CMMC 2.0 on Google Workspace: what Assured Controls gives you, and what you still need to protect CUI
Close the gap between hoping you're compliant and being audit-proof with your existing Google Workspace.

Right now, somewhere in your company, Controlled Unclassified Information (CUI) is sitting in a Google Doc with broad access. A program manager pasted a spec into a draft RFP response and left it open to the working group. A sub-contractor shared a slide deck with a prime's team to make a deadline. A defense consultant sent a planning timeline over Gmail to a customer team. In each of those cases, your CMMC 2.0 compliance, your ITAR posture, and your contract eligibility depend on something most defense teams on Workspace have not actually solved: protecting the sensitive data inside the document without preventing cleared collaborators from doing their work.
If you are a Defense Industrial Base (DIB) prime, sub, or defense-adjacent firm running on Google Workspace, the gap between "we use Assured Controls" and "our CUI handling is actually compliant when an auditor walks in" is wider than most security and compliance leads realize. This article walks through where the gap opens, what it costs you, and what closing it looks like with the tools that exist today.
The CUI exposure most defense teams on Workspace don't see
Most DIB contractors who chose Google Workspace know they need to protect CUI. They just have not connected the requirement to specific Workspace behavior, because Assured Controls on paper looks like a complete answer.
The pattern looks like this. Your team handles CUI: technical specs, ITAR-controlled engineering data, program timelines, source selection information, financial details on cost-reimbursable contracts. That data flows through Gmail, sits in Drive, gets drafted in Docs, presented in Slides. Your IT setup checks the boxes: Assured Controls in transit and at rest, Assured Controls Plus, the right Workspace tier, geographic restrictions on data residency. Compliance signed off. Auditors flagged geographic and identity controls, not data handling within documents.
Then the real work happens. A draft proposal contains three paragraphs of CUI and twelve paragraphs of unclassified content. The doc gets shared with the proposal team, most of whom should not see those three paragraphs. A briefing deck contains one ITAR-controlled slide and forty unrestricted ones. It gets sent to a customer's contracting team, including foreign nationals who should not see the controlled slide. A CUI-marked email forwards externally to a vendor whose email client strips Workspace labels.
Each of these creates a CMMC 2.0 control failure that does not show up in your Workspace logs as a breach. It shows up as normal business. And under CMMC 2.0 Level 2 assessment, "normal business" is what the auditor is actually testing.
Why your Workspace setup creates this gap
Assured Controls is a strong perimeter. It is the wrong layer for the threat.
Here is what Assured Controls and Workspace's defaults actually give you, and where they end.
Geographic and infrastructure controls (Assured Controls). Data residency in US data centers, US persons-only support, FedRAMP High lineage. This protects the infrastructure boundary. It does not protect what happens to specific text inside a document once an authorized user opens it.
Encryption in transit (TLS) and at rest (AES-256). Standard Workspace encryption, with Google-managed keys by default. For higher-control deployments, Customer-Managed Encryption Keys (CMEK) and Client-Side Encryption are available. Useful, with the same limitation: encryption decrypts when an authorized user opens the file. Your CUI is unencrypted from the moment the right credentials touch it.
Identity-based access controls. Workspace groups, Drive permissions, Gmail controls. These work at the document or file level. They do not give you paragraph-level or text-span-level distinctions inside a document. So either you over-restrict, locking down whole docs that only contain partial CUI and slowing the proposal team, or you under-restrict, leaving whole docs open because most of the content is unclassified, and the CUI parts get seen by collaborators without clearance for that specific data.
Workspace classification labels. Visible only within Workspace. The moment an email containing a "CUI" label is sent to a recipient on Outlook, Apple Mail, or any other client, the label is gone. The recipient does not see the classification. Their email client does not enforce anything based on it. Under NIST SP 800-171 Rev. 3 and the CMMC 2.0 assessment guide, missing or invisible markings on transmitted CUI are a control failure.
So what threats do the defaults protect against? Geographic data sprawl. Disk theft. Casual unauthorized access at the file boundary.
What they do not protect against, which is how data exposure actually happens in real DIB workflows:
- Cleared collaborators seeing data beyond their permissions. Workspace's unit of access is the document. CUI's unit of classification is the data element. The mismatch creates exposure on every proposal, every joint review, every working group.
- Markings stripped on outbound email. Workspace labels do not survive in Outlook, Apple Mail, or any non-Workspace recipient client. Per CMMC 2.0 and DFARS 252.204-7012, your marking obligation does not end when the email leaves your tenant.
- Quantum risk for long-lived defense data. Harvest-now-decrypt-later is operationally relevant for defense data that will still be classified or sensitive in 10 to 20 years. NIST finalized its post-quantum cryptography standards (FIPS 203, 204, 205) on August 13, 2024.
The gap is between "data-at-rest" protection, which Assured Controls gives you, and "specific-text-in-document classification and access control," which CMMC 2.0 requires you to enforce. That gap is where CUI exposure lives, and Assured Controls alone does not close it.
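The document-versus-data-element mismatch described above, as an added illustration (not Qanapi's or Google's code): a document is modelled as a list of text spans, each optionally tagged with a classification level, and two access models are compared. The level names, the placeholder text and the sample document are constructed for the example.

```python
# Added example: models why document-level permissions over-expose CUI.
# Workspace grants access per file; CUI classification applies per data element.
# Level names ("CUI", "ITAR"), placeholder wording and sample text are assumed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Span:
    text: str
    level: Optional[str] = None  # None = unclassified; otherwise e.g. "CUI", "ITAR"


PLACEHOLDER = "[{level}: protected, authorization required]"

# Constructed sample: a draft proposal mixing unclassified and controlled text.
DOC: List[Span] = [
    Span("Delivery is scheduled for Q3. "),
    Span("Controlled engineering parameter: <constructed value>. ", "ITAR"),
    Span("Cost-plus fee structure: <constructed value>. ", "CUI"),
    Span("Thanks for reviewing."),
]


def document_level_view(doc: List[Span], has_file_access: bool) -> str:
    """Drive-style file permission: a reader gets all of the text or none of it."""
    return "".join(s.text for s in doc) if has_file_access else ""


def span_level_view(doc: List[Span], clearances: FrozenSet[str]) -> str:
    """Classification-bound rendering: a span's text is shown only to a reader
    holding that span's level; everyone else sees a placeholder in its place."""
    return "".join(
        s.text if s.level is None or s.level in clearances
        else PLACEHOLDER.format(level=s.level)
        for s in doc
    )


def over_exposure(doc: List[Span], clearances: FrozenSet[str]) -> List[str]:
    """Levels a reader with file access but without clearance would see under
    document-level access: the finding an assessor would record."""
    return sorted({s.level for s in doc if s.level and s.level not in clearances})
```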
What closing the gap looks like
You need four things on top of Assured Controls that the platform does not provide natively: precision classification at the text level inside documents, classification markings that survive when content leaves Workspace, client-side encryption, and hosted S/MIME. All exist as Google Workspace Marketplace add-ons.
Precision inline encryption inside Docs and Slides. A classification system that protects specific text spans, not whole files. Cleared users with the right classification level see the decrypted text. Users without proper authorization and access see a placeholder. Multiple classification (authorization) levels can coexist in the same document. Editing, suggesting, and viewing modes all work normally for users with appropriate access. The Qanapi Live Redaction Add-On for Google Docs is the only encryption service authorized to run in Google Docs on Assured Controls, with FIPS-validated, quantum-resistant cryptography. ITAR and CMMC 2.0 compliance built in.
Persistent classification markers on outbound email. Plain-text markers embedded in the subject and body of Gmail messages, so the classification is visible to any recipient regardless of email client. CUI, CDI, Confidential, and other markers configurable for your organization. The Qanapi Email Classification Add-On for Gmail covers this layer.

Client-side encryption that gives you total key control. Deploy post-quantum cryptography and encrypt files before they even reach Google's servers, ensuring your cloud-service providers aren’t holding your security in their hands. Create, manage, rotate, and retire encryption keys with ease.
S/MIME across Gmail to unlock the full potential of your enterprise, securely. Protect email content before sending to ensure only authorized recipients can decrypt and receive messages. Verify sender identities with digital signatures to safeguard recipients from phishing and malicious threats.

Together, these capabilities make up the Qanapi Zero Trust Bundle: verified, CMMC 2.0-compliant protection across your Google Workspace in minutes, at a fraction of the standard cybersecurity cost.
Your proposal team keeps working in Google Docs. Your sub-contractor relationships keep flowing through Gmail. Nothing changes about how people work. What changes is what happens to the data underneath: every sensitive text span is classification-bound, every outbound email carries persistent markers, and the encryption uses FIPS-validated, quantum-resistant cryptography backed by a patented architecture (1 issued, 3 pending). When an auditor walks in, you have actual data-handling controls to point to, not just policy paperwork.
Why this has been hard to fix (until now)
If this gap is so well known to CMMC assessors, why have most DIB contractors on Workspace been living with it?
Two reasons. First, the historical options were unattractive. Either move sensitive workflows to Microsoft 365 GCC High, which is expensive, painful to migrate to, and forces a Workspace-to-Microsoft transition most teams resist. Or accept that classification-by-process (training, DLP, manual review) is sufficient, which CMMC 2.0 Level 2 assessments are increasingly proving is not the case. Second, the available tooling for Workspace-native CUI protection assumed enterprise security stacks that smaller DIB subs and defense-adjacent firms do not have.
Qanapi's Zero Trust Bundle is secure by design, simple by choice. Sign up for the trial, then activate the add-ons from the Google Workspace Marketplace. No browser extensions or plugins, with native mobile browser support included. Secure your first piece of information within minutes of completing admin setup. A 25-person DIB sub can deploy this end-to-end in a single afternoon. $15 per user per month after a 30-day free trial, a fraction of the typical M365 GCC High migration cost.
The economics changed when information protection became Workspace-native, deployable in hours instead of quarters, and aligned with the Marketplace billing model your organization already understands.
What this looks like in practice
DIB subcontractor team handling CUI in proposal drafts
- Live Redaction Add-On installed via Marketplace (no browser extensions).
- Tailored classification groups mapped to internal need-to-know levels.
- Email Classification deployed for outbound proposal team comms.
- Time to deploy: same afternoon. Cost: $375/month for a 25-person team.

Defense consultant working across multiple primes with mixed CUI and ITAR-controlled data
- Live Redaction protecting controlled text spans inside customer-shared decks.
- Email Classification ensuring outbound CUI emails carry persistent markings regardless of customer email client.
- Time to deploy: same day. Time to first audit-ready protected document: minutes.
The shape of the next 24 months for DIB on Workspace
Three patterns are converging, and they all push toward data-level controls rather than process and perimeter controls:
- CMMC 2.0 assessment is moving from policy to practice. DoD's CMMC 2.0 framework and the accompanying DFARS clauses make clear that data handling is the assessment target. C3PAOs are testing whether your CUI is actually protected in the workflow, not whether you have a policy that says it should be.
- The DIB is consolidating on data-level controls. As primes flow CMMC requirements down to subs, the architectural answer that scales (one control, many frameworks) is data-bound classification and encryption rather than separate point tools per regulation.
- Post-quantum migration is operationally urgent for defense data. Defense data has the longest "still matters" horizon of any data class. NIST's finalized PQC standards mean migration timing is the question. Architectures that put algorithm decisions behind a stable policy surface migrate fastest.
The DIB contractors that win this curve are the ones who treat data-level protection as a property of their architecture, not a policy they keep reissuing.
Secure Your Workspace Today
Stop relying on the boilerplate protections that don't meet your CMMC 2.0 needs. The Qanapi Zero Trust Bundle installs from the Google Workspace Marketplace with a 30-day free trial. CMMC 2.0 and ITAR compliant when paired with Google Assured Controls Plus on Assured Controls. FIPS-validated, quantum-resistant.
About Qanapi
Qanapi is a leading innovator in data security and governance. Our encryption API is built for speed and security, so any team can get Zero Trust data protection within minutes. Try it out for free by creating your first project today.
