DoD and CMMC: What Attorneys Representing Defense Contractors Need to Know About AI Compliance

The Most Dangerous AI Compliance Gap in Legal Practice

There is a compliance gap in legal AI that is broader than FedRAMP, more technically demanding than StateRAMP, and carries consequences that extend far beyond a data breach notification.

It exists in defense contractor legal work — and almost no one in the legal profession is talking about it.

Attorneys representing prime contractors, subcontractors, and defense suppliers operate in an environment governed by the Cybersecurity Maturity Model Certification (CMMC) framework — a Department of Defense mandate that formally extends cybersecurity obligations to every organization in the defense industrial base supply chain.

That supply chain includes outside counsel.

If you are a lawyer who handles matters for any company that does business with the Department of Defense, and you are using an AI tool that has not been assessed against NIST SP 800-171 controls, you may already be in violation of your client's contractual obligations — and potentially your own.

What CMMC Is — And Why It Matters for Outside Counsel

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, finalized in late 2024 and now actively enforced in DoD contracting, establishes three certification tiers for organizations handling Department of Defense information:

CMMC Level 1 — Foundational: 17 basic cybersecurity practices aligned with FAR 52.204-21. Applies to organizations handling Federal Contract Information (FCI) only. Self-attestation is sufficient at Level 1.

CMMC Level 2 — Advanced: 110 security practices aligned with NIST SP 800-171. Applies to organizations handling Controlled Unclassified Information (CUI) — the category of information flowing through most defense contracts involving technical data, export-controlled information, and operational details. Level 2 requires either self-attestation or third-party certification by a C3PAO (CMMC Third Party Assessment Organization).

CMMC Level 3 — Expert: More than 110 practices, including additional requirements from NIST SP 800-172. Applies to organizations handling CUI on the DoD's highest-priority programs. Level 3 requires government-led assessment.

Defense contracts governed by CMMC Level 2 and above include flow-down clauses — contractual requirements that prime contractors must impose on their subcontractors and service providers, including outside counsel. If you process CUI using an AI tool that does not meet NIST SP 800-171 requirements, you have introduced a non-compliant component into your client's CMMC compliance picture. The client's self-attestation or third-party certification may no longer be accurate. The contract may be at risk.

Understanding CUI in Defense Contractor Legal Work

Controlled Unclassified Information is not classified — it does not require a security clearance to handle. But it is strictly regulated under 32 CFR Part 2002 and the CUI Registry maintained by the National Archives.

The CUI categories most commonly encountered in defense contractor legal matters:

  • Export Controlled — Technical data subject to ITAR and EAR. Inputting ITAR-controlled technical data into any non-authorized AI tool is a potential export control violation with criminal exposure — not just a compliance issue.

  • Defense Acquisition — Information related to defense acquisition programs, procurement strategies, source selection, and contract negotiations. Standard in outside counsel work supporting defense procurement.

  • Legal — Attorney-client privileged communications, legal memoranda, and case strategy documents prepared in connection with government contracts or agency matters.

  • Procurement and Acquisition — Pre-award procurement information, bid and proposal data, source selection documentation. Governed by DFARS Part 204 and routinely processed by outside counsel in bidding and protest work.

  • Privacy — Personal information about DoD personnel, contractors, and beneficiaries. Common in employment, benefits, and personnel security matters.

Most defense contractor legal work involves at least one of these categories — and most attorneys handling this work are processing CUI without a systematic policy for AI tool compliance.

DFARS and the Legal Obligation That Already Exists

Before CMMC was finalized, DFARS Clause 252.204-7012 already imposed CUI handling requirements on defense contractors and their subcontractors.

DFARS 252.204-7012 requires:

  • Adequate security on all covered defense information systems

  • Rapid reporting of cyber incidents within 72 hours

  • Preservation of images of compromised systems for 90 days

  • Compliance with NIST SP 800-171 for all systems processing covered defense information

This clause flows down to subcontractors — and has been interpreted broadly to include service providers who process covered defense information on behalf of prime contractors. Outside counsel who process covered defense information using AI tools are operating systems that, under DFARS 252.204-7012, should be meeting NIST SP 800-171 standards.

Most are not. And most do not know it.

The CMMC framework reinforces and formalizes what DFARS 252.204-7012 already required. Defense contractors are now scrutinizing their entire supply chain — including their law firms — for compliance.

ITAR: The Highest-Stakes Compliance Obligation in Defense Legal Work

The International Traffic in Arms Regulations deserve separate treatment because the consequences of non-compliance are uniquely severe.

ITAR controls the export of defense articles, defense services, and related technical data listed on the United States Munitions List (USML). ITAR violations carry criminal penalties — up to 20 years imprisonment and $1 million per violation — in addition to civil and administrative consequences.

When an attorney inputs ITAR-controlled technical data into an AI tool, that input may constitute an export of controlled technical data to the extent the tool's underlying model, API, or infrastructure routes data through non-U.S. systems, foreign-owned data centers, or foreign-accessible systems.

This is not a theoretical reading. The State Department's Directorate of Defense Trade Controls (DDTC) has issued guidance indicating that ITAR-controlled data processed by cloud services must remain under U.S. jurisdiction with appropriate access controls. Commercial AI APIs — GPT, Claude, Gemini — do not satisfy this requirement.

The legal profession has largely failed to engage with this issue. Attorneys handling ITAR matters are one misunderstanding of "AI research assistant" away from a potential federal criminal referral.

A defense-ready legal AI platform must, at minimum:

  • Process data exclusively within U.S. jurisdiction

  • Implement access controls that prevent non-U.S. personnel access

  • Maintain immutable audit logs of all data inputs and outputs

  • Support ITAR-specific data handling protocols

The CMMC Compliance Status of Major Legal AI Tools in 2026

  • Standard commercial AI tools (ChatGPT, Claude, Gemini) — No CMMC assessment. No NIST SP 800-171 compliance documentation. Processing defense CUI through these tools is not an appropriate practice. Full stop.

  • Microsoft 365 GCC High — Designed to support ITAR and CUI requirements. FedRAMP High authorized. Requires GCC High specifically — not standard Microsoft 365 or standard GCC. Copilot features within GCC High have specific availability and compliance terms.

  • Google Workspace for Government — FedRAMP High authorized. ITAR compliance support available with specific configurations. Requires the government-specific tier with appropriate data residency controls.

  • Most legal AI startups — No CMMC assessment. No documented NIST SP 800-171 compliance. Not appropriate for defense contractor legal work.

  • SavvyLex — CMMC Level 2 readiness pathway in planning, consistent with its FedRAMP Moderate and StateRAMP Moderate trajectory. Private deployment architecture, immutable audit logging, and U.S.-only data processing designed to satisfy the substantive requirements of NIST SP 800-171. No third-party API routing — eliminating the ITAR export risk inherent in API-based tools.

Practical Steps: What Attorneys Handling Defense Contractor Matters Should Do Now

Step 1 — Identify Your CUI Touch Points. Before your next matter, map every category of client information you will handle. If any of it is defense CUI — ITAR-controlled, acquisition-sensitive, export-controlled — apply the same controls your client applies to that information. That means no commercial AI tools.

Step 2 — Read Your Engagement Terms for DFARS Flow-Down Language. Prime contractors governed by CMMC Level 2 are increasingly inserting DFARS flow-down language into outside counsel engagement terms. Check your current defense contractor client engagements now. If you see DFARS 252.204-7012 or CMMC compliance language, your AI tool selection is contractually constrained.

Step 3 — Separate Your Tool Environments. The practical near-term solution is environmental separation: a certified or compliant tool environment for defense CUI work, and a standard commercial tool environment for everything else. Operationally inconvenient. Legally necessary.

Step 4 — Build a Defense AI Policy. If your firm regularly handles defense contractor matters, you need a written policy: approved tools for defense CUI work, mandatory matter classification before AI tool selection, staff training on ITAR and CMMC obligations, and documentation standards that support your clients' CMMC attestations.

Step 5 — Get Ahead of Client Audits. Defense contractors undergoing C3PAO assessment are increasingly asked about their supply chain — including outside counsel. Be ready to document your AI tool compliance before your client's auditor asks.

Step 6 — For ITAR Matters, No Commercial AI. Period. ITAR-controlled technical data does not belong in any commercial AI tool. The only defensible position is a U.S.-only, access-controlled, audit-logged private deployment.

What SavvyLex Is Building for Defense-Ready Legal AI

SavvyLex's government-ready architecture was designed from inception to support the most demanding compliance environment in legal AI — and that includes defense.

Vera-sLLM's defense-readiness design principles:

  • U.S.-only data processing — Private deployment architecture ensures data never leaves U.S. jurisdiction

  • Immutable audit logging — Every input, output, and retrieval is logged and tamper-evident, supporting NIST SP 800-171 audit requirements

  • Access control architecture — Role-based access with mandatory human review checkpoints, supporting CMMC Level 2 access control requirements

  • No third-party API routing — Vera-sLLM does not route data through external commercial AI APIs, eliminating the ITAR export risk inherent in API-based tools

  • FIPS 140-3 encryption pathway — Encryption standards consistent with NIST requirements for CUI protection

Transparent status disclosure: SavvyLex is not yet CMMC certified. CMMC Level 2 assessment is a planned milestone. The architecture was built to satisfy these requirements — the path to certification is a documentation and assessment process, not an architectural redesign.

The Bottom Line for Defense Contractor Attorneys

FedRAMP covers federal civilian agencies. StateRAMP covers state and local government. CMMC and DFARS cover the defense industrial base — and the obligations flow to outside counsel whether or not you have read the flow-down clause in your engagement letter.

Verify before you input. Separate your environments. Build a written policy. And for ITAR matters — the answer is always no commercial AI.

This is Part 3 of SavvyLex's four-part Government-Ready Legal AI series. Part 1: FedRAMP and Legal AI — The Complete Guide for Attorneys (https://www.savvylex.com/post/fedramp-legal-ai-attorneys-government-guide). Part 2: StateRAMP and GovRAMP — What Attorneys Working With State and Local Government Need to Know (https://www.savvylex.com/post/stateramp-and-govramp-what-attorneys-working-with-state-and-local-government-need-to-know). Part 4: The Government-Ready Legal AI Roadmap — coming soon.

About SavvyLex: SavvyLex delivers Trust-Zero Legal AI — governed, verifiable, and accountable AI systems for regulated legal organizations. Vera-sLLM is the governed legal AI assistant built for attorneys who cannot afford to guess about compliance. Learn more at savvylex.com.
