The CMMC 2.0-Compliant AI Tools Checklist for Defense Contractors in 2026

The defense industrial base has spent the last three years rewiring itself around CMMC 2.0. By 2026, the rule is not new and the audits are real. The question I get asked most often by defense-contractor clients is simple: which AI tools can my team actually use, and on what kind of data? This article is the working answer I give them.

I am going to walk through the rule, the deciding factor (it is CUI), the AI tools that hold the right authorizations, the ones that are fine for non-CUI work but will fail an audit if you put CUI in them, and the ones to keep entirely out of any defense-contract workflow. The checklist at the end is the one I use myself.

Important disclaimer up front: this article is general information, not legal or compliance advice for your specific contract. Every contract has its own DD-254, its own SCG, and its own DCMA expectations. Confirm with your CISO and your prime before you change anything.

Why this checklist exists

The CMMC 2.0 final rule (32 CFR Part 170) is in effect. The DFARS clause (252.204-7021) flow-down is now standard in DoD contracts. Primes are pushing CMMC compliance attestations down to subs. Auditors are walking into facilities. The penalty for a wrong AI-tool choice is no longer theoretical — it is a failed audit, a lost contract, or a False Claims Act exposure.

At the same time, AI tools are now genuinely useful in defense workflows — for proposal writing, technical drafting, code generation, log analysis, and dozens of other tasks. The contractors that can use AI safely are pulling ahead. The ones still confused about which tools are safe are leaving productivity on the table or, worse, putting their compliance posture at risk.

CMMC 2.0 in plain English

CMMC 2.0 has three levels:

• Level 1 (Foundational): for handling Federal Contract Information (FCI). Self-attestation. 17 controls based on FAR 52.204-21.
• Level 2 (Advanced): for handling Controlled Unclassified Information (CUI). Third-party assessment by a C3PAO for most contracts. 110 controls based on NIST SP 800-171 Rev 2 (and Rev 3 transition).
• Level 3 (Expert): for the most sensitive CUI on the highest-priority programs. Government-led assessment. NIST SP 800-171 plus a subset of SP 800-172.

Most defense contractors will be at Level 1 or Level 2. The AI-tool decision turns on Level 2, because Level 2 is where CUI lives. Level 1 contractors have more flexibility but should still avoid putting any flowed-down sensitive content into an unauthorized AI tool.

The CUI rule that decides everything

Here is the deciding question: does this AI tool process, store, or transmit CUI?

If yes, the cloud service must be FedRAMP Moderate (or higher) authorized, and the contractor must demonstrate that the configuration meets all 110 NIST SP 800-171 Rev 2 controls (transitioning to Rev 3) for that environment. The contract terms must support DFARS 252.204-7012 incident reporting and the related flow-downs.

If no — if the AI tool will only ever see public, non-export-controlled, non-CUI business information — you can use commercial AI services like normal, with reasonable enterprise data-handling controls. The risk is that someone, someday, pastes CUI into a tool that was never authorized for it. That is the single most common compliance incident I see in 2026.

Approved AI tools for CUI workloads (FedRAMP Moderate or higher)

This list is the realistic shortlist as of April 2026. Confirm current authorization status on the FedRAMP Marketplace (marketplace.fedramp.gov) and your specific tenant configuration before you treat any tool as authorized for your CUI.

• Microsoft 365 GCC High with Microsoft 365 Copilot deployed in the GCC High tenant. This is the most common CMMC 2.0 Level 2 stack in the defense industrial base. Copilot inherits the GCC High boundary; documents in OneDrive/SharePoint GCC High and email in Exchange Online GCC High can be reasoned over by Copilot without leaving the boundary.
• Azure Government with Azure OpenAI Service in Government. The IL5-eligible Azure OpenAI Service environments host GPT-class models for CUI workloads. Verify the specific region and IL designation for your contract.
• AWS GovCloud (US) with Amazon Bedrock. Bedrock in GovCloud hosts a curated set of models authorized for CUI. The Anthropic models offered through Bedrock GovCloud are usable for CUI under the appropriate configuration.
• Google Cloud Assured Workloads with Vertex AI. The Assured Workloads environment provides FedRAMP-authorized boundaries for Vertex AI workloads.
• Palantir Foundry on FedRAMP-authorized deployments. Palantir's federal deployments include AIP capabilities authorized at FedRAMP High and IL5 in many cases.
• PreVeil for end-to-end encrypted email and file storage with CUI compatibility — not an AI tool itself, but commonly the secure transit layer beneath an authorized AI workflow.

Your specific authorization to use these tools depends on (a) your contract's DFARS clauses, (b) the cloud service's current ATO and FedRAMP package, and (c) your own SSP and System Security Plan covering how you configured the tenant.

Commercial-only AI tools (use only on non-CUI)

These tools are excellent for general business use. They are not authorized for CUI as of April 2026 and putting CUI in them would create a compliance incident.

• ChatGPT (commercial), ChatGPT Team, ChatGPT Enterprise on the standard openai.com infrastructure. Excellent tools — but FedRAMP authorization on the commercial OpenAI tenant is not available. Note: OpenAI's separate "ChatGPT Enterprise for U.S. Government" offering on Azure Government is the FedRAMP-authorized path; that is a different product.
• Claude.ai (commercial) on Anthropic's commercial infrastructure. Use the AWS GovCloud Bedrock path for CUI; the commercial product is for unclassified business work.
• Gemini (commercial), Google AI Studio. Use Vertex AI on Assured Workloads for CUI; the commercial product is unclassified-only.
• Cursor, Windsurf, Replit, GitHub Copilot (commercial tier). Phenomenal coding tools — but the standard tiers are not authorized for CUI source code. GitHub Copilot Enterprise on GitHub Enterprise Cloud (US) and the GCC High path are the relevant authorized configurations to investigate.
• Notion AI, Slack AI, Jasper, Copy.ai, Writesonic. Useful productivity tools. Not for CUI.
• Perplexity, You.com, Phind. Search tools. Useful for unclassified research. Not for CUI.

Tools to keep CUI far away from

Some tools have data-handling models that are inherently incompatible with CUI no matter what tier you buy. The patterns to recognize:

• Free or unauthenticated public chat interfaces. Anything where you cannot prove which tenant your data went to.
• Browser-extension AI tools that send page content to a third party. If the extension reads any page that might contain CUI, you have a problem.
• Chrome / Edge "Summarize this page" features running on commercial accounts. Same issue.
• AI meeting-recording tools (Otter, Fireflies, Read AI, etc.) on standard tiers. If a meeting touches CUI, the recording must live in an authorized environment. Many of these vendors do not offer one.
• Personal AI assistants on personal devices. If a personal phone is used to discuss CUI, you are already outside compliance regardless of the AI tool.

The working checklist

Use this when evaluating a new AI tool for use in your defense business.

1. Will this tool ever process CUI? If yes, continue. If no and you can guarantee that with controls, you have flexibility.
2. Is the tool listed on the FedRAMP Marketplace at Moderate or higher? Verify directly. "Coming soon" and "in process" are not authorized.
3. Does my specific tenant configuration inherit that authorization? Many cloud services have both commercial and FedRAMP tenants. You must be in the right one.
4. Does the contract with the vendor flow down DFARS 252.204-7012? If not, you cannot use it for DoD CUI.
5. Has my SSP been updated to include this tool? The system security plan must reflect every system that touches CUI.
6. Have my users been trained? A CMMC audit will ask. Training records matter.
7. Is there an incident-response plan for this tool? If a user pastes CUI into the wrong tool, who do they tell, and how fast?
8. Is the data flow logged? SIEM coverage of AI tool usage is becoming a routine audit expectation in 2026.
9. Has DCMA, the prime, or the program office approved this tool by name? Some contracts go further than CMMC and name specific tools or prohibit specific tools.
10. Are the AI tool's training-data and retention policies acceptable? If the vendor uses your data to train its models without an opt-out, that is a problem regardless of FedRAMP status.

Deployment patterns that pass audit

From the contractors I have seen pass Level 2 cleanly, three deployment patterns repeat.

Pattern 1: GCC High everything. All employees work in Microsoft 365 GCC High. Copilot is licensed in GCC High. CUI never leaves the boundary because there is no commercial tenant to leak into. This is the simplest model and the most common in primes.

Pattern 2: Two-tenant with technical controls. The contractor maintains a commercial tenant for general business use and a GCC High tenant for CUI. Conditional access policies, DLP rules, and clear user training keep CUI in the right tenant. This is more complex but cheaper.

Pattern 3: Cloud-native CUI enclave. The contractor runs CUI workloads in AWS GovCloud or Azure Government with a tightly scoped enclave. Commercial AI tools are blocked at the network layer for users who handle CUI. This is common at smaller contractors who want to keep costs down.

Audit watch-outs

One, "AI" is the word auditors are looking for in 2026. Expect specific questions about AI tool use, AI tool authorization, and user training on AI tools. If you have not already mapped your AI usage, do it now.

Two, browser extensions are the #1 leakage vector I see. A user installs a writing assistant or a meeting-summarizer that quietly sends content to a commercial cloud. The user does not realize CUI is in the content. This is preventable with managed-browser policies.

Three, "but it's just a draft" is not a defense. Drafts of CUI documents are CUI. Drafts in commercial AI tools are CUI in commercial AI tools. The audit will not care about your intent.

Four, DFARS flow-downs are real. Subcontractors often think compliance is the prime's problem. It is not. If you sign a flowed-down clause, you are responsible for it.

Where to go from here

The CMMC 2.0 era is here. The good news is that AI tools authorized for CUI work do exist, the deployment patterns are well-understood, and the productivity wins are real. The bad news is that the wrong tool choice is a failed audit, and ignorance is not a defense.

If you take one action this week, audit which AI tools your team currently uses. Match each one to a category: authorized for CUI, fine for non-CUI only, or to be removed from the network. Then update your SSP and your user training. That single sweep prevents most of the incidents I see.