Your DSPM Told You Where Your CUI Lives. So Why Are You Still Failing CMMC?

Defense Industrial Base organizations are spending six and seven figures on Data Security Posture Management tools. And those tools are doing exactly what they promised: scanning file shares, cloud storage, databases, and SaaS apps to find Controlled Unclassified Information scattered across the enterprise.

The dashboards look great in board meetings. The gap reports are thorough. The risk scores are color-coded and properly alarming.

There’s just one problem. Discovery doesn’t protect anything.

5 Key Takeaways

  1. DSPM Solves the Discovery Problem, Not the Protection Problem. DSPM platforms excel at scanning file shares, cloud storage, databases, and SaaS applications to locate Controlled Unclassified Information. They map where CUI lives, who can access it, and whether existing controls are adequate. But discovery is only the first half of CMMC 2.0 compliance. DSPM tools do not provide the secure enclave, FIPS 140-3 validated encryption, or governed communication channels that assessors require. Finding CUI and protecting CUI are two fundamentally different disciplines.
  2. External Collaboration Is DSPM’s Blind Spot. DIB organizations share CUI with prime contractors, subcontractors, and government agencies every day. DSPM tools focus on internal repositories. They have no mechanism to govern how CUI moves between organizations — who receives it, through what channel, under what encryption, or with what audit trail. For companies whose business depends on controlled information exchange across supply chain boundaries, this is the most critical gap in their compliance posture.
  3. Detection After the Fact Is Not Prevention. DSPM alerts you when CUI is mishandled — after the violation has already occurred. CMMC assessors want to see controls that prevent unauthorized access and transmission at the point of data exchange. A notification system that reports on violations is not the same as an enforcement platform that stops them.
  4. The “Better Together” Model Is Gaining Traction. Leading DSPM providers and enforcement platforms are forming strategic partnerships that connect data discovery with automated policy enforcement. These integrations use classification labels to trigger real-time controls — encryption, access restrictions, time-limited sharing — whenever sensitive data moves externally. The organizations moving fastest toward CMMC certification are deploying both capabilities as parallel workstreams.
  5. DSPM Is the Assessment Layer; You Still Need a Protection Layer. The complete CMMC technology stack includes assessment (DSPM), protection (secure CUI enclave and governed communications), infrastructure (EDR, firewalls, SIEM), identity (MFA, privileged access management), and governance (GRC platforms). DSPM occupies one layer. Achieving certification requires all of them.

The Uncomfortable Truth About DSPM and CMMC 2.0

DSPM platforms are good at what they do. They find CUI you didn’t know existed. They flag dormant accounts with access to sensitive data. They identify privilege creep that’s been building for years. They map data flows and highlight compliance gaps against CMMC Level 2 practices.

That matters. You cannot protect data you haven’t found. But here’s where the logic breaks down: finding the data and securing the data are two completely different disciplines.

A DSPM scan might reveal CUI sitting in an unapproved SharePoint folder, shared with an “Everyone” group, with zero encryption. Useful information. But the DSPM tool cannot move that data into a hardened environment, encrypt it with FIPS 140-3 validated cryptography, enforce least-privilege access, or generate the immutable audit trail a CMMC assessor will demand.

DSPM diagnoses. It does not treat.

That distinction matters more than most DIB organizations realize. CMMC 2.0 Level 2 requires demonstrable protection of CUI across 110 security practices derived from NIST SP 800-171. Discovery and classification address a handful of those practices. The majority — especially those in the Access Control, Audit and Accountability, and System and Communications Protection families — require active enforcement: encryption at rest and in transit, controlled data flows, immutable logging, and least-privilege access controls that operate at the point of data exchange.

No DSPM tool on the market provides that enforcement layer. And no amount of discovery sophistication changes that fundamental limitation.


What DSPM Actually Does Well

Before diving into the gaps, it’s worth being precise about what DSPM brings to the table. These capabilities are real, and they matter for CMMC preparation.

CUI Discovery and Classification. DSPM platforms scan on-premises file shares, cloud storage, databases, and SaaS applications to locate CUI. They map where it is stored, who has access, and whether existing protections meet baseline requirements. For organizations that have never inventoried their CUI — which is most of them — this is an essential first step.

Access Risk Assessment. These tools identify overexposed CUI: files shared with broad groups, dormant accounts retaining access, permissions that have accumulated over years without review. The output is a risk-prioritized view of who can reach sensitive data and whether they should be able to.

Compliance Gap Analysis. DSPM platforms map discovered data against CMMC 2.0 practices. They generate gap reports, prioritize remediation based on risk and compliance impact, and track progress toward readiness. These reports are genuinely useful during the early stages of CMMC preparation.

Continuous Monitoring. Once deployed, DSPM tools alert on new CUI repositories created outside approved systems, detect policy violations like CUI stored in unapproved cloud services, and monitor for configuration drift that could open compliance gaps.

All of this is valuable. None of it is sufficient.

Three Pain Points Driving the DSPM-Plus-Protection Conversation

Organizations pursuing CMMC 2.0 certification are hitting the same walls, and the pattern is predictable.

CUI is everywhere, and nobody owns the cleanup. DSPM scans reveal CUI in dozens — sometimes hundreds — of repositories across email, file shares, cloud storage, and collaboration platforms. Security teams now have a comprehensive problem inventory. What they lack is a governed destination: a secure enclave purpose-built for CUI storage and transmission. Without one, the gap reports just keep getting longer. Every quarterly scan surfaces more CUI in more unapproved locations, and the remediation backlog grows because there is no designated “correct” place to move it.

External collaboration is the blind spot. DIB organizations share CUI with prime contractors, subcontractors, and government agencies every day. DSPM tools focus on internal repositories. They have no mechanism to govern how CUI moves between organizations — who receives it, through what channel, under what encryption, with what audit trail. For companies whose business depends on controlled information exchange across supply chain boundaries, this is not a minor gap. It is the gap. And it is the gap most likely to draw scrutiny during a CMMC assessment, because assessors specifically evaluate how organizations protect CUI during external transmission.

Detection after the fact is not prevention. DSPM alerts you when someone stores CUI in an unapproved location — after the violation has already occurred. Assessors want to see controls that prevent unauthorized access and transmission at the point of exchange, not a notification system that reports on it later. Consider the scenario: an engineer emails a technical drawing containing CUI to a subcontractor using a personal Gmail account. A DSPM tool might flag this after the fact. But the data has already left the organization through an unencrypted, ungoverned channel with no audit trail. The compliance violation is complete. The damage is done. Prevention at the point of exchange is what CMMC requires, and that is a capability DSPM does not provide.

Where DSPM Stops and Protection Starts: A Requirements View

The clearest way to understand the division of responsibility is to map specific CMMC requirements to the tools designed to address them.

For Access Control practice AC.L2-3.1.1 — limiting system access to authorized users — DSPM discovers who currently has access to CUI repositories. A protection platform enforces least-privilege access to CUI within a secure enclave.

For AC.L2-3.1.20 — controlling CUI flow — DSPM maps current data flows. A protection platform enforces approved CUI flows through governed, encrypted channels.

For Audit and Accountability practice AU.L2-3.3.1 — creating and retaining audit logs — DSPM identifies systems lacking audit logging. A protection platform generates immutable audit trails for every CUI access, modification, and transmission.

For System and Communications Protection practice SC.L2-3.13.11 — employing FIPS-validated cryptography — DSPM identifies CUI stored without encryption. A protection platform provides FIPS 140-3 validated encryption for CUI at rest and in transit.

For SC.L2-3.13.16 — protecting CUI confidentiality — DSPM assesses the current protection posture. A protection platform implements a hardened enclave for CUI communications.

The pattern holds across the CMMC control families. DSPM tells you where compliance breaks down. The protection layer rebuilds it.

The DSPM Partnership Model: Discovery Meets Enforcement

The most effective approach to CMMC compliance treats DSPM and protection as complementary layers in a unified stack rather than competing solutions. This is not a theoretical argument. The market is moving in this direction through strategic partnerships between DSPM providers and enforcement platforms.

These integrations typically work through classification labels. When a DSPM platform classifies a document as “Confidential” or tags it with compliance labels like “CMMC” or “ITAR,” the enforcement platform automatically applies corresponding controls — encryption, access restrictions, time-limited sharing, possessionless editing — whenever that data moves externally. The classification drives the policy. The policy drives the enforcement. And the enforcement generates the audit trail.

This model eliminates the manual handoff that has historically plagued compliance programs. Instead of a security analyst reviewing a DSPM report, identifying a gap, filing a ticket, and waiting for someone to remediate it, the entire loop closes automatically: classify, enforce, log. That speed and consistency matter during CMMC assessments, where assessors evaluate not just whether controls exist but whether they operate continuously and reliably.
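The closed loop described above (classify, enforce, log) is easy to picture as code. The following is an added example written for this article, not Kiteworks' product code or any DSPM vendor's integration: a small point-of-exchange policy engine that reads the sensitivity labels a DSPM platform has applied, blocks any external transfer of labelled CUI over an ungoverned channel, attaches controls (encryption, expiry, download and copy restrictions) when the channel is governed, and writes every decision to a hash-chained, append-only audit log so that edits or deletions are detectable. The label names (`CMMC`, `ITAR`), the channel names, the seven-day expiry, the stricter ITAR handling and the control names are assumptions chosen for illustration.

```python
"""Label-driven enforcement loop: classify -> enforce -> log.

Added example (not Kiteworks or any DSPM vendor's code). Label names,
channel names, policy values and the hash-chained log are assumptions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Labels a DSPM platform might attach to a file (constructed for this example).
CUI_LABELS = {"CMMC", "ITAR"}

# Only the governed enclave channel may carry CUI outside the organization (assumption).
GOVERNED_CHANNELS = {"enclave-share"}


@dataclass
class ShareRequest:
    file_name: str
    labels: set[str]
    sender: str
    recipient: str                     # e.g. "pm@prime-contractor.example"
    channel: str                       # e.g. "enclave-share" or "personal-email"
    internal_domain: str = "corp.example"

    def is_external(self) -> bool:
        return not self.recipient.endswith("@" + self.internal_domain)


@dataclass
class Decision:
    allowed: bool
    reason: str
    controls: dict = field(default_factory=dict)


def evaluate(req: ShareRequest, now: datetime) -> Decision:
    """Point-of-exchange decision: the label drives the policy, the policy drives the controls."""
    cui = req.labels & CUI_LABELS
    if not cui or not req.is_external():
        return Decision(True, "no CUI label or internal recipient")
    if req.channel not in GOVERNED_CHANNELS:
        # Prevention rather than detection: the ungoverned transfer never happens.
        return Decision(False, f"CUI may not leave via ungoverned channel {req.channel!r}")
    controls = {
        "encryption": "fips-140-3-validated",       # assumed control name
        "expires_at": (now + timedelta(days=7)).isoformat(),  # time-limited sharing
        "download_allowed": "ITAR" not in cui,      # stricter ITAR handling (assumption)
        "copy_allowed": False,
    }
    return Decision(True, f"governed external share of {sorted(cui)}", controls)


class AuditLog:
    """Append-only, hash-chained log: each record commits to the previous record's hash."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, req: ShareRequest, decision: Decision, now: datetime) -> dict:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"ts": now.isoformat(), "file": req.file_name, "sender": req.sender,
                "recipient": req.recipient, "channel": req.channel,
                "allowed": decision.allowed, "reason": decision.reason,
                "controls": decision.controls, "prev": prev}
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed record breaks it."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def run_demo() -> tuple[Decision, Decision, AuditLog]:
    """Replays the article's scenario: a CUI drawing sent to a subcontractor two ways."""
    now = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    log = AuditLog()
    # Constructed request: personal e-mail to an external recipient is blocked outright.
    ungoverned = ShareRequest("drawing-1042.dwg", {"CMMC"}, "eng@corp.example",
                              "sub@personal-mail.example", "personal-email")
    blocked = evaluate(ungoverned, now)
    log.append(ungoverned, blocked, now)
    # Constructed request: same drawing via the governed channel is allowed with controls.
    governed_req = ShareRequest("drawing-1042.dwg", {"CMMC", "ITAR"}, "eng@corp.example",
                                "pm@prime-contractor.example", "enclave-share")
    governed = evaluate(governed_req, now)
    log.append(governed_req, governed, now)
    return blocked, governed, log


if __name__ == "__main__":
    b, g, audit = run_demo()
    print(b.reason, "|", g.reason, "|", "chain intact:", audit.verify())
```

The two halves map onto the article's argument: `evaluate` is the enforcement that operates before data leaves (the engineer's personal-email transfer is refused, not merely flagged later), and `AuditLog.verify` is what makes the trail tamper-evident, which is the property behind the "immutable audit trail" an assessor asks for. In a real deployment the labels would arrive from the DSPM platform's classification output rather than being set in the request, and the log would be written to storage the sender cannot modify.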

The Kiteworks Private Data Network is built around this integration model. It consumes Microsoft Information Protection labels applied by DSPM platforms and uses them to create and automatically enforce policies when data is shared externally. This includes whether files can be copied or downloaded, how long recipients have access, and what level of encryption is applied in transit and at rest. Every action generates an immutable audit record.

Kiteworks has been FedRAMP Moderate Authorized since 2017 and achieved FedRAMP High Ready designation in 2025. That authorization history matters during CMMC assessments because it demonstrates pre-validated security controls that map directly to Level 2 requirements. Combined with FIPS 140-3 validated cryptography and a hardened virtual appliance architecture, it provides the CUI protection infrastructure that DSPM tools identify as necessary but cannot themselves provide.

The Complete CMMC Technology Stack

DSPM and protection platforms do not operate in isolation. The full CMMC compliance architecture includes five layers, each serving a distinct purpose:

  • Assessment: Discover CUI, identify gaps, prioritize remediation. This is the DSPM layer.
  • Protection: Secure CUI storage and transmission through a governed enclave and encrypted communication channels.
  • Infrastructure: Hardened endpoints, network segmentation, endpoint detection and response, firewalls, and SIEM.
  • Identity: Multi-factor authentication, privileged access management, and identity governance.
  • Governance: Policy management, compliance tracking, and GRC platforms that tie the other layers together.

Organizations that invest heavily in one layer while neglecting the others will find themselves with impressive capabilities in one area and glaring deficiencies in another. Assessors evaluate the entire stack, not individual components.

What This Means for DIB Organizations at Different Stages

If your organization already has DSPM deployed, you have answered the first question: where is our CUI, and who can reach it? The second question is harder: what are we doing about it? A comprehensive DSPM deployment with no enforcement platform is an expensive way to document your own noncompliance. The gap reports will be thorough. The assessor will still fail you. The next step is standing up the protection layer — a secure enclave with governed communication channels that can receive, store, and transmit CUI according to CMMC requirements.

If your organization is evaluating DSPM, plan for both discovery and protection from the start. Many DIB organizations make the mistake of treating DSPM as a standalone CMMC solution, only to realize months later that discovery without enforcement leaves them short of certification. Budget for both. Deploy in parallel or in sequence but recognize from day one that you need both layers.

If your organization has neither, you have two parallel needs: understanding where your CUI is today and building the secure environment where it should be. Some organizations start with DSPM to scope the problem, then deploy a protection platform to solve it. Others stand up the protection layer first, then use DSPM to find and migrate CUI into it. The sequence matters less than the recognition that both layers are non-negotiable.

When DSPM Vendors Overreach: How to Evaluate Claims

Some DSPM providers position their tools as comprehensive CMMC solutions. The claim typically sounds something like: “Our platform discovers, classifies, and monitors CUI, giving you continuous CMMC compliance.” Here is how to evaluate that claim against what CMMC actually requires.

Does it provide a secure enclave for CUI? CMMC requires CUI to be stored and transmitted in protected environments. DSPM scans existing systems. It does not create the hardened infrastructure CMMC demands. If the tool cannot provide FedRAMP-authorized, FIPS 140-3 validated infrastructure for CUI workflows, it is not a protection solution.

Does it govern external CUI sharing? DIB organizations must share CUI with external partners under controlled conditions. If the tool monitors internal repositories but cannot enforce encryption, access controls, and audit logging when CUI is transmitted to a prime contractor or government agency, it leaves the most scrutinized part of the CMMC assessment unaddressed.

Does it enforce controls in real time? Detection and alerting are valuable. But CMMC requires prevention — controls that operate at the point of data exchange, not after a violation has occurred. If the tool’s primary mechanism is post-incident alerting, it is a monitoring tool, not an enforcement tool.

Does it provide CMMC-ready audit trails? DSPM may log discovery scans and alert events. CMMC assessors require immutable audit trails of every CUI access, modification, and transmission. If the tool cannot produce those records for external data exchanges, it does not meet the audit and accountability requirements.

None of these limitations diminish the value of DSPM for its intended purpose. But they should inform how organizations evaluate vendor claims about CMMC readiness.

The Bottom Line

DSPM finds the problem. You still need something that solves it.

The organizations that will achieve CMMC 2.0 certification fastest are the ones that understand this distinction from the beginning. They deploy DSPM to discover and classify their CUI. They deploy a protection platform to build the secure enclave and govern external communications. They integrate the two so that classification labels drive enforcement automatically. And they generate the immutable audit trails that prove continuous compliance to assessors.

Discovery and protection. Assessment and enforcement. Diagnosis and treatment. CMMC requires both sides of the equation. The question is not whether to invest in DSPM — it is whether you have planned for what comes after DSPM tells you where your CUI is and how exposed it is.

Because that question is the one the assessor is going to ask. And “we have a really good dashboard” is not an answer that passes.

To learn how Kiteworks can help, schedule a custom demo today.

Frequently Asked Questions

Data Security Posture Management (DSPM) is a category of security tools that discover, classify, and monitor sensitive data across an organization’s IT environment. For CMMC 2.0, DSPM platforms scan on-premises file shares, cloud storage, databases, and SaaS applications to locate Controlled Unclassified Information. They identify who has access, flag overexposed data, map data flows, and generate compliance gap reports against CMMC Level 2 practices. DSPM is particularly valuable during the assessment and preparation phase of CMMC because it gives organizations a complete inventory of their CUI and a clear picture of where existing controls fall short. However, DSPM addresses discovery and monitoring — it does not provide the encryption, access enforcement, secure enclaves, or audit logging that CMMC requires for CUI protection and transmission.

No. CMMC 2.0 Level 2 requires organizations to implement 110 security practices derived from NIST SP 800-171. DSPM tools address a subset of these practices, primarily in the areas of discovery, classification, and monitoring. The majority of CMMC requirements — especially those in the Access Control, Audit and Accountability, and System and Communications Protection families — demand active enforcement capabilities: FIPS 140-3 validated encryption, least-privilege access controls, immutable audit trails, secure external collaboration, and hardened infrastructure for CUI workflows. These enforcement capabilities are outside the scope of DSPM. Organizations need both a discovery layer (DSPM) and a protection layer (secure CUI enclave and governed communications) to achieve certification.

DSPM tells you where your CUI is, who can access it, and where your compliance gaps are. A CUI protection platform provides the secure environment where CUI should be stored and the governed channels through which it should be transmitted. In practical terms, DSPM discovers that CUI is sitting in an unapproved SharePoint folder with excessive permissions and no encryption. A protection platform provides the FedRAMP-authorized, FIPS-validated enclave where that CUI should be moved, enforces least-privilege access, encrypts data at rest and in transit, and generates immutable audit trails of every interaction. DSPM is the diagnostic tool; the protection platform is the treatment.

The most effective deployments integrate DSPM discovery with automated policy enforcement. DSPM platforms classify CUI and apply sensitivity labels. Protection platforms consume those labels and automatically enforce corresponding controls when data is shared — encryption, access restrictions, download limitations, and time-limited sharing. This creates a closed loop: classify, enforce, log. The classification drives the policy, the policy drives the enforcement, and the enforcement generates the audit trail that CMMC assessors require. Organizations can deploy both tools in parallel or in sequence, but the integration between discovery and enforcement is what closes compliance gaps and maintains continuous readiness.

For DSPM, prioritize comprehensive CUI discovery across all data repositories (cloud, on-premises, SaaS, email), accurate classification against CMMC-relevant categories, access risk assessment, compliance gap reporting mapped to CMMC Level 2 practices, and continuous monitoring for configuration drift. For a protection platform, require FedRAMP authorization, FIPS 140-3 validated cryptography, a hardened virtual appliance or enclave architecture, secure external collaboration capabilities for supply chain CUI exchange, immutable audit trails for all CUI interactions, pre-mapped CMMC controls with SSP and POA&M support, and flexible deployment options (on-premises, private cloud, or authorized cloud). Most critically, evaluate whether the two tools integrate so that DSPM classifications drive enforcement policies automatically.
