CMMC compliance and the critical role of MDM-style USB control in protecting CUI
Nov 3, 2025
CMMC compliance is now mandatory for companies handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). The new 48 CFR rules require organizations to demonstrate effective data security practices. In air-gapped environments, USB encryption and strict data control are essential to maintaining compliance and protecting CUI.
Regulatory updates
The U.S. Department of Defense has replaced the 32 CFR with the 48 CFR rules governing CMMC compliance, establishing a new enforcement framework for defense contractors. This change marks the beginning of a stronger, more enforceable compliance regime that requires organizations to validate controls and close any gaps to meet federal standards.
This transition represents a fundamental shift: CMMC is no longer aspirational. Compliance is now a measurable, enforceable requirement directly tied to contract eligibility.
The state of CMMC: what changed and why it matters
CMMC, or Cybersecurity Maturity Model Certification, isn’t new, but it’s now urgent. After years of uncertainty, the Department of Defense has finalized its updates through the 48 CFR, moving CMMC enforcement into reality. The rule’s publication started a short countdown to compliance, giving organizations limited time to align with requirements.
At its core, CMMC is proof that companies are meeting the standards outlined in NIST 800-171: protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). For organizations managing higher sensitivity programs, NIST 800-172 adds an additional layer of enhanced security requirements designed to protect CUI against advanced persistent threats (APTs). It’s not just about having policies in place; it’s about demonstrating control. FCI falls under Level 1 (self-assessment), while CUI requires compliance at Levels 2 and 3, verified through third-party or government audits. It’s important to note that Level 3 requirements extend beyond NIST 800-171 and align more closely with the enhanced protections defined in NIST 800-172.
CMMC assessment levels
- Level 1: Self-assessment (for FCI)
- Level 2: Third-party assessment (C3PAO required)
- Level 3: Government assessment (performed by DIBCAC)
The level requirement depends on the specific Department of Defense (DoD) contract. For primes and subs alike, compliance is now part of the cost of doing business.
Why CUI protection is more complex than you think
Controlled Unclassified Information (CUI) is the engineering, design, or project data that underpins government manufacturing and defense. Unlike most industries, many Defense Industrial Base (DIB) organizations operate in air-gapped environments to isolate critical systems from the internet, which means they still depend heavily on USB drives to move data between workstations, manufacturing tools, and partners.
Simply disabling USB ports isn’t an option. These organizations need the ability to transfer data securely while ensuring that CUI never leaves the controlled environment unencrypted or unauthorized.
Key definitions and requirements
- CUI (Controlled Unclassified Information): Sensitive engineering or project data that supports government or defense programs.
- FCI (Federal Contract Information): Data about government contracts that must be safeguarded.
- Encryption requirement: All CUI on USB drives must use FIPS-validated encryption, typically the AES-256 standard.
- Auditing: CMMC is proof-based, not trust-based. Companies must demonstrate compliance through assessments and evidence.
Rethinking MDM: managing USBs like mobile devices
Netwrix’s approach treats removable media with the same discipline applied to mobile devices. Netwrix Endpoint Protector functions as an MDM for USB drives, enforcing encryption, monitoring data movement, and providing centralized remote management. Administrators can automatically enforce encryption when a USB drive is connected, store decryption keys separately from the device, and revoke access instantly by disabling key availability. Because the key never lives on the media, this separation enables true MDM-style control even while the physical USB drive remains in the field: the data cannot be decrypted or exfiltrated without authorization. Administrators can also apply granular policies by user or device trust level and remotely wipe USB drives even when they are offsite.
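To make the key-separation model concrete, here is an added Go example (not Netwrix code and not the Endpoint Protector API): a constructed central key service holds every AES-256-GCM data key, the stick carries only a key ID and the sealed blob, and revoking the key ID is enough to make media still in the field unreadable, while an audit trail records each write, read, revoke and denial. The key IDs, user names and sample data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyService is a constructed stand-in for the central key store (not the vendor's
// API): data keys live only here, and Audit mimics the file-tracing event log.
type KeyService struct {
	keys  map[string][]byte
	Audit []string
}

func NewKeyService() *KeyService { return &KeyService{keys: map[string][]byte{}} }

// aead builds AES-256-GCM; the key length is fixed at 32 bytes, so setup cannot fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Encrypt seals data under a fresh AES-256 key kept only by the service and returns the
// stick blob (nonce||ciphertext); the key ID is bound as additional authenticated data.
func (s *KeyService) Encrypt(keyID, user string, plaintext []byte) []byte {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key) // crypto/rand.Read does not fail on supported platforms
	rand.Read(nonce)
	s.keys[keyID] = key
	s.Audit = append(s.Audit, "WRITE key="+keyID+" user="+user)
	return aead(key).Seal(nonce, nonce, plaintext, []byte(keyID))
}

// Revoke disables key availability: the stick may stay in the field but is now unreadable.
func (s *KeyService) Revoke(keyID string) { delete(s.keys, keyID); s.Audit = append(s.Audit, "REVOKE key="+keyID) }

// Decrypt releases plaintext only while the service still holds the key for keyID.
func (s *KeyService) Decrypt(keyID, user string, blob []byte) ([]byte, error) {
	key, ok := s.keys[keyID]
	if !ok || len(blob) < 12 {
		s.Audit = append(s.Audit, "DENY key="+keyID+" user="+user)
		return nil, errors.New("key unavailable: unknown or revoked key ID")
	}
	s.Audit = append(s.Audit, "READ key="+keyID+" user="+user)
	return aead(key).Open(nil, blob[:12], blob[12:], []byte(keyID))
}
```

The stick itself only ever holds the key ID and the blob, so an attacker who copies the media offline gets ciphertext plus a 16-byte GCM tag and nothing that can decrypt it.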
This unified approach allows organizations to maintain productivity while ensuring compliance and control, especially in air-gapped environments where traditional data transfer methods are limited. Beyond encryption, it delivers complete control, visibility, and proof of compliance.
Netwrix Endpoint Protector provides:
- File tracing and shadowing: Full visibility into what data is written to or retrieved from any USB drive.
- Content-aware protection: Policies that detect and block specific CUI types or metadata.
- Media sanitization: Remote purge and overwrite aligned with NIST 800-88 standards.
- Integration with SIEM tools: Centralized monitoring of device activity across environments.
Together, these capabilities help organizations close some of the hardest CMMC gaps, such as access control, encryption enforcement, multifactor authentication alignment, and data sanitization.
The bigger picture: securing data through identity
Endpoint protection is one piece of the puzzle. For full CMMC alignment, organizations also need visibility into how data moves and who has access to it. That’s where Netwrix Data Security Posture Management (DSPM) complements Netwrix Endpoint Protector, helping identify risks, monitor permissions, and detect data movement across hybrid environments.
Data security starts with identity, and CMMC reinforces that principle. Whether managing USB encryption or enforcing least privilege, the goal is the same: protecting the right data from leaving the right hands.
About the author
Chris Roney
Account Executive
Chris Roney is the Account Executive at Netwrix, with nearly 5 years of experience in sales leadership roles. He has excelled in driving strategic sales initiatives, managing key accounts, and leading teams to success. Chris's background includes roles such as Director of Sales and Senior Account Executive, where he specialized in data loss prevention software and managing sales territories across the U.S. and Canada.