A bounded evidence-operations model designed to avoid CUI intake
How Gridex structures CMMC evidence operations around client-controlled repositories, least-privilege access, metadata, and explicit CUI intake boundaries.
Client-controlled source repository
Minimum necessary metadata and access
Explicit CUI rejection and escalation procedure
No use of client data to train models
Keep the artifact where it belongs
Evidence may include sensitive security information and, in some cases, CUI. The preferred operating design leaves files in the client’s approved tenant, repository, console, or enclave. Gridex maintains the operating index and performs approved work in that environment rather than building a shadow evidence store.
Define the intake protocol before live work
The engagement must document what Gridex may receive, what must never be sent through email or Gridex-controlled systems, how an accidental submission is contained, and who decides whether a questionable item is CUI.
- Named client security owner and escalation contact
- Approved repositories and communication channels
- Least-privilege accounts with logging and review
- Data-retention and access-removal procedure
- Incident and accidental-intake response
A design goal is not a legal conclusion
Avoiding custody of CUI is an architectural goal, not a self-issued determination that Gridex is outside every contractual requirement. The client, counsel, qualified CMMC advisor, and relevant providers must confirm the final model.
Concrete, client-owned operating records
Facts, not verdicts
This page describes the intended operating architecture and is not legal advice or a CMMC scoping determination.
Frequently asked questions
Does metadata automatically stay outside CMMC scope?
No blanket conclusion is possible. Metadata sensitivity depends on its content and context. The engagement must minimize fields and obtain a qualified scope review.
Can Gridex work entirely through email?
Email can coordinate requests, but evidence should be returned to approved client systems. The permitted channels depend on the client’s data-handling requirements.
Source context
Bring the evidence state you actually have.
Gridex will map the operating work, the human judgment boundary, and the safest next step.