DoD’s CMMC FAQ Updates: What Changed – And What You Need to Do Next

By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner


Key clarifications from the January 2026 CMMC FAQ updates

The Department of Defense (DoD) issued two updates to its CMMC Frequently Asked Questions. These January 2026 updates provide clarification on several areas that have historically generated confusion within the CMMC ecosystem, including scope, encryption requirements, the treatment of external service providers (ESPs), and expectations for virtual desktop infrastructure (VDI) endpoints.

1) B‑Q8 – Encrypted CUI is still CUI

What DoD clarified: CUI remains controlled until it is formally decontrolled. Encrypting CUI (at rest or in transit) does not convert it into “non‑CUI” or allow you to treat the ciphertext as out of scope. The FAQ explicitly rejects the idea that encrypted data is decontrolled.

Why this matters: Some organizations have been using encryption as a scoping workaround (e.g., parking encrypted CUI on systems that otherwise do not meet NIST SP 800‑171 security requirements). That reasoning is no longer available. Contractors will need to revisit architecture decisions built on the “encryption makes it out‑of‑scope” assumption.


Action for clients:

  • Treat any representation of CUI – plaintext or ciphertext – as in-scope unless formally decontrolled. Align system boundaries, policies, and monitoring accordingly.
  • Re-baseline your CUI data flow diagrams and storage locations where encryption was the sole scoping control.

2) C‑Q8 – OPAs are not POA&Ms

What DoD clarified: Operational Plans of Action (OPAs) manage ongoing risks (patches, temporary deficiencies, routine maintenance), whereas Plans of Action and Milestones (POA&Ms) address gaps in an organization’s implementation of the CMMC security requirements. OPAs are not time‑bound the way POA&Ms are, and they cannot be used to paper over a “NOT MET” requirement discovered during an assessment. If a requirement is NOT MET, it belongs on a formal POA&M, subject to the CMMC program’s rules and closeout timelines.

Why this matters: Some contractors hoped to route late‑breaking gaps into “operational” processes to avoid a finding during their third-party assessment. The DoD is saying no – the compliance pathway is a POA&M. OPAs cannot “rescue” failed security requirements during an assessment.


Action for clients: Use OPAs for post-implementation system hygiene; use POA&Ms for remediation of unmet requirements discovered during an assessment.


3) E‑Q2 – Can a non‑FedRAMP Moderate cloud store encrypted CUI?

What DoD clarified: If a cloud service provider (CSP) processes, stores, or transmits CUI, the CSP must meet FedRAMP Moderate (or equivalent) under DFARS 252.204‑7012. The FAQ directly addresses a growing question: may you park encrypted CUI in a non‑FedRAMP Moderate cloud (or equivalent)? The answer is “No!”

Why this matters: Some teams argued that if CUI is always encrypted before it hits the cloud, FedRAMP should not apply. The new FAQ rebukes that argument.


Action for clients: If your cloud environment holds any CUI (plaintext or encrypted), confirm FedRAMP Moderate authorization or acceptable equivalency and document it in your SSP and Shared Responsibility Matrix.


4) E‑Q7 – When VDI contains the CUI, can the endpoint be out of scope?

What DoD clarified: If CUI never leaves the remote virtual desktop infrastructure (VDI) instance, the endpoint used to access that VDI may be considered out of scope – provided it’s configured so no processing, storage, or transmission of CUI occurs locally. This means only basic VDI protocols (video, keyboard, and mouse) are permitted, and the VDI must prevent copying (including screenshots), saving or printing CUI, and separate multifactor authentication is required to access the remote VDI instance.

Why this matters: Many organizations want to avoid turning every laptop into a CUI asset. The FAQ validates a narrow path – but only if your endpoint configuration actually enforces “no local CUI.”


Action for clients: Lock down VDI clients to disable local storage/clipboard/print, and ensure no CUI artifacts (temp files, caches, logs) persist on the endpoint.


5) C‑Q10 – “Paper‑only” CUI scenarios can eliminate the requirement for a CMMC assessment

What DoD clarified: Organizations that only handle hardcopy CUI are not required to complete a CMMC assessment. However, the organization is still required to properly safeguard the hardcopy CUI and provide appropriate safeguarding training to employees.

If the organization places the hardcopy CUI on an information technology system (e.g., scanned, entered, photographed, uploaded, printed, etc.), it becomes subject to the broader CMMC security requirements, and the additional requirements for printed material also apply.

Why this matters: Organizations (most likely subcontractors) can avoid CMMC assessment requirements if they only receive, process, and store hardcopy CUI documents.


Action for clients: Document processes for handling and storing hardcopy CUI and provide employees with the appropriate training for safeguarding these documents.


6) C‑Q11 – Encryption alone ≠ logical separation

What DoD clarified: You cannot claim logical separation of networks solely by encrypting traffic. Segmentation must be achieved through design and controls (e.g., routing/firewalling, ACLs, identity boundaries) that enforce isolation, not merely confidentiality on shared infrastructure.

Why this matters: Organizations that rely on TLS/IPsec overlays across a flat network cannot argue that those segments are “logically separate.” The FAQ resets the bar: encryption protects data; it does not prove network isolation.


Action for clients: Where you’ve declared “logical separation,” ensure your network diagram shows appropriate boundary protections (e.g., firewalls, routers, VPNs, VLANs).


7) C‑Q12 – If your enclave uses enterprise networking, what is in scope?

What DoD clarified: If your CUI enclave resides within a broader enterprise network, and all CUI is encrypted before leaving the enclave, you do not automatically have to pull the enterprise network into scope, provided the enclave is logically separated from the enterprise network.

Why this matters: This provides organizations a path to avoid dragging the entire enterprise into scope if encryption is coupled with a defensible boundary and segmentation that is not purely crypto‑based (see C‑Q11).


Action for clients: Keep enterprise transit out of scope by proving:

  • CUI encryption before transmission,
  • No TLS inspection on enterprise gear, and
  • Documented boundary controls (e.g., gateways, firewalls, identity tiers) that meet Level 2 requirements.

As these FAQs make clear, the DoD is tightening expectations around how contractors scope, secure, and validate environments that handle CUI. Rationales that relied on interpretive shortcuts, such as treating encrypted data as “out of scope” or assuming segmentation without enforceable boundaries, can no longer be used. Contractors that embrace these clarifications now will be better positioned for smoother assessments, fewer POA&Ms, and a lower chance of a failed assessment.

If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Call: 804.747.0000.


About the Author

Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing internal audits, cybersecurity and information technology consulting, Sarbanes-Oxley assistance and System and Organization Controls (SOC) Exams. Scott focuses on providing his clients with cost effective solutions to build strong, efficient internal control systems/practices that support their strategic objectives. In 2021, Scott achieved the Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner (RP) status in order to provide CMMC services to Department of Defense prime and subcontractors.
