A
All right, folks, it is December of 2025 and we have no major rulemaking updates, we have no major publications coming out. Everything is nice and calm and not a creature was stirring. Except for the U.S. Army Corps of Engineers and their recent interpretation of hard copy CUI and whether or not CMMC requirements will apply to contractors only handling CUI in paper form. That's what we're going to talk about today. Daniel, you and I were going to tune into the rescheduled U.S. Army Corps of Engineers webinar that happened last week prior to the CUI hotline that we do every Friday, like and subscribe. And we both missed it due to registration issues, scheduling conflicts, and as soon as the webinar was over, we were immediately flooded with people calling us, emailing us, pinging us, going, what the heck is going on? The Army Corps said that if we only handle hard copy CUI, we don't have to worry about CMMC whatsoever. So what happened? What did they say? What is going on?
B
So on that Friday, I think it was, yeah, the Friday that it happened, a little in the afternoon after CUI hotline, again, like and subscribe, I get an email. It's like, hey, I sent this email to the Army Corps. Like they said something on the webinar that doesn't make sense. I'm like, okay, like, well, I wonder what they said. And I start looking and reading the email. It's a good friend of the show, good friend of Summit 7, good friend of mine, and this is what they actually said. And I was able to receive a screenshot of this, and looking at the highlighted piece here: third tier sub is given paper only drawings appropriately marked as CUI. So the normal contractual requirements help safeguard the paper. But since there'll be no electronic transmission of FCI/CUI through the contractor system, that never triggers CMMC. So this particular friend of the show responded back to the individual that ran the webinar and they were in conversation and basically the statement was made. It's like, if there's not electrons and digital transmission occurring, then the contractual CMMC requirement for the protection of that FCI or CUI is not applicable. So, Jeff Baldwin. So I posted this on LinkedIn and then I posted the clarification we got about, hey, when does this actually apply on the paper side of the house, which I'm sharing my screen again. And they're like, if the contractor or subcontractor receives paper only, the CUI is never digitized, which we know will not happen. You know, I mean, how many people are doing paper only stuff? The CUI is never entered into any IT system. No contractor system is used to process, store or transmit CUI. No electronic reproduction, backup or transcription occurs. No mixed handling, like a paper review but the notes typed in later. If and only if these conditions are met, then there is no CMMC assessment scope because there's no CUI in a contractor information system.
So that'll be important here in just a second. The subcontractor would not be required to hold a CMMC level. So I post this on LinkedIn. I'm like, hey guys, great news, Merry Christmas. The Army Corps says if you're sending paper copies and they will never in a million years become digital versions of themselves, you do not have to flow CMMC contractual obligations downstream. The LinkedIn community blew the freak up because they were like, wait, wait, wait, wait, wait, wait, wait. Encrypted CUI is now CUI based on the latest CMMC FAQs. But we don't care about paper now? Like if it's CUI, it's CUI. And I think that's what the community is wrestling with. You either say something is sensitive because of what's in that information or you don't. And you know, there are contractual things here in play around, you know, what does an information system definition mean versus automated information system? Jeff Baldwin on my LinkedIn post, if you see his comment, he actually posted about that. It's a really good kind of follow up there. But at the same time the community's like, there's too much to keep up with here. Tell us to protect the data or tell us not to protect the data. So protect CUI or don't protect CUI, but you can't have it in these weird situations where you just can or can't do it. Like it's confusing everybody. And side note, we all know, we all know I'm trying to be cool, be chill. We all know that the minute you slide a piece of paper over to your subcontractor with CUI, you express mail it over to them, that the first thing they're going to do is take a picture of it and put it in their system, right? Their ERP system. Like the real kind of underlying question here is, number one, do we think this precedent will stand? But number two, I don't think primes are going to want to take the risk of only sending paper copies of CUI for one of two reasons. One, they know what's going to end up happening to it.
And they don't want to be liable if something does happen to it. And they don't have the right contractual flow down requirements stating you will not treat CUI like this. And then the second thing is, is like I don't think we live in a paper world. Somebody posts on my LinkedIn as a comment like, oh great, we're back to handling things 20 years ago, right? We're going backwards if we're switching to paper only copies. Anyways, that is the update here. It's still confusing. I still would say it's unfolding even though we do have some clarification like you see here in this slide. Like, I just don't think it's going to stand, Jacob. I really don't.
A
Yeah. So my therapist says I need to be more mindful of my feelings as we talk about the definition of information systems and whether or not hard copy CUI applies. This comes up pretty often. Okay, long story short, the way that I view this, I see this as the US Army Corps of Engineers making a risk determination that I do not think the department will agree with overall. But there's a lot of lag between when individual components, requiring activities, program managers make decisions and then overall department policy that catches up to it. Right. Obviously it's taken a long time to get CMMC off the ground because people were making individual decisions saying, well, we don't really care to find out whether anybody's doing anything. So I think that this is a decision by the US Army Corps that I don't think that the overall department will agree with over time. I'm pretty sure that we would see an update to the FAQs, some sort of memo and or language in upcoming rule revisions to 32 CFR 170 and or the DFARS clause for the CMMC program. That's what I think of at a high level. The other takeaway here, like you said, there's just not a lot of people that this edge case is going to apply to or really help out. However, it is a very important philosophical line that they need to draw because I feel like this is an interpretation that I can understand how they would get themselves to this. I can see the chain of logic that they could use to get to this conclusion. And it's basically a game of regulatory telephone. Right? Because there is nothing in the definition of information system in FISMA itself, the legislative definition, that says that an information system is only a digital system. There is nothing in the corresponding definition of an information system in OMB A-130 that takes FISMA and implements it for the entire government.
In fact, A-130 says the requirements of this circular apply to management activities concerning all information resources in any medium, including paper and electronic information. For those that don't know, FISMA, OMB A-130, FIPS 199, FIPS 200, 853 derive it down to 800-171 in the CUI program. This is the hierarchy of where these protection philosophies come from. But that specific wording isn't carried over from one document to the next all the way down. And so we get this loosey goosey game of telephone to the point where what I feel like happened, and we're definitely going to follow up on this in the future, we'll circle back in the new year, is I feel like this is the equivalent of when contractors and their leadership teams hear cybersecurity, they think this is an IT problem, which as we know it is not. I feel like the US Army Corps and some other people are hearing Cybersecurity Maturity Model and they're equating information systems to only digital assets. And that clearly is not the case because 3.8.1 is a requirement in NIST SP 800-171. Right? 3.8.1 is protect system media containing CUI, both paper and digital. You can go back to 853 to read where they got that from and then on and on all the way back up to FISMA. Right, because there's nothing in information system that says it only has to be digital. So Glenda Snodgrass, friend of the show, friend of the Reddit, friend of the Discord servers, follow her on LinkedIn. She puts out great information. She had a great like one liner for this where she said paper based CUI limits your exposure, it limits your scope to a tremendous degree. It greatly reduces the complexity of your environment, but it doesn't remove the obligation to protect the data. And so because of this thing where people see CMMC as its own deal out on its own rather than a part of the overall protection of CUI effort, we're losing the plot in terms of the Army Corps position here.
And I feel like it's just going to take time for the guidance to catch up because that's the way these things work. Long story short, at this point, if you're a contractor that's paper only downstream from the U.S. Army Corps of Engineers, live it up while you can. I mean, enjoy it while you can, because until they get smacked around from the department or something changes or whatever, which could be a while, this is their position. So enjoy it. But it clearly doesn't make a lot of logical sense because what happens if a requiring activity or a DoD component took level 3 CUI. Level 3, like for all intents and purposes, straight up level 3 CUI. But they printed it and gave it to Lockheed. Just nothing applies anymore. Like it just doesn't matter. Like how often do we have conversations with people around printers in their environment? It's a huge pain. There's requirements for it. It takes a ton of thought, but.
B
One shredding requirements, like where it's going.
A
To go next, right? Once I print, I have to worry about the printers, but once I print the data out, I don't have to worry about it anymore. Suddenly, because the data is hard copy, the department just doesn't have any assurance concerns over whether you're still protecting it. That clearly doesn't make any sense. The idea that I've got the paper, but I don't have a computer to go with it and suddenly the department doesn't want assurance that it's protected is clearly not the intent of what's going on. But if that's not clearly spelled out and there's wiggle room for interpretation and stuff gets lost in translation and lost in time and so on and so forth, then this is what. So in this case, it's a good thing for contractors because they're getting a big break, right? In some situations, like FedRAMP equivalency, it breaks the other way where they go over restrictive away from what maybe their original intent was, and then it takes time for them to pull it back. So if you're one of the contractors that this is a situation for, which there probably aren't very many of you, enjoy it, enjoy it while it's around. I don't know how long it will be around. I don't think it will stick around, but it's a big advantage in the interim.
B
And I mean, I'll say this, I don't want to bash anyone in this podcast at all. There are a lot of incredible men and women in the DoD trying to do their very best. And they're reaching out to their own respective legal counsels inside the federal government, inside the DoD, to make sure and validate some of these things. Right? This is not people saying things off the cuff. And so I do want to add a little caveat to that. One thing I wish would happen is a couple things. One, I wish somebody from the DoD CIO's office would be present if at all possible and maybe even proof the slides that are going to be presented about CMMC, just so they can see if there's any clarifying points that they need to go update in the FAQ or inform somebody like the Army Corps, hey, that's not actually what we believe, right? And I wish there was a little bit more governance and oversight, because if the FAQs would have been updated saying here's the stance on paper, here it is clearly spelled out, we're going to update the FAQs before your webinar. And I know, you know, things take a lot of time to do, but like if there was some sort of regimented system like that where there's a proof and validation that, yeah, what you're talking about with CMMC is accurate, or hey, that's a unique interpretation. Let's run it up to the CIO and validate that that is a stance that we're taking and is in line with the CMMC program. And then we'll collectively inform all agencies, sub agencies that, hey, this is the way that we're interpreting this. Because, yeah, the Army Corps could say this, Air Force could go say something else and say paper's not allowed. And so it's like you start looking at this and you're like, well, who do I believe, right? Do I believe the Air Force? Do I believe the DoD CIO's office? Like, who has the ultimate source of truth here?
A
And I think that what I would like to see is, you know, because to the Army Corps' credit, what they said in the webinar is not that nothing applies to the data. They said that CMMC doesn't apply, but that the information protection requirements still do. So 7012 would apply, but the need for verification of 7012 would not. So this doesn't feel like there is. The Army Corps is saying, hey listen, when you're only dealing with paper based CUI, there's only a handful of physical protection requirements in 800-171 and we're willing to accept the risk so as not to tie up the need for C3PAOs to show up and verify just your physical information requirements. That's very different from saying CMMC doesn't apply because we're misinterpreting what an information system is defined as legally. Right? So I would like the US Army Corps to clarify that they're making a risk based decision rather than a definition based decision. Because if they're making a definition based decision, they're wrong.
B
Yeah, I mean, that's a good call out. It's like, how are you coming to these conclusions? Right. Did the legal team say it's an acceptable risk, or is the legal team somehow reading the definition of information system and making a very different interpretation than what I would say the collective industry does? And to your point, Jacob, the founding source documents of what even got us here.
A
Right. I think that's probably what happened. I'd like to see them clarify that. So as soon as we get some clarification, that'll be, you know, the follow up that we do for this. But for now, if you're a contractor way downstream from Army Corps activities and you're only dealing with paper, then, you know, you got a big break here.
B
Yeah, yeah, congrats. Merry Christmas, you know, happy Hanukkah, the whole shebang, like. Yeah.
A
And if you're, you know, if you're Lockheed Martin, just print it out and you know, send it in the mail and then who cares? You don't have to do any more assessments.
B
I mean, I will say this. Construction companies especially, you know, they have people hauling gravel and concrete where they only will potentially issue paper copies because of this to allow those subs to not be fully in scope for CMMC requirements. Right. And so there are approaches and angles and justifications. I wouldn't say justifications, but there's a reason behind why the Army Corps is taking this risk is because construction has a lot of legacy subcontractors that honestly, paper copies might be acceptable for the work that they're doing on a daily basis. And so again, like, we're not here to say good judgment, bad judgment per se. We're here to say it's still confusing. We're here to say that we would like some clarification around how this conclusion was drawn. And I would even say I'd like, you know, the CIO's office to even state maybe an updated FAQs. If this is a collective stance of the CIO's office or is this just the Army Corps?
A
Right. Because, you know, there's a whole list of concessions that the DoD has made to industry over the years. If you're only a COTS based procurement and you handle CUI, the requirements don't apply to you. If you are below a specific size of acquisition and you deal with CUI, the requirements don't apply to you. If you do have the requirements that apply to you and you're dealing with CUI, some of the controls can go unimplemented for six months because the department is willing to accept that risk. The department will allow people without certification to bid on contracts and come right up to the point where they need to award that contract because they're willing to accept the risk that you'll be ready in time rather than just cutting you out of the bid process altogether. We've had extensions on implementation times for DFARS 7012 for a really long time. There's been all kinds of concessions to industry. So this could easily be a concession to industry where they're like, if you're only paper, you still have these physical based requirements, but we're not going to tie up the C3PAO system because it's just not worth it in our determination. I just don't feel like that's how they reached that determination. So if it wasn't, you could just come out with your official statement in conjunction with the DoD CIO and say, that's what we meant all the time and we'll call it good. But if you come out and you say, well, a covered contractor information system as defined by DFARS 7012 doesn't have to be digital, but the applicable system for CMMC is only digital systems, then you're misreading the relationship between these two regulations. And that's something that at the very least the rulemaking should clarify the next time around. But there you go, everybody. That's what's going on in terms of what's happening. Great news if you're paper only.
And another fun philosophical debate that we'll be able to pull through into next year and then, you know, hopefully into public comments through the CMMC revision and rulemaking as we get to that next year. Daniel, always good to see you. Thanks for the notes from the webinar. What do you guys think in the comments? Do you think paper based CUI should have a CMMC assessment? Do you think it doesn't apply? Is an information system only a digital system? Does an information system include paper? Let us know because apparently this is an open debate. Like and subscribe and we'll see you next week.
B
See y'.
A
All.
B
Sam.
Host: Summit 7
Date: December 11, 2025
This episode addresses a controversial statement made by the U.S. Army Corps of Engineers regarding whether contractors handling only hard copy (paper-based) Controlled Unclassified Information (CUI) are exempt from Cybersecurity Maturity Model Certification (CMMC) requirements. The hosts analyze what was communicated during a recent Army Corps webinar, the wider industry's reaction, and the implications for policy, compliance, and practical risk management.
On the confusion and backlash:
“Encrypted CUI is now CUI based on the latest CMMC FAQs. But we don't care about paper now. Like if it's CUI, it's CUI.”
— B [03:56]
On practicality of paper-only workflows:
“We all know that the minute you slide a piece of paper over ... the first thing they're going to do is take a picture of it, put it in their system.”
— B [04:51]
On Army Corps’ decision as a temporary loophole:
“If you're a contractor that's paper only downstream from the U.S. Army Corps of Engineers, live it up while you can ... I don't think it will stick around, but it's a big advantage in the interim.”
— A [10:38], [11:49]
On inconsistent agency stances and governance:
“Who do I believe, right? ... who has the ultimate source of truth here?”
— B [13:38]
On risk-based versus definition-based decisions:
“I would like the US Army Corps to clarify that they're making a risk based decision rather than a definition based decision. Because if they're making a definition based decision, they're wrong.”
— A [14:24]
On policy clarity & the importance of centralized communication:
“If this is a collective stance of the CIO's office or is this just the Army Corps?”
— B [17:20]
This episode captures the confusion and consequences stemming from the Army Corps’ interpretation that hard copy-only CUI is exempt from CMMC. While beneficial to certain contractors (for now), this stance hinges on inconsistent readings of policy and definitions, highlighting a need for clearer, department-wide guidance. The hosts encourage listeners to weigh in on whether information systems should encompass paper media and anticipate regulatory clarification in the near future.
What do you think? Should paper-based CUI be excluded from CMMC assessments? Is an "information system" always digital? The hosts encourage feedback and discussion as the debate continues; look for follow-up episodes as this issue evolves.