer satisfies all seventeen FAR 52.204-21 safeguarding requirements for the protection of FCI.

| FAR 52.204-21 Requirement | Vandalizer Implementation |
|---|---|
| (b)(1) Limit information system access to authorized users | Vandalizer requires authentication for all access and integrates with Microsoft Entra ID (formerly Azure AD). Only explicitly authorized users may access the system. |
| (b)(2) Limit information system access to the types of transactions and functions that authorized users are permitted to execute | Role-based access controls restrict regular users from administrative actions including adding or removing other users or changing their access privileges. |
| (b)(3) Verify and control/limit connections to and use of external information systems | Vandalizer uses on-premises local AI models (gpt-oss:120b) by default and does not transmit data to external or cloud-based (SaaS) LLM providers unless users deliberately change the model to a public LLM. |
| (b)(4) Control information posted or processed on publicly accessible information systems | Vandalizer is publicly reachable but requires authentication. It does not retain prompts or completions on inference servers; AI processing data is ephemeral. |
| (b)(5) Identify information system users, processes, or devices | All users are uniquely identified via Entra ID. System services run under uniquely identified service accounts. |
| (b)(6) Authenticate (or verify) the identities of users, processes, or devices | Authentication is enforced through Entra ID with Duo multi-factor authentication (MFA), centrally managed by University OIT. |
| (b)(7) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse | Media associated with Vandalizer systems is sanitized or destroyed according to University of Idaho media disposal and sanitization procedures. |
| (b)(8) Limit physical access to information systems, equipment, and operating environments to authorized individuals | Vandalizer runs on a physical server in a central University data center with cardkey and PIN-controlled access. |
| (b)(9) Escort visitors and monitor visitor activity | Visitors are required to sign in, escorted by authorized personnel, and monitored by security cameras. |
| (b)(10) Maintain audit logs of physical access | Physical access is logged via electronic access control systems and visitor sign-in records. |
| (b)(11) Control and manage physical access devices | Card keys and PINs are issued, managed, and revoked through centralized University access management processes. |
| (b)(12) Monitor, control, and protect communications at external boundaries and key internal boundaries | Institutional firewalls and network monitoring protect system boundaries. Only explicitly permitted network communications are allowed. |
| (b)(13) Implement subnetworks for publicly accessible system components | Vandalizer is hosted on a segmented public-facing network logically separated from internal systems and managed via our central OIT Network Management System (NMS). |
| (b)(14) Identify, report, and correct information and information system flaws in a timely manner | The Vandalizer server is scanned using Tenable. Systems are patched weekly or immediately when high-impact vulnerabilities are identified. |
| (b)(15) Provide protection from malicious code | Sophos Endpoint provides real-time malware protection on the Vandalizer host. |
| (b)(16) Update malicious code protection mechanisms when new releases are available | Sophos malware definitions and protection mechanisms are updated automatically. |
| (b)(17) Perform periodic scans of the information system | Periodic vulnerability scans are conducted using Tenable, and regular malware scans are performed by Sophos. |
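
The (b)(3) row and the earlier point about audit logs that show how FCI moves between systems can be combined into one compensating control: a gate in front of model selection that refuses to send FCI to an external service provider and records every decision. The sketch below is an added example, not Vandalizer's code; the hostnames, the `contains_fci` flag, and the function names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumption: placeholder hostname for a self-hosted inference server.
ON_PREM_HOSTS = {"llm.internal.example"}

class ExternalTransferBlocked(Exception):
    """FCI was about to be sent to an external service provider (ESP)."""

def route_request(user_id, document, contains_fci, endpoint_url, audit_log):
    """Allow or deny sending `document` to `endpoint_url`; always audit.
    Fails closed: a host not on the allowlist (or no host) is external."""
    host = (urlparse(endpoint_url).hostname or "").lower()
    external = host not in ON_PREM_HOSTS
    allowed = not (external and contains_fci)
    audit_log.append(json.dumps({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "sha256": hashlib.sha256(document).hexdigest(),  # digest, not content
        "contains_fci": contains_fci,
        "destination": host,
        "external": external,
        "decision": "allow" if allowed else "deny",
    }, sort_keys=True))
    if not allowed:
        raise ExternalTransferBlocked(f"FCI may not be sent to {host!r}")
    return host

def demo():
    """Run constructed requests and return (decisions, audit_log)."""
    log, decisions = [], []
    cases = [  # constructed sample inputs
        ("alice", b"draft deliverable", True, "https://llm.internal.example/api"),
        ("bob", b"draft deliverable", True, "https://api.vendor.example/v1"),
        ("bob", b"public solicitation", False, "https://api.vendor.example/v1"),
        # Text before '@' is userinfo, not the host; the parsed host decides.
        ("carol", b"budget", True, "https://llm.internal.example@api.vendor.example/"),
    ]
    for user, doc, fci, url in cases:
        try:
            decisions.append(route_request(user, doc, fci, url, log))
        except ExternalTransferBlocked:
            decisions.append("blocked")
    return decisions, log
```

The audit record stores a SHA-256 digest rather than the document, so the log itself does not become another copy of FCI.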

Steps to self-certify CMMC Level 1:

Self-certification requires 3 main steps. Note: regulations are subject to change! First, review the current CMMC documentation and FAR requirements, then:

  1. Acquire a “SPRS Cyber Vendor User” role, which is required to complete the CMMC assessment. This is available through the Procurement Integrated Enterprise Environment (PIEE).
  2. Review the Supplier Performance Risk System (SPRS) site CMMC Level 1 self-assessment quick entry guide.
  3. Review the assessment details, certify review of the affirmation statement, and then the affirming official can affirm the assessment.

Future considerations

Staying informed of considerations when handling federal data requirements is a crucial responsibility for anyone who handles FCI at any of the three levels. We all play a crucial part in protecting our institutions against security threats. For any institution, taking an informed approach to performing a self-assessment in response to CMMC requirements is the ONLY way to ensure compliance. Additionally, it better prepares you for potential changes to federal security requirements from other data governing entities. As the federal landscape changes, it is probable that other federal domains will adopt similar security requirements.

We are curious about how your institution responds to these requirements. How is your institution reacting to the changing federal landscape? How has your institution been reacting to changes in the FAR 52.204-21 requirements? Does your institution have any data processing agreements in place that might make certifying your AI tools for CMMC L1 easier, such as agreements with Microsoft that might permit Copilot use? Let us know in the comments below!

Important links/references (as of 01/01/2026):
