I don't know. I've been a software engineer for 25 years, but this is my first DoD job in 20. We didn't have this when I was a junior developer and I don't have the time to learn about this particular part of the process.

We have plenty of program contracts that require IL5. I think you only need ATO to go to IL6 and above (which would be Secret and would require working in a SIPRNet-connected network isolated from our corporate network). For just CUI data, I thought you didn't need special authorization.

What I really need is someone I can trust who can come in and tell me what we should be doing, because whatever our IT Security team is telling me sounds ludicrous. There are a whole host of problems with our IT systems that indicate to me that they don't really know what they are doing.

Edit: note, I'm not talking about certifying our own software for use with CUI. That's a ball of wax that our leadership has told us to defer until next year, since for this particular project we don't have any clients yet. I'm talking about how our IT dept won't let us send CUI through existing, should-be-approved services in Azure GCC High right now, even from our laptops inside our CUI-approved corp network.
