CMMC file sharing for small DoD subcontractors
Kiteworks and PreVeil are priced for primes. Here's an honest control-by-control read of where a $49/seat tool fits CMMC Level 2 and where it doesn't.
You run a 15-person machine shop in Dayton or a 40-person engineering firm in Huntsville. You sub to a prime on a program that touches Controlled Unclassified Information, and your prime's contracts officer just sent you the email: by the time your DoD contract renews, you need CMMC Level 2 assessed (and annually affirmed by your authorizing official). You priced Kiteworks. You priced PreVeil. You priced Sharetru. The quotes ran into the tens of thousands per year at the low end and nudged six figures at the high end, and you have eleven file-sharing transactions a month with the prime.
This post is for you. We'll walk control-by-control through where a $49/seat-per-month tool fits CMMC Level 2 file sharing and where it genuinely does not — because pretending CIPH4 covers everything would waste your time, and pretending the primes' tools are the only valid answer would waste your money.
The honest scope question first
CMMC Level 2 has 110 controls inherited from NIST SP 800-171. File sharing typically intersects roughly a quarter to a third of them — most vendor mappings put the count between 25 and 35 depending on how the boundary is drawn. The other 75 or so are about endpoint hardening, identity, network segmentation, incident response, configuration management, and a dozen other practice areas that no file-sharing tool — not Kiteworks, not PreVeil, not us — solves on its own.
What the Kiteworks-class platforms sell you is a bundle: a file-sharing surface plus a dedicated GCC High tenant plus FedRAMP Moderate inheritance plus a vendor-provided System Security Plan template that maps their bundle to ~60-70 of the 110 controls. That's worth real money to a 500-person prime that needs procurement to sign one PO and inherit a fat block of controls.
For a 15-person sub that already runs Microsoft 365 GCC (or has decided not to), is on a tight budget, and has a narrow CUI flow — a contract drawing here, a spec revision there, a vendor questionnaire monthly — that bundle is over-scoped. You're paying $30K-$100K/year to inherit controls you don't need bundled, on top of the controls you'd still need to implement yourself anyway.
The honest framing: you need a file-sharing tool that holds up against the specific CMMC file-sharing controls, and you need to handle the rest of your CMMC posture through the rest of your stack. Let's go through which controls a tool like ours covers cleanly, which it covers partially, and which it doesn't touch at all.
What a $49/seat tool covers cleanly
These are the CMMC Level 2 / 800-171 controls where the architecture of a zero-knowledge link-sharing tool is genuinely strong, often stronger than the heavyweight platforms.
3.1.3 — Control the flow of CUI in accordance with approved authorizations. A link that expires after one view, or after the recipient downloads it twice, or after 72 hours — whichever happens first — is a textbook implementation of authorized flow control. Your assessor wants to see that CUI can't sit in a recipient's inbox indefinitely. View caps and download caps deliver that.
3.8.3 — Sanitize or destroy system media containing CUI before disposal or release for reuse. This is where deletion gets interesting. Most file-sharing platforms can show you a "deleted" status; few can prove it. The signed deletion receipts we issue on Enterprise are cryptographic artifacts you can hand to an auditor — every receipt names the share, the destruction time, and the audit-chain anchor it ties back to. That's a stronger media-sanitization artifact than "trust our admin console."
3.13.8 — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission. The payload is encrypted client-side before it leaves the sender's browser. The decryption key lives in the URL fragment and never reaches our servers. That's stronger than the standard TLS-in-transit story most platforms tell, because even a full breach of our infrastructure leaves the attacker with ciphertext and no key.
3.13.11 — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. This is the one assessors ask about most often, and it's the one to be honest about. CIPH4 uses AES-256-GCM via the browser's Web Crypto API. Important caveat: FIPS-validation status of browser crypto modules varies by browser and configuration, and the Web Crypto API as called from a web app does not generally operate within a CMVP-validated boundary. Consult your assessor on whether your specific CUI flow requires a CMVP-validated module at the file-sharing layer. If it does, a browser-based zero-knowledge tool may not be the right fit for that specific flow, and a server-side FedRAMP-Moderate platform is the safer call for that piece. Many CMMC scopes don't require module-level FIPS validation at the file-sharing layer — but the answer depends on your specific contract language and assessor judgment.
3.14.6 — Monitor organizational systems, including inbound and outbound communications traffic. Our hash-chained audit log records every send, view, download, modify, and burn. Each row references the row before it via cryptographic hash, so tampering breaks the chain. The audit-chain export includes prev-hash values, so your assessor can re-compute the SHA-256 chain offline and confirm integrity without contacting us. Enterprise customers additionally get signed Proof-of-Deletion Receipts that can be verified at our public verifier endpoint.
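The offline re-computation described above for 3.14.6, and the receipt-to-chain anchoring mentioned under 3.8.3, as an added example (not CIPH4 code or its real export format). It assumes a `|`-joined canonical row encoding, an all-zero genesis `prev_hash`, a receipt that carries `share_id` and `anchor`, and constructed sample events for one send → view → download → burn timeline:

```python
# Offline re-verification of a hash-chained audit export. Added example, not
# CIPH4 code: column names, genesis value and the row encoding are assumptions.
import hashlib

GENESIS = "0" * 64  # assumed sentinel prev_hash for the first row

# Constructed events for one CUI transmission: send -> view -> download -> burn.
EVENTS = [
    ("2026-05-01T13:02:11Z", "send", "shr_demo01", "alice@sub.example"),
    ("2026-05-01T13:40:52Z", "view", "shr_demo01", "jane.doe@subprime.com"),
    ("2026-05-01T13:41:07Z", "download", "shr_demo01", "jane.doe@subprime.com"),
    ("2026-05-02T09:15:33Z", "burn", "shr_demo01", "alice@sub.example"),
]

def row_hash(seq, prev_hash, timestamp, event, share_id, actor):
    """Assumed canonical encoding: fields joined by '|', previous hash first."""
    data = "|".join([prev_hash, str(seq), timestamp, event, share_id, actor])
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def build_export(events):
    """Rows as an export would carry them: each stores prev_hash and row_hash."""
    rows, prev = [], GENESIS
    for seq, (ts, ev, share, actor) in enumerate(events, start=1):
        h = row_hash(seq, prev, ts, ev, share, actor)
        rows.append({"seq": seq, "timestamp": ts, "event": ev, "share_id": share,
                     "actor": actor, "prev_hash": prev, "row_hash": h})
        prev = h
    return rows

def verify_chain(rows):
    """Re-compute every row hash and check linkage; returns (ok, first_bad_seq)."""
    prev = GENESIS
    for r in rows:
        if r["prev_hash"] != prev:
            return False, r["seq"]  # link to previous row broken (row removed or reordered)
        expected = row_hash(r["seq"], r["prev_hash"], r["timestamp"],
                            r["event"], r["share_id"], r["actor"])
        if expected != r["row_hash"]:
            return False, r["seq"]  # row content was altered after it was hashed
        prev = r["row_hash"]
    return True, None

def receipt_anchored(receipt, rows):
    """A deletion receipt (assumed shape) must point at the burn row for its share."""
    return any(r["event"] == "burn" and r["share_id"] == receipt["share_id"]
               and r["row_hash"] == receipt["anchor"] for r in rows)
```

Editing any field of an exported row, or dropping a row, makes `verify_chain` report the first sequence number at which the chain no longer re-computes, which is the check an assessor can run without contacting the vendor.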
3.1.20 — Verify and control/limit connections to and use of external systems. Recipient identity binding (Teams and Enterprise) — email-bound magic links that tie the recipient to the share before any bytes flow — gives you an authoritative answer to "who actually opened this file." Not just "someone with the link" but "someone who proved control of jane.doe@subprime.com."
What it covers partially
These controls are where you'd use our tool plus other systems and a written procedure.
3.1.1 / 3.1.2 — Limit system access to authorized users. Our tool authenticates senders via SSO (Enterprise) or password + MFA on all tiers. That covers the sender side. The recipient side is handled via identity-bound links plus passphrase challenge, which is fit-for-purpose for external counterparties who don't have accounts in your tenant. Document this in your SSP as "external recipient access is gated by single-use magic link plus optional passphrase, with all access logged in the hash-chained audit trail."
3.3.1 / 3.3.2 — Create and retain audit logs. Our audit log is tamper-evident, retained per your plan's retention window, and exportable as CSV (Teams and Enterprise) with the chain proof attached. Where it's partial: it covers file-sharing events, not endpoint events, not network events, not identity events outside our surface. You need a SIEM (or at minimum a structured log aggregator) for the rest. Wazuh, Splunk, Sentinel — your call.
3.6.1 / 3.6.2 — Incident response capability. When a recipient reports "I accidentally forwarded this," you can revoke a share in one click and the deletion receipt anchors the timestamp to the audit chain. Your IR procedure should reference our incident-response playbook for the specific revoke + receipt-pull + report-export sequence. The capability is here; the procedure is yours to write.
3.12.1 / 3.12.3 — Assessments and continuous monitoring. Our audit-chain verification gives you an objective continuous-monitoring signal for the file-sharing control surface. You'd still need a broader continuous-monitoring program covering vulnerability management, configuration drift, and access reviews — that's a GRC tool's job, not a file-sharing tool's.
What it doesn't touch
Let's be direct, because this is where the Kiteworks-class platforms try to scare you, and where you should be ready with a clear answer.
FedRAMP Moderate inheritance. We're not FedRAMP-authorized. The DFARS 252.204-7012 flowdown matters here in a specific way: clause (b)(2) requires that any cloud service provider that processes, stores, or transmits CUI on the contractor's behalf must meet the FedRAMP Moderate baseline or equivalent. If your CUI flow uses CIPH4 as the cloud service touching CUI, that requirement applies — read your specific flowdown carefully and consult your contracts officer. Some scopes carve the file-sharing layer out of the CUI boundary entirely (e.g., the CUI is on the recipient's endpoint, not stored in the sharing tool); others don't. Your contracts officer is the right person to confirm which applies to your program.
ITAR / export-controlled boundary. If your CUI is also ITAR-controlled, you have a separate set of requirements about U.S.-person handling and data residency. Our infrastructure runs in U.S. Azure regions, but ITAR compliance is a posture decision that involves your whole stack, not just file sharing. Talk to your export-control officer before assuming any tool fits.
Endpoint controls (3.4, 3.5, 3.7, parts of 3.13). Configuration management, identification + authentication of devices, system maintenance, network segmentation — none of these are file-sharing problems. You need endpoint management (Intune, Jamf, or equivalent), identity (Entra ID, Okta), and probably a managed-services provider if you don't have an in-house IT team.
Physical and personnel controls (3.9, 3.10). Self-explanatory. Your file-sharing tool doesn't background-check your employees or lock your server closet.
Where the math actually lands
A realistic stack for a 15-person sub looks like this:
- Microsoft 365 Business Premium or GCC for email, identity, endpoint baseline, and Office documents — covers a large block of the 110 controls when configured to the CMMC-aligned baseline.
- Intune or equivalent for endpoint management — covers the 3.4 / 3.5 cluster.
- A SIEM or log aggregator — covers the 3.3 monitoring controls beyond what your file-sharing tool produces.
- A file-sharing tool with strong CUI flow-control and audit posture — this is where we fit, at $49/seat/month for Teams or a custom Enterprise quote.
- A written System Security Plan and Plan of Action & Milestones — done by you or a CMMC-focused consultancy, not by any vendor.
Eleven file-sharing transactions a month at $49/seat for the three people who do them is $147/month — $1,764/year. That's two orders of magnitude cheaper than the Kiteworks bundle, and it leaves you budget for the consultancy you actually need to write your SSP.
The right framing for your prime's contracts officer isn't "we're using a cheap tool to skirt CMMC" — it's "we use a fit-for-purpose file-sharing service that implements the specific 800-171 controls touching our CUI flow, with cryptographic proof of deletion and tamper-evident audit logs, and we cover the remaining ~75–85 controls through our broader stack."
What to bring to your CMMC assessor
When the C3PAO asks about your file-sharing posture, hand them three artifacts:
- The SSP section mapping our controls to 800-171 controls 3.1.3, 3.1.20, 3.8.3, 3.13.8, 3.13.11, 3.14.6, with citations to our security architecture page for the cryptographic module documentation.
- A sample audit-chain export for a recent CUI transmission, showing the send → view → download → expire (or burn) timeline, with the chain hashes intact.
- A sample deletion receipt for a destroyed share, with the public verifier link so they can independently confirm the signature.
Assessors prefer evidence they can verify themselves over vendor-attested claims. That is why these artifacts are built to be checked independently rather than taken on our word.
If your prime asks specifically about the bundle question — "why aren't you using our tenant?" — the answer is straightforward: their tenant works for primes processing CUI at high volume across many programs. Your CUI flow is narrower, your headcount is smaller, and your budget reality is different. A focused tool plus a documented control mapping is a defensible posture under DFARS 252.204-7012.
What to do next
If you're at the stage where you're sizing tools, pricing will tell you whether Teams or Enterprise fits — most subs land on Teams plus a quarterly compliance review. If you're further along and need control-mapping help, the government contractors industry page lists the specific 800-171 controls our architecture addresses, with the language your SSP can borrow.
The short version: a $49/seat tool covers the file-sharing slice of CMMC Level 2 honestly, not entirely. Buy the slice that fits, write the SSP around what you actually do, and don't let a prime sell you a bundle priced for an organization ten times your size.