Using SharePoint and XQ Vault Together for CMMC Project Data

The following article describes one way to organize SharePoint for use with XQ's Vault; it is not a requirement. There are many ways of organizing your data to meet CMMC requirements, so always consult your CMMC lead before implementing the recommendations below.

Audience and Purpose

This guidance is intended for IT administrators and project managers responsible for managing project data in Microsoft SharePoint while preparing to move from CMMC Level 1 to CMMC Level 2.

The goal is to provide a simple, repeatable way to organize project data so that:

  • Access to each project can be controlled independently
  • Controlled Unclassified Information (CUI) is clearly separated from non‑CUI data
  • CUI is protected using Vault, while non‑CUI data can remain in standard SharePoint storage

1. One SharePoint Site per Project

For CMMC‑relevant work, a common and effective pattern is:

  • Create one SharePoint site per project or contract
  • Grant access only to users who are authorized to work on that project

This approach simplifies access management and reduces the risk of data from different projects being mixed or over‑shared. While this is not a formal requirement, it is a practical way to align SharePoint usage with CMMC expectations around access control and data separation.

2. Separate CUI and Non‑CUI Data Within Each Project Site

Within each project SharePoint site, we recommend separating data into two logical areas:

  • Non‑CUI (Uncontrolled) data
  • CUI data (CMMC‑relevant)

At a minimum, this separation should be obvious and intentional. Many organizations do this using two top‑level folders or document libraries.

Example structure:

Project Alpha (SharePoint Site)

├── General Project Data (Non‑CUI)
│   ├── Meeting notes
│   ├── Project schedules
│   └── Administrative documents

└── CUI
    ├── Technical documents
    ├── Design artifacts
    └── Contract deliverables

This separation helps users make clear decisions about where data belongs and makes it easier to apply additional protections to CUI.
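One way to build the layout from sections 1 and 2 (a private site per project, a general library, and a separately permissioned CUI library) with PnP PowerShell. This is an added example, not an XQ or Microsoft script. It assumes the PnP.PowerShell module, an admin account on a tenant named contoso, and the project name and user addresses shown, all of which are placeholders; protecting the CUI library with Vault is a separate step done with XQ's own tooling and is not shown here.

```powershell
# Added example: scaffold one SharePoint site per project with a separate,
# more tightly permissioned CUI library. Assumes the PnP.PowerShell module
# (Install-Module PnP.PowerShell) and an admin account on a tenant named
# "contoso"; tenant name, project name and user addresses are placeholders.
# Applying XQ Vault to the CUI library is a separate step with XQ's tooling.

param(
    [string]$Tenant        = "contoso",                                 # placeholder tenant
    [string]$ProjectName   = "Project Alpha",                           # placeholder project
    [string[]]$ProjectTeam = @("alice@contoso.com", "bob@contoso.com"), # placeholder users
    [string[]]$CuiHandlers = @("alice@contoso.com")                     # placeholder subset
)

# Site alias must be alphanumeric; derive it from the project name.
$alias = ($ProjectName -replace '[^A-Za-z0-9]', '')

# 1. One private site per project; only invited members get in.
#    (Newer module versions also require -ClientId for your registered app.)
Connect-PnPOnline -Url "https://$Tenant-admin.sharepoint.com" -Interactive
$siteUrl = New-PnPSite -Type TeamSite -Title $ProjectName -Alias $alias -IsPublic:$false

# Disable external sharing for this project site so project data cannot be
# shared outside the tenant (assumes per-site sharing settings are allowed).
Set-PnPTenantSite -Url $siteUrl -SharingCapability Disabled

Connect-PnPOnline -Url $siteUrl -Interactive

# Project members go into the site's default Members group, which covers
# the non-CUI library through normal permission inheritance.
$members = Get-PnPGroup -AssociatedMemberGroup
foreach ($user in $ProjectTeam) {
    Add-PnPGroupMember -Group $members -LoginName $user
}

# 2. Two separate libraries so the CUI / non-CUI split is obvious to users.
New-PnPList -Title "General Project Data" -Template DocumentLibrary -OnQuickLaunch
New-PnPList -Title "CUI" -Template DocumentLibrary -OnQuickLaunch

# The CUI library stops inheriting site permissions; only a dedicated group,
# a subset of the project team, can contribute to it.
Set-PnPList -Identity "CUI" -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes
$cuiGroup = New-PnPGroup -Title "$ProjectName CUI Handlers"
Set-PnPListPermission -Identity "CUI" -Group $cuiGroup -AddRole "Contribute"
foreach ($user in $CuiHandlers) {
    Add-PnPGroupMember -Group $cuiGroup -LoginName $user
}

# Check: the CUI library must have unique role assignments. If it still
# inherits, the split is cosmetic and every site member can reach CUI.
$cui = Get-PnPList -Identity "CUI" -Includes HasUniqueRoleAssignments
if (-not $cui.HasUniqueRoleAssignments) {
    throw "CUI library still inherits site permissions; fix before storing CUI."
}
Write-Host "Site $siteUrl created; CUI library restricted to '$($cuiGroup.Title)'."
```

Using two document libraries rather than two folders in one library is deliberate: a library is a clean permission boundary, so breaking inheritance on the CUI library gives the CUI area its own access list that can be audited separately, and the final check catches the common mistake of creating the folder structure without actually restricting it.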

When to Use Vault

Vault is required for CUI data.

  • All data that qualifies as CUI under CMMC should be stored in the designated CUI area and protected using Vault
  • Non‑CUI data does not need to be encrypted or protected by Vault
  • Organizations may choose to use Vault more broadly, but only CUI data requires it

The key objective is consistency: users should know that anything placed in the CUI area is expected to be protected and handled accordingly.

Understanding What Counts as CUI (CMMC Level 2)

Many organizations transitioning from CMMC Level 1 underestimate how much of their project data qualifies as CUI. Below are practical examples to help teams decide how to separate data.

Common Examples of CUI

The following are typical examples of data that should be treated as CUI when related to a DoD contract:

  • Technical drawings, schematics, or system architectures
  • Engineering specifications or design documentation
  • Test plans, test results, or validation reports
  • Detailed system configurations or network diagrams
  • Contract deliverables that describe how a system is built, configured, or operated
  • Information that could reasonably be used to understand, replicate, or exploit a system

If the data supports how something is designed, built, tested, or operated for the government, it is very likely CUI.

Common Examples of Non‑CUI Data

The following are examples of data that are typically not CUI, even when related to a CMMC‑scoped project:

  • High‑level project schedules and timelines
  • Meeting agendas and general meeting notes (without technical detail)
  • Staffing plans and resourcing documents
  • General project status reports
  • Administrative or procedural documents that do not include sensitive technical content

These materials can usually remain in standard SharePoint folders without Vault protection.

Practical Guidance for Teams

When deciding where data belongs, a simple rule of thumb is:

  • If disclosure of the document could reasonably cause harm to the government or expose sensitive system details, treat it as CUI
  • If the document is primarily administrative or high‑level, it is likely non‑CUI

Encouraging teams to make this decision at the time data is created or uploaded is far easier than re‑classifying content later.

Summary

  • Use one SharePoint site per project to simplify access control
  • Clearly separate CUI and non‑CUI data within each project site
  • Use Vault for all CUI data; non‑CUI data does not require encryption
  • Provide teams with concrete examples so they can make consistent decisions

This structure provides a strong foundation for moving from CMMC Level 1 to Level 2 while minimizing disruption to existing SharePoint workflows.

Updated on February 12, 2026