← Back to Blog
CMMCDefenseComplianceAuditData Security

Defense Industrial Base Audit Failure Patterns Point to the Same Data Controls

Lattix branded cover for Defense Industrial Base Audit Failure Patterns. /31 section number, 110 NIST 800-171 practices statistic, three recurring NOT MET findings highlighted, IBM Plex Mono on dark grid background, surgical yellow accent on the architectural pattern in a practice family strip.

The Cybersecurity Maturity Model Certification Phase 1 assessment data published through DoD CIO reports, the Defense Contract Management Agency audit summaries published through 2025 and into 2026, and the Government Accountability Office supply chain reports on Defense Industrial Base cyber posture converge on a consistent pattern. The same three to five control families produce the majority of NOT MET findings across contractor populations. The pattern is consistent because the failure is architectural, not procedural.

Three control families dominate the findings. SC.L2-3.13.11 on the use of FIPS-validated cryptography. MP.L2-3.8.9 on cryptographic protection of backup Controlled Unclassified Information. AC.L2-3.1.20 on controlling connections between external information systems and the contractor's internal systems. Adjacent findings against AU.L2-3.3.1 on the creation and retention of audit records and CM.L2-3.4.5 on access restrictions for change management round out the pattern. The five families cover roughly thirty percent of the assessable practices under NIST SP 800-171 and account for a disproportionate share of total findings.

Why the pattern is architectural

A NOT MET finding against SC.L2-3.13.11 occurs when the contractor cannot demonstrate that FIPS-validated cryptography is applied to CUI in motion and at rest across the in-scope environment. Contractors typically meet the standard for major repositories and miss against CUI in less-managed locations: file shares with informal access, email archives, backup storage, developer environments, third-party SaaS instances. The finding is not that the contractor lacks cryptographic capability. The finding is that the contractor cannot prove cryptographic enforcement across the CUI footprint.

A NOT MET finding against MP.L2-3.8.9 has the same shape. Backups are encrypted somewhere. Backups are not encrypted under FIPS-validated modules in every replication target. Backup key management is not unified across the backup population. The finding is the gap between the policy and the architectural coverage.

A NOT MET finding against AC.L2-3.1.20 reflects the difficulty of producing evidence for every external system connection in scope. Cloud SaaS instances that receive CUI. Subcontractor environments that touch CUI. Customer environments that exchange CUI with the contractor. The contractor produces contract clauses and shared responsibility documentation. The assessor asks for technical evidence of the access control between the contractor's systems and each external system. The evidence is fragmented across the systems involved.

The pattern across all three families is the same. The cryptographic and access control posture is correct in the abstract. The architectural footprint cannot produce evidence on demand across the CUI surface.

What data-centric architecture changes about the findings

A data-centric architecture in which CUI is wrapped as a policy-bound data object produces architectural evidence against each family simultaneously. The wrapped key on the object is the FIPS-validated cryptographic protection. The wrapped key persists across replication, so backup encryption is the same encryption as production encryption. The policy decision point that evaluates access claims is the same PEP whether the requesting principal is internal or external, so external system connections are governed under the same evidence chain as internal connections.

Lattix Technologies implements this pattern through attribute-based access control (ABAC) at the policy enforcement point under FIPS 140-3 validated cryptographic modules, post-quantum key encapsulation through ML-KEM-768 and ML-KEM-1024, and Merkle-tree lineage in tamper-evident audit storage. Each CUI data object carries its own encryption and policy. The architecture produces direct evidence against SC.L2-3.13.11, MP.L2-3.8.9, AC.L2-3.1.20, AU.L2-3.3.1, and CM.L2-3.4.5 from the same architectural primitives.

The change for the contractor is that the assessor's evidence request stops being a search across the CUI footprint and starts being a query against the lineage chain. The assessor asks for evidence of cryptographic protection of CUI in scope. The contractor produces the wrapping records over the CUI object set. The assessor asks for evidence of access decisions over CUI. The contractor produces the lineage chain over release events. The assessor asks for evidence of external system access. The contractor filters the lineage chain by external attribute claims.

Where Phase 2 enforcement applies the pattern

CMMC Phase 2 begins November 10, 2026, with C3PAO certification becoming the contract gate for any solicitation involving CUI at Level 2. Phase 1 self-attestation ends. The assessor population grows. The audit cadence accelerates. The same five control families that dominated Phase 1 findings will dominate early Phase 2 findings.

Contractors that approach Phase 2 with the same architectural posture they had in Phase 1 will produce the same audit findings. Contractors that move to data-centric architecture between now and the November 10 enforcement date will arrive at Phase 2 assessments with evidence that the architecture produces by construction, not evidence that the contractor compiled for the audit.

The decision window is narrowing. Architectural change to data-centric protection of CUI takes longer than the 169 days between this post's publish date and November 10 for most contractors. The work that finishes by Q3 2026 produces clean Phase 2 outcomes. The work that does not finish produces the same findings against the same five families.

What contractors should be doing in the next 90 days

Three operational priorities matter for contractors holding active or near-term CUI obligations.

The first is the CUI footprint inventory. Where is CUI stored. Where is CUI replicated. Where does CUI flow to external systems. Which subcontractors handle CUI. The inventory deliverable bounds the architectural scope and is the input to every other compliance activity.

The second is the architectural decision against the five recurring control families. Contractors operating with cryptography distributed across systems face migration cost proportional to the system population. Contractors operating with centralized policy-bound data architecture face migration cost proportional to the policy enforcement point infrastructure. The decision in 2026 determines the Phase 2 assessment outcome.

The third is the lineage and audit instrumentation. Logs scattered across application servers, database engines, and network appliances do not meet AU.L2-3.3.1's evidence expectations under Phase 2 scrutiny. A consolidated, cryptographically anchored lineage chain does.

How the architecture aligns with the broader policy direction

NIST SP 800-171 and the underlying NIST SP 800-53 control catalog, the DoD CMMC framework, the Federal Acquisition Regulation cybersecurity clauses under DFARS, and the broader supply chain security direction articulated through CISA all converge on the same architectural pattern. Data-centric enforcement produces evidence against the controls those frameworks share. Identity- and network-centric enforcement produces process evidence that audits increasingly do not accept as architectural proof.

The investment in data-centric architecture for CMMC Phase 2 compounds across the DIB compliance portfolio. The architectural decision in 2026 is one decision against multiple regulatory regimes.

References

← Back to Blog