TL;DR: CMMC is aimed at unclassified government data that still requires protection, especially Controlled Unclassified Information, rather than classified material, according to Secureframe. The practical issue is scope: defence contractors must know what data they handle, where it lives, and which systems actually need safeguards.
NHIMG editorial — based on content published by Secureframe: Classified vs. Unclassified Data: Understanding the Government Data Hierarchy and Where CMMC Fits
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: What breaks when organisations treat all unclassified data the same under CMMC?
A: They either under-scope and miss CUI protections, or over-scope and burden the whole environment with unnecessary controls.
Q: Why does CUI create access governance problems for defence contractors?
A: Because CUI usually lives in commercial systems where many identities can touch it, including users, service accounts, and integrations.
Q: What do security teams get wrong about enclaves for CMMC?
A: They often treat an enclave as a documentation exercise instead of a control boundary.
Practitioner guidance
- Define the CUI boundary explicitly Create a system and data inventory that shows where CUI is stored, processed, transmitted, and backed up, then link each location to an accountable owner and assessor-ready evidence set.
- Map human and non-human access to CUI Review user roles, service accounts, API integrations, and automation paths that can reach CUI, then remove access that is not justified by contract scope or operational need.
- Use enclaves only with enforced identity controls If you reduce scope with an enclave, require strong authentication, logging, segmented connectivity, and offboarding for every identity that can enter or manage it.
What's in the full article
Secureframe's full article covers the operational detail this post intentionally leaves for the source:
- The article’s plain-language breakdown of each data category and the examples contractors are most likely to encounter.
- The detailed comparison of CUI, CDI, FCI, and classified information and how those labels affect scope decisions.
- The explanation of how enclaves can reduce assessment scope when CUI is concentrated in a limited part of the environment.
- The article’s CMMC and NIST 800-171 mapping context for contractors preparing for assessment.
👉 Read Secureframe's guide to classified vs unclassified data and CMMC scope →
CMMC and unclassified government data: where does the real risk sit?
Explore further
CUI scoping is an identity governance problem before it is a compliance problem: the article is right to frame CMMC around where data lives, but the deeper issue is who and what can reach it. Humans, service accounts, and integration identities all expand scope when their permissions are not tied to data classification. In practice, CMMC readiness depends on identity lifecycle discipline as much as document handling.
A question worth separating out:
Q: Who is accountable when CMMC scope decisions are wrong?
A: Accountability sits with the organisation’s compliance leadership and the Affirming Official who signs the determination, especially when the decision affects assessment scope or contract eligibility. That is why scope changes need documented review, change control, and evidence that the final decision was made against current system reality.
👉 Read our full editorial: Classified vs unclassified data: what CMMC really protects