Key Takeaways
- DoD quietly updated the CMMC FAQ again — the FAQ is becoming the primary source of CMMC guidance, so contractors should review it regularly.
- Significant changes may require a new assessment. Adding technologies or capabilities that were previously out of scope (such as Wi-Fi) can trigger reassessment requirements.
- Annual affirmations are a major compliance responsibility. Organizations must designate an affirming official who certifies ongoing compliance each year.
- Document every compliance decision. If you determine a change is not significant, maintain clear records explaining why.
- CMMC certification doesn’t eliminate liability. False Claims Act risk remains if organizations inaccurately attest to compliance.
- Joint ventures can use either the JV’s CMMC status or the partners’ statuses, provided the correct CMMC UIDs are associated with contract performance.
- CMMC UIDs are becoming increasingly important. Only systems tied to reported UIDs can process, store, or transmit CUI during contract performance.
- Organizations handling only paper CUI do not require a third-party CMMC assessment, though DFARS safeguarding requirements still apply.
DoD has updated the CMMC FAQs again, and the revision history doesn’t tell the full story. In this episode, we break down the most important FAQ 2.3 changes, including significant changes, annual affirmations, CMMC UIDs, joint ventures, hard-copy CUI, and why the Affirming Official is one of the most important CMMC roles inside your company.
Transcript
CMMC FAQ Version 5 Breakdown — May 2026
Jacob: All right, folks. It is May of 2026, and if you’re like most people, you probably didn’t know that DoD has updated their CMMC frequently asked questions document for the third time since November of 2025.
At this point, FAQ updates are the primary way the department is communicating guidance to defense contractors — and there are definitely things you need to know in the newest update. That’s what we’re talking about today.
Jason, we covered CMMC FAQ version 4 back in January, and just like that update, DoD didn’t tell anyone there was a new version. No press releases, no social media posts, not even an indicator on the CMMC page that anything changed — unless you click the link and open the PDF every single day. Depending on what you count as a revision, the department has updated 11 different questions across three versions of this document in less than six months. What is going on here?
Jason: I think everyone needs to realize that this document is going to be a living document for the life of the CMMC program. Anytime there’s speculation that needs to be clarified, instead of a grand parade or big announcement, it’s just a quiet update — and it behooves you to stay on top of it, or watch the show whenever changes happen.
Jacob: Absolutely. We’ll put the link below so you can read the document yourself — and you definitely should, because we can’t cover every detail here. But let’s get into the big ones.
Topic 1: Significant Change and Annual Affirmation
Jacob: There is a growing landmine around “significant change” and annual affirmation, and I can already see it coming. Section C, Question 12: what qualifies as a significant change that would require an organization to undergo a new CMMC evaluation?
DoD keeps saying that if you experience a significant change in your environment, you need to get a new assessment. And of course, everyone asks — what does “significant change” actually mean? The answers are pretty nebulous and open to interpretation. But they did give us some information.
My rule of thumb: if you have a change to the scope of your environment, that’s a significant change. If what was assessed is now different, you need a new assessment — full stop.
Jason: My rule of thumb is simpler: if it sounds sus, it probably is, and you need a reassessment. If a change you’re about to make dramatically affects the boundary that was certified by a C3PAO, treat it as a significant change and get a reassessment. That’s just me.
Jacob: So scope is a good rule of thumb, but DoD doesn’t actually use that word in this update. What they do give us is one hard example: requirements that were marked “not applicable” during your assessment that become applicable afterward are now considered a significant change — because that security requirement was never assessed in the first place.
The example they give is Wi-Fi. If you had no Wi-Fi when you were assessed and then you install a Wi-Fi system afterward, a bunch of requirements that were marked NA and never evaluated are now very much in scope. That’s a significant change and triggers a new assessment requirement.
Jason: Jacob, the number of organizations I speak to where their plan includes things like Wi-Fi endpoints or mobile devices being marked not applicable to save money on scope — and then they plan to quietly add them back in after certification — is significant. The mentality has shifted to “let’s do this quickly and cost-efficiently by cutting things out and bringing them back in after the assessment.”
Jacob: Nothing more cost-efficient than paying for two assessments instead of one. So what’s not considered a significant change? Routine updates, maintenance, patching, upgrades — not significant. Pretty obvious.
But then you get into the gray area. DoD gives examples of changes that “require additional consideration” — meaning they’re not automatically significant, but they’re not automatically clear either. Things like major functionality changes, changes that require a new security approach not present in your original SSP, or changes that reduce or remove support for requirements — applicable requirements that suddenly become not applicable. DoD doesn’t say these are significant. They say they require additional consideration.
Additional consideration by whom? By the affirming official. Because after your original assessment, this is not a one-and-done process. Every year, the affirming official at your company has to submit an annual affirmation stating that you are continuously compliant, that there have been no significant changes, and that everything is still good. Then after that period, you get a new formal third-party assessment.
So if a major functionality change happens during that year — is it significant? That’s your call to make.
Jason: It’s “it depends” times two. Is the change significant? It depends — you have to evaluate how it affects your boundary and make the decision. Did you make the right decision? Also depends — it all comes out in the wash if something happens or someone reports it. You need a very solid, documented defense for why you concluded a change was or wasn’t significant. And if there’s a paper trail anywhere saying “we decided this wasn’t significant because we didn’t want to pay for it” — that is not going to hold up.
Also think about who’s actually making this decision. Your IT team, your MSP — they may own the security implementation and the documentation. But the person who has to attest on behalf of the company that compliance is still happening? That’s not going to be your MSP. It’s probably not going to be your IT guy. For small and medium-sized companies, the affirming official is probably the CEO, the owner, or the president — someone who typically isn’t deep in the weeds on what the IT team is doing because they outsourced it for a reason.
You all need to be on the same page about what decisions were made regarding significant changes — because you’re the one signing the annual affirmation. And having a CMMC certification does not insulate you from False Claims Act liability. If you submit an affirmation saying “we’re still doing everything we were doing a year ago” and you’re not — now the government has a baseline to compare against. That actually makes the liability easier to pursue.
Jacob: In larger organizations there’s usually some legal team involvement, but for smaller ones it really does come down to whoever’s running the show day-to-day. I ask organizations all the time: “Do you know who your affirming official is?” And the answer is often “I don’t know.” That’s going to be a big issue. Everyone is focused on the initial assessment right now — which makes sense, that’s the first bridge to cross — but two-thirds of your experience under CMMC will be the annual affirmation process, not third-party assessments. Make sure you’re prepared for that.
Topic 2: Joint Ventures
Jacob: A couple more interesting items from this FAQ. Still in Section C, Question 6: if a company is a joint venture, does the JV need its own CMMC status, or can the status of each partner suffice?
DoD says either works, as long as the CMMC unique identifiers represent the scope used during contract performance. The CMMC UIDs for the systems that will process, store, or transmit CUI during performance — those can belong to the JV itself or to the individual JV members. DoD doesn’t care which, as long as the right UIDs are provided during the proposal and that’s where the CUI lives.
This also ties into what they say elsewhere in the FAQ about CAGE codes. If a system is not represented by a CMMC UID provided in the proposal, DoD says it cannot be used to process, store, or transmit FCI or CUI during contract performance. That applies to primes, subs, joint ventures, enclaves, business units — doesn’t matter. It all revolves around which systems are represented by those UIDs.
Jason: Basically it deflects the policing responsibility down through the supply chain. The UIDs get collected by the prime, reported up the chain, and as long as everyone with CUI flowing through them is listed and protected, you’re in good shape. What’ll be interesting down the road is that there will eventually be more UIDs than there are contractors in the ecosystem — there are more CUI systems than there are companies handling them. That’s probably the more interesting number to track.
Jacob: Another thing to think about: contract performance changes over time. If you provide your UID at proposal time and then get a new one during performance, and your prime is still using the old one — that’s a problem nobody’s really talking about yet.
Topic 3: The Paper CUI Exception
Jacob: Last one — and this one is worth reading even if just to watch your hair fall out. Section C, Question 11: are CMMC assessments required for organizations that only handle hard copy controlled unclassified information?
Deep breath. The short answer is no. If you only handle paper CUI with no digital systems involved, you don’t need a third-party CMMC assessment. The requirements to safeguard that information under DFARS 252.204-7012 still apply to you, but no third-party assessment is required.
I’ve said this many times and I know it annoys people inside DoD: I don’t have a problem with saying paper-only systems don’t need a third-party assessment. My problem is the inconsistency. When I operate a digital system, a third party has to evaluate my paper security controls too. But when there are no digital systems, the paper controls don’t require third-party evaluation. Why does the presence of a computer processing CUI suddenly make the paper controls relevant to a third-party assessment? If that’s truly the logic, then just be consistent — don’t assess paper controls when there are digital systems either. It would make assessments shorter, cheaper, and faster. Help me help you, DoD.
Jason: It also needs to be consistent enough that people can interpret it correctly, because the strategy shifts that happen when people misinterpret this guidance can be very damaging to the ecosystem.
Jacob: Right. And people are already doing it. I’ve seen entire strategies built around “just tell my prime to print it out and FedEx it to me so I don’t have to get assessed.” If that’s a conspiracy, it’s a conspiracy by the lumber industry and Big Paper.
Jason: Blame them.
Wrap-Up
Jacob: So — FAQ updates happened. DoD didn’t tell you. Subscribe to the channel so we can. A few things to keep in mind:
Read the FAQ closely, because the revision history at the bottom doesn’t capture all of the changes. Make sure you know who your affirming official is and that they’re aligned with the IT and security teams on what’s changed since your last assessment. Significant change is going to bite people who aren’t paying attention. CMMC UIDs are the common denominator across joint ventures, primes, subs, and everything in between. And if you’re paper-only — lucky you, but DoD, come on.
Happy Memorial Day, everybody. We’ll see you next week.
Jason: See you next week.