Sum IT Up: CMMC News Roundup
Episode: New CMMC FAQs (January 2026)
Host: Summit 7
Date: January 8, 2026
Episode Overview
This episode of "Sum IT Up" dives into the newest updates from the Department of Defense (DoD) regarding the CMMC (Cybersecurity Maturity Model Certification) Frequently Asked Questions (FAQs). With two major FAQ updates since November 2025, the hosts break down the seven latest clarifications, explain their implications for defense contractors, and discuss how these answers shape compliance and assessment requirements. The tone is direct, informative, and at times, irreverent, capturing the frustration and confusion that many feel navigating CMMC changes.
Key Discussion Points & Insights
1. Purpose and Organization of CMMC FAQs
[00:02–02:13]
- Main Point: FAQs have become the "center of gravity for guidance updates" as major rulemaking slows down.
- Host Commentary: The FAQ updates are clarifications, not actual changes to the CMMC program.
- Quote:
- "The FAQs are becoming the center of gravity for guidance updates in lieu of major rulemaking nowadays..." (A, 00:02)
- Structure: The document is short and organized into sections A–E (general, model, assessment, implementation, external service providers).
- Advice: Read the document top-to-bottom for up-to-date guidance.
2. Encrypted CUI is Still CUI
[02:29–04:03]
- FAQ: Is encrypted CUI still considered CUI?
- Answer: Yes. Encryption does not decontrol CUI under federal regulations (32 CFR 2002).
- Quote:
- "Encrypted CUI is still considered CUI because encryption is not considered to be a method of decontrolling controlled unclassified information..." (A, 02:29)
- Context: This has been a point of heavy debate; the DoD's clarification is significant for compliance planning.
3. PoAMs: CMMC vs. Traditional
[04:03–06:48]
- FAQ: What's the difference between "operational" Plans of Action (PoAMs) and standard PoAMs?
- Answer:
- CMMC PoAMs: Items left open after an assessment; they must be closed within 180 days, and the organization holds conditional status until they are.
- Traditional PoAMs: Documented per NIST SP 800-171 and used for continuous monitoring and risk management.
- NIST's Position: There is no difference; the distinction is DoD-specific and only matters to defense contractors.
- Memorable moment:
- "This feels a little convoluted to me. I'm not sure that they actually needed to strike a difference, but they did..." (A, 06:48)
4. Cloud Storage: Non-FedRAMP Moderate CSOs
[06:48–07:56]
- FAQ: Can non-FedRAMP Moderate cloud offerings store encrypted CUI?
- Answer: No. CUI in the cloud must be stored on offerings that meet FedRAMP Moderate or equivalent security standards—even if the data is encrypted.
- Reinforcing Point: Encryption does not remove the FedRAMP requirement.
5. Scope of Assessments: Endpoint Devices and VDIs
[07:56–09:09]
- FAQ: Is an endpoint used to access a VDI (Virtual Desktop Infrastructure) instance in scope for NIST SP 800-171 if CUI stays within the VDI?
- Answer: No. Endpoints are considered out of scope as long as CUI remains within the VDI.
- Impact: Minimizes scope—reduces cost, complexity, and assessment time.
- Quote:
- "The endpoint is considered out of scope. Scoping is your main driver for cost, its main driver for complexity, it's the main driver for assessment time and assessment cost..." (A, 07:56)
- Clarification: Controlling data flow through the VDI is what keeps the endpoints out of scope.
6. Hard Copy CUI: Assessment Requirements
[09:09–11:10; 13:58–18:50]
- FAQ: Are CMMC assessments required for organizations that only handle hard copy CUI?
- Answer: No. Assessments target cybersecurity risk for CUI processed, stored, or transmitted on IT systems.
- Debate: The hosts strongly challenge this, noting the importance of physical security and the inconsistency in treating physical vs. electronic CUI.
- Notable Quotes:
- "I'm going to save my thoughts on this one until the end of the show. That's what the FAQ says and you can read it for yourself." (A, 09:09)
- "I guess if you print it out, it's not important, right, Jacob?" (B, 10:27)
- In-depth Analysis:
- The hosts argue that physical protection is a core part of CMMC/NIST controls, and the distinction doesn't make sense from a risk perspective.
- "If you don't care about the hard copy requirements, then don't care about the hard copy requirements. Just let people self-attest to them, take them out of assessment scope, makes the assessments shorter, makes the assessments cheaper and then we're all going to be happy about it." (A, 16:28)
7. Encryption is Not a Logical Boundary
[11:10–12:28]
- FAQ: Can encryption alone create logical separation within assessment scope?
- Answer: No. Encryption protects confidentiality but doesn't enforce a network security boundary.
- Takeaway: Some vendors overstate what encryption can do for meeting CMMC/NIST requirements.
- Memorable moment:
- "I wake up every morning, look in the mirror and say encryption is not a logical boundary..." (B, 12:10)
8. Enterprise Networking Components & Assessment Scope
[12:28–13:58]
- FAQ: Are enterprise networking components in-scope for enclaves without direct internet connections?
- Answer: No. As long as the enclave is logically separated, encrypted CUI transmission does not bring the wider enterprise network into scope.
- Implication: Another win for limiting assessment scope and cost.
- Caution: The organization must be able to demonstrate that CUI does not cross unintended boundaries.
9. Host Reactions & Final Thoughts
[13:58–20:11]
- Hosts reflect on which FAQ update has had the biggest impact and where there is still confusion or policy inconsistency (notably hard copy CUI).
- "My problem is they're saying that you don't require a CMMC assessment when there's no IT system handling CUI, you're only hard copy. But when you do have an IT system handling CUI, we're going to check your physical and media protection requirements... It doesn't make any sense." (A, 16:40)
- "How come the CUI is more important if it's on a digital system?" (B, 17:16)
Notable Quotes & Memorable Moments
- On encryption and CUI: "Encrypted CUI is still considered CUI because encryption is not considered to be a method of decontrolling controlled unclassified information..." (A, 02:29)
- On assessment scoping and cost control: "Scoping is your main driver for cost, its main driver for complexity, it's the main driver for assessment time and assessment cost. So the more that we can minimize and reduce scope, the cheaper and faster things will be, the lower your risk will be." (A, 07:56)
- On hard copy CUI vs. digital: "If you don't care about the hard copy requirements, then don't care about the hard copy requirements. Just let people self-attest to them, take them out of assessment scope, makes the assessments shorter, makes the assessments cheaper..." (A, 16:28)
Timestamps for Key Segments
- FAQ updates context & purpose: 00:02–02:13
- Encrypted CUI clarification: 02:29–04:03
- PoAM types explained: 04:03–06:48
- Cloud storage and FedRAMP: 06:48–07:56
- VDI and endpoint scope: 07:56–09:09
- Hard copy CUI assessment debate: 09:09–11:10; 13:58–18:50
- Encryption/logical separation: 11:10–12:28
- Enterprise networking components & scope: 12:28–13:58
- Host reflections & closing thoughts: 13:58–20:11
Summary
This episode offers a granular yet accessible walkthrough of the latest CMMC FAQ updates, including critical guidance on encrypted CUI, hard copy CUI, PoAM requirements, VDI scoping, and more. While many recent clarifications help organizations limit scope and control costs, the hosts express ongoing frustration about inconsistent approaches to physical versus digital CUI. The episode is essential listening for defense contractors and IT professionals navigating CMMC, blending expert commentary, practical advice, and healthy skepticism of regulatory logic—plus a dose of dry industry humor.
