CMMC Compliance
CMMC 2.0 Compliant AI for Defense Contractors
Stepfault maps the exact boundary where Controlled Unclassified Information touches a model, then isolates that boundary so the CMMC 2.0 assessment scope does not expand to the entire enterprise. This containment is the single largest cost lever in a NIST SP 800-171 audit.
1. The scoping problem
Under the CMMC 2.0 final rule, any contractor handling CUI must implement all 110 controls in NIST SP 800-171 Rev 2 and pass a triennial C3PAO assessment. Letting AI tooling touch CUI without isolation can drag the entire enterprise into scope, adding hundreds of thousands of dollars in audit overhead.
2. How we contain scope
- Identify every point where CUI enters a model, prompt, retrieval index, or log
- Isolate inference and retrieval into a dedicated enclave inside the client VPC
- Block egress so CUI cannot transit to non-US-person-accessible systems (ITAR)
- Generate audit-ready evidence per handoff for the relevant 800-171 controls
3. Controls the architecture addresses
- Access Control (AC) — zero-trust agent and tool boundaries
- Audit & Accountability (AU) — OpenTelemetry handoff spans for replay
- System & Communications Protection (SC) — air-gapped network policy
- Configuration Management (CM) — pinned, signed container images