How are you all actually handling AI tool usage in your CMMC environment?
F500 cyber guy here (CISSP, not defense though so apologies if I'm late to the party). Been helping a couple buddies who run small defense subs prep for L2 and I can't find a clean answer on this from anyone.
Their people use AI for everything now. Copilot, ChatGPT, some are messing with agents. But the CMMC docs don't really address it. DFARS doesn't mention AI. 800-171 r3 has some adjacent stuff but nothing direct. NIST AI RMF exists but try handing that to a C3PAO and see how that goes.
Are you guys treating sanctioned AI tools as ESPs and doing the full categorization, or just bolting on AUP language and calling it good?
What about the analyst who pastes a CUI spec sheet into ChatGPT to summarize it because they're behind on a deliverable? You can't realistically watch every keyboard.
Has a C3PAO actually asked about AI tool usage in an assessment for any of you, or is it still flying under?
And for the workflows where you do let some AI tool touch CUI, how are you proving it's not training on your data beyond what the EULA says?
Feeling like a lot of folks are just kinda hoping it doesn't come up. Would love to know if I'm wrong about that.