A
All right folks, it is May of 2026 and if you're like most people, you probably didn't know that the DoD has updated their CMMC Frequently Asked Questions document for the third time since November of 2025. At this point, FAQ updates are the primary way that the Department is communicating guidance to defense contractors. And there are definitely some things that you need to know in the newest update and that's what we're going to talk about today. Jason, we covered CMMC FAQ version 4 back in January and just like that update, the DoD didn't tell anyone that there was actually an update. There are no press releases, there are no social media posts, there isn't even an indicator on the CMMC page where the FAQ document is located that any change has happened unless you click on the link and open the PDF every day. You don't know that anything has changed unless you subscribe to this channel. Thanks for doing that, by the way. So depending on what you actually consider to be a revision inside of these documents, the Department has updated 11 different questions across three different versions of this document in less than six months. What the heck is going on here?
B
I think what's going on is that I think everyone needs to realize that this document for the perpetuity of the CMMC program is going to be a living document. Anytime there's some speculation that needs to be clarified, instead of pomp and circumstance happening, a grand parade happening, us popping off whatever poppers in the air, it's just hey, here's an update, and it would behoove you to stay on top of it or watch the show constantly whenever changes happen. Right Jacob?
A
Yeah, yeah, absolutely. And we'll put the link below so you guys can read the document yourself. You definitely should because we're not going to be able to cover all the details here, but let's get right into them. So there is a growing landmine with significant change and annual affirmation and I can already see it coming. So let's talk about it, this whole significant change idea. So section C, question 12, what qualifies as a significant change that would require an organization seeking assessment to undergo a new evaluation under the CMMC program? The Department keeps saying this, that if you experience a significant change in your environment, you need to go get a new CMMC assessment. So of course everybody says what the heck does significant change mean? And all the answers are quite nebulous, they're quite open ended. So it's up for interpretation. More on that in a minute. But they did give us a little bit of information. My rule of thumb, you know, sort of like default bright line before any other interpretation, is if you have a change to the scope of your environment, that would be considered a significant change. Now details beyond that are, you know, their own debate. But if you change the scope of what was assessed, that's a significant change and there needs to be a new assessment because the scope is different. It's not the same anymore.
B
I mean, I'd like to go by a rule of thumb also, but my rule of thumb is if it sounds sus, as the kids like to say nowadays, then more than likely it is sus and you need a reassessment. Let me explain myself. If you look at this and you say that this change that I'm about to make dramatically affects the boundary which was certified by a C3PAO, I think that that would be a suspect change that you need to suspect is a significant change and needs a reassessment. That's just me. It's a general rule of thumb. It takes a lot for me to be like, hey, that seems sus, that seems sus. You need to make a change.
A
There you go, there you go. You know, in tune with the youth today with all the vocabulary and the brain rot vernacular. Anyways, so yeah, we think SCOPE is like a good rule of thumb, but they don't talk about scope in this update. They do give us one hard example here and they say requirements that are not applicable, that become applicable, are now considered to be a significant change because according to the DoD, that security requirement or assessment objective had never been assessed in the first place. So if you have security requirements or individual assessment objectives that are marked N/A (not applicable) during your assessment, and then after your assessment, suddenly those things are now applicable, the DoD considers those to be significant enough changes that that would trigger a requirement for a new assessment. So one example that they give is Wi-Fi. If you don't have any Wi-Fi in the system when you're assessed originally and then you install a Wi-Fi system afterwards, a bunch of requirements that weren't applicable and not evaluated whatsoever are now inside of your system and very, very applicable, hence significant change.
B
Jacob, I can tell you that the amount of organizations I speak to where their plans include things like Wi-Fi endpoints or mobile devices being marked not applicable to save money on scope and then after certification they just want to creep them back in. Oh, we'll add them after the fact. Those endpoints are on layaway, whatever you want to say. The amount of organizations I speak to is significant. The plans for the organizations, for some reason, I don't know where it came from, have now shifted to, okay, we need to do this quickly and we need to do it cost efficiently. Right? And so the way that we're going to do it is to cut out all these things and just bring them back in after we pay for that assessment.
A
Nothing more terribly efficient than paying for two assessments instead of one, am I right? I mean, that's what you're going to end up with or you're going to take a big risk based off of the decision that you make that says that these aren't significant. But we're going to talk about that in a second. So the FAQ under this entry says changes that are not significant. So they say routine updates, routine maintenance, patching, upgrades, things like that, not considered significant change. I think that's probably pretty obvious. But then you get into the gray area here and this is where the debate really starts to happen. They give examples of changes that quote, require additional consideration. So not applicable requirements become applicable: significant change. Changes to the scope of your original assessment boundary: significant change. Routine maintenance, patching, things like that: not a significant change. What about major functionality changes? What about changes that require a new security approach or a new security design that wasn't present in your original SSP? What about changes that reduce or remove support for requirements, applicable requirements that are now suddenly not applicable? Does that count as a significant change in the other direction? Not applicable requirements becoming applicable counted as changes. They don't say. They don't say if these are significant changes. They say that this requires additional consideration. So additional consideration by whom? Right? Well, by the affirming official. Because after your original CMMC assessment, the process is not over. This is a continuous process every year and the affirming official at your company every year has to submit an annual affirmation that says we are continuously compliant with the thing that you saw we were compliant with back when we got our original assessment. There haven't been any significant changes.
Everything is still good to go and we'll see you again next year. And then after that period is over, then you get a new formal third party assessment and then you move on with your life. So did you make the decision when you submitted that affirmation during that year? If one of those things happens, you had a major functionality change, is it significant? That's your call. It's up to you.
B
Yeah, it depends times two. Right. So is the change significant? Well, it depends. You have to evaluate it and how it affects your boundary.
A
Right.
B
And then make that decision. It depends. And then it depends times two. The second part is did you make the right decision? And it depends. It depends when it all comes out in the wash. If something were to happen, if somebody finds out about it and reports it, whatever it may be, it depends again. So you have to evaluate it and you have to have a very, very solid defense as to whether you made the decision, whether it was significant or it was not.
A
And boy, oh boy, I can tell you if there is a documented paper trail anywhere that says we're going to say this wasn't significant because we didn't want to pay for it, that is not going to hold up. If that gets out into, you know, into the hands of the right people, I'll say. So more on this, like who's making this decision? Right. IT Security, your third party managed service provider might own security responsibilities, security functionality, assessment evidence and documentation, system lifecycle maintenance and upgrades, all that stuff, but somebody that's not those people owns the responsibility to attest on behalf of the company that compliance is still happening after the original assessment. That ain't going to be your MSP. It's probably not going to be your IT guy. Almost certainly not going to hold up. Right. You can't just delegate that kind of decision to the IT guy. Right? So for small and medium sized companies, that affirming official is probably going to be the CEO, it's probably going to be the owner, it's probably going to be the President, who typically is not all that in tune with what's going on with those other teams because they outsourced it for a reason. Y'all better be on the same page when it comes to which decisions were made about what was significant and what wasn't. Because you're the one that's submitting the annual affirmation each year. And this is just an example of how just having the CMMC certification is not going to insulate people from False Claims Act liability. Because if you submit an affirmation a year later and it says, yeah, we are still doing the same thing we were doing a year ago and you're not, then now they have a baseline to compare to with your affirmation. So it actually makes that liability even easier to go after somebody. So just make sure you all are on the same page because you're not gonna be able to blame the IT guy or your MSP for that one.
B
Yeah, in a lot of situations I hear input from the legal team, you know, like some feedback from that in larger organizations. But you're right, for the smaller organizations it comes down to the people that do the everyday jobs of either implementing the CMMC program or actually carrying out the business operations that require CMMC. Right. And a lot of times, Jacob, I'll ask organizations, I'll be like, do you know who your affirming official is? And I don't know. Yeah, don't know who that person is.
A
It's definitely gonna be a big topic moving forward for sure. I think everybody's focused on their initial assessment and you know, that's the first bridge people have to cross obviously. But you know, that's definitely going to be 2/3 of people's experience under CMMC. Because most of the time you're not dealing with a third party assessment, you're dealing with annual affirmation. And that's all done in house. So, you know, we'll cross that bridge when we get to it, but just make sure you guys are on the same page. Okay. A couple more things that were interesting in this FAQ document, still in section C, question 6. If a company is a joint venture, does the joint venture need its own CMMC status or can the CMMC status of each joint venture partner suffice? Basically, the DoD says that either of those will work as long as the CMMC unique identifiers represent the scope used during contract performance. So the CMMC unique identifiers for the systems that will house, process, store, transmit CUI during contract performance, it could belong to the JV, it could belong to the members of the JV. They don't care. What they care about is that the CMMC UIDs are provided during the proposal and that's where the CUI goes. This also matches what they talk about elsewhere in the FAQ, so be sure to read the whole thing, when they talk about CAGE codes. Basically, if a system is not represented by the CMMC UID provided in the proposal, then the DoD says it can't be used to process, store or transmit either FCI or CUI during contract performance. And that's going to apply to primes, that's going to apply to subs, that applies to joint ventures, that applies to enclaves, business units. Doesn't really matter. It all sort of revolves around which systems are represented by these UIDs, what those UIDs are being deployed in, you know, whatever arrangement or agreement, it doesn't really matter.
B
Yeah, it's just deflecting the responsibility for policing the program. Right. So like the UIDs have to be collected by the prime contractor in whatever scenario. And then that prime contractor reports to another prime or whatever, however the supply chain works, but that reports up. It's a bubble umbrella report that goes up. And as long as the company that is passing the information down as contractually obligated is assuring that the protections exist and they're all listed, we're in good shape. That's how the joint venture is going to work.
A
I think it'll be interesting moving forward. And I don't know if the DoD is ever going to put this information out, but there's going to be more UIDs than there will be contractors out there in the ecosystem. So I wonder, you know, two, three years from now, you know, how many more CUI systems there are than defense contractors. It's probably going to be quite a big difference. But I think that's probably the more interesting number is how many systems are processing CUI out there rather than just the number of contractors that that CUI passes through.
B
Another interesting thing would be like a contract award. Jason's company contracts with Jacob's company. I give you my UID at that present time. Obviously things change. I update my UID as you're performing, I don't know, the renewal or the rebate or whatever for the contract. You utilize that old information, which is my old UID, which is no longer valid. Right. Because we forgot to update the new one that I got. Yeah, I can get it.
A
Yeah, yeah, for sure. Okay, last one here that people should check out, if for nothing else, then just to let your hair fall out. Section C, question 11. Are CMMC assessments required for organizations that only handle hard copy controlled unclassified information?
B
Breathe.
A
So much fun. We did an episode on this a little while back. The short answer is no. If you only handle a paper CUI system, you don't need a third party CMMC assessment. But the requirements to safeguard that controlled information pursuant to DFARS clause 252.204-7012 still apply to you. I don't have a problem. I've said this many times. I know this annoys the people inside the DoD because I know you watch the show. I don't have a problem with you saying that you don't need a third party assessment for a paper CUI system. I have a problem with saying that when I operate a digital system, I have to have that third party evaluate my paper security controls. Because you said I don't need a third party to evaluate my paper controls when there are no digital systems involved. But when I do have a digital system, now suddenly a third party needs to check my paper controls. Why does the presence of a computer processing CUI make the paper relevant to a third party assessment when the lack of a computer processing CUI made the paper not require a third party assessment? If that's the logic, I have no problem with it. Then just save everybody the time and money where we don't have to check the paper based hard copy physical media protection requirements during an assessment. It would cut off some time from the assessment. It would cut off some money from the assessment. It would make assessments go faster. We get more assessments done. Like just be consistent across the two of them if that's what you guys want to do. That's my big problem with the whole situation. So if you operate a paper based system, good for you. If you're the DoD, help me help you here. You guys can make the assessments shorter and faster and cheaper.
B
In addition to echoing the sentiments that you have with regards to this: it needs to make sense all the way across the board. Right. To kind of keep it simple. It also needs to make it so it makes sense to people that are trying to interpret this. And the reason why I say that is because the strategy shift that will exist based off of this kind of information coming out from the people misinterpreting it can be very, very damaging to the ecosystem.
A
Hey, I mean, if I print out a bunch of CUI that would require CMMC level three. Now it's suddenly in hard copy. It doesn't need to. It doesn't matter. Right? Nobody cares. Yeah.
B
There's people whose entire strategy is shifted to.
A
I'm just going to tell my magic trick. Look at that.
B
The whole strategy now is shifting to. I'm going to tell my prime contractor to print it out, send it to me FedEx so that we can have that trail there. I don't have to get assessed and I can just read the 200 pages of whatever I need to.
A
If that's conspiracy, it's a conspiracy by the lumber industry and Big Paper. I know it.
B
Big Paper. Blame them.
A
Yep. Anyways. All right, folks, FAQ updates came out. They don't tell you when the FAQ updates come out, so make sure that you like and subscribe. We are tantalizingly close to 100,000 YouTube subscribers. We're getting very close. If you haven't subscribed, I never tell people to do this so we're going to take the opportunity. If you haven't subscribed yet, please do so. Send this to your friends, ask them to like and subscribe. It would go a long way. The FAQs, read them closely, because the revision history at the bottom of the document doesn't capture all of the details and changes throughout the document. Definitely make sure you're on the same page if you're an affirming official or if you don't know who your affirming official is, because significant change is definitely going to bite some people. CMMC UIDs are the common denominator across joint ventures, primes, subs, so on and so forth. And if you're only dealing with paper, lucky you. DoD, come on. Come on man. Anyways, it's a holiday weekend so, guys, we'll see you next week. Happy Memorial Day everybody.
B
Yeah, see you next week.
Episode: DoD Updated the CMMC FAQs Again
Host: Summit 7
Date: May 21, 2026
This episode focuses on the Department of Defense’s (DoD) recent, largely unannounced update to the Cybersecurity Maturity Model Certification (CMMC) Frequently Asked Questions (FAQ) document—the third such revision since November 2025. The hosts break down changes, clarify points of persistent confusion, and provide practical insight for contractors navigating evolving requirements. Highlighted themes include the definition and implications of “significant change,” annual affirmation obligations, CMMC requirements for joint ventures, and the treatment of hard copy Controlled Unclassified Information (CUI).
Hard Example Given: requirements or assessment objectives marked not applicable (N/A) during the assessment that later become applicable, such as installing Wi-Fi after being assessed with no Wi-Fi in the system, count as a significant change because those requirements were never assessed.
What does not count as significant change: routine updates, routine maintenance, patching, and upgrades.
Gray Areas: the FAQ says these “require additional consideration” without stating whether they are significant: major functionality changes, changes that require a new security approach or design not present in the original SSP, and changes that reduce or remove support for requirements (applicable requirements becoming not applicable).
Ultimate Decision Maker:
Deciding if a change is significant (in gray areas) falls to the company’s affirming official, not the IT or MSP team.
Annual affirmations assert continued compliance and that no significant changes have occurred.
Incorrectly claiming compliance can increase False Claims Act liability—especially if there’s documentation suggesting changes were downplayed to avoid reassessment.
Critical for teams to align internally—the affirming official assumes significant legal risk.
For joint ventures (JV): either the JV’s own CMMC status or the CMMC status of each JV partner suffices, as long as the CMMC unique identifiers (UIDs) submitted with the proposal represent the systems that will process, store, or transmit CUI during contract performance; a system not represented by a UID in the proposal cannot be used for FCI or CUI.
The UID responsibility passes up the chain (from subcontractor to prime).
Discussion: Over time, there will likely be more CMMC UIDs than contractors due to multiple systems per company.
No CMMC assessment is required for organizations handling only hard copy CUI.
Host criticism: There’s an inconsistency—no third-party assessment needed for paper alone, but if any digital system enters the mix, suddenly paper controls are assessed too.
Discussion of potential strategy shifts—some may try to “game” the system by handling CUI only on paper to avoid digital assessments.
On the opacity of updates: “There are no press releases, there are no social media posts, there isn't even an indicator on the CMMC page where the FAQ document is located that any change has happened unless you click on the link and open the PDF every day.”
On practical scoping: “If you change the scope of what was assessed, that's a significant change and there needs to be a new assessment because the scope is different.”
On affirming official responsibility: “Y'all better be on the same page when it comes to which decisions were made about what was significant and what wasn't. Because you're the one that's submitting the annual affirmation each year.”
On strategy shifts to paper CUI: “The whole strategy now is shifting to: I'm going to tell my prime contractor to print it out, send it to me FedEx so that we can have that trail there. I don't have to get assessed.”
If you’re a DoD contractor (prime or otherwise), staying proactive and informed is your best defense against compliance missteps—especially as the CMMC regime continues to evolve via these unannounced FAQ updates.