CMMC Update by Glenda R. Snodgrass for The Net Effect

November 25, 2025

New CMMC FAQ released by DoD/W CIO

Last week the DoD/W released version 3 of its CMMC FAQ with some important new tidbits. Two are mostly clarifications of points in the final rule, but one is new, and it is something people have been saying for years: "I wish they would just put that in writing so we'd all know." Well, be careful what you ask for, because they finally did. Encrypted CUI is still CUI. What does this mean? Keep reading!

OPA vs POA&M: "depends on the nature and timing of the change. If the significant change introduces a temporary deficiency or vulnerability after the system was initially compliant, an OPA may be created to document the remediation plan. However, if the significant change is identified during a CMMC assessment and results in a security requirement being assessed as "NOT MET," a POA&M must be created to address the gap within the 180-day remediation window." (Remember that the 180-day window applies to self-assessments too.)

VDI: The key new language here is "If the VDI is properly configured to prevent copying (including screenshots)". A VDI session that runs in a browser cannot prevent screenshots (screen capture happens on the endpoint's operating system, outside the browser's control), so those endpoints are in scope as CUI Assets (CUIA). I know at least one major vendor offering a VDI "solution" that is browser-based and therefore does not put the endpoints out of scope (though their marketing says otherwise).

And now, drumroll, please ...

Encrypted CUI: "CUI remains controlled until it is formally decontrolled. As such, encrypted CUI data retains the control designation given to the plain text counterpart. While it is true that certain risks (e.g., transmission across unsecured, "common carrier" networks) may be accepted for cipher text that would not be accepted for plain text, this does not mean the original, controlled information, nor the data (plain or cipher text) representing it, is considered decontrolled."

Practically speaking, what does this mean? Many organizations have declared certain devices out of scope because the only CUI those devices touch has already been properly encrypted (with FIPS 140-2 validated cryptography). For example:

(1) Encrypting files locally for offsite backup: Until now, this was generally considered fine, as long as the offsite storage provider did not have access to the decryption key. Now, this is only compliant if the offsite storage is FedRAMP Moderate or Equivalent (FRME).

(2) Network equipment: Many organizations have categorized their switches and even their wireless networks as out of scope, because only encrypted CUI (endpoint-to-cloud traffic) passes through them. Now, however, this stance needs to be reconsidered.

Some CMMC Certified Assessors (CCAs) are taking the position that any device that doesn't fall under the common carrier exemption (i.e., the Internet) is now a CUI Asset (CUIA). I think that's too broad, however. My brilliant friend and colleague, Dr. Jeff Baldwin, came up with an analysis that I believe perfectly covers the essential points:

  1. Is the device in question already inside your system boundary? If yes, it is potentially an in-scope asset. (In other words, it is not a device out on the Internet.)

  2. Then look at the nature of its interaction with CUI. Does it only "access" CUI when encrypted packets pass through it, with no ability to decrypt that traffic? If yes, the FIPS encryption already satisfies the protection requirements for CUI on that device.

  3. Next, does this device have the ability to interact with unencrypted CUI, i.e., is there permitted lateral movement from it to a CUIA? If yes, it is a CUIA (or a CRMA, depending on whether it is intended to touch CUI). If no, it is out of scope.

Understand that this is *one* interpretation, and not all CCAs agree with it. As always, it's important to discuss questions like this with prospective C3PAOs to be sure they agree with your scoping decisions.

I realize we got pretty far into the weeds with that last one, but it's vitally important that you understand scoping and asset categorization. You will not pass an official Level 2 certification assessment if your scope isn't correct. This has been proven many times already.

Clear as mud? Ask me for help!



Sincerely,

Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107


The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
email: sales at theneteffect dot com


Copyright 1996-2025 The Net Effect, L.L.C. All rights reserved. Read our privacy policy