CMMC Update by Glenda R. Snodgrass for The Net Effect

February 18, 2026

CMMC FAQ updated again by DoD/DoW CIO

Revision 2.2 of the CMMC FAQ was recently released, with three interesting new Q&A. I summarize (and attempt to explain) the answers below.

Paper-only CUI

C-Q10: Are CMMC assessments required for organizations that only handle hard-copy CUI?

This answer is in three parts:

  1. No, if you only handle hard-copy CUI, you are not required to complete a CMMC Assessment (though you are still required to safeguard that CUI according to the regulations).
  2. If you receive hard-copy CUI and plan to put it on your information system (by scanning, etc.), then that information system is now subject to CMMC.
  3. If you have an information system subject to CMMC, your assessment shall address both the paper and the digital forms of CMMC.

Analysis: I think the takeaway here is that providing only paper copies of CUI to your supply chain, with the requirement that they not scan or photograph it, is a great way to keep those small suppliers out of scope for CMMC.

Logical Separation

C-Q11: Can encryption alone create logical separation for a network within a CMMC Assessment Scope?

No. Properly implemented encryption provides confidentiality protection but does not create logical separation.

C-Q12: Our enclave does not have a direct internet connection. Instead, it relies on enterprise networking components residing outside of the enclave. All CUI data is properly encrypted before leaving our enclave. Must the enterprise networking components be brought into our enclave’s CMMC Assessment Scope?

No, if the enclave is otherwise logically separated from the greater enterprise network, the transmission of properly encrypted CUI data does not incur an extension of the CMMC Assessment Scope to include the enterprise networking components.

Analysis: These two Q&A combined with the November update that stated "encrypted CUI is still CUI" are, I believe, a very convoluted way of saying that even properly-encrypted CUI at rest requires all the protections of 800-171, while the "common carrier exemption" for CUI in transit has been extended to non-common carrier networks, up to the boundary of your CUI environment.

Practically speaking, what does this mean? It means that devices inside your CUI boundary that you thought were out of scope because they only transmit encrypted CUI are now CUI Assets (CUIA). Think specifically routers, switches, wireless access points. These devices don't need to be FIPS-validated if the CUI is being FIPS-encrypted prior to transiting them, but they are now CUIA in your CMMC assessment scope and need to have all the controls of 800-171 addressed (not necessarily implemented, but addressed).

So, you may need to re-think your scope and asset categorization based on these latest two Q&A.

And I'm thinking that addressing controls vs. implementing controls sounds like a great subject for my next newsletter, eh?

Meanwhile, if you need help, you know where to find me!



Sincerely,

Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107


Copyright 1996-2026 The Net Effect, L.L.C. All rights reserved.