Weekly CMMC Q&A: 11.21.25


  • We’re now spotting early CMMC language (C3PAO level 2) in draft solicitations on SAM.gov, especially for high-sensitivity programs like GPS work at China Lake.
  • Updated DoD CMMC FAQs state that encrypted CUI is still CUI, meaning more assets (cloud, backups, network traffic, MSP tool stacks) are now in scope unless they fit narrow transport exceptions; non-FedRAMP moderate clouds cannot store encrypted CUI.
  • There is no public list of CMMC Level 2 certified companies; only the government can see EMASS data, so suppliers must rely on companies’ certificates, news, and LinkedIn posts to verify claims.
  • FAR CUI will act like a government-wide “7012” for non-DoD agencies (mandating NIST 800-171 but not third-party assessments), and other agencies like NASA/GSA/DoT are already showing interest or using 800-171 and reciprocity with CMMC.
  • Primes are starting to pressure subcontractors with hard deadlines (e.g., 110/110 by early next year, level 3 by 2027), while CMMC Level 2 certifications are already ahead of DoD’s phase-one estimates and assessment capacity is growing.

We’re quickly approaching 67 CMMC Level 2 clients.

We sit down every Friday to share what we’ve learned.

Find us live on YouTube, LinkedIn, or reach out at cuihotline.org.

Transcript

All right, nobody can see our cameras when we are dancing whenever the screen is going up, I think. Anyway, it is Friday, and Thanksgiving is next week, so there will not be a hotline next week. We will be hanging out for the holiday or out Black Friday shopping or whatever, but we will not be here. If you are on YouTube, where we are streaming, or on LinkedIn, let us know if the brand new feature is working. We are streaming in horizontal and vertical video at the same time. Let us know if that is working or not working. You will have to pardon the mess behind me while the office studio transformation and construction project is going on. It is the first time in about five years that I have tried to move anything around, so it is a big project over Thanksgiving. But anyway, Daniel is here, I am here, it is the hotline, we do this every week. Daniel, how are you?

Daniel: I am doing great. It has been an interesting week so far. We have had the CMMC FAQs, which I think you are going to talk about, and a lot of discussion around encrypted CUI and non-encrypted CUI. My favorite thing you posted was the solicitation that came out with C3PAO requirements. This is kind of the first drip of things we are starting to see. This week I have had quite a few calls with the AEC industry, architectural engineering and construction, and it is interesting to hear that many of them are just now starting their exploration. They know CMMC is a thing but think they are not really being impacted. Then you show them something like this solicitation and say, “Show your BD team if there is any interest in going after this kind of work.” I am pulling up my screen. This is the solicitation you found on sam.gov. At the very bottom under the description, you cannot see it well, so I will shrink it up here a bit.

My morning routine for the last couple of years used to be checking the OMB dashboard for rulemaking updates. Now it is checking SAM.gov every day to see which RFPs and solicitations are going to have CMMC in them. This one says, “The following is being added to section 4: CMMC C3PAO is anticipated for this requirement. If you disagree with the anticipated CMMC level, please provide a rationale and your recommended CMMC level.” It is interesting to start seeing this language because even in the CMMC FAQs that came out a couple of days ago, they said the intent of phase one is self-attestation, but that they still have discretion. Their stated intent is self-attestation in year one, but we are already seeing solicitations come out that anticipate certification. This is a good example. Our friend Alexis commented when I posted it and said this is not actually a solicitation yet, it is a sources sought. They are gathering information, so it is not a guarantee that it will appear in the final solicitation, but it is very helpful because clearly the customer wants it to be there. There is a chance it will not be, but this program is directly related to what is arguably always going to be controlled technical information. You are working on GPS satellites, the GPS system and range, all that kind of thing. If you have ever been to China Lake, California, it is a spooky weapons station in the middle of nowhere. It takes forever to get there and there is definitely some interesting work going on. So it is not surprising that this customer is interested in having a level two C3PAO.

If C3PAO certification is in the solicitation, it brings up the same situation we have talked about. People want to wait until they see it in the solicitation before they start implementing NIST SP 800-171. They are planning to award this in Q4, so before the end of phase one. If you wait a few more months to see the final solicitation and they include CMMC, you already know it will involve DFARS 252.204-7012 requirements. You are kind of shooting yourself in the foot by saying, “Maybe it will not be there, so we will not start working on 800-171.” This is a clear example of a customer signaling that they want this requirement in the contract.

One more quick note, and our producer Justin just dropped the link in chat. I mentioned architectural and engineering construction because we have the Five Days of Industry week coming up the second week of December. If you are in manufacturing, AEC, private equity, solution implementers, transportation or any of those verticals, make sure to register for your specific day. We are doing a one hour webinar for each industry. The link is in the YouTube chat and we will put it on LinkedIn as well.

Now, back to the DoD update. I was surprised by the reaction this got. The DoD officially published updated CMMC FAQs. If you Google “DoD CMMC CIO” you will land on the CMMC page with the FAQ box and the newest version. There were only a couple of FAQs with significant updates. The DoD would probably say they “clarified intent.” I think the one that got the most attention was their statement that encrypted CUI is still CUI. Daniel, how do you feel about that?

Daniel: I do not like it. With ITAR, there has always been an assumed carve-out where, if the encryption is applied and you hold the keys, you can store data in a friendly country in an encrypted state. CUI does not play by those rules. Often ITAR, on behalf of a federal contract, is also CUI, so you end up pulling ITAR into scope in this conversation. It makes the two frameworks conflict. I understand some of the logic. People have posted about quantum computing and the possibility of decryption becoming easier in the future. But this stance brings many more assets into scope. I posted about this on LinkedIn the other day. Cloud providers that are not FedRAMP authorized thought they were safe because they only had encrypted CUI. That does not count anymore. Encrypted network traffic that was previously treated as out of scope now brings those assets into scope as security protection assets. The carve-out methodology is basically gone for CUI, which means your environment will become more in scope, not less. The only caveat you brought up is internet traffic. There is an assumed risk posture for genuine internet transport that can be treated as out of scope. Still, this will be challenging, especially for MSPs. Joy commented on my post about backup providers. If backup jobs are encrypted and stored in a non-FedRAMP cloud, that was historically fine. Now MSPs are going to have to reevaluate their tool stacks again. Overall, I do not like it. I wish DoD would align with ITAR requirements because so much CTI falls into ITAR, but it is the DoD. It is what it is.

The FAQs also say that a non-FedRAMP Moderate cloud service cannot store encrypted CUI. If you hear a solution provider saying, “We can help you with 7012 and CMMC because we have this cloud-based offering,” but they are not FedRAMP or FedRAMP equivalent, the data being encrypted does not get them out of jail. Some people were getting tripped up by marketing claims, so you need to do your due diligence, double check the FAQs and, if you are heading toward an assessment, make sure your understanding matches what DoD actually wrote.

Another interesting question we got was about scope for endpoints accessing GCC High or Azure Government web portals. Someone asked whether the endpoint they are using is in scope if they use a browser to access those environments. The answer is yes and no. If you process, store or transmit CUI within that session, that endpoint is in scope because of local caching and related behavior. Even in the best case, if you are connecting to a CUI asset like M365, even if you are not personally manipulating CUI, that endpoint could still be a security protection asset, sometimes called a CRM associated asset, because it is connected to a CUI system. It is hard to defend a CRM associated asset. If an assessor thinks your justification is weak, they can simply say, “Apply all 110 controls to it.” That is not a fun position to be in. So yes, those endpoints are in scope under some classification, depending on how you architect the environment.

We also got a question in the AB town hall that at least half a dozen people asked. Is there a published list of CMMC level two companies, like a FedRAMP marketplace equivalent for CMMC? The answer is no. The government can see all the companies with CMMC level two status inside the CMMC EMASS system, but that is not a public database. There is no public list outside of a company telling you that they are certified and then showing you their audit certificate. The government has no current plans to publish such a list. So, if you are hoping to look it up somewhere centrally, you will not find it. You can set up Google Alerts and watch LinkedIn for companies that announce their certification, but there will not be an official central index. The DoD’s position is that verifying your suppliers is your problem, not theirs. That is not very helpful, but it has been their position for a long time.

We circled back on encrypted CUI in transport. Rob commented that if encrypted CUI is still CUI, then by that logic a black fiber transport should be classified at the level of what is inside it. How do we make the internet work in that world? The DoD’s answer is that, when it comes to transport mechanisms and the internet, they are accepting the risk even though the data is still CUI. It feels inconsistent and not especially defensible, but that is the current stance. Someone gave me an analogy. The CUI is inside a bank vault, but just because the vault is secure does not mean you do not lock the front door of the bank. That is the logic behind treating encrypted CUI as still in scope. I am not fully convinced, and I would like to see it explained more clearly, but that is where it stands for now.

Nicholas asked whether there has been new discussion about non-DoD departments wanting to implement CMMC after DoD, such as DOE or others that were waiting for the road to be paved. There is nothing official yet, but we have heard rumors about interest from NASA and GSA. Any department could leverage the requirements if they wanted to, but NASA and GSA are close behind the DoD on the FAR Council. Still, we have not seen anything formal and I do not expect official news before the end of the year. That led to a discussion about the FAR CUI rule. You can think of the FAR CUI rule as the DFARS 7012 equivalent for non-DoD federal agencies. It would add contract clauses that say if you handle certain kinds of data, you must implement NIST SP 800-171, report incidents and flow the clause down to subcontractors. It does not fundamentally change anything for DoD contractors because they already have 7012. It also does not itself include a third-party assessment requirement. There is no CMMC-like component baked into the FAR CUI rule. That is left to agencies to add through their own supplements. I met the GSA official shepherding that rule and he had no interest in adding third-party verification. The logic is puzzling, because we already know self-attestation did not work under 7012. The FAR CUI rule is currently tied up in the broader FAR rewrite. The administration is doing a large overhaul that removes duplicative content and reorganizes the FAR. That rewrite has to go through rulemaking itself, so we do not know whether the FAR CUI rule will emerge before or after it. I would not expect to see FAR CUI finalized this year.

We also talked about NIST SP 800-171 Rev 2 versus Rev 3. DoD has given itself a class deviation that lets it continue to require Rev 2, even though Rev 3 is now the current version. That means DoD will likely stay on Rev 2 for another year or more until the CMMC program is updated for Rev 3. Other agencies, like the Department of Transportation, are already referencing Rev 3 in some contexts and accepting CMMC certifications as evidence of compliance with Rev 2 where it makes sense.

Another question was whether DoD has discretion to require CMMC level three in phase one of the rollout. Technically DoD can always do what it wants, but as written, phase one does not include level three requirements. Practically speaking, DIBCAC, which runs level three assessments, has only recently completed its initial pilot level three assessments. Everything we have heard indicates they will not be ready to start regular CMMC level three assessments until the middle or end of next year. So it is highly unlikely that you will see level three in an official government solicitation during phase one. However, there are already conversations between the government and the primes about contract modifications that will state CMMC level three will be required within 12 to 18 months. That means primes will get early notice before the end of phase one that they will need level three. In turn, they are likely to push their suppliers to start pursuing level three well before the formal requirement hits their own contracts. We already have clients who have been told by primes that they must be level three certified by specific dates, such as January 2027.

We touched on the cost estimates for level three. For small businesses, DoD’s estimate was about 2.7 million one-time and about half a million annually. For large businesses, the estimates were roughly 21.1 million one-time and 4.1 million annually. These numbers factor in corporate IT and OT uplift, and the OT side is often the most challenging. You cannot treat specialized OT assets as just associated, because under level three you must apply all level two and level three controls to them, unless you can use intermediary devices and isolation strategies. Manufacturing downtime becomes a big constraint in that kind of upgrade.

Justin and others in chat shared that they have been told by primes they must reach a perfect 110 score on 800-171 by the beginning of the year in order to continue receiving contracts. We are hearing that more and more. There was even a Reddit thread where someone said they had warned their company repeatedly and the owner did not believe it would matter. Now the prime is calling them constantly and telling them they need to be compliant or lose the work. You will not see these stories in headlines, but these one-off situations are where the real pressure is building.

Julian asked about CTI markings and whether the SP category needs to be in the banner or only in the designation block. The answer depends on the specific DoD instructions and the CUI marking guidance. The DoD CUI registry has tips and examples, plus a list of common marking discrepancies. Generally the header and footer banner can often be simplified to “CONTROLLED” or similar, with the detailed category information in the designation block, but you need to check the latest DoD instruction that applies to your situation. There are also some interesting statistics on the CUI registry site, like CUI registry visits by state, which is a fun side note.

Someone asked whether the CyberAB or DoD will ever publish a list of “bad eggs,” meaning solution providers that misrepresent compliance or CMMC readiness. The answer is no. The AB will not publish such a list and neither will DoD. Even publishing a list of “good” vendors has triggered threats of legal action in the past. If you are interested in community feedback, some people in the CMMC ecosystem hang out in the CUI Center of Excellence Discord server, which you can find from the CMMC subreddit. They have an informal channel where people swap stories about problematic vendors. From our perspective, we hear about a handful of providers frequently. They promise they are “CMMC compliant” or that their app is “CMMC ready,” but when clients reach the assessment, those claims fall apart. We will not name names, but the pattern is real.

Because so many people are now being pushed by primes to move quickly, we closed with some practical advice on vetting MSPs and solution providers. Ideally, work with an MSP that is itself CMMC certified, which shows they have implemented the controls and gone through the process. If not, look for past performance, specifically clients they have helped achieve certification. Ask them for their asset list that will be used to support you, including which tools they use, whether those tools are FedRAMP authorized or equivalent if CUI will be in them and whether any data will be stored encrypted in non FedRAMP environments. Confirm whether they use only US persons where export control requires it and how they handle marking and handling of CUI. Make sure they have a clear customer responsibility matrix so you know which controls they handle and which ones remain on you. If they cannot answer those questions clearly or they get vague when you ask about FedRAMP, CUI boundaries or assessment support, that is a red flag.

We wrapped up by noting that as of now there are 575 organizations with CMMC level two C3PAO certifications, including early joint surveillance participants. DoD originally estimated about 517 level two certifications during phase one, so the ecosystem is already ahead of that estimate. Their projection for year two was around 25,000 level two certifications. At the current rate, we will probably see 1,000 level two certifications in Q1 of next year. The phased rollout does not require everybody to be certified by the end of phase three. DoD expects it will take around seven years for all contracts to cycle over to new terms. That does not mean you personally have seven years, because primes and program offices are already setting earlier deadlines, but it does mean the overall assessment capacity does not need to hit forty thousand assessments per year. DoD’s modeling is closer to sixteen thousand per year as the ecosystem matures.

We ended by reminding everyone that there will not be a live stream next week because of Thanksgiving. If you are one of the folks who just received a DIBCAC audit notice, your holiday will probably be a lot less relaxing. For everyone else, enjoy Thanksgiving. We will be back in two weeks. If you watch the recording later and have questions, drop them in the comments, DM us, or visit summit7.us or cuihotline.org to get in touch.
