• Home
  • Solutions
    • Movers & Moving Services
    • Relocation & Mobility Network
    • Software Development & Consulting
    • Software Creation & AI Tools
    • EasyDPS
    • EasyGOVLINK
    • EasyTariff
    • EDC-AgentLink
    • EDC Mobile
    • EDC MoveStar
    • GOgistiX
    • MERCED
    • TrakGX
    • TSPContact
    • WYNPIPE
    • Digital Inventories
    • Software development & consulting
  • Trust Center
    • CMMC
  • Resources
    • Blog
  • EDC
    • About us
    • Letter from the President & CEO
    • Leadership Team
    • Board of Advisors
    • News
    • Our History
    • Testimonials
    • Membership & Support
  • Login hub
    • Customer Portal
    • EDC-MoveStar
    • WYNPIPE
    • EasyTariff
    • TrakGX
    • EDC-AgentLink
  • Let’s Talk
No Result
View All Result
  • Home
  • Solutions
    • Movers & Moving Services
    • Relocation & Mobility Network
    • Software Development & Consulting
    • Software Creation & AI Tools
    • EasyDPS
    • EasyGOVLINK
    • EasyTariff
    • EDC-AgentLink
    • EDC Mobile
    • EDC MoveStar
    • GOgistiX
    • MERCED
    • TrakGX
    • TSPContact
    • WYNPIPE
    • Digital Inventories
    • Software development & consulting
  • Trust Center
    • CMMC
  • Resources
    • Blog
  • EDC
    • About us
    • Letter from the President & CEO
    • Leadership Team
    • Board of Advisors
    • News
    • Our History
    • Testimonials
    • Membership & Support
  • Login hub
    • Customer Portal
    • EDC-MoveStar
    • WYNPIPE
    • EasyTariff
    • TrakGX
    • EDC-AgentLink
  • Let’s Talk
No Result
View All Result
No Result
View All Result
Back

CMMC says lock it down. AI says open it up. Here’s how to do both.

Diana Coronaby Diana Corona
July 3, 2026
in Business, Leadership, Technology
CMMC says lock it down. AI says open it up. Here’s how to do both.
Share on Facebook

From the Trenches of AI — Vol. 9

At EDC®, we are currently deep in the work of CMMC compliance to support DP3 — the Department of War’s Defense Personal Property Program that governs how household goods shipments are managed for military service members, civilian employees, and their families. It is rigorous work. It is necessary work. And it has put a tension front and center for us that I think the entire industry needs to talk about: the relationship between cybersecurity compliance and AI adoption.

These two forces are not natural enemies. But right now, for many companies in our space, they are pulling in different directions. Here is what is happening, and how we are thinking about it.

What CMMC actually requires for DP3

For anyone in the household goods moving industry who has not yet felt the full weight of this, here is the reality. If your company receives, stores, processes, or transmits Federal Contract Information or Controlled Unclassified Information during the management or delivery of DP3 household goods shipments, you must comply with CMMC Level 2 by March 1, 2027. This applies to all transportation service providers, domestic and international agents, storage facilities, hauling agents, crating companies, IT vendors, subcontracted labor, freight forwarders, claims service providers, and any entity with access to FCI and CUI data in support of DP3. These requirements apply to HHG, NTS, PPM, and DPM jobs.

That is a sweeping scope. And the requirements behind it are substantive. Level 2 compliance for DP3 is achieved through self-assessment — meaning your organization is responsible for evaluating its own implementation of the required security controls, documenting that assessment, and posting results in the Supplier Performance Risk System. This is not a lesser standard. A self-assessment still requires demonstrating genuine compliance with 110 security controls across 14 control families — it simply places the assessment responsibility with your organization rather than an external certifier.

EDC® is already registered in SPRS as CMMC Level 1 self-certified. We share that not as a boast, but as an encouragement — the process, while demanding, is navigable, and we are committed to helping our customers understand and work through it alongside us.

Contracting officers use the Supplier Performance Risk System to verify a contractor’s CMMC compliance status before awarding contracts and before executing contract extensions. If your SPRS score does not reflect your required CMMC level when a contracting officer looks, the contract conversation is over before it begins.

The compliance timeline is not forgiving. Budget six to twelve months for the preparation work alone — mapping your systems, identifying where FCI and CUI live, implementing controls, and building the documentation record that a credible self-assessment requires. Companies that treat the March 2027 deadline as something to address in early 2027 will find themselves in a difficult position. The time to start is now.

The tension nobody is talking about

Here is where it gets complicated. At the exact moment our industry is being asked to lock down system boundaries, restrict data flows, and tightly control every point where sensitive information touches a network, the broader business world is racing in the opposite direction — toward AI adoption, cloud-based automation, and tools that thrive on broad data access and rapid integration.

CMMC asks: where exactly does this data live, who exactly can touch it, and can you prove it? AI tools, as typically deployed, ask: can we connect to your data, route it through our platform, and use it to make our model smarter? Those two questions do not resolve themselves easily.

Most third-party AI tools were not built with CMMC’s control families in mind. Many cloud-based AI assistants route data through infrastructure that has not been assessed against NIST SP 800-171. Some retain data in ways that conflict directly with the access control and data flow restrictions CMMC requires. A company racing to adopt the latest AI capability without carefully scoping its CUI boundary risks accidentally pulling regulated data into a system that has no business touching it — and discovering that fact during a self-assessment, at significant cost and risk to its program eligibility.

Defining your assessment scope precisely and mapping all in-scope assets, security protection assets, and external service providers that process, store, or transmit FCI or CUI is one of the most critical early steps in CMMC preparation. Poor scoping inflates costs or causes failures when unassessed systems are identified during the evaluation process. An ungoverned AI tool sitting inside your operational workflow is exactly the kind of unassessed system that can derail an otherwise solid compliance posture.

Why this tension is resolvable — and why it matters that it is

We do not believe the answer is to avoid AI in order to stay safely compliant. We have written extensively in this series about why that posture is a losing strategy — the companies that sit out the AI transition will fall behind the ones that adopt it thoughtfully.

The answer is architectural. AI and CMMC compliance are not in conflict when the AI in question is built with the same security discipline that CMMC demands. The conflict only emerges when a company bolts a general-purpose, cloud-routed AI tool onto a system that handles CUI without first asking the scoping question: does this tool’s data path meet the same standard the rest of my environment is held to?

This is precisely why we built MERCED™ independently, on our own architecture, rather than relying on third-party AI integrations whose data handling practices we do not fully control. When your AI platform is built in-house, you can answer the CMMC scoping questions with precision — because you designed the data flow yourself. You know exactly where information lives, who can access it, and how it moves, because those were deliberate architectural decisions, not unknowns inherited from a vendor’s infrastructure choices.

That is not a small advantage in the current environment. It is, in our case, directly enabling our CMMC compliance work rather than complicating it.

What every TSP and DP3 partner should be asking right now

If your company touches DP3 shipment data in any capacity, the CMMC clock is running. A few questions worth asking immediately:

  • Does every AI tool currently in use across your operation know the boundary of where CUI and FCI live in your systems — and does it respect that boundary, or does it sit outside your self-assessment scope entirely, undocumented and unaccounted for?
  • If you were required to map every system that touches FCI or CUI for your SPRS submission, would an AI tool you adopted recently for operational convenience show up on that map — or would it be a surprise?
  • Is your AI vendor able to answer, in detail, how your data is processed, where it is stored, and whether their infrastructure has been evaluated against the standards your CMMC self-assessment depends on?

These are not rhetorical questions. The False Claims Act does not follow the CMMC phase schedule — it applies today. If you are claiming compliance you do not have, whether through a self-assessment score in SPRS or a misrepresented certification status, the legal exposure is real and immediate.

Our commitment

We are in the middle of this work ourselves, and we are not going to pretend it is simple. CMMC compliance is demanding and time-consuming — and reconciling it with an AI strategy adds a layer of complexity that did not exist a few years ago.

But we believe the two are reconcilable, and we believe doing the work to reconcile them properly is exactly what our industry’s partnership with the Department of War and the families it serves requires. Military household goods shipments carry information that matters — personnel data, location details, family information — and the trust placed in TSPs, agents, and technology partners to protect that information is not abstract. It is earned, continuously, through exactly the kind of rigorous work CMMC demands.

We are here to help navigate this alongside our customers, every step of the way. We will keep sharing what we learn as we move through this process — from the trenches.

“From the Trenches of AI” is an ongoing EDC® LinkedIn series exploring artificial intelligence through the lens of an industry that moves people, not just data.

About the Author

Diana Corona

Co-Founder, President & CEO — Enterprise Database Corporation (EDC®)

Diana Corona co-founded EDC® over 25 years ago and has spent her career building software purpose-built for the moving and storage industry. Under her leadership, EDC® has grown into one of the most trusted technology partners in the space — serving moving companies of all sizes across residential, commercial, military, government, international, and specialty move types. She writes on topics at the intersection of technology, operations, and the future of the moving industry.

Related Posts

You cannot automate judgment. Corporate America just proved it at scale.

You cannot automate judgment. Corporate America just proved it at scale.

From the Trenches of AI — Vol. 10 True leadership has never been about moving first. It has been about...

Read moreDetails

The government just grounded two of the world’s most advanced AI models. The industry should pay attention.

The government just grounded two of the world’s most advanced AI models. The industry should pay attention.

On June 12, 2026, Anthropic published a statement confirming that the United States government issued an export control directive requiring...

Read moreDetails

AI will reshape everything. Mo Gawdat says what survives is our humanity.

AI will reshape everything. Mo Gawdat says what survives is our humanity.

Last week I watched something I cannot stop thinking about. Mo Gawdat — former Chief Business Officer of Google X,...

Read moreDetails

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

  • Home
  • Solutions
  • Trust Center
  • Resources
  • EDC
  • Login hub
  • Let’s Talk

COPYRIGHT © 1997-2025 Enterprise Database Corporation.
All rights reserved. EDC®, Enterprise Database Corporation, EDC Mobile™, EDC-MoveStar®, EasyGOVLINK™, WYNPIPE®, MERCED™, EasyTariff ®, EDC-AgentLink®, EasyDPS®, GOgistiX®, TrakGX®, TSP Contact™ and all associated logos and designs are trademarks or registered trademarks of Enterprise Database Corporation.

No Result
View All Result
  • Home
  • Solutions
    • Movers & Moving Services
    • Relocation & Mobility Network
    • Software Development & Consulting
    • Software Creation & AI Tools
    • EasyDPS
    • EasyGOVLINK
    • EasyTariff
    • EDC-AgentLink
    • EDC Mobile
    • EDC MoveStar
    • GOgistiX
    • MERCED
    • TrakGX
    • TSPContact
    • WYNPIPE
    • Digital Inventories
    • Software development & consulting
  • Trust Center
    • CMMC
  • Resources
    • Blog
  • EDC
    • About us
    • Letter from the President & CEO
    • Leadership Team
    • Board of Advisors
    • News
    • Our History
    • Testimonials
    • Membership & Support
  • Login hub
    • Customer Portal
    • EDC-MoveStar
    • WYNPIPE
    • EasyTariff
    • TrakGX
    • EDC-AgentLink
  • Let’s Talk

COPYRIGHT © 1997-2025 Enterprise Database Corporation.
All rights reserved. EDC®, Enterprise Database Corporation, EDC Mobile™, EDC-MoveStar®, EasyGOVLINK™, WYNPIPE®, MERCED™, EasyTariff ®, EDC-AgentLink®, EasyDPS®, GOgistiX®, TrakGX®, TSP Contact™ and all associated logos and designs are trademarks or registered trademarks of Enterprise Database Corporation.