Urgent | CMMC 2.0 | Compliance | April 2026

CMMC 2.0 Phase 2: What San Diego Defense Contractors Must Do Before the Deadline

The Department of Defense's Cybersecurity Maturity Model Certification program is no longer optional guidance — it is now a hard contract requirement. Phase 2 enforcement means that any company bidding on DOD contracts that involve Controlled Unclassified Information (CUI) must demonstrate certified compliance at Level 2 or risk losing contract eligibility entirely. If you are a San Diego-area defense contractor and you are not already in an active CMMC preparation program, the window to act is closing fast.

Bottom line: CMMC Level 2 requires a third-party assessment (C3PAO) or a self-assessment depending on your contract type. Neither happens overnight. Most organizations need 6–12 months of remediation before they are assessment-ready.

What CMMC Level 2 Actually Requires

Level 2 aligns to NIST SP 800-171 Rev 2 — 110 security practices across 14 domains. The areas where most San Diego defense contractors fall short:

  • Access Control (AC): Multi-factor authentication on all systems that touch CUI, role-based access enforcement, and privileged account controls.
  • Audit & Accountability (AU): Logging must be comprehensive, tamper-resistant, and retained for at least 3 years. Most SMBs have no centralized logging at all.
  • Configuration Management (CM): Baseline configurations documented and enforced. Unauthorized software blocked. Most organizations have no formal baseline.
  • Incident Response (IR): A written, tested IR plan. DCSA notification within 72 hours of a confirmed incident involving CUI.
  • System & Communications Protection (SC): Encryption in transit and at rest for all CUI. FIPS 140-2 validated encryption is required.

The SPRS Score Trap

Many contractors have self-assessed and submitted a score to the Supplier Performance Risk System. If that score is inflated or unsupported by documentation, you are now exposed to False Claims Act liability — not just contract loss. The DOJ has actively pursued FCA cases against contractors with inaccurate SPRS scores. A score submitted in good faith with proper documentation and a Plan of Action & Milestones (POA&M) is defensible. A score that does not reflect reality is not.

Action item: If your SPRS score was self-assessed without a formal gap analysis, get an independent assessment before your next contract renewal. The documentation trail matters as much as the score itself.

What to Do Right Now

  • Identify which of your contracts involve CUI — check DD-254 forms and contract language for CUI markings and DFARS 252.204-7012.
  • Conduct a formal NIST 800-171 gap assessment against your current environment. Not a checklist — a documented, evidence-based assessment.
  • Build or update your System Security Plan (SSP). This is the foundational document C3PAO assessors will examine.
  • Remediate highest-gap areas first: MFA, logging, encryption, and access control tend to score worst and require the most lead time.
  • Select a C3PAO early — their calendars are filling up as Phase 2 enforcement accelerates.

DoD Cyber Consulting specializes in CMMC readiness for San Diego and Southern California defense contractors. We conduct gap assessments, build SSPs, and guide clients through the full remediation-to-certification process.

AI Security | CUI | March 2026

Why Cloud AI Is a Compliance Risk for DOD Contractors Handling CUI

Every week another AI tool promises to streamline government contracting workflows — proposal writing, contract review, engineering documentation, program reporting. The productivity gains are real. So is the compliance exposure. If your organization handles Controlled Unclassified Information and your team is pasting that data into ChatGPT, Copilot, or any other cloud-based AI service, you likely have a DFARS 252.204-7012 problem — and possibly a CUI Program violation.

Why Cloud AI and CUI Don't Mix

CUI is information the government requires to be safeguarded under the CUI Program (32 CFR Part 2002). The safeguarding requirements include controlling who has access, how it is stored, how it is transmitted, and where it goes. When you input CUI into a commercial cloud AI service:

  • Data leaves your boundary. Your CMMC System Security Plan describes your CUI boundary. Cloud AI is not in it.
  • You cannot control retention. Most cloud AI providers retain prompts and outputs for model training or abuse monitoring. NIST 800-171 Control 3.13.10 requires you to control where CUI is stored.
  • Third-party processing isn't automatically authorized. DFARS 252.204-7012 requires cloud storage of CUI to meet FedRAMP Moderate equivalency at minimum. Consumer AI products do not.
  • Your cyber incident reporting obligation is triggered. If CUI is potentially exposed to an unauthorized party, you may have a reportable incident within 72 hours under DFARS.

This applies even to Microsoft Copilot in standard M365 licensing tiers. Only Microsoft 365 GCC High or specific Copilot for Government configurations meet the boundary requirements for CUI. If your team is on commercial M365 and using Copilot, you need to verify your configuration.

The On-Premises AI Alternative

The solution is not to ban AI — it is to deploy AI within your CUI boundary. On-premises large language models running on local hardware give your team the same productivity capabilities without the data-exfiltration risk. The technology stack has matured significantly in the last 18 months:

  • Ollama — runs production-quality open-source models (Llama 3, Mistral, Phi-3) locally with a simple API interface.
  • Open WebUI — a ChatGPT-style interface that connects to Ollama; users get a familiar experience entirely air-gapped from the internet.
  • n8n — workflow automation that integrates AI capabilities into existing business processes without any data leaving your network.
  • Docker — containerized deployment means the entire stack can be stood up on a single hardened server and managed like any other internal service.

Hardware requirements for a small team (under 25 users) are modest — a workstation-class machine with a modern NVIDIA GPU (RTX 3090 or better) can serve a team effectively with 7B to 13B parameter models. Larger organizations can scale with a multi-GPU server.
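The stack listed above, written out as a minimal Docker Compose file for a single hardened server. This is an added example, not configuration from the original post or from the Ollama or Open WebUI projects. The image names, Ollama's default port 11434, the container data paths and the OLLAMA_BASE_URL, ENABLE_SIGNUP and ENABLE_OPENAI_API settings are the projects' published defaults; the host port 3000, the network and volume names and the GPU reservation are assumptions for this deployment.

```yaml
# Added example: on-prem LLM stack (Ollama + Open WebUI) kept inside the CUI boundary.
# Assumptions: Docker Engine with the Compose plugin and the NVIDIA Container Toolkit
# are installed, and models are pulled once (ollama pull <model>) before the host's
# outbound internet access is removed at the firewall.
services:
  ollama:
    image: ollama/ollama
    container_name: ollama
    volumes:
      - ollama_models:/root/.ollama        # model weights persist on this host only
    networks:
      - llm_internal                       # no published port: only Open WebUI can reach the API
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia               # hand the local GPU(s) to the model server
              count: all
              capabilities: [gpu]
    restart: unless-stopped

  open-webui:
    image: ghcr.io/open-webui/open-webui:main
    container_name: open-webui
    environment:
      - OLLAMA_BASE_URL=http://ollama:11434  # Ollama's default port, reached over the internal network
      - ENABLE_OPENAI_API=false              # no external model provider; prompts never leave the host
      - ENABLE_SIGNUP=false                  # assumption: set after the first (admin) account is created
    volumes:
      - open_webui_data:/app/backend/data    # chat history and accounts stay on this host
    ports:
      - "127.0.0.1:3000:8080"  # bound to loopback; change the address to a LAN interface for team access
    networks:
      - llm_internal
      - frontend                             # needed so the published port works
    depends_on:
      - ollama
    restart: unless-stopped

networks:
  llm_internal:
    internal: true   # containers attached only here have no route to the internet
  frontend:

volumes:
  ollama_models:
  open_webui_data:
```

Bring it up with `docker compose up -d`, pull the models you intend to serve while the host still has outbound access, then cut that access at the perimeter. The split into an internal network for Ollama and a front network for the web interface is what keeps the model server unreachable from anything but the UI; host egress filtering, not Compose, is what makes the whole box air-gapped.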

Key advantage: On-prem AI is not just compliant — it is often faster for internal document tasks because it has zero network latency to an external API, and it can be fine-tuned on your organization's own documentation.

What to Do If Your Team Is Already Using Cloud AI

  • Audit what data has been entered. Pull Copilot or ChatGPT usage logs if available. Determine whether CUI has been processed.
  • Assess whether a reportable incident occurred. This is fact-specific — get legal and cybersecurity counsel involved quickly if CUI was processed by an unauthorized cloud service.
  • Implement a written AI use policy that explicitly defines what data may and may not be used with cloud AI tools.
  • Begin planning on-premises AI deployment as a compliant alternative for CUI-adjacent workflows.

AI Integration | Biotech | San Diego | February 2026

5 AI Use Cases for San Diego Biotech Companies That Don't Have a Full IT Team

San Diego is the third-largest biotech hub in the world. Most of the companies in Torrey Pines, Sorrento Valley, and UTC are not large enterprises — they are 20-to-200 person organizations running on lean IT resources, often with one part-time IT contractor and an MSP. These companies are simultaneously under growing regulatory pressure (FDA 21 CFR Part 11, GxP, SOC 2, HIPAA) and competing for talent against Pfizer and Illumina. AI changes that equation — but only if it is deployed securely and in compliance with your regulatory environment.

Here are five AI use cases that deliver real productivity gains for small-to-mid biotech teams, along with the security and compliance considerations your MSP probably hasn't told you about.

1. Regulatory Document Drafting and Review

Writing SOPs, batch records, validation protocols, and IND sections is time-intensive and requires specialized knowledge. An on-premises AI model trained or prompted with your existing document library can generate first drafts of routine regulatory documents in minutes — reducing SME time from hours to editorial review. For 21 CFR Part 11-regulated documents, the AI output must go through your existing review-and-approval workflow. The AI is a drafting tool, not a signer. Deployed on-premises, this keeps proprietary research data entirely within your facility.

2. Contract and Vendor Agreement Review

Legal review costs $400–$800/hour at outside counsel. A well-prompted LLM can flag non-standard terms, missing indemnification clauses, IP ownership issues, and confidentiality gaps in CRO and supplier agreements before they go to counsel. This is not a replacement for legal review — it is a first pass that makes counsel time more efficient. Cloud AI is fine for this use case if the contracts do not contain trade secrets or proprietary compound information. For those that do, on-prem is the answer.

3. Internal Knowledge Management and Onboarding

Small biotech companies have institutional knowledge locked in the heads of three people. When those people leave, the knowledge goes with them. An AI system connected to your internal document repository (lab notebooks, SOPs, historical batch records, validation reports) becomes a queryable knowledge base that new scientists can ask questions in plain language. Retrieval-augmented generation (RAG) architecture keeps the data on your servers while making it searchable by the AI. Setup takes days, not months.

4. IT Security Monitoring Summarization

If you have an EDR tool or SIEM (even a basic one), it is generating alerts your lean IT team cannot realistically triage. An AI layer can summarize alert clusters, identify patterns, and escalate only the genuinely suspicious events. For companies with a SOC 2 audit coming up, this creates the audit evidence trail — logged alert handling — without requiring a full-time security analyst. This is one of the highest ROI applications for small biotech IT teams.

5. Grant and SBIR Proposal Assistance

SBIR Phase I and Phase II proposals require significant writing effort for a format that is highly standardized. An AI model prompted with your company's prior successful proposals, your scientific background documents, and the specific FOA requirements can generate competitive first drafts of the commercialization section, market analysis, and technical narrative outline. This is a legitimate and widely-used application — NIH and NSF have not prohibited AI-assisted writing, only AI-generated submissions without human review and disclosure. Check your specific program's guidance.

The compliance bottom line: Cloud AI is acceptable for non-proprietary, non-regulated content. For anything touching IP, patient data, regulatory submissions, or 21 CFR Part 11 systems — on-premises or private-cloud AI is the only compliant path. The productivity gains are identical either way.

DoD Cyber Consulting works with San Diego biotech companies to assess AI security posture, design compliant on-premises AI stacks, and integrate automation into regulated workflows without creating compliance exposure. If your team is already using or evaluating AI tools, a 30-minute consultation is the right first step.

Ready to Secure Your Organization?

CMMC compliance, on-premises AI deployment, GRC advisory — DoD Cyber Consulting serves defense contractors and regulated industries across San Diego and nationwide.

Schedule a Free 30-Minute Brief