If you’re planning your CMMC Level 2 assessment scope thinking that encrypting CUI gets it “out of bounds,” the DoD’s latest FAQ guidance delivers a reality check. The January 2026 update addresses three critical scoping questions that every DIB contractor needs to understand, because getting this wrong means either overscoping (and overspending) or underscoping (and failing your assessment).
The Bottom Line: Encryption Doesn’t Equal Decontrol
According to the DoD FAQ, encrypted CUI is still CUI. Period. The guidance references 32 CFR Part 2002, which establishes that CUI remains controlled until it is formally decontrolled; encrypting it does not change that designation. This means every system that processes, stores, or transmits encrypted CUI must be evaluated for inclusion in your CMMC assessment boundary.
Why does this matter? Because many contractors believed that encrypting CUI at rest or in transit would reduce their assessment scope. It doesn’t. If your file server holds encrypted CUI files, it’s in scope. If your network switches route encrypted CUI packets, they’re in scope too, unless they fall under the enclave carve-out discussed below.
Logical Separation Requires More Than Crypto
The second clarification hits another common misconception: encryption alone doesn’t create the logical separation required by DFARS 252.204-7012. The FAQ explicitly states that while encryption provides confidentiality protection, it doesn’t prevent data transfer or enforce security boundaries.
Think about it practically: an encrypted file containing CUI can still be copied to a USB drive, emailed to a personal account, or synced to unauthorized cloud storage. Encryption protects the bytes, not the path they travel. That’s why your assessment boundary must include every system that can access, move, or transmit CUI, regardless of whether it is encrypted at the time.
Logical separation requires actual network segmentation, enforced by firewalls, VLANs, or VPN boundaries that block unauthorized data flows, not just cryptographic protection of the data itself.
The Enclave Exception
There’s one important nuance for contractors using security enclaves. The FAQ clarifies that enterprise networking components outside your enclave don’t automatically fall into CMMC scope, provided you meet two conditions:
1. Your enclave is properly logically separated from the enterprise network
2. All CUI is encrypted before leaving the enclave
This makes sense: once CUI is confined within a logically separated boundary and leaves it only in encrypted form, the enterprise infrastructure carrying those encrypted packets is in the same position as any common carrier network. Note that both conditions must hold; an enclave that is segmented but allows plaintext CUI out, or one that encrypts CUI but has no enforced boundary, does not qualify.
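To make the two conditions concrete, here is an example nftables ruleset for a gateway sitting between an enclave VLAN and the enterprise network. It is an added illustration, not configuration from the DoD FAQ or from any particular contractor, and the interface names, address ranges, and tunnel peer address are assumptions for the example. The gateway forwards enclave traffic toward the enterprise only if it is IPsec (IKE on UDP/500 and UDP/4500, plus ESP) to a designated tunnel peer, so CUI cannot leave the enclave except inside an encrypted tunnel, and it refuses unsolicited inbound flows from the enterprise side.

```nftables
# Added example: enclave boundary gateway ruleset (assumed topology, not from the source).
#   eth1        = enclave VLAN, 10.10.0.0/24 (CUI systems live here)
#   eth0        = enterprise network (out of scope under the enclave exception)
#   192.0.2.10  = VPN concentrator / IPsec peer reachable across the enterprise network
# Default policy for forwarded traffic is drop; every permitted flow is listed explicitly.
table inet enclave_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows already permitted below; invalid packets are dropped.
        ct state established,related accept
        ct state invalid drop

        # Condition 2 (CUI encrypted before leaving): enclave -> enterprise is limited to
        # IKE and ESP destined for the tunnel peer. Nothing else leaves in the clear.
        iifname "eth1" oifname "eth0" ip saddr 10.10.0.0/24 ip daddr 192.0.2.10 udp dport { 500, 4500 } accept
        iifname "eth1" oifname "eth0" ip saddr 10.10.0.0/24 ip daddr 192.0.2.10 ip protocol esp accept

        # Inbound ESP from the same peer, so tunnel replies reach enclave hosts.
        iifname "eth0" oifname "eth1" ip saddr 192.0.2.10 ip daddr 10.10.0.0/24 ip protocol esp accept

        # Condition 1 (logical separation): no other enterprise -> enclave flows.
        iifname "eth0" oifname "eth1" log prefix "enclave-inbound-drop " drop

        # Any other egress (plaintext SMB, HTTP, cloud-sync clients, etc.) is blocked and logged,
        # which is the evidence an assessor will ask for when you claim the enclave exception.
        iifname "eth1" oifname "eth0" log prefix "enclave-egress-drop " drop
    }
}
```

Load it with `nft -f` on the gateway and confirm with `nft list ruleset`. The logged drops are worth feeding into your SIEM: they are both a detection signal and documentation that the boundary is enforced rather than merely diagrammed. This ruleset addresses the network path only; endpoint controls inside the enclave (removable media, email, unapproved cloud clients) still have to cover the other ways an encrypted file can walk out.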
What This Means for Your POA&M
Start by mapping every location where CUI exists, encrypted or not. Your scoping exercise needs to trace the full data flow, from creation through destruction, including backups, email, and collaboration tools that touch the data. Don’t assume encryption shrinks your boundary; treat it as one layer in your defense-in-depth strategy alongside enforced network segmentation.
For contractors planning virtualized enclaves or considering cloud migration, this guidance reinforces that architecture matters more than encryption alone. Your boundary decisions today will determine your assessment scope, and costs, for the next three years.
If you’re not sure whether your current encryption strategy aligns with these scoping requirements, now is the time to clarify. That’s exactly what a Phase 1 scoping conversation is built for.