Updates in the CMMC FAQs and How They Help Small Businesses

When the Department of Defense released CMMC FAQs Revision 2.1 in November 2025, the update appeared modest on the surface. Four new questions were added without changing the CMMC model or the underlying regulatory framework in 32 CFR Part 170. For organizations already fatigued by years of CMMC evolution, it would be easy to dismiss these 

Importantly, each of these four additions resolves an ambiguity that many contractors had been relying on to narrow the scope, defer remediation, or justify architectural shortcuts. Collectively, they close several loopholes that organizations assumed would remain open until formal enforcement began. 

This article covers each of these new FAQs, the assumptions they invalidate, and how organizations should adjust their compliance strategies accordingly.


B-Q8: Encrypted CUI Is, and Was, CUI

The addition of B-Q8, which explicitly states that encrypted CUI remains CUI, may seem obvious. Yet in practice, many organizations had treated encryption as a de facto scope-reduction mechanism. If data was encrypted at rest or in transit, it was often treated as lower risk, less tightly controlled, or functionally “out of scope” for certain architectural decisions.

The updated FAQ removes that ambiguity entirely. The DoD states unambiguously that CUI remains controlled until it is formally decontrolled, regardless of whether it is in plaintext or encrypted.

In practice, the FAQ closes a gap that some organizations had used to shortcut scoping. Encryption can no longer be offered as a rationale for:

  • Moving CUI into environments that do not otherwise meet CMMC or DFARS requirements.
  • Treating encrypted datasets as exempt from access control, audit, or monitoring expectations.
  • Arguing that specific transmission paths or storage locations fall outside the assessment scope.

More importantly, B-Q8 signals how assessors will reason about the boundary. Encryption is still required where NIST SP 800-171 calls for it (FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI, SC.L2-3.13.11), but it is a control applied to in-scope data, not a mechanism for taking data out of scope. Organizations that relied on encryption to forgo CUI scoping will need to revisit their CUI boundary definitions.

C-Q8: OPAs Are Not A POA&M

The introduction of C-Q8, which clarifies the distinction between Operational Plans of Action (OPAs) and Plans of Action and Milestones (POA&Ms), closes another area of dangerous misinterpretation. Before this update, many organizations assumed OPAs could serve as a flexible alternative to POA&Ms, particularly for issues identified late in the assessment process.

OPAs are operational risk-management tools used after a system has been assessed as compliant, typically to track vulnerabilities or deficiencies introduced by subsequent changes. POA&Ms, by contrast, are the remediation plans behind a conditional certification: the deficiencies they list must be closed out within 180 days of the conditional status date, or the conditional certification lapses.

Critically, if a requirement is assessed as NOT MET during a CMMC assessment, an OPA cannot be used to avoid that finding. A POA&M must be created, and only for requirements that are explicitly eligible. If the requirement is categorized as critical, no POA&M is permitted.

This clarification fundamentally reshapes assessment preparation. It means organizations can no longer rely on operational intent or future remediation plans to soften assessment outcomes. Readiness must be demonstrated at the time of assessment, not promised afterward.

E-Q2: Encrypted CUI In The Cloud Still Requires FedRAMP Moderate 

E-Q2 states that a cloud service provider (CSP) storing encrypted CUI on a contractor's behalf must still be FedRAMP Moderate authorized or meet FedRAMP Moderate equivalency, the same requirement DFARS 252.204-7012(b)(2)(ii)(D) already places on external cloud services. If B-Q8 left any room for argument, E-Q2 closes it for this context: a cloud service that processes, stores, or transmits CUI in any form is inside the CUI boundary and must be protected accordingly. Because encrypted CUI remains CUI, this holds even where the contractor encrypts data before upload and keeps the keys itself.

This clarification has sweeping implications for organizations that adopted cost-effective or developer-friendly cloud platforms under the assumption that encryption reduced compliance exposure. The practical check is straightforward: for each SaaS or IaaS offering that touches CUI, confirm a FedRAMP Moderate (or higher) authorization on the FedRAMP Marketplace, or obtain the CSP's documented evidence of FedRAMP Moderate equivalency; if neither exists, the service must be removed from the CUI data flow.

E-Q7: VDI Endpoints Are Only Out Of Scope If You Can Prove They Are Harmless

The final addition, E-Q7, tackles one of the most nuanced areas of CMMC scoping: Virtual Desktop Infrastructure (VDI) endpoints. Before this FAQ, many organizations treated any endpoint that merely displayed a VDI session as automatically outside the scope of CMMC.

An endpoint may be considered out of scope only if it is technically prevented from processing, storing, or transmitting CUI beyond keyboard, video, and mouse data, and only if specific safeguards are in place and can be evidenced.

The FAQ further outlines the conditions required to maintain the out-of-scope designation, including disabling clipboard sharing, file transfers, local printing, local caching, and screenshots, and not relying on authentication paths the organization does not manage. Multifactor authentication must also be implemented in a way that is independent of the unmanaged endpoint, so that a compromised endpoint cannot supply both factors. The restrictions must be enforced on the managed side (the VDI broker or session host), since a configuration that lives only on an unmanaged device is not something the organization can attest to.
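As an added illustration of what testing an E-Q7 claim "at the configuration level" looks like (example code written for this article, not part of the DoD FAQ or any vendor's tooling): the script below assumes the VDI broker is Windows Remote Desktop Services, parses a `reg query` style export of the RDS Group Policy key, and reports which redirection channels are still open. The value names (fDisableClip, fDisableCdm, and so on) are the documented RDS policy registry values; the two exports are constructed samples, not captures from a real host, and the conditions those keys cannot prove (screenshots, caching, endpoint-independent MFA) are listed as needing separate evidence.

```python
"""Check whether a VDI session-host policy supports an E-Q7 style
"endpoint is only a keyboard/video/mouse terminal" claim.

Added example for this article; not the DoD FAQ's or any vendor's code.
Assumptions: the broker is Windows Remote Desktop Services, and the
relevant settings are the Group Policy-backed registry values under
HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services.
The exports below are constructed `reg query` style text, not real captures.
"""
import re

# Policy value name -> redirection channel it controls. A value of 1 means
# the channel is disabled by policy on the session host, i.e. enforced on
# the managed side regardless of what the unmanaged endpoint requests.
REQUIRED_DISABLED = {
    "fDisableClip": "clipboard redirection",
    "fDisableCdm": "drive redirection (file transfer)",
    "fDisableCpm": "client printer redirection",
    "fDisableLPT": "LPT port redirection",
    "fDisableCcm": "COM port redirection",
    "fDisablePNPRedir": "plug-and-play device redirection",
}

# FAQ conditions these keys cannot prove; they need separate evidence.
MANUAL_EVIDENCE = [
    "screenshot / screen-capture blocking in the VDI client",
    "no local caching of session data on the endpoint",
    "MFA enforced by the broker or IdP, independent of the unmanaged endpoint",
]

_VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_DWORD|REG_SZ)\s+(\S+)\s*$")


def parse_reg_query(text):
    """Parse `reg query`-style output into {value_name: value}.

    DWORDs are printed as hex (0x1) and converted to int; the key header
    line and blank lines carry no type token and are skipped.
    """
    values = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            name, kind, raw = m.groups()
            values[name] = int(raw, 16) if kind == "REG_DWORD" else raw
    return values


def audit_vdi_policy(values):
    """Return (claim_supportable, findings).

    An absent value is a finding, not a pass: "not configured" leaves the
    redirection channel enabled by default, so the endpoint can move data.
    """
    findings = []
    for name, channel in REQUIRED_DISABLED.items():
        if name not in values:
            findings.append(f"{name} not configured: {channel} allowed by default")
        elif values[name] != 1:
            findings.append(f"{name}={values[name]}: {channel} enabled")
    return not findings, findings


# Constructed sample exports (not real captures).
WEAK_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    fDisableClip    REG_DWORD    0x0
    fDisableCpm     REG_DWORD    0x1
"""

HARDENED_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    fDisableClip        REG_DWORD    0x1
    fDisableCdm         REG_DWORD    0x1
    fDisableCpm         REG_DWORD    0x1
    fDisableLPT         REG_DWORD    0x1
    fDisableCcm         REG_DWORD    0x1
    fDisablePNPRedir    REG_DWORD    0x1
"""


def report(label, export):
    """Print an assessor-style summary and return whether the claim holds."""
    ok, findings = audit_vdi_policy(parse_reg_query(export))
    print(f"{label}: out-of-scope claim {'supportable' if ok else 'NOT supportable'}")
    for finding in findings:
        print("  -", finding)
    if ok:
        print("  still needs evidence for:", "; ".join(MANUAL_EVIDENCE))
    return ok


if __name__ == "__main__":
    report("weak policy", WEAK_EXPORT)
    report("hardened policy", HARDENED_EXPORT)
```

The weak export fails on five counts (clipboard explicitly enabled, four channels never configured), which is the point a practitioner should take from E-Q7: a setting that was never configured is not a control, and an assessor reading the export will treat it that way. Even a clean export only covers the channels RDS policy can express; the screenshot, caching and MFA conditions still have to be evidenced separately.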

How CMMC Assessors Are Likely To Operationalize These FAQ Updates


While the CMMC FAQs are not assessment guides themselves, they signal to organizations and security providers how assessors will treat particular controls and configurations. Organizations that fail to anticipate this shift risk being surprised not by new requirements, but by stricter enforcement of existing ones.

From an assessor’s perspective, these updates simplify decision-making in several key areas.

  • Claims that encryption reduces scope will be treated as categorically invalid. With B-Q8 and E-Q2 explicitly stating that encrypted CUI remains CUI and still requires FedRAMP Moderate–equivalent protections in cloud environments, assessors no longer need to entertain nuanced arguments about cryptographic compensating controls.
  • Assessment-time deficiencies will be evaluated against POA&M eligibility with far less discretion. C-Q8 gives assessors a clear rule for whether an unmet requirement is an outright failure or a candidate for a conditional certification. If a requirement is NOT MET at assessment time and is ineligible for a POA&M, assessors are explicitly justified in recording a failure, regardless of planned remediation or an existing OPA.
  • VDI-based scoping claims will be tested at the configuration level, not accepted at face value. E-Q7 provides assessors with a checklist of technical conditions that must be met for endpoints to be considered out of scope. Expect assessors to ask about specific VDI configurations, such as disabled clipboards, disabled local printing, and blocked file transfers.
  • Vendor and service-provider dependencies will be scrutinized more aggressively. Assessors will have more straightforward guidelines for determining whether software platforms and managed service providers fall within your CUI perimeter. 

In this environment, successful CMMC outcomes will increasingly favor organizations that treat compliance as an engineering discipline rather than a documentation exercise. The FAQs do not arbitrarily raise the bar; they narrow the gap between what organizations believe is compliant and what assessors are authorized to accept.

Maintain Your CMMC Compliance with Continuum GRC

For organizations that take these clarifications at face value, the FAQ updates provide clarity rather than constraint. They define the rules of the road at a moment when compliance is transitioning from theory to enforcement. But it is up to each organization to ensure its infrastructure aligns with both the language and the intent of these clarifications.

We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cybersecurity® company and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect your systems and ensure compliance.
