25 For years, defense suppliers treated the Cybersecurity Maturity Model Certification (CMMC) as something coming later. That window has closed. The final rules are in force, and certification is becoming a condition of winning and keeping Department of Defense work. If your firm handles Controlled Unclassified Information (CUI), the storage that holds it is squarely in scope, and a gap there can put a contract at risk. This guide is for the person who owns that storage. It explains what CMMC actually certifies, how the levels change what your storage must do, the specific controls that apply to data at rest, how to scope a CUI enclave so an assessment stays affordable, and what to do given the phased rollout running through 2028. It is educational and vendor-neutral, written to help you decide rather than to sell you anything. What CMMC is, and why it now matters CMMC is the Department of Defense program that verifies contractors in the Defense Industrial Base (DIB) are actually protecting the sensitive information they handle. It rests on two familiar foundations: the basic safeguarding requirements in FAR 52.204-21 for Federal Contract Information (FCI), and the 110 security requirements of NIST Special Publication 800-171 for CUI. The most sensitive tier reaches into NIST SP 800-172. What changed is enforcement. The CMMC program rule (32 CFR Part 170) took effect in December 2024, and the acquisition rule that puts the CMMC clause into contracts (the DFARS rule, clause 252.204-7021) took effect on November 10, 2025. Through a four-phase rollout, a CMMC level becomes a condition of award on applicable solicitations. In other words, this is now contractual language, not guidance. (Recent federal materials refer to the Department of War alongside the Department of Defense; this guide uses DoD as the familiar term.) FCI versus CUI The distinction drives everything. FCI is information provided by or generated for the government under a contract that is not intended for public release. CUI is a broader, more sensitive category, including much of the technical data, drawings, and specifications defense suppliers work with every day. Handling only FCI points you toward the lowest level. Handling CUI, which most suppliers do, raises the bar considerably. The three CMMC levels and what they ask of storage CMMC defines three levels, scaled to the sensitivity of the data and the threats it faces. Level 1 (Foundational) covers contractors that handle FCI but not CUI. It requires the 15 basic safeguarding practices from FAR 52.204-21 and allows annual self-assessment. For storage, this is fundamental hygiene: control who has access, protect the systems, and manage credentials. Level 2 (Advanced) is where most defense suppliers land. It maps to the 110 requirements of NIST SP 800-171 and applies to CUI. Depending on the contract, it is met through self-assessment or a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO). This is the level whose storage requirements deserve the most attention, and the focus of the rest of this guide. Level 3 (Expert) is for the most critical CUI facing advanced persistent threats. It layers additional requirements from NIST SP 800-172 on top of Level 2 and involves a government-led assessment. Fewer firms need it, but those that do face the strictest expectations on data protection and recovery. The pattern is simple: the higher the level, the more rigorous the demands on the storage that holds the data. Does storage have to be “CMMC certified”? This is the point most vendors get wrong, so it is worth stating plainly. CMMC certifies your assessment scope, meaning your environment and the boundary you define around it. It does not certify a storage product on its own. There is no such thing as a “CMMC certified” storage array you can buy to check the box. What matters is whether the storage that stores, processes, or transmits CUI implements the required controls and can produce evidence that it does. Any storage that touches CUI is in scope. That single fact turns storage architecture into a compliance decision, because where you let CUI live determines how much of your estate an assessor has to review. Which leads to the most useful idea in this whole guide: the CUI enclave. Rather than letting CUI spread across every server, share, and laptop, high-performing DIB firms concentrate it in a defined, access-controlled boundary. Do that well and the assessment gets smaller, the evidence gets cleaner, and the risk of a costly finding drops. The storage-relevant CMMC and NIST 800-171 controls You do not need to memorize all 110 requirements to make good storage decisions. A handful of control families do most of the work where data at rest is concerned. FIPS-validated encryption of CUI, at rest and in transit NIST 800-171 and CMMC require that cryptography protecting the confidentiality of CUI be FIPS-validated (this is control 03.13.11, previously written 3.13.11). The nuance that trips people up: the requirement is a cryptographic module validated under the NIST Cryptographic Module Validation Program (CMVP), with an active certificate. Using a strong algorithm like AES-256 is not the same as using a validated module. Ask specifically whether the storage uses a FIPS 140-3 validated module, and note that the government is completing the move from FIPS 140-2 to 140-3. Access control, multi-factor authentication, and least privilege CUI storage must limit access to authorized users and processes, enforce multi-factor authentication for privileged and remote access, and apply least privilege down to the level of shares, buckets, and objects. The goal is that only the people and systems that must reach CUI can, and that every one of them is accounted for. Media protection 800-171 has a full family devoted to media, and storage sits right in it. That means marking CUI media, controlling and sanitizing it, protecting it during transport, and, importantly, protecting backups on and off site with FIPS-validated encryption. Backups of CUI are still CUI. Audit and accountability You must be able to show who accessed CUI, when, and from where, and your logs must resist tampering. Storage that produces complete, exportable audit records and feeds them to your monitoring tools makes this control far easier to satisfy and to prove. Integrity and recovery Protecting CUI is not only about keeping it secret; it is about keeping it intact and recoverable. Guidance increasingly treats recoverability as a security concern, which means immutable or air-gapped backups that survive a ransomware event are a real part of a defensible posture, not a nice-to-have. Scoping a CUI enclave to make CMMC affordable Because everything that touches CUI is in scope, architecture is the biggest lever you have on the cost and difficulty of certification. Spread CUI everywhere and your entire environment becomes the assessment boundary. Concentrate it and you shrink the problem. A consolidated, access-controlled storage enclave for CUI does several things at once. It keeps the assessed boundary tight, so an assessor reviews less. It centralizes the controls (encryption, access, logging) so the evidence is consistent. And it reduces the chance that CUI leaks into a system that was never hardened for it. For most suppliers, deciding where CUI is allowed to live is the highest-leverage early move in a CMMC program. On-premises, government cloud, or private cloud: choosing where CUI lives There is no single right home for CUI. Many DIB firms deliberately keep it on-premises or in a controlled private environment, both for maximum control and because they will not place sensitive technical data in general commercial cloud. Others adopt a government community cloud offering built for CUI. Each path can meet CMMC as long as the controls and evidence are in place. Two constraints should shape the decision. First, data residency and access: CUI generally needs to stay on US soil with access limited to authorized personnel. Second, and often overlooked, much defense technical data also carries ITAR obligations, which restrict access to US persons. That overlap frequently pushes firms toward architectures where they retain tight control over exactly who and what can reach the data. The deployment model is a control and sovereignty decision as much as a cost one. What to do now, by rollout phase The rollout is phased, and timing your work to it avoids both panic and complacency. Through the first phase, which runs from November 2025 into November 2026, self-assessment requirements begin appearing in applicable solicitations, and contracting officers may require third-party assessment. The practical goal now is a genuine Level 2 posture and a defensible score, not a paper exercise. From November 2026, the second phase makes C3PAO Level 2 certification mandatory for applicable contracts involving CUI. Assessment capacity is finite and lead times are real, so firms that wait until they need the certificate to start will be too late. Later phases introduce Level 3 and move toward full implementation by 2028. The message for a storage owner is straightforward: the controls you put in place now are the ones an assessor will examine, so build for the assessment you will face, not the self-attestation you can get away with today. A checklist for storage in a CMMC environment Use this as a quick screen: FIPS 140-3 CMVP-validated encryption for CUI at rest and in transit (ask for the certificate) Multi-factor authentication and role-based access control on every CUI store Media protection: marking, controlled handling, sanitization, and encrypted backups on and off site Immutable or air-gapped backups that can survive and recover from ransomware Complete, tamper-resistant audit logs that export to your monitoring tools A defined CUI enclave that keeps the assessment boundary tight Data-residency controls and US-persons access where ITAR applies Putting it together CMMC compliant storage comes down to a few disciplined choices. Concentrate CUI in a defined enclave so your scope stays small. Encrypt it with a validated module, not just a strong algorithm. Protect and be able to recover your backups. Keep access tight and your logs complete. Then choose the deployment model, on-premises, government cloud, or private cloud, that matches your control, cost, and sovereignty needs. And hold on to the one idea that cuts through the vendor noise: storage is not “CMMC certified” on its own. It is in-scope infrastructure inside the boundary you get certified. Design that boundary well and the storage decisions get much easier. Frequently asked questions Is storage CMMC certified? No. CMMC certifies a contractor’s assessed environment and its scope, not an individual storage product. Storage is in scope when it stores, processes, or transmits CUI, and it must implement the required controls. What CMMC level do defense contractors need? It depends on the data. Firms handling only FCI generally need Level 1; those handling CUI, which is most suppliers, need Level 2; the most sensitive critical-CUI programs may require Level 3. Does CMMC require FIPS-validated encryption for CUI at rest? Yes. NIST 800-171 and CMMC require FIPS-validated cryptography to protect CUI, meaning a NIST CMVP-validated module with an active certificate. Confirm FIPS 140-3 validation specifically. Can on-premises storage meet CMMC Level 2? Yes. Compliance is about meeting the controls and producing evidence, not about being in a particular cloud. Many DIB firms keep CUI on-premises or in a controlled private environment for exactly this reason. What is a CUI enclave and why does it matter for storage? A CUI enclave is a defined, access-controlled boundary where CUI is allowed to live. Concentrating CUI there keeps your CMMC assessment scope small, your controls consistent, and your costs and risk down. Further reading (educational): a primer on FIPS 140 validated encryption, our guide to FedRAMP compliant object storage for cloud services, and how immutable, air-gapped storage supports recovery. For the authoritative program details, see the DoD CIO CMMC resources.