RackTop Systems
Federal & Defense

CUI lives in files. Protect it there.

Controlled Unclassified Information is overwhelmingly unstructured — drawings, specs, contract documents on file shares. CMMC assessments increasingly come down to whether you can control and account for those files.

RackTop SystemsJune 30, 20262 min read

Key takeaways

  • CUI is mostly unstructured file data, and it concentrates on shares and NAS.
  • NIST 800-171 controls map directly to file-level access enforcement and audit.
  • Platforms with built-in enforcement turn assessment evidence from a project into a report.

Strip the acronyms away and CMMC compliance is largely a question about files. Controlled Unclassified Information in the defense industrial base is technical drawings, specifications, contract deliverables, test data — documents that live on file shares, get copied into project folders, and accumulate for the life of a program. The NIST 800-171 control families behind CMMC — access control, audit and accountability, media protection, incident response — all land, in practice, on how those files are governed.

Where assessments get uncomfortable

The hard questions in an assessment are rarely about policy documents. They are operational: show that only authorized identities can reach CUI, that access is limited to need, that you can produce an audit trail of who accessed what, and that you would detect and respond to unauthorized access. Static share permissions and a native audit log strain under those questions, especially when programs share infrastructure and people rotate across contracts.

Attribute-based access control changes the shape of the answer. When policy is evaluated per operation — clearance, program, citizenship, device, context — the same storage can hold multiple programs with enforced separation, and the enforcement itself generates the evidence: an immutable, per-operation record of every access decision.

Beyond the checkbox

The deeper point is that the adversary CMMC exists to frustrate is not the assessor. Nation-state collection against the defense supply chain targets exactly this data, often with valid credentials and patience. Controls that only satisfy the paperwork do not change that outcome; behavioral detection and per-operation enforcement on the CUI itself do. Contractors that build to the threat, rather than to the checklist, tend to find the checklist takes care of itself.

See data-layer defense in action

A 30-minute demo shows Active Defense stopping an attack inline, immutable recovery, and surgical rollback — mapped to your environment.

Protecting CUI on File Shares: CMMC and NIST 800-171 | RackTop Systems