Podcast Summary: Sum IT Up: CMMC News Roundup
Episode: No CMMC for Hard Copy CUI?
Host: Summit 7
Date: December 11, 2025
Episode Overview
This episode addresses a controversial statement made by the U.S. Army Corps of Engineers regarding whether contractors handling only hard copy (paper-based) Controlled Unclassified Information (CUI) are exempt from Cybersecurity Maturity Model Certification (CMMC) requirements. The hosts analyze what was communicated during a recent Army Corps webinar, the wider industry's reaction, and the implications for policy, compliance, and practical risk management.
Key Discussion Points & Insights
1. The Army Corps Webinar & the "Paper-Only" CUI Interpretation
- The Incident: The U.S. Army Corps of Engineers held a webinar where they reportedly stated that if a contractor only handles hard copy CUI and never digitizes it, CMMC requirements do not apply to them.
- Host Reaction: Both hosts missed the webinar but were immediately contacted by industry members seeking clarifications due to widespread confusion.
- Direct Clarification: According to a shared email from the Army Corps, if "the contractor/subcontractor receives paper only, the CUI is never digitized, never entered into any IT system, no electronic reproduction, backup or transcription occurs," then "there is no CMMC assessment scope because there's no CUI in a contractor information system."
- Quote [02:34]: “If all, if and only if these conditions are met, then there is no CMMC assessment scope because there's no CUI in a contractor information system. So that'll be important here in just a second. The subcontractor would not be required to hold a CMMC level.” – B
2. Industry Response & Community Debate
- Social Media Blowback: A LinkedIn post about this guidance caused a strong reaction from the compliance community, leading to intense debate and confusion.
- Quote [03:50]: “The LinkedIn community blew the freak up because they were like, wait, wait, wait, wait, wait... if it's CUI, it's CUI. And I think that's what the community is wrestling with.” – B
- Underlying Frustration: The industry is frustrated by seemingly arbitrary distinctions between digital and paper CUI protection requirements.
3. Practicality & Real-World Applications
- Host Skepticism: The hosts questioned the practicality of a "paper only" exemption, noting that in practice, hard copy CUI often gets digitized — intentionally or not.
- Quote [04:49]: “We all know that the minute you slide a piece of paper over to your subcontractor with CUI, ... the first thing they're going to do is take a picture of it, put it in their system.” – B
- Prime Contractor Reluctance: Primes likely won’t rely on paper-only CUI due to liability risks and the near inevitability of digitization by subs.
4. Legal & Regulatory Perspectives
- Information Systems Definition: The hosts note that FISMA and OMB A-130 definitions do not restrict "information systems" to digital only; they explicitly cover both paper and electronic records.
- Quote [06:20]: “There is nothing in the definition of information system in FISMA itself, the legislative definition, that says that an information system is only a digital system.” – A
- Risk vs. Definition: The hosts argue that the Army Corps’ decision appears to be a risk-based, not definition-based, determination, an approach likely consistent with neither existing legal definitions nor the intent of overarching DoD policy.
- Quote [14:24]: “I would like the US Army Corps to clarify that they're making a risk based decision rather than a definition based decision. Because if they're making a definition based decision, they're wrong.” – A
5. Philosophical and Policy Implications
- Edge Case, But Significant: While this affects relatively few contractors, the philosophical issue—how paper-based CUI is handled versus electronic—matters for future rulemaking and consistent policy.
- Regulatory Inconsistency: This situation illustrates the problems with varying interpretations across DoD agencies and the need for clearer, centralized guidance.
- Quote [13:28]: “The Army Corps could say this, Air Force could go say something else and say paper's not allowed. And so it's like you start looking at this and you're like, well, who do I believe... who has the ultimate source of truth here?” – B
- Industry Concessions: There is precedent for the DoD making pragmatic concessions to industry for implementation challenges, but those should be clearly stated and properly governed.
6. Recommendations and Future Clarification
- Call for Oversight: The hosts urge more involvement from the DoD CIO’s office in reviewing agency communications and updating CMMC FAQs to ensure alignment.
- Physical Requirements Still Apply: The Army Corps asserted that while CMMC doesn’t apply to hard copy CUI, NIST 800-171’s physical protection requirements (and DFARS 7012) still do.
- Quote [14:44]: “...when you're only dealing with paper based CUI, there's only a handful of physical protection requirements in 800-171 and we're willing to accept the risk as to not tie up the need for C3PAOs...” – A
- Awaiting Formal DoD Guidance: Expect guidance to evolve, and potential clarification via updated FAQs or revisions to DFARS/CMMC rules.
Notable Quotes & Memorable Moments
- On the confusion and backlash:
  “Encrypted CUI is now CUI based on the latest CMMC FAQs. But we don't care about paper now. Like if it's CUI, it's CUI.”
  — B [03:56]
- On practicality of paper-only workflows:
  “We all know that the minute you slide a piece of paper over ... the first thing they're going to do is take a picture of it, put it in their system.”
  — B [04:51]
- On Army Corps’ decision as a temporary loophole:
  “If you're a contractor, that's paper only downstream from the U.S. Army Corps of Engineer. Live it up while you can ... I don't think it will stick around, but it's a big advantage in the interim.”
  — A [10:38], [11:49]
- On inconsistent agency stances and governance:
  “Who do I believe, right? ... who has the ultimate source of truth here?”
  — B [13:38]
- On risk-based versus definition-based decisions:
  “I would like the US Army Corps to clarify that they're making a risk based decision rather than a definition based decision. Because if they're making a definition based decision, they're wrong.”
  — A [14:24]
- On policy clarity & the importance of centralized communication:
  “If this is a collective stance of the CIO's office or is this just the Army Corps?”
  — B [17:20]
Important Segment Timestamps
- Army Corps interpretation recap and direct quote: [02:34]
- LinkedIn community reaction: [03:50]
- Discussion on digital vs. paper CUI practicality: [04:49], [10:38]
- Legal definitions & chain of standards: [06:20], [07:40]
- Implications for contractors and agency consistency: [13:28]
- Call for clarified policy and agency oversight: [14:24], [17:20]
Closing Thoughts
This episode captures the confusion and consequences stemming from the Army Corps’ interpretation that hard copy-only CUI is exempt from CMMC. While beneficial to certain contractors (for now), this stance hinges on inconsistent readings of policy and definitions, highlighting a need for clearer, department-wide guidance. The hosts encourage listeners to weigh in on whether information systems should encompass paper media and anticipate regulatory clarification in the near future.
What do you think? Should paper-based CUI be excluded from CMMC assessments? Is an "information system" always digital? The hosts encourage feedback and discussion as debate continues—look for follow-up episodes as this issue evolves.
