5 Ways Department of Defense (DoD) Contractors Can Handle CUI (Controlled Unclassified Information): FedRAMP Authorization Sets the Bar

If your company handles Controlled Unclassified Information (CUI) under a DoD contract, you already have a compliance deadline — Nov/26 for Level 2. A single misstep in how you store, process, or migrate your data can trigger a DFARS violation and put your contract at risk. The question is not if you should act. It is when and how you should act and which approach best fits your infrastructure, your team size, and your timeline. 


There are five recognized paths to CUI compliance, and only one of them is right for your situation.

Enclave Model

This model requires two distinct ERP environments: one dedicated exclusively to CUI workflows, and one for commercial operations. Each environment maintains separate credentials and access controls, with no permitted data flow between the two — a hard boundary is required under CMMC Level 2 and Level 3 compliance.

Tokenization/Encryption

CUI data is tokenized before delivery to the commercial ERP. Heavy administration is required: expect to employ multiple design engineers to comply. (NetSuite has a tokenization/detokenization approach with StratoKey; StratoKey is also used by Plex, ServiceNow and SAP ByDesign.)

In-House Hosted On-Prem Application

This option suits contractors who already maintain physical server infrastructure and a dedicated internal IT team. Hosting the application in-house keeps CUI entirely off the cloud, which removes cloud-specific CMMC controls from scope but does not reduce your overall compliance obligation. You remain fully responsible for physical security, cybersecurity, network boundary protection, endpoint controls, and continuous monitoring in accordance with NIST SP 800-171. For SMB contractors that do not have existing infrastructure, the operational cost of building and maintaining a compliant on-premises environment typically outweighs the benefit.

Using FedRAMP-Authorized ERP Platform

This option involves hosting your on-premises ERP application on a FedRAMP High-authorized platform — such as AWS GovCloud or Azure Government Cloud — rather than in a commercial cloud environment. The application itself remains single-tenant, meaning your data is fully isolated from other customers, and does not automatically upgrade, which satisfies CMMC boundary requirements.

Multi-tenant ERP versions cannot be used under this model. Shared infrastructure architecture does not meet FedRAMP High data isolation requirements, regardless of the platform it runs on. Epicor, NetSuite and Acumatica only offer multi-tenant deployment, and none of them holds FedRAMP authorization.

Private cloud deployment requires the on-premises version of your ERP. This is a critical consideration: Epicor announced in January 2026 that it is sunsetting the on-premises versions of Kinetic, Prophet21, and BisTrack. Contractors currently on those platforms should factor this directly into their compliance roadmap.

Lowest Risk Path: FedRAMP-Authorized ERP deployed on a FedRAMP-Authorized Platform

This option is fully compliant from day one. When both your ERP and your hosting platform carry FedRAMP High authorization, your CMMC controls are already built into the environment, with no transition period or interim risk exposure.
 
This matters most during data migration. Moving CUI into a cloud environment before your CMMC controls are in place constitutes an In-Transit CUI violation under DFARS — a breach that can result in contract termination or debarment. A FedRAMP-authorized ERP on a FedRAMP-authorized platform eliminates that window of exposure entirely.
 
ERPs that have achieved FedRAMP authorization include Infor CloudSuites (CSI & LN), Oracle Fusion, SAP S/4HANA, and Microsoft Dynamics 365 Finance & Supply Chain. Of these, Infor CSI is the only solution purpose-built for small and mid-size DoD contractors, which makes it the desirable fully compliant option for SMB defense contractors.

ERP Software for Department of Defense Manufacturers

Infor CloudSuite Industrial for Department of Defense Contractors

  • FedRAMP Authorized
  • DFARS (Federal Acquisition)
  • ITAR
  • AS9100
  • MMAS Standards
  • CMMI / NIST
  • Global Trade Requirements