If you’re planning your CMMC scope assuming that encryption gets you out of compliance requirements, the DoD’s January 2026 FAQ update has news you need to hear. The message is clear: encrypted CUI is still CUI, and those systems handling it can’t be written off as out-of-scope just because the data is encrypted.
Here’s what matters for your CMMC planning.
The DoD Answered Three Critical Questions
The FAQ tackled questions that contractors have been asking since CMMC scoping guidance first emerged:
1. Is encrypted CUI still CUI?
Yes. Per 32 CFR Part 2002, CUI remains controlled until it is formally decontrolled. Your encrypted files and packets containing CUI retain their control designation. The FAQ explicitly states that while certain transmission risks are accepted for ciphertext, this does not decontrol the information.
2. Does encryption create logical separation?
No. This directly affects how you interpret DFARS 252.204-7012's requirement for logical or physical separation of CUI from non-CUI data. The DoD clarified that encryption alone neither prevents data transfer nor enforces a security boundary; it provides confidentiality protection only.
3. Are enterprise networking components outside an enclave in scope?
Not necessarily. If your enclave is logically separated from the enterprise network and CUI is properly encrypted before leaving the enclave, those external networking components don’t automatically extend your CMMC assessment scope.
What This Means for Your Scope
The practical impact: any system that forwards, routes, or transmits encrypted packets containing CUI must be evaluated as part of your asset categorization. You can’t simply declare these systems out-of-scope because the data passing through is encrypted.
This affects your assessment boundary in several ways:
- Network devices handling encrypted CUI traffic need to be documented
- You must still implement logical separation through firewalls, VLANs, or similar controls
- Asset categorization decisions must consider the presence of encrypted CUI
The third FAQ answer offers some relief: properly architected enclaves can rely on enterprise networking without expanding scope indefinitely. But this requires both logical separation AND encryption, not encryption alone.
Avoiding the Encryption Shortcut Trap
The temptation is real: if data is encrypted, why does it matter which systems touch it? The DoD's position reflects a key security principle: encryption protects confidentiality, but it does not control access or prevent misuse by authorized users.
Your POA&M needs to address the actual security boundary, not just confidentiality controls. During asset categorization, you’ll need to evaluate each system touching encrypted CUI to determine if it’s a CUI Asset, Security Protection Asset, or potentially a Contractor Risk Managed Asset.
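The three FAQ answers above reduce to a small decision rule for each asset in your inventory. The following is an added illustration, not DoD guidance or any tool's code: it models the rule (encrypted CUI is still CUI; encryption is not separation; enterprise components outside a separated enclave with CUI encrypted on exit are not automatically in scope) over a constructed inventory. The asset attributes, the enclave description and the disposition strings are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Enclave:
    # Hypothetical attributes: how the CUI enclave boundary is actually built.
    logically_separated: bool      # firewall/VLAN/ACL boundary, not just encryption
    cui_encrypted_before_exit: bool  # CUI is ciphertext before it leaves the enclave

@dataclass(frozen=True)
class Asset:
    name: str
    handles_cui: bool        # stores, processes, or forwards CUI, encrypted or not
    inside_enclave: bool
    security_function: bool  # protects the enclave (e.g. the boundary firewall)

CUI_ASSET = "CUI Asset"
SPA = "Security Protection Asset"
EVALUATE = "Evaluate: carries encrypted CUI, encryption alone is not separation"
NOT_AUTO = "Not automatically in scope: enclave separated and CUI encrypted on exit"
NO_CUI = "No CUI contact"

def disposition(asset: Asset, enclave: Enclave) -> str:
    """Apply the FAQ logic to one asset. FAQ 1: encrypted CUI is still CUI,
    so handles_cui is True for devices that only ever see ciphertext."""
    if asset.security_function:
        return SPA
    if not asset.handles_cui:
        return NO_CUI
    if asset.inside_enclave:
        return CUI_ASSET
    # Outside the enclave but touching (encrypted) CUI. FAQ 3 relief applies only
    # when both conditions hold; FAQ 2 says encryption by itself is not a boundary.
    if enclave.logically_separated and enclave.cui_encrypted_before_exit:
        return NOT_AUTO
    return EVALUATE

def scope_report(assets: list[Asset], enclave: Enclave) -> dict[str, str]:
    return {a.name: disposition(a, enclave) for a in assets}

# Constructed sample inventory (not from the FAQ or any real environment).
INVENTORY = [
    Asset("file-server-01", handles_cui=True, inside_enclave=True, security_function=False),
    Asset("enclave-firewall", handles_cui=True, inside_enclave=True, security_function=True),
    Asset("core-router", handles_cui=True, inside_enclave=False, security_function=False),
    Asset("hr-printer", handles_cui=False, inside_enclave=False, security_function=False),
]

if __name__ == "__main__":
    for name, result in scope_report(INVENTORY, Enclave(True, True)).items():
        print(f"{name}: {result}")
```

Run the report twice, once with `Enclave(False, True)` (the encryption-only shortcut) and once with `Enclave(True, True)`, to see the core router move from "Evaluate" to "Not automatically in scope".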
Bottom Line for DIB Contractors
Don’t build your CMMC strategy on the assumption that encryption reduces scope. The DoD has made clear that encrypted CUI requires the same scoping rigor as any other CUI. The worst time to discover you’ve under-scoped your environment is when your C3PAO shows up for the assessment.
If you're still determining what falls inside your CUI boundary, now is the time to validate your assumptions. Getting this wrong early means rework, expanded scope, and potentially failed practices you thought were out of bounds. Start with a proper scoping exercise before you've committed to an approach that encryption alone won't support.