A
All right, folks, it is January of 2026. Happy New Year. The Department of Defense has updated the CMMC Frequently Asked Questions twice since November of 2025. The FAQs are becoming the center of gravity for guidance updates in lieu of major rulemaking nowadays. Ironically, there are seven new answers for people to chew on. We had nothing to do with that. And that's what we're going to talk about today.
B
Yeah. So, you know, there were gifts that were left under the tree by the Department of Defense prior to Christmas, with some FAQs that we got in the holiday season. Right. I guess these were lost in the mail. You know, maybe they went DHL or whatever it may be. But now they're here, and some questions that I've been getting just since they've dropped, you know, in the couple of days since they've dropped, have been: so they're making changes to the program itself because these FAQs are dropping? Which is a huge misconception. These aren't changes to the program. These are points of clarification offered from an authoritative stance. Right, Jacob?
A
That's right. Yeah. A lot of people will say, oh, the guidance is always changing and there's a lot of churn around the program. The department doesn't see it that way. They say that this is what we meant all along, is more so how it goes. I think people will kind of see how that works out as we go through the answers that they provided. If you haven't checked out the FAQs, that really does seem to be the best place for new guidance until we get to updated rulemaking in the future. As everybody knows, it's a process that takes a really long time. You can get to the official FAQs from the DoD CIO's website. We'll put a link below so you can check those out very quickly. Just the organization of the FAQs document: it's not very long. It's only about a dozen pages. It's split up into sections A through E. They talk about general questions about CMMC, questions about the CMMC model, questions about assessments and how those run, questions about specific implementations, although that's a little squishy sometimes, and then questions about external service providers. And I'm sure this document is going to expand over time. But that's currently the structure of the FAQ document online.
B
As a very studious participant of the Jacob Horn school of government rulemaking reading, would you recommend reading these like you recommend reading NIST publications, from the back up? Or are there any surprises in the back, or is it just straightforward from top to bottom?
A
It's pretty straightforward from top to bottom. Everybody should be reading it at a minimum, I would say, because this is the closest that you're going to get to specific guidance from the folks in the CIO office, because that's who's putting out the updates in the FAQ. So this is as close to the reactor as we can get currently, and that's what everybody should be paying attention to. So on November 17th of 2025, they updated four of the answers in the FAQ document. The first one, section B, question 8: is encrypted CUI still considered CUI according to the DoD? Yes, encrypted CUI is still considered CUI because encryption is not considered to be a method of decontrolling controlled unclassified information, per 32 CFR 2002. That's the official federal CUI regulation. They have guidelines about what constitutes proper decontrol, taking something from CUI to no longer being CUI, and encrypting data is not a method of decontrol; therefore, encrypted CUI is still considered to be CUI even though it is encrypted.
B
Yeah. One of those heavy points of debate, I guess, within the ecosystem over the past couple of months has been this exact topic. Right. And so this standpoint coming out, saying that this isn't what we think, this is what it says in whatever text that's used to support this program. Here's the clarification. This is where we stand.
A
Yeah. And then they'll build on this answer in a couple of questions coming up about what happens in the cloud and what happens with certain implementations and things like that. But encrypted CUI is still considered to be CUI. CUI is considered to be CUI until it is properly decontrolled. All right, question number two here, section C, question eight: what is the difference between an operational plan of action and a plan of action and milestones, referred to often as a POAM? So according to the DoD, CMMC POAMs and regular POAMs is how I would divide what they're talking about here. Right. So CMMC POAMs, if you will, are the open items that you need to close within 180 days of your CMMC assessment, per the guidance in 32 CFR 170.21. So the subset of 1-point requirements that are allowed to be open findings at the end of your CMMC assessment must be closed out within 180 days. You would get a conditional status by having open items at the end of your assessment. In order to have a final status, you have to close out those items, and you track those things on an official CMMC POAM, what the DoD just refers to as a POAM or a plan of action and milestones. In contrast, a regular POAM, which is a requirement in NIST SP 800-171 and has been a control in NIST SP 800-53 since they wrote the thing, is just measures implemented to manage risks or vulnerabilities, such as applying patches, addressing temporary deficiencies, or performing routine system maintenance. This is not how NIST defines POAMs. There are not two different kinds of POAMs. According to NIST, POAMs are created as a result of security assessments. POAM items are created as a result of continuous monitoring. There is no distinction in the NIST world between certification POAMs and operational POAMs. This is a construct that the DoD has created, but it matters to defense contractors. So think of it as a CMMC assessment set of items you need to close out, and then your traditional idea of a POAM that you would have per the requirements in 800-171.
B
Yeah. The only way that I would steer away from how you described this particular question is to say it's situational POAMs, right? Like, what situation are you in? Are you in the situation where you're just continuously operating your environment? That's a plan of action and milestones as defined by NIST. If it's a situation where you thought you had an assessment, you thought you had a 110, but there's still a little bit more left for you to get across the line, those are the CMMC POAMs or the operational POAMs.
A
This feels a little convoluted to me. I'm not sure that they actually needed to strike a difference, but they did, and that's the answer that they give in the FAQ. So if you're curious, make sure you give that section a read. Okay, question three, section E, question two: can a non-FedRAMP Moderate cloud service offering store encrypted CUI data? Remember, encrypted CUI is still considered to be CUI. So can you put it in a non-FedRAMP Moderate cloud service offering? The answer should be coming to you before you ever read what the DoD has to say. No. No. According to the DoD, it must meet the security requirements equivalent to the FedRAMP Moderate baseline. So that can be FedRAMP authorized services. That can be FedRAMP equivalent services. But the requirements for CUI in the cloud are FedRAMP Moderate. Just because it's encrypted does not remove that obligation.
B
Yeah, it's just one of those questions that, like you said with question number one, just backpacks on that encryption discussion that is a continuous theme throughout the FAQs. Obviously there's no carve-outs for the encryption requirements for 7012.
A
Right, right. All right, moving on. Question four. Big win for everybody. That was a surprise in the 32 CFR CMMC final rule. This is section E, question 7: is the endpoint used to access a VDI required to be in scope for NIST SP 800-171 when implementing its controls to protect CUI? Or can the endpoint be considered out of scope if CUI remains entirely in the VDI instance? The DoD's answer: yes, the endpoint is considered out of scope. Scoping is your main driver for cost, it's your main driver for complexity, it's the main driver for assessment time and assessment cost. So the more that we can minimize and reduce scope, the cheaper and faster things will be, and the lower your risk will be. And so this is a great official answer from DoD about how to reduce scope for very common architecture solutions like.
B
VDIs and the way that you control data flow. Right. Data flow control allows you to limit the scope. And at this point there's a logical boundary that's created by the VDI that doesn't transcend to the endpoint. So you don't necessarily have to protect it, from their perspective.
A
Absolutely. All right, so on January 5th of 2026, the DoD updated three more of their questions. So we're on question five of seven now. Section C, question 10. Everybody's favorite: are CMMC assessments required for organizations that handle only hard copy CUI, according to the DoD? No. No, hard copy organizations should not be required to complete a CMMC assessment because, according to the DoD, CMMC assessment requirements address cybersecurity-related risk to CUI and apply only when the CUI is processed or transmitted on a contractor-owned information technology system. I'm going to save my thoughts on this one until the end of the show. That's what the FAQ says, and you can read it for yourself. Jason, you got any thoughts here?
B
Yeah, so I won't save my thoughts for the end of the show. I'll just get my less studious thoughts than yours out of the way now. Right. First and foremost, there is a physical protection family, a control family, within the CMMC requirements. Right. In addition to that, I'm going to.
A
Do my best DoD impression while you give your explanation.
B
Okay, cool. That's basically what's happening here. But the next thing that I really have to harp on, right, is that this hard copy CUI can still be viewed by people, can still be taken by people in the physical presence, can still be copied, pictures taken of it and everything like that. So you have to control that physical environment. And we know that's extremely important because this is the month of January, and any good organization with a cybersecurity background has cybersecurity awareness going on right now. And that cybersecurity awareness harps 75% on physical: not allowing people to follow you, and not being socially engineered, and not allowing people access to CUI and things like that. But I guess if you print it out, it's not important, right? Jacob?
A
Okay, so question 6, section C, question 11: can encryption alone create logical separation for a network within a CMMC assessment scope? Back to building off of the encryption answer they gave us earlier. No. According to the DoD, properly implemented encryption provides necessary confidentiality protection, but it does not by itself prevent data transfer or enforce the security boundary of a network, because that encrypted CUI is still considered to be CUI. This is relevant because there are some solution providers and some service offerings out there that rely heavily on encryption solutions to basically do everything for what you're looking for. So familiarize yourself with this question and answer when you're vetting different solutions out there that hang their hat on encryption as the end-all, be-all for satisfying your requirements in NIST SP 800-171 and getting you through a CMMC assessment.
B
Yeah, I'm not going to mention to the audience now that I wake up every morning, look in the mirror and say encryption is not a logical boundary and then get on about my day.
A
Right?
B
That's basically the theme of these FAQs, right? Like it's not enough. It's according to the risk appetite of the DoD. It is not enough for us, right?
A
Yeah, absolutely. All right, last but not least, question 7 of the updated questions that we've had so far. This is section C, question 12. It's situational. Are enterprise networking components part of an enclave's assessment scope when that enclave does not have a direct Internet connection? According to the DoD, no. As the enclave is otherwise logically separated from the greater enterprise network, the transmission of properly encrypted CUI data does not incur an extension of the CMMC assessment scope to include the enterprise networking components. If this is relevant in your situation, this is another big W for you because it limits scope. So as we've always recommended, sometimes these questions are a little more, sometimes their answers are a little more open-ended than what people would like. I encourage everybody to try to leverage that open-endedness, the nebulousness in the answer, to try to save yourself money by limiting scope. If we continue to ask for more details, chances are they're going to give us details that don't always help us limit scope, and that costs money. So I don't know. Do you like this answer, Jason?
B
I'm okay with it. I'm going to say prove without a reasonable doubt that the CUI doesn't transcend the areas that don't, that you don't want to have to protect.
A
Right.
B
That's the best solution here. And the only reason I'm going to be quick and brief about it is because I'm still waiting for your answer to the question from earlier. So yeah, so I just want to get to it right there.
A
We, you know, there we go. So there's seven questions that they've updated since November. Maybe we could pick questions. Maybe we can pick out the one that, you know, speaks to you the most. Because these range in topics and answers. I mean, they talk about everything from encryption to assessment procedures and everything in between. You know, the document's not very long, but the number of topics that they cover is quite large. Personally, out of this set of answers that they updated, the one that I've been wrestling with the most, the one that people have been fighting about and debating about on LinkedIn the most, is the hard copy CUI answer. So they say that for now. Personally, listen, here's my view of it. The DoD grants exceptions for CUI protection in all kinds of situations. For instance, if you are a COTS procurement, commercial off-the-shelf procurement, and you handle CUI, none of this stuff applies to you. Should the CUI be protected? Sure. But the DoD has granted a concession that says in that situation we don't care. Right. It's a concession to industry. It's their risk to accept. Totally fine. Right. Another example: POAM-able items. There are controls that ought to be implemented, but the DoD is willing to allow some of those controls to go unimplemented for six months. Should they be implemented entirely, all upfront? Yes. DoD's willing to accept the risk on those items. Totally fine. It's their risk to accept. Right. Which items from 800-172 are included in the CMMC Level 3 baseline or not? Should they all be included? Sure. Are they all included? No. Because the DoD's risk tolerance says we are willing to forego these requirements, but not these requirements. In this situation, it's a huge opportunity for the DoD to leverage their risk acceptance to save everybody a bunch of time and money. Right. If they say that hard copy CUI doesn't require a CMMC assessment, that's totally fine.
My problem is they're saying that you don't require a CMMC assessment when there's no IT system handling CUI, you're only hard copy. But when you do have an IT system handling CUI, we're going to check your physical and media protection requirements. You don't care about the hard copy requirements in one situation, but because there's a digital system, you now suddenly are going to make people go through the third-party assessment. If you don't care about the hard copy requirements, then don't care about the hard copy requirements. Just let people self-attest to them, take them out of assessment scope; it makes the assessments shorter, makes the assessments cheaper, and then we're all going to be happy about it. So that's what I would like to see the DoD clarify. I don't care if you're not going to assess against hard copy; just make sure that nobody has to assess against hard copy. Instead of making it this weird, well, over here it matters and over here it doesn't matter, even though it's the same information. That's really my only gripe with it. I think it's a big opportunity for the DoD to do the right thing and save everybody some money. I don't know if they're going to get around to updating that part of the answer anytime soon, but that's my take on it.
B
Yeah, like how come the CUI is more important if it's on a digital system? Right, like that. That doesn't make sense. The whole point of the program is to pitch back, see.
A
Well, you know, I could see them be like, well, we care about it on digital systems. But let's say I print out a ream of CUI and it's sitting on the table and there's no CUI on a computer anywhere. They don't care about it. They're just going to take the self-attestation. Now take that same ream of paper and put it on a different desk. There's other CUI on a digital system, and they now care about that ream of paper. That doesn't make any sense. Right. You didn't care about it over here. You do care about it over there. The digital system has nothing to do with it. If we're just going to kind of ignore legal definitions of information system, if we're just going to forego 30 years of NIST guidance around physical security because we're willing to accept the risk, accept the risk, save everybody the time and money, and let's all move on with our lives.
B
Yeah. So it puts that possibility out there that somebody could make a physical-only CUI environment and be okay. Right. Like, but part of it at one point felt like it was just one of those cases of the, you know, the bifurcation at that one point where we have it just to say we have it.
A
Right.
B
We have this ability for you to only assess a view at Hard Copy knowingly. In their mind, maybe they're moving to digital transformation. Everything's going to be digitally from there for. So there's a lot of like those other aspects into it. It doesn't make sense to me. I, I agree with you. Like why all of a sudden the.
A
Odds, the odds that, you know, the number of companies that are.
B
If I put on these glasses with the cool nose and the mustache, I'm no longer needed to be protected.
A
Right. Like, yeah, the number of companies that are going to be hard copy only is very small. It's going to be a lot of Army Corps suppliers and things like that. Totally fine. There aren't a lot of assessment resources. Totally makes sense that they don't want to use them on hard copy only environments. Not a big deal. However, since you have this edge case, we can extrapolate it and say then everybody doesn't have to have their physical security requirements assessed. We can just self-attest to them, and then that will allow us to use the limited assessment resources that we have more efficiently. So I think it's an opportunity for the DoD to do the right thing, and hopefully they do if they're watching this far into the episode. But if you guys want to participate in that debate, it is raging on LinkedIn as of the time of this conversation in early 2026. So we'll see what happens. I think this will not be the last FAQ update of the year, maybe not even of this quarter. I would imagine that we're going to get some other FAQs around external service providers, probably significant change. That's still a big open question about what's going on with what they mean there. I don't know. What do you guys think? Do you think that we're going to get another FAQ update? Do you like this FAQ update? Which question do you want them to clarify? Are there missing questions from the FAQ? Let us know in the comments and we'll harass DoD about it on social media, and we'll talk about it whenever the next update comes out. And we'll see you next week.
B
See you next week.
Episode: New CMMC FAQs (January 2026)
Host: Summit 7
Date: January 8, 2026
This episode of "Sum IT Up" dives into the newest updates from the Department of Defense (DoD) regarding the CMMC (Cybersecurity Maturity Model Certification) Frequently Asked Questions (FAQs). With two major FAQ updates since November 2025, the hosts break down the seven latest clarifications, explain their implications for defense contractors, and discuss how these answers shape compliance and assessment requirements. The tone is direct, informative, and at times, irreverent, capturing the frustration and confusion that many feel navigating CMMC changes.
On encryption and CUI:
"Encrypted CUI is still considered CUI because encryption is not considered to be a method of decontrolling controlled unclassified information..." (A, 02:29)
On assessment scoping and cost control:
"Scoping is your main driver for cost, it's main driver for complexity, it's the main driver for assessment time and assessment cost. So the more that we can minimize and reduce scope, the cheaper and faster things will be, the lower your risk will be." (A, 07:56)
On hard copy CUI vs. digital:
"If you don't care about the hard copy requirements, then don't care about the hard copy requirements. Just let people self attest to them, take them out of assessment scope, makes the assessments shorter, makes the assessments cheaper..." (A, 16:28)
This episode offers a granular yet accessible walkthrough of the latest CMMC FAQ updates, including critical guidance on encrypted CUI, hard copy CUI, PoAM requirements, VDI scoping, and more. While many recent clarifications help organizations limit scope and control costs, the hosts express ongoing frustration about inconsistent approaches to physical versus digital CUI. The episode is essential listening for defense contractors and IT professionals navigating CMMC, blending expert commentary, practical advice, and healthy skepticism of regulatory logic—plus a dose of dry industry humor.