Learn about AI Tools and CMMC Compliance, security requirements for AI, cloud-based AI Tools, NDAA FY2026 Section 1513 AI framework and more, through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.
Table of Contents
Does CMMC prohibit OSCs from using AI tools?
CMMC Level 2, governed by 32 CFR Part 170 and grounded in the 110 security requirements of NIST SP 800-171 Rev 2, does not prohibit AI tools, it requires that any system processing, storing, or transmitting Controlled Unclassified Information (CUI) meets all applicable controls regardless of what type of technology it is. AI tools are subject to the same access control, audit logging, encryption, and boundary requirements as any other system in scope. An AI tool that never touches CUI sits outside the assessment boundary and requires no special treatment. An AI tool that does touch CUI must comply fully.
Can an OSC submit CUI to a commercial AI platform such as ChatGPT, Microsoft Copilot outside GCC High, or similar tools?
Submitting CUI to a commercial AI platform that processes data on third-party infrastructure outside the OSC’s assessment boundary is a violation of DFARS clause 252.204-7012 and directly compromises CMMC Level 2 certification. Under NIST SP 800-171 Rev 2, controls including 3.1.1 (authorized access), 3.3.1 (audit logging), 3.13.1 (boundary protection), and 3.13.8 (encryption in transit) must be demonstrably met for any system handling CUI. A commercial AI platform operated by a third-party vendor does not satisfy these controls from the OSC’s compliance position. Loss of certification eligibility, contract suspension, and civil liability under the False Claims Act are all potential consequences of this exposure.
Where can OSCs use commercial AI tools without triggering CMMC compliance obligations?
Commercial AI tools can be used freely in CMMC compliance workflows that do not involve CUI, including drafting SSP language from scratch, mapping NIST SP 800-171 Rev 2 controls, building POA&M templates, writing security policies, and preparing evidence structures before populating them with actual system data. None of this activity introduces CUI into the AI system, so no CMMC boundary controls apply. Many OSCs use commercial AI tools in exactly this way to reduce documentation burden and accelerate assessment readiness. The test is simple: if CUI is not in the prompt, the input, or the output, the tool is outside the assessment scope.
What requirements must an AI tool meet if it is deployed within an OSC’s CUI boundary?
An AI tool operating inside an OSC’s CUI boundary must satisfy all applicable NIST SP 800-171 Rev 2 controls as part of the assessment scope, including access control (control family 3.1), audit and accountability (control family 3.3), configuration management (control family 3.4), identification and authentication (control family 3.5), and system and communications protection (control family 3.13). The tool must be documented in the OSC’s System Security Plan (SSP) as an internal system component, with defined access rights, logging capabilities, and network segmentation. A private large language model deployed on the OSC’s own infrastructure within the existing compliant boundary inherits all implemented controls automatically, no separate vendor assessment, FedRAMP authorization, or additional Customer Responsibility Matrix is required, provided the deployment is fully within the OSC’s controlled environment.
What is required if an OSC uses a cloud-based AI tool that processes CUI?
A cloud-based AI tool that processes CUI must hold a FedRAMP Moderate authorization at minimum, and the OSC must obtain and review the tool’s Customer Responsibility Matrix (CRM) to confirm that the OSC-side controls required under NIST SP 800-171 Rev 2 are implemented and evidenced. The cloud service provider’s system must appear in the OSC’s SSP, with data flow diagrams showing how CUI enters, is processed, and exits the system. Under 32 CFR Part 170, External Service Providers, including cloud AI vendors, whose services fall within the CUI boundary are part of the assessment scope. An assessor will examine whether the OSC can demonstrate control inheritance, identify what the provider is responsible for, and verify that the OSC has not assumed compliance without validating it.
How must an OSC document AI tools in its System Security Plan?
Every AI tool that operates within or adjacent to the CUI boundary must be inventoried and documented in the OSC’s System Security Plan (SSP) as required under NIST SP 800-171 Rev 2 control 3.12.4, which mandates a current, accurate description of the system boundary and all components. For each AI tool, the SSP must describe the tool’s function, the data it processes, applicable access controls, logging configuration, and whether it is an internal deployment or an external service. If the tool is external, the SSP must reference the provider’s authorization status and the CRM. A C3PAO conducting a Level 2 certification assessment under the CMMC Assessment Process (CAP) will examine the SSP for completeness, an AI tool in active use that does not appear in the SSP is a gap that can affect assessment outcomes.
What is the NDAA FY2026 Section 1513 AI framework, and what should OSCs do now?
Section 1513 of the National Defense Authorization Act for Fiscal Year 2026 directs the Department of Defense to develop a cybersecurity and physical security framework specifically for AI and machine learning technologies acquired by the Pentagon and to incorporate that framework into DFARS and the CMMC program. The framework will apply to covered AI/ML, defined as AI systems acquired by DoD including source code, model weights, training data, algorithms, and software, and will focus on systems of highest interest to cyber threat actors. DoD is required to submit an implementation plan and status update to Congress by June 16, 2026. No compliance deadline has been set yet. OSCs developing, deploying, or hosting AI systems for DoD programs should monitor DFARS rulemaking activity closely, as the original CMMC program followed a similar trajectory from NDAA directive to hard contractual requirement over several years.
What practical steps should an OSC take today to manage AI tool risk under CMMC?
An OSC’s immediate obligation under CMMC Level 2 is to ensure no CUI enters a non-compliant system, and AI tools represent one of the fastest-growing sources of unmanaged data flow. The practical starting point is an AI inventory: catalog every AI tool in use across the organization including embedded features such as Microsoft Copilot, browser-based tools, and third-party SaaS assistants. For each tool, determine whether it is used in any workflow involving CUI. Remove or technically block non-compliant tools from CUI workflows, implement policy and training to prevent ad hoc use, and update the SSP to reflect the organization’s current AI posture. Access control, audit logging, and boundary protection controls under NIST SP 800-171 Rev 2 must extend to any AI system that remains in scope. An assessor conducting a CMMC Level 2 certification assessment will treat undocumented or uncontrolled AI tool usage as a compliance gap.
Explore Blogs, Webinars and other Resources
Trusted by Reputed Companies
What Our Clients Say
We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center
Our Growing List of Credentials
0
+
Assessments
0
+
Clients
0
+
Assessment Libraries
0
+
Years of Experience
0
+
No. of Staff Trained
0
+
HIPAA
0
+
SOC 2 Readiness
0
+
Pen Testing
0
+
ISO 27001 Certifications
0
+
Dollars Saved in Compliance Penalties