Industry Guide — Professional Services

CMMC for Professional Services & Consulting Firms

You don't make defense hardware, but you handle sensitive data about the people and programs that do. Staffing firms, management consultants, and advisory firms serving DoD have CUI obligations that most of their peers don't know about.

Why Professional Services Firms Need CMMC

A staffing firm that places engineers at DoD facilities. A management consulting firm that helps a prime with program management. An advisory firm that supports acquisition strategy. At first glance, these don't look like the typical "defense contractor." But if they receive, produce, or work with sensitive procurement data, performance reports, proposal content, or personnel records in connection with a DoD contract — they're handling CUI.

CMMC follows the data, not the industry. The question isn't "are we a services firm?" The question is "do we receive or create CUI in the course of our defense work?" For a significant portion of professional services firms working in defense, the answer is yes.

The Trigger Question

Does your work product involve sensitive procurement data, personnel performance information, proposal content for defense programs, or security-sensitive advisory deliverables? If yes, you're likely handling CUI — regardless of whether you think of yourself as a "typical" defense contractor.

What CUI Looks Like in Professional Services

Procurement Sensitive Data

If your advisory or consulting work involves source selection, procurement strategy, or cost estimation for defense programs, you almost certainly have access to sensitive procurement information (SPI). SPI is explicitly listed as a CUI category. This includes: independent government cost estimates, acquisition strategy documents, source selection plans, pre-decisional budget data, and contractor performance assessments used in source selection.

Performance Reports and CPARS Data

Contractor Performance Assessment Reporting System (CPARS) data — the official performance ratings that follow defense contractors — is sensitive. If your firm helps primes track, analyze, or respond to CPARS entries, you're working with controlled data. Similarly, internal performance reports for defense programs that contain information about program status, cost performance indices, and schedule variances can be CUI.

Proposal Content

Proposals for defense contracts contain CUI when they describe controlled technical approaches, reference controlled specifications, or include proprietary technical data. Staffing firms that help prepare technical proposals are handling CUI. Consulting firms that develop program management plans referencing controlled program data are handling CUI. The fact that the deliverable is a document rather than a hardware part doesn't change the CUI designation.

Personnel Data and Security-Relevant HR Information

Staffing firms placing cleared or sensitive personnel on defense programs often handle personnel security information — clearance levels, investigation dates, sensitive positions. This information is controlled. Your applicant tracking system and personnel files for defense placements may contain CUI.

For professional services firms, CUI almost always lives in email and shared documents — not in a dedicated system. That diffuse environment is harder to scope and harder to control than a manufacturing floor where drawings go into one file server.

The Email and Shared Docs Challenge

The defining challenge for professional services is that CUI doesn't flow through a dedicated system with clear boundaries. It flows through email. It lives in Word documents and PowerPoint decks on shared drives. It gets forwarded, copied, and saved in multiple locations as part of normal collaborative work.

This diffuse CUI environment is harder to scope and harder to control than a manufacturing operation where all engineering data goes into one controlled file server. For professional services, the scoping question isn't just "which systems process CUI?" It's "where does CUI end up across all of our collaboration tools?"

The practical implications:

  • Your entire email system is likely in scope if you receive or discuss CUI in email
  • Your document collaboration platform (SharePoint, Box, Google Drive, Confluence) is in scope if CUI files are stored there
  • Personal devices used for work email need to be managed if they access CUI through mobile email apps
  • Video conferencing platforms where CUI is discussed or shared need to be assessed

Remote Workforce Complications

Professional services firms often have distributed, remote workforces — consultants working from home, traveling consultants accessing systems from hotels, staff at client sites. Each remote access scenario creates CUI handling challenges:

  • Home offices need to meet physical security requirements (visitor controls, secure storage, clean-desk policies)
  • Public WiFi cannot be used to access CUI without VPN protection
  • Client site access from client systems needs careful documentation — are you using your company's compliant devices, or client-provided systems?
  • Printed CUI documents at client sites need handling and destruction procedures

Cost Estimates for 10–50 Person Professional Services Firms

Cost Component                          | Typical Range        | Notes
Gap assessment                          | $7,000–$16,000       | Email-heavy CUI environments can be complex to scope
Email/collaboration platform migration  | $8,000–$25,000       | Moving to M365 GCC High or equivalent
MDM for remote worker devices           | $4,000–$12,000       | Intune deployment across remote workforce
Policy documentation                    | $7,000–$15,000       | Remote work policies add complexity
Security tools (EDR, SIEM, MFA)         | $5,000–$14,000/year  | Annual recurring cost
C3PAO assessment                        | $18,000–$45,000      | Varies with team size and scope
Total first-year estimate               | $49,000–$127,000     | Remote workforce complexity drives higher end

Not sure if your professional services firm handles CUI?

Our free readiness check asks about the types of information your work involves and tells you whether you have a CMMC obligation.

Take the Free Readiness Check →

Frequently Asked Questions

It depends on what data you work with. If your management consulting involves access to sensitive procurement data, performance data, source selection information, or budget data for defense programs, you likely have CUI. If you're providing purely organizational advice that doesn't touch program-specific sensitive data, you may not. The key is to audit what information you actually receive and use in connection with defense contracts — not what your service is called.

It depends on what data the staffing firm itself processes. If your firm only provides the staffing function (matching candidates to positions, handling employment paperwork) and the engineers work on the client's systems with the client's data, the staffing firm may not be handling CUI itself. But if you receive sensitive personnel data (clearance levels, security investigation dates, sensitive roles), that data is likely CUI. And if your firm participates in the actual work (your staff use your firm's systems to do defense work), those systems are in scope.

Standard Microsoft 365 (the commercial version) is not CMMC compliant for CUI. Microsoft 365 GCC High is. The difference is significant: GCC High runs in a separate, US-government-only cloud environment, has FedRAMP High authorization, and has data residency and access controls that the commercial version lacks. If you're currently storing CUI in standard M365 — SharePoint, Teams, Exchange — you need to migrate to GCC High or a comparable compliant platform.

This is a genuinely complex situation. If you're using client-provided systems on their networks, you're working within their CUI environment — their CMMC compliance covers that specific scenario if they're certified. But any CUI you take back to your own systems (files copied to your laptop, emails forwarded to your company account) comes under your CMMC obligation. Establish clear protocols: what data can you take off-site, in what form, and to what systems?

CMMC applies to the systems and locations where CUI is processed, regardless of where the work is physically done. International consultants accessing CUI through your company systems need to do so over approved encrypted connections (VPN), from company-managed devices, and their access needs to be authorized and logged. Additionally, ITAR and EAR export control regulations may restrict access to certain types of CUI by foreign nationals — even if they're employees — which is a separate compliance requirement from CMMC itself.

Understand your CUI obligations before your prime asks.

Our free readiness check identifies whether your professional services work involves CUI and what CMMC compliance looks like for your firm.

Start Free Readiness Check →

2 minutes. No email required to see results.

Or see pricing & packages →