By Melissa McCoy, Chief Information & Security Officer – CISSP-ISSAP, CCSP, RP
Protecting CUI Under CMMC Level 2
In this installment, Locking Down the Network: CMMC Level 2 in Action, we look at a key component of Cybersecurity Maturity Model Certification (CMMC) Level 2: protecting Controlled Unclassified Information (CUI) as it traverses networks. The System and Communications Protection (SC) domain, drawn from NIST SP 800-171, addresses this by mandating robust network security controls. The core principle is to protect the confidentiality of CUI both at rest and in transit, which in practice means encryption, and under CMMC that encryption must come from FIPS-validated cryptographic modules (SC.L2-3.13.11); a VPN or TLS tunnel built on a module that has not been validated does not satisfy the requirement. This includes encrypting CUI sent over internal networks unless it is protected by alternative physical safeguards, and securing all remote access with a solution such as a Virtual Private Network (VPN). A critical, often overlooked control is SC.L2-3.13.6: the network must deny all communications traffic by default and allow only approved services and protocols by exception, inbound and outbound alike, with each exception documented so it can be shown to an assessor. This “deny-all, permit-by-exception” approach significantly reduces an organization’s attack surface and is a fundamental pillar of a secure network architecture.
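As an added illustration (not from the original post or its author), the following nftables ruleset shows what deny-all, permit-by-exception looks like on a Linux gateway sitting between a CUI enclave, the corporate LAN and a remote-access VPN. The subnets, interface names, hosts and permitted ports are assumptions made for the example; in a real deployment every `accept` line corresponds to an entry on the organization’s approved-services list.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny gateway for a CUI enclave.
# All addresses, interfaces and ports below are assumed for illustration.
flush ruleset

define CUI_NET    = 10.20.0.0/24   # enclave subnet (assumed)
define CUI_IF     = "eth1"         # interface facing the enclave (assumed)
define WAN_IF     = "eth0"         # outside interface (assumed)
define VPN_IF     = "wg0"          # remote-access VPN tunnel interface (assumed)
define FILE_SRV   = 10.20.0.20     # enclave file server (assumed)
define DNS_SRV    = 10.30.0.53     # approved internal resolver (assumed)
define LOG_SRV    = 10.30.0.30     # syslog-over-TLS collector (assumed)
define ADMIN_HOST = 10.20.0.10     # approved management workstation (assumed)

table inet cui_gateway {
    chain input {
        # policy drop = deny-all; each accept below is a documented exception
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Exception: SSH to the gateway only from the management workstation
        iifname $CUI_IF ip saddr $ADMIN_HOST tcp dport 22 accept

        # Exception: VPN handshakes arriving on the outside interface
        iifname $WAN_IF udp dport 51820 accept

        # Anything else falls through to the default deny; log it for the SIEM
        limit rate 5/minute log prefix "cui-gw deny-in: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Exception: authenticated VPN users may reach the file server on HTTPS/SMB
        iifname $VPN_IF oifname $CUI_IF ip daddr $FILE_SRV tcp dport { 443, 445 } accept

        # Exception: enclave hosts may query the approved internal resolver
        iifname $CUI_IF ip saddr $CUI_NET ip daddr $DNS_SRV udp dport 53 accept

        # Egress is deny-by-default too: no direct Internet access from the enclave
        limit rate 5/minute log prefix "cui-gw deny-fwd: "
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # Exception: the gateway itself may use the resolver and ship its logs
        ip daddr $DNS_SRV udp dport 53 accept
        ip daddr $LOG_SRV tcp dport 6514 accept

        limit rate 5/minute log prefix "cui-gw deny-out: "
    }
}
```

Check the syntax without loading it with `nft -c -f cui_gateway.nft`, then load it with `nft -f cui_gateway.nft`. The rate-limited `log` rules at the end of each chain matter as much as the `policy drop` lines: they turn the default deny into an audit trail, and `nft list ruleset` output plus those log entries are the kind of evidence an assessor asks for when verifying the deny-by-default practice.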
Securing Wireless Access Points
The CMMC framework also places a strong emphasis on securing wireless access (AC.L2-3.1.16 and AC.L2-3.1.17). A single unsecured Wi-Fi network can be a backdoor for an attacker to reach your entire internal network and the CUI it contains without ever entering the building. To meet CMMC requirements, wireless access points must be protected with both strong authentication and encryption. This means moving beyond a passphrase shared by everyone to Wi-Fi Protected Access 3 (WPA3) in Enterprise mode, which authenticates each user or device individually over 802.1X/EAP against a RADIUS server and requires Protected Management Frames. One caveat matters in practice: clients must be configured to validate the RADIUS server’s certificate, otherwise a rogue access point broadcasting the same SSID can harvest user credentials and the stronger protocol buys little. Additionally, contractors must establish a formal policy for wireless usage, including the authorization process for company devices, whether personal devices are permitted on a separate guest network that is segmented from the CUI environment, and the controls in place (such as certificate-based device authentication) to ensure that only approved devices can connect to the secure network. These combined controls build a resilient defense against threats, whether they originate inside or outside the physical office.
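As an added illustration (not from the original post or its author), here is what the move from a shared passphrase to WPA3-Enterprise looks like in a hostapd configuration. The SSID, interface, RADIUS address and shared secret are placeholders assumed for the example.

```ini
# hostapd.conf: WPA3-Enterprise access point (added example; values assumed)
interface=wlan0
ssid=Corp-CUI
hw_mode=a
channel=36

# RSN with 802.1X/EAP: every client authenticates as an individual identity
wpa=2
ieee8021x=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP

# Protected Management Frames required (mandatory for WPA3); stops
# unauthenticated deauthentication/disassociation attacks
ieee80211w=2

# Authentication is delegated to the corporate RADIUS server (assumed address)
own_ip_addr=10.20.0.41
nas_identifier=ap01.example.internal
auth_server_addr=10.20.0.40
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-secret

# Lines that must NOT survive from the old shared-passphrase config:
#   wpa_key_mgmt=WPA-PSK          one secret for everyone, no per-user identity
#   wpa_passphrase=...            cannot be revoked for one person without re-keying all
#   ieee80211w=1                  PMF optional, so management frames stay forgeable
```

The access point is only half of the control. On the client side, the wpa_supplicant network block (or the equivalent Windows/macOS profile) must pin the RADIUS server’s issuing CA with `ca_cert=` and restrict the accepted server name with `domain_match=`; without that, a supplicant will happily complete EAP with any access point that announces the same SSID, which is exactly the rogue-AP credential harvest the paragraph above warns about. Device authorization is then enforced by having RADIUS accept only machine certificates issued to managed endpoints.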
Strengthening Network Security for Lasting Compliance
Securing your network isn’t just a technical requirement; it is one of the most impactful steps you can take toward achieving and sustaining CMMC Level 2 compliance. By encrypting CUI in transit and at rest, enforcing a deny-by-default architecture, and implementing strong wireless security policies, organizations dramatically reduce the likelihood of unauthorized access or accidental exposure. These are not one-time fixes but ongoing practices that harden the environment against evolving threats. As contractors continue navigating the complexities of CMMC, a disciplined approach to network security will remain a foundational element of both compliance and true operational resilience.
Consistent CISO Guidance for Compliance
Melissa McCoy of Kaizen Approach, Inc. shares biweekly insights to help your organization take a smarter, more confident path toward CMMC compliance. Like and share the CISO Perspectives blog to help us continue improving the IC’s security posture.