Any file that contains export-controlled specs, design schematics, or technical data related to DoD contracts can be considered Controlled Unclassified Information (CUI). These files must be stored and shared only within CMMC-compliant environments like GCC High or Azure Government. Access should be limited to authorized personnel—often U.S. persons if ITAR applies. Encryption, access logging, and physical security measures (such as file vaulting for hard copies) are also required to demonstrate full compliance.

Yes. If you’re handling blueprints, material specs, or subcontracted engineering documents under a prime contract that involves CUI, those files fall within your CMMC scope. Even if the prime owns the original data, your role in storing, transmitting, or modifying the data means you must protect it to the same standard. Flow-down rules under DFARS 252.204-7012 apply whether you’re a general contractor or a subcontractor.

For companies managing Building Information Modeling (BIM) workflows that involve CUI, Microsoft GCC High, Azure Government, and Azure Virtual Desktop are the most secure and compliant hosting environments.

Commercial cloud platforms do not meet FedRAMP Moderate or ITAR compliance requirements.

We help AEC firms migrate data and workflows, including BIM models and CAD files, into these compliant environments while ensuring performance and usability are preserved.

Cross-cloud collaboration between GCC, GCC High, and commercial tenants is limited. Unified global address list sync is not supported across sovereign clouds, and certain Teams features like file co-authoring or external invites may not work as expected. Summit 7 supports secure collaboration using B2B guest access and dynamic group membership—but strict governance is required to prevent compliance violations during cross-tenant sharing.

No—if you’re storing or transmitting CUI. Commercial cloud platforms like Dropbox or standard Microsoft 365 do not meet FedRAMP Moderate or ITAR requirements. Contractors must use environments such as GCC High or AWS GovCloud, which are specifically authorized to handle CUI. Using non-compliant services—even briefly—can result in audit failure or a breach of contract with the DoD or prime contractors.

The best approach is to create a separate enclave for CUI-handling teams. This enclave includes dedicated systems, user accounts, file repositories, and access policies. Rather than trying to retrofit compliance across your entire firm, isolating CUI users into a dedicated environment allows you to maintain operational efficiency while meeting all CMMC Level 2 requirements. Summit 7 specializes in this scoped enclave strategy.

Yes, if they process, store, or transmit CUI from a people, facility, or technology perspective.

All subcontractors must be CMMC Level 2 certified (or in the process) if they handle controlled unclassified data. This includes architecture firms, civil engineers, structural analysts, and others supporting federal construction projects. Many primes are already requiring CMMC certification as a prerequisite for teaming, even ahead of formal DoD enforcement.

Subcontractors must only upload files through secure portals hosted in FedRAMP-authorized environments (like GCC High or Azure Government). You should avoid shared commercial platforms. Summit 7 recommends enforcing access control policies, maintaining a control responsibility matrix, and ensuring all file uploads are logged and monitored. Flow-down language in contracts must also hold subs accountable for their data handling practices.

Yes. Physical environments used to process or store CUI—whether permanent or mobile—must meet NIST SP 800-171 physical protection controls. This includes badge access, locked storage for printed documents, surveillance, and visitor logs. A common failure point is treating construction trailers or field offices as out-of-scope, when in fact they must be assessed and secured like any other part of the enclave.