Potentially, but it depends on what they access.

If these vendors are exposed to CUI (drawings, specs, part numbers, etc.), they fall in scope under your CMMC obligations and would be required to hold the same CMMC certification level as you.

Even if they only perform services like heat treating, the flow of controlled data must be considered.

If CUI is shared, the vendor must either be part of your CMMC enclave or independently certified at the appropriate level.

Supply chain risk management and flow-down enforcement are critical.

ERP systems are only out of scope if they truly don’t process, store, or transmit CUI. If the ERP links to CUI documents but does not hold them, it may be excluded. However, if it contains technical data (e.g., part specs or export-controlled details), even if not explicitly labeled, it is considered in scope. Misclassifying ERP systems is a common pitfall, and assessors will scrutinize these connections. Always validate with a proper CUI scoping engagement before excluding systems.

You must enforce strict control of all CUI shared externally. This includes encrypting files in transit and at rest, using FedRAMP-authorized platforms, and ensuring access is limited to U.S. persons if ITAR applies. Additionally, you must include CMMC flow-down language in contracts, verify your subcontractors’ compliance posture, and maintain records of what data was shared and when. Without proper control, even a well-meaning subcontractor can create significant compliance risk.

Azure Government does support CAD/CAM software inside of an Azure Virtual Desktop (from an enclave perspective) which allows you to have internal and external collaboration by granting access to the virtual desktop.

It's important to note that Microsoft GCC High is FedRAMP High and ITAR compliant, but not all commercial plug-ins or automation tools will work as expected. Careful planning is needed to ensure compatibility. File storage, version control, and identity management are handled securely, but native support for high-end CAD collaboration tools should be tested and validated early.

Yes, but you’ll need to implement compensating controls.

Legacy systems often lack native support for modern logging, access control, or patching.

You’ll need to isolate them within the enclave, restrict network access, monitor their activity with external tools, and document any gaps along with how they’re mitigated.

Start with a narrow, scoped enclave that only includes systems and personnel who handle CUI. This allows you to protect critical data without overhauling your entire infrastructure. Summit 7 specializes in building these right-sized enclaves, often using Microsoft GCC High or Azure GovCloud environments to create isolated and compliant workspaces. Proper scoping prevents overinvestment and ensures clarity during assessments.

Yes, frequently. ITAR governs the control of defense-related technical data, and that data is almost always classified as CUI. If you handle ITAR-controlled content, you must comply with both ITAR personnel restrictions (U.S. persons only) and CMMC Level 2 requirements for handling CUI. ITAR violations carry severe penalties—including criminal charges—so your CMMC strategy must be aligned with export control compliance from day one.