The Department of Defense has clarified a couple of points in newly added FAQs.
New CMMC FAQs Clarify Scope, Paper CUI, and Network Separation
The Department of Defense recently released a set of new FAQs that clarify some common questions about the Cybersecurity Maturity Model Certification (CMMC). These updates are especially helpful for contractors who handle paper CUI, use enclaves, or rely on network separation to protect sensitive data (C-Q10, C-Q11, and C-Q12).
Handling Paper CUI
Organizations that only handle hard-copy CUI don’t need a CMMC assessment. The CMMC framework is focused on cybersecurity risks, so it only applies when CUI is processed, stored, or transmitted on a contractor-owned IT system. That said, contractors are still responsible for protecting paper CUI according to DoDI 5200.48, including following government training and safeguarding requirements.
If hard-copy CUI is scanned, photographed, emailed, or uploaded then that system falls under CMMC assessment requirements. For organizations handling both paper and digital CUI, the assessment will cover both, following NIST SP 800-171 standards.
Encryption Isn’t Enough for Separation
Another important clarification, encryption alone does not create logical separation. Encryption protects the confidentiality of data, but it doesn’t stop data from moving between connected systems or enforce a network boundary. True logical separation requires tools like firewalls, VPNs, VLANs, or firewalls that control how data flows.
Enclaves and Enterprise Networks
The FAQs also address enclaves that aren’t directly connected to the internet. If an enclave relies on enterprise network components outside its boundary but all CUI leaving the enclave is encrypted, the external systems do not need to be included in the CMMC assessment, provided the enclave itself is logically separated.
Stratus is here to help
If your company needs help digesting these updates or otherwise would like someone to review your CMMC roadmap, feel free to contact us.
