The Department of Defense/War just released an update to the official CMMC FAQs. While the update does not change requirements or timelines, it does remove long-standing misinterpretations held by many organizations and service providers. These updates reinforce what we have been telling defense contractors and subcontractors for years: shortcuts don’t lead to compliance, and the only sustainable path is a deliberate, standards-based approach built on the actual rules.
Here is what updated in the CMMC FAQs and why it matters.
Encrypted CUI is Still CUI
The updated FAQ makes it clear that data does not lose its status as Controlled Unclassified Information simply because it is encrypted. CUI remains controlled until it is formally decontrolled, regardless of encryption state. This is important because some organizations believed that encrypting CUI allowed them to store it in non-compliant environments. That was never correct, and now the DOD/DOW has confirmed it explicitly.
Encrypted CUI Cannot Be Stored in a Non-FedRAMP Moderate Cloud
One of the most important updates is the explicit confirmation that encrypted CUI must still reside in a cloud environment authorized at FedRAMP Moderate or equivalent. Some service providers have promoted the idea that encrypted CUI in commercial cloud services or other low-assurance environments is acceptable. The FAQ makes clear that this interpretation was incorrect.
This clarification aligns directly with the way CyberSheath manages customer environments. Our approach meets the required standards and eliminates any ambiguity about cloud compliance. Organizations that assumed encryption alone satisfied cloud storage requirements will now need to address not only a control gap, but a scoping gap that often requires a fundamentally different architectural approach, with cascading impacts across the entire control framework.
Most VDI Setups Remain in Scope
Many organizations believed they could reduce their CMMC scope simply by using a Virtual Desktop Infrastructure. The updated FAQ makes it clear that endpoints remain out of scope only if they meet a strict technical configuration that limits the endpoint to providing keyboard, video, and mouse services to the VDI, and nothing more.
This confirmation mirrors the guidance we have provided for years. VDI can be a helpful tool, but it is not magic, and it does not remove responsibility from the endpoint unless it is configured in a very specific way. The DOD/DOW confirmed that most current implementations do not meet the standard, which has direct implications for assessment scope, boundary controls, and compliance status. And even in cases where endpoints qualify to be out of scope, the VDI platform itself remains fully in scope, including identity services, networking, storage, and all infrastructure supporting the virtual desktop.
OPA Versus POA&M Is Now Explicitly Defined
Some practitioners in the field have incorrectly treated normal operational issues as failed security requirements, leading organizations to place routine patching items or short-term maintenance vulnerabilities on POA&Ms. The updated FAQ makes it clear that this is not how POA&Ms are intended to be used.

OPAs are not a formal requirement and are not part of the CMMC evidence model. They are simply how an organization tracks operational issues that do not represent a failure of a NIST SP 800-171 requirement. These operational items do not belong on a POA&M because they are not unmet security requirements; a POA&M is created only when a requirement is marked not met based on NIST SP 800-171A. The FAQ reinforces the boundary: POA&Ms are for failed requirements, and operational issues should be handled through normal maintenance processes. CyberSheath keeps this boundary clear by managing operational issues separately and reserving POA&Ms strictly for unmet controls.
Why the Latest DOD CMMC Updates Matter for Compliance
These updates do not introduce new requirements, but they eliminate the ambiguity that many organizations and service providers were operating under. The room for creative interpretation is now significantly smaller. Encrypting CUI does not remove compliance obligations. Commercial cloud environments that lack the required authorization are not acceptable, regardless of how the data is protected. VDI does not shrink scope unless it is engineered with precision. And POA&Ms cannot be used to mask genuine gaps, nor should they be cluttered with routine operational issues.
For many defense contractors, this means their current architectures and practices will not withstand an assessment as cleanly as they may have assumed. Designs built around “encrypt it away,” commercial cloud shortcuts, loosely configured VDI, or misclassified remediation plans will require rework. The clarifications make the actual path forward unmistakable: align with the standards as written or face gaps that cannot be explained away.
For CyberSheath, this update simply reflects the approach we have taken from the beginning. Our managed services and program design follow the intent and the letter of the requirements, not interpretations of convenience. These clarifications reinforce that doing compliance the right way is not optional. It is the only way to succeed in a CMMC assessment.
If your organization needs help understanding what these updates mean for your current environment or what changes may now be required, our team is ready to support you. Contact us to discuss your next steps.