All truths are easy to understand once they are discovered; the point is to discover them.
Galileo Galilei

Please see my book for in-depth coverage of these topics. All content available for free at my website.
Last week I attended CS5, the official conference of the Cyber AB and felt equal parts validation (resonance) and enlightenment (revelation). I look forward to attending the CMMC Midwest Conference next week to continue to learn from these industry luminaries.
1. Reduce Audit Scope: What is Controlled Unclassified Information?
A defense contractor’s primary responsibility regarding CUI is to protect it from unauthorized access or disclosure throughout its entire lifecycle. A precise understanding of what is and is not CUI can dramatically simplify your compliance efforts.
A helpful mental model is the COPR framework: Creation, Ownership, Possession, and Regulation. Many contractors mistakenly assume liability for every piece of government data they touch. However, Possession is what triggers your compliance burden.
Ryan Bonner from DEFCERT led a great Identifying CUI roundtable that introduced me to COPR and scratched the surface of this fundamental topic. If FutureFeed is the QuickBooks of CMMC, DEFCERT is the tax accountant helping you to reduce your auditable “surface area” and, therefore, compliance liability.
The greatest danger in CMMC is the default assumption that “Everything is CUI” — a mindset that cataclysmically expands your audit scope. Once you definitively identify your CUI and stop the sprawl, your next strategic step is to architect your systems to restrict which components ever take possession of it. Points 2 and 3 below provide two ways to achieve exactly that.
2. Reduce Audit Scope: Azure Virtual Desktop Secure Enclaves
When a user logs into an Azure Virtual Desktop with KVM (keyboard-video-mouse) access, the Azure enclave houses and processes the CUI. The user's physical laptop receives only a stream of pixels (a video feed) of the data. Because the file itself never lands on the local hard drive (provided drive, clipboard, printer, and USB redirection are disabled on the host pool, so the session cannot hand data back to the endpoint), the local laptop never takes possession of the CUI. You have effectively removed the physical endpoint from the CUI scope.
Thomas Graham, VP and CISO of Redspin described this model in his Scoping Physical and Logical Boundaries roundtable. Island Systems delivers turnkey Azure Virtual Desktop Enclaves for CUI. My team at Mindline also has delivered these per documentation here.
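The "pixels only" argument holds only if the session host cannot push data back to the endpoint, so the host pool's RDP properties are the control an assessor will want to see. The script below is an added example, not code from the original post or from any vendor's documentation. It assumes the Az.DesktopVirtualization module, a signed-in Azure session, and a host pool named "cui-enclave-hp" in resource group "rg-cui-enclave" (both names hypothetical). It audits the pool's custom RDP properties for the redirection channels that would let CUI leave the session and fixes any that are open, preserving unrelated properties already set.

```powershell
# Added example; not from the original post or any vendor's documentation.
# Assumes: Install-Module Az.DesktopVirtualization; Connect-AzAccount
# Resource group and host pool names are hypothetical.
$ResourceGroup = "rg-cui-enclave"
$HostPool      = "cui-enclave-hp"

# Redirection channels that would move CUI from the session host to the endpoint.
# Each value is the setting that turns that channel off.
$Required = @{
    "drivestoredirect"     = "s:"    # no local drives mapped into the session
    "redirectclipboard"    = "i:0"   # no clipboard copy out of the session
    "redirectprinters"     = "i:0"   # no print-to-local-PDF path
    "redirectcomports"     = "i:0"
    "usbdevicestoredirect" = "s:"    # no USB mass storage passed through
    "camerastoredirect"    = "s:"
}

function Test-EnclaveRdpProperties {
    # Returns the names of required properties that are missing or set to a value
    # other than the locked-down one. An empty result means the pool is compliant.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CustomRdpProperty)
    $present = @{}
    foreach ($kv in ($CustomRdpProperty -split ';' | Where-Object { $_ })) {
        $name, $rest = $kv -split ':', 2
        $present[$name.Trim().ToLower()] = $rest
    }
    $violations = @()
    foreach ($name in $Required.Keys) {
        if (-not $present.ContainsKey($name) -or $present[$name] -ne $Required[$name]) {
            $violations += $name
        }
    }
    return $violations
}

$pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool
$bad  = Test-EnclaveRdpProperties -CustomRdpProperty ([string]$pool.CustomRdpProperty)

if ($bad.Count -eq 0) {
    Write-Host "Host pool $HostPool already blocks all redirection channels."
} else {
    Write-Host "Locking down redirection channels: $($bad -join ', ')"
    # Keep unrelated properties as they are; override only the sensitive ones.
    $kept = $pool.CustomRdpProperty -split ';' |
        Where-Object { $_ -and (($_ -split ':', 2)[0].ToLower() -notin $Required.Keys) }
    $locked = $Required.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }
    $newProps = (@($kept) + @($locked)) -join ';'
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool -CustomRdpProperty "$newProps;"
}
```

Run it read-only first by commenting out the Update-AzWvdHostPool line; the list it prints is the evidence gap. Keep the output of the check with your System Security Plan, since "the endpoint is out of scope" is only as true as these six settings.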
3. Reduce Audit Scope: Secure Enclaves Within A Tenant
Some service providers aim to reduce their clients’ compliance burden even further by provisioning secure enclaves for client organizations within a single tenant. This allows the service provider to take on configuration, infrastructure, and audit management responsibilities on behalf of their client organizations, further reducing client organization cost of compliance. Information Barriers, Sensitivity Labels, and Data Loss Prevention policies help achieve this intra-tenant isolation. Mindline documents this approach we have taken with clients here.
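The following is an added example of the intra-tenant isolation pattern described above; it is not code from the original post or from Mindline's documentation. It assumes Security & Compliance PowerShell (the ExchangeOnlineManagement module) with an admin account, a user attribute "Department" populated per client, and a published sensitivity label named "CUI". The client names are hypothetical. It builds one Information Barrier segment per client, blocks each segment from every other, and layers a DLP rule that stops CUI-labelled content from being shared outside the tenant no matter which enclave it sits in.

```powershell
# Added example; not from the original post or Mindline's documentation.
# Assumes: Install-Module ExchangeOnlineManagement; "Department" attribute per client;
# a published sensitivity label named "CUI". Client names are hypothetical.
Connect-IPPSSession

$Clients = @("ClientA", "ClientB")

# 1. One segment per client, membership driven by a directory attribute so that
#    onboarding a user is an attribute change rather than a policy change.
foreach ($c in $Clients) {
    New-OrganizationSegment -Name $c -UserGroupFilter "Department -eq '$c'"
}

# 2. Block each segment from every other segment. Policies start Inactive so the
#    full set can be reviewed before anything is enforced.
foreach ($c in $Clients) {
    $others = $Clients | Where-Object { $_ -ne $c }
    New-InformationBarrierPolicy -Name "IB-$c" -AssignedSegment $c -SegmentsBlocked $others -State Inactive
}

# 3. Activate and apply. Application is asynchronous; re-run the status cmdlet
#    until it reports Completed before relying on the barrier.
foreach ($c in $Clients) {
    Set-InformationBarrierPolicy -Identity "IB-$c" -State Active
}
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus

# 4. DLP: anything carrying the CUI label may not be shared with people outside
#    the tenant, whichever enclave holds it. Start in test mode and move -Mode to
#    Enable once the policy-tip noise is understood.
New-DlpCompliancePolicy -Name "CUI-NoExternalShare" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "Block-CUI-External" -Policy "CUI-NoExternalShare" `
    -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope PerUser `
    -ContentContainsSensitiveInformation @(@{operator="And"; groups=@(@{operator="Or"; name="CUI-label"; labels=@(@{name="CUI"; type="Sensitivity"})})})
```

Information Barriers govern who can talk to whom inside the tenant; the label-driven DLP rule governs what leaves it. An assessor will ask for both, plus the Get-InformationBarrierPoliciesApplicationStatus output showing the policies actually applied, since a policy that was created but never applied isolates nothing.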
4. Pass Your Audit: Organize Your Evidence
Stuart Itkin, Chief Revenue Officer of FutureFeed, has never failed to provide me valuable assistance, whether I am trying to understand how assessors evaluate compliance evidence or trying to find my car after a conference. Think of FutureFeed as your simplified source of truth, helping you organize your compliance evidence to pass your CMMC audit. FutureFeed was giving away the Sixth Edition (April 2026) of The CMMC Everything You Need To Know To Get Started. Phillip Donald from IntelliGRC facilitated a Shared Responsibility Matrix roundtable; IntelliGRC is another de facto standard tool, with automation that makes it easier for MSPs to manage compliance for their clients. Justin Beals is CEO and Founder of Strike Graph, an AI-native compliance company offering a 60-day free trial to start your CMMC Level 2 Self-Assessment.
5. Pass Your Audit: Never Fail An Audit
Ned Butler, a lead CCA at Redspin, advised on whether Teams meetings from secure enclaves are compliant (spoiler: he thinks so, but it depends on your C3PAO). Ned emphasized the importance of asking questions like this during your C3PAO selection process so you wind up with a C3PAO aligned with both your compliance and your business requirements.
The single most useful audit-etiquette tip I took away from the conference came from hallway conversations rather than any one session. CMMC Assessors are explicitly prohibited from consulting with, coaching, or implementing solutions for a client they are actively assessing. Therefore, during an audit, if you are asked about a control that you neglected to implement (or perhaps forgot that you had already implemented), say these three sentences:
We don’t have the right person on the call.
Let’s circle back on this during hot wash.
We will provide you the control information then.
(About To Be) CMMC L2 Certified Organization