No CMMC for Hard Copy CUI?

A recent webinar from the US Army Corps of Engineers told suppliers that if they only handle paper CUI, then CMMC requirements don’t apply to them. That’s a significant concession to industry on par with COTS exemption and POAMs. But is this USACE flexing their discretion or are they setting up a conflict by setting policy around CMMC applicability?


Transcript

All right, folks. It is December of 2025, and we have no major rulemaking updates. We have no major publications coming out. Everything is nice and calm and uh not a creature was stirring—except for the US Army Corps of Engineers and their recent interpretation of hard copy CUI and whether or not CMMC requirements will apply to contractors only handling CUI in paper form.

That’s what we’re going to talk about today.

Daniel, you and I were going to tune in to the rescheduled US Army Corps of Engineers webinar that happened last week prior to the CUI hotline that we do every Friday. Like and subscribe. And uh we both missed it due to registration issues, scheduling conflicts, and as soon as the webinar was over, we were immediately flooded with people calling us, emailing us, pinging us going, “What the heck is going on? The Army Corps said that if we only handle hard copy CUI, we don’t have to worry about CMMC whatsoever.”

So what happened? What did they say? What is going on?

So on that Friday—I think it was the Friday that it happened—about a little in the afternoon after CUI hotline, again, like and subscribe, I get an email. It’s like, hey, I sent this email to the Army Corps. Like they said something on the webinar that doesn’t make sense.

I’m like, okay. Like, well, I wonder what they said.

And I start looking and reading the email. It’s a good, good friend of the show, good friend of Summit 7, good friend of mine. And this is what they actually said. And I was able to receive a screenshot of this.

And looking at the highlighted piece here: “Third tier sub is given paper only drawings appropriately marked as CUI. So the normal contractual requirements help safeguard the paper. But since there’ll be no electronic transmission of FCI/CUI through the contract system, it never triggers CMMC.”

So this particular friend of the show responded back to the individual that ran the webinar, and they were in conversation. And basically the statement was made. It’s like if there’s not electrons and digital transmission occurring, then the contractual CMMC requirement for the protection of that FCI or CUI is not applicable.

So Jeff Baldwin—so I posted this on LinkedIn and then I posted the clarification we got about, hey, when does this actually apply on the paper side of the house, which I’m sharing my screen again.

And they’re like: if the contractor or subcontractor receives paper only, the CUI is never digitized—which we know will not happen. I mean, how many people are doing paper-only stuff? The CUI is never entered into any IT system. No contractor system is used to process, store, or transmit CUI. No electronic reproduction, backup, or transcription occurs. No mixed handling—paper review, but then notes typed in later.

If all—and only if—these conditions are met, then there is no CMMC assessment scope because there’s no CUI in a contractor information system. So that’ll be important here in just a second. The subcontractor would not be required to hold a CMMC level.

So I post this on LinkedIn. I’m like, “Hey guys, great news. Merry Christmas. Uh, the Army Corps says if you’re sending paper copies and they will never in a million years become digital versions of themselves, you do not have to flow CMMC contractual obligations downstream.”

The LinkedIn community blew the freak up.

Because they were like, “Wait, wait, wait, wait, wait, wait, wait. Encrypted CUI is now CUI based on the latest CMMC FAQs, but we don’t care about paper now?” Like if it’s CUI, it’s CUI.

And I think that’s what the community is wrestling with. You either say something is sensitive because of what’s in that information or you don’t.

And you know, there are contractual things here in play around, you know, what does an information system definition mean versus automated information system? Jeff Baldwin on my LinkedIn post—if you see his comment—he actually posted about that. It’s a really good kind of follow-up there.

But at the same time, the community is like, there’s too much to keep up with here. Tell us to protect the data or tell us not to protect the data. So protect CUI or don’t protect CUI, but you can’t have it in these weird situations where you just can or can’t do it. Like it’s confusing everybody.

And side note—we all know, we all know—I’m trying to be cool, be chill—we all know that the minute you slide a piece of paper over to your subcontractor with CUI, you express mail it over to them, that the first thing they’re going to do is take a picture of it or put it in their system, right? Their ERP system.

Like the real kind of underlying question here is number one: do we think this precedent will stand?

But number two, I don’t think primes are going to want to take the risk of only sending paper copies of CUI for one of two reasons.

One, they know what’s going to end up happening to it and they don’t want to be liable if something does happen to it and they don’t have the right contractual flowdown requirements stating you will not treat CUI like this.

And then the second thing is, like, I don’t think we live in a paper world.

Somebody posts on my LinkedIn as a comment like, “Oh great, we’re back to handling things 20 years ago, right?” We’re going backwards if we’re switching to paper-only copies.

Anyways, that is the update here. It’s still confusing. I still would say it’s unfolding even though we do have some clarification like you see here in this slide.

Like I just don’t think it’s going to stand, Jacob. I really don’t.

Yeah. So, uh my therapist says I need to be more mindful of my feelings as we talk about uh the definition of information systems and whether or not hard copy CUI applies. This comes up pretty often.

Okay, long story short, the way that I view this, I see this as the US Army Corps of Engineers making a risk determination that I do not think the department will agree with overall. But there’s a lot of lag between when individual components, requiring activities, program managers make decisions and then overall department policy that catches up to it.

Right? Obviously, it’s taken a long time to get CMMC off the ground because people were making individual decisions saying, “Well, we don’t really care uh to find out whether anybody’s doing anything.”

So, I think that this is a decision by the US Army Corps that I don’t think that the overall department will agree with over time. I’m pretty sure that we would see an update to the FAQs, some sort of memo, and or language in upcoming rule revisions to 32 CFR 170 and or the DFARS clause for the CMMC program. That’s what I think of at a high level.

The other takeaway here—policy vs edge cases—like you said, there’s just not a lot of people that this edge case is going to apply to or really help out.

Yeah. However, it is a very important philosophical line that they need to draw because I feel like this is an interpretation that I can understand how they would get themselves to this. I can see the chain of logic that they could use to get to this conclusion.

And it’s basically a game of regulatory telephone, right? Because there is nothing in the definition of information system in FISMA itself, the legislative definition, that says that an information system is only a digital system.

There is nothing in the corresponding definition of an information system in OMB A-130 that takes FISMA and implements it for the entire government. In fact, A-130 says the requirements of this circular apply to management activities concerning all information resources in any medium, including paper and electronic information.

For those that don’t know, FISMA, OMB A-130, FIPS 199, FIPS 200, and 800-53 derive down to 800-171 in the CUI program. This is the hierarchy of where these protection philosophies come from. But that specific wording isn’t carried over from one document to the next all the way down.

And so we get this loosey-goosey game of telephone to the point where what I feel like happened—and we’re definitely going to follow up on this in the future, we’ll circle back in the new year—is this is the equivalent of when contractors and their leadership teams hear “cybersecurity” and think this is an IT problem, which as we know it is not.

I feel like the US Army Corps and some other people are hearing “Cybersecurity Maturity Model” and equating information systems to only digital assets. And that clearly is not the case, because 3.8.1 in NIST SP 800-171 requires protection of system media containing CUI, both paper and digital.

You can go back to 800-53 to read where they got that from, and then on and on all the way back up to FISMA. There is nothing in the definition of information system that says it only has to be digital.

Glenda Snodgrass—friend of the show, friend of Reddit, friend of the Discord server—follow her on LinkedIn, she puts out great information. She had a great one-liner for this where she said this limits your paper-based CUI, limits your exposure, limits your scope tremendously, and reduces complexity—but it does not remove the obligation to protect the data.

And because people see CMMC as its own standalone thing rather than part of the overall protection of CUI effort, we’re losing the plot on the Army Corps’s position. And I think it’s just going to take time for guidance to catch up.

Long story short, if you’re a paper-only contractor downstream from the US Army Corps of Engineers, enjoy it while you can. Because until something changes, this is their position.

But logically, it doesn’t really make sense.

What happens if level three CUI is printed and handed over? Does nothing apply anymore? How often do we talk about printer requirements, shredding requirements, and physical safeguards?

The idea that paper suddenly eliminates assurance concerns clearly isn’t the intent. But when things aren’t clearly spelled out, this is what happens.

So yes, contractors are getting a big break. In other cases—like FedRAMP equivalency—it goes the other direction and gets overly restrictive. These things take time to correct.

I don’t want to bash anyone. There are a lot of incredible people in the DoD trying to do their best, consulting legal teams, and validating interpretations.

What I’d like to see is stronger governance—DoD CIO involvement, slide reviews, FAQ updates—so interpretations are consistent across components.

To the Army Corps’s credit, they didn’t say protection doesn’t apply—just that CMMC verification doesn’t. That sounds like a risk-based decision, not a definitional one. And that distinction matters.

If it’s risk-based, say that. If it’s definition-based, it’s wrong.

So until clarification comes, paper-only contractors downstream from the Army Corps have a temporary advantage.

Congrats. Merry Christmas. Happy Hanukkah.

Construction especially has legacy subcontractors where paper may be practical, and that’s likely part of the calculus.

We’re not saying good judgment or bad judgment—we’re saying it’s confusing, and we want clarity.

Is this the CIO’s stance, or just the Army Corps?

There have been many concessions to industry over the years. This could be another one. But if that’s the case, say it clearly.

Otherwise, rulemaking needs to clarify this relationship.

That’s where we are.

Great news if you’re paper-only, and another philosophical debate heading into next year and future CMMC rulemaking.

Daniel, always good to see you. Thanks for the notes from the webinar.

What do you all think? Should paper-based CUI require a CMMC assessment? Is an information system only digital? Does it include paper?

Let us know in the comments.

Like and subscribe. We’ll see you next week.

See y’all.

[Music]

 
