Get compliant
Menu

Day: February 23, 2026

DoD Finally Clarifies Encrypted CUI Scoping, and It Changes Everything

If you’ve been wrestling with how to scope systems that only touch encrypted CUI, the DoD just handed you a gift. Their January 2026 FAQ update directly addresses one of the most expensive questions in CMMC Level 2 preparation: Can systems that only process encrypted CUI be excluded from your full assessment boundary? The answer […]

CMMC Level 1 Requires 17 Safeguards 15 Controls

The official FAR clause lists 15 safeguards, but CMMC documentation often references 17 practices. Here is why: 

CMMC inherited the DoD’s earlier mapping from the DFARS 252.204-21 “Basic Safeguarding” table, where two of the FAR requirements were split into multiple CMMC practice IDs during modeling. They are not additional requirements—just a structural carryover from the original DoD-to-NIST mapping exercise.