
New CMMC FAQ Revision from DoD Shows Scoping Is Still Misunderstood: What the DIB Needs to Know

  • January 29, 2026
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Dylan Miller

Partner Manager, Audit and Technology

Earlier this month, the Department of Defense released Revision 2.2 of the CMMC FAQs. This is the fourth revision since the updated program’s initial rollout in 2024.

At first glance, the update may not look significant. Revision 2.2 only introduced three new questions, following a prior update in November that added four. But taken together, these revisions tell an important story.

[Figure: timeline showing when the DoD published each revision of the CMMC FAQ]

Why the DoD updated CMMC FAQs again

This latest FAQ revision continues to focus heavily on CMMC scope. Ideally, at this stage of the phased rollout, scoping, one of the first steps of the certification process, would be well understood. These updates make it clear, however, that scoping remains one of the most persistent sources of confusion for organizations preparing for and undergoing CMMC assessments.

When the DoD revises FAQs this late in the rollout, it’s rarely to clarify edge cases. It’s because the same misunderstandings are still surfacing, often during readiness reviews or later in the assessment process with C3PAOs, where the consequences can include certification delays or contract ineligibility.

This guide breaks down these mistakes so you can avoid them in your own readiness efforts and assessments.

Looking for in-depth guidance on scoping before an assessment? Check out our on-demand webinar led by an expert with real CMMC Level 2 scoping experience.

Recommended reading

Who Needs CMMC? DoD Contractor Requirements in 2026

The top 3 scoping misunderstandings addressed by the latest CMMC FAQs

During the January CyberAB Town Hall, the PMO confirmed that these FAQ updates were driven by recurring scoping questions surfacing across CMMC assessments.

Below, we break down what the new FAQs clarify and what the takeaways are for organizations preparing for certification.

1. Confusion about whether paper-only CUI triggers a CMMC assessment

New FAQ: C-Q10 - Are CMMC assessments required for organizations that only handle hard-copy CUI?
Answer: No.

The DoD clarifies that organizations only handling hard-copy CUI are not required to complete a CMMC assessment, because CMMC assessments address cybersecurity-related risk to CUI processed, stored, or transmitted on contractor-owned information systems.

However, the answer also makes several critical distinctions that are often missed:

What this clarification actually means

  • Paper-only workflows do not automatically trigger a CMMC assessment.
  • Contractors are still required to safeguard hard-copy CUI under DoDI 5200.48.
  • The moment that hard-copy CUI is scanned, photographed, emailed, uploaded, printed, or entered into a system, that system becomes subject to CMMC requirements.
  • Organizations handling both paper and digital CUI will have both addressed during assessment.

This clarification doesn’t reduce organizations’ responsibility to safeguard CUI. It only clarifies scope for a CMMC assessment.

What keeps going wrong

Many organizations still operate under one of two incorrect assumptions:

  • Any CUI handling requires a full CMMC assessment → over-scoping
  • Paper workflows exempt them from security obligations entirely → under-scoping

Both lead to unnecessary cost, delays, or rework.

Open questions that remain

Even with this clarification, uncertainty around paper CUI persists. For example:

  • How does paper-only FCI affect Level 1 scoping?
  • Will DoD programs or primes actually limit CUI delivery to paper?
  • Will primes still require CMMC certification to reduce supply-chain risk, even if CUI is paper-only?

Notably, the FAQ says organizations that only handle hard-copy CUI “should” not be required to complete a CMMC assessment. This language leaves primes the discretion to flow down CMMC requirements regardless of the CUI delivery method.

2. Over-reliance on encryption as a scoping strategy

New FAQ: C-Q11 - Can encryption alone create logical separation within a CMMC assessment scope?
Answer: No.

This FAQ directly addresses one of the most persistent misconceptions in CMMC scoping: that encryption, by itself, creates logical separation.

What this clarification actually means

  • Encryption protects data, not boundaries
  • Logical separation requires architectural controls such as firewalls, VLANs, routing rules, and network enforcement mechanisms

Encryption is necessary to protect the confidentiality of data, but it is not sufficient for preventing data transfers or enforcing the security boundary of a network.

What keeps going wrong

This clarification quietly challenges a tools-first mindset:

  • Buying encryption tools does not equal a secure CUI environment
  • Logical separation is about how systems interact, not how data is wrapped

In practice, this is where “checkbox security” breaks down during CMMC assessments, especially with C3PAOs.

3. Enclave scope misconceptions, especially around networking

New FAQ: C-Q12 - Must enterprise networking components be included if an enclave has no direct internet connection?
Answer: No, if logical separation is properly implemented.

This FAQ addresses a nuanced but high-impact issue: how enterprise networking components interact with enclave scope.

What this clarification actually means

  • Enterprise networking components do not automatically become in scope, but configuration matters.
  • Proper encryption and logical separation must be in place, documented, and tested to prove that the CUI enclave is logically separated from the wider enterprise network.
  • It’s not enough to assume that these components are out of scope because your enclave does not have a direct internet connection.

What keeps going wrong

The DoD continues to clarify this because:

  • Enclaves are often poorly defined or built
  • Logical separation is assumed, not proven
  • Evidence doesn’t align with actual architecture

These mistakes often result in late-stage scope expansion, which is one of the most common reasons assessments stall.

Recommended reading

What Is a CUI Enclave? How Enclaves Can Simplify NIST 800-171 and CMMC 2.0 Compliance

CMMC scoping issues didn’t start with Revision 2.2

Revision 2.2 isn’t the first time the DoD has stepped in to correct how organizations are scoping their environments for CMMC assessments. Just two months earlier, Revision 2.1 addressed a different but related set of scoping mistakes or misunderstandings that were showing up across organizations’ readiness efforts and early assessments.

Like the new FAQs in Revision 2.2, these targeted systemic misunderstandings about what it actually means to safeguard CUI in modern environments.

Together, these 7 updates are not meant to be “gotchas” on organizations seeking certification. They are about correcting patterns of behavior that undermine actual safeguarding of sensitive unclassified information.

| FAQ | Scoping mistake being corrected | What the DoD is reinforcing |
|---|---|---|
| FAQ Rev 2.2 | | |
| C-Q10 | Assuming any CUI handling automatically requires a CMMC assessment | CMMC assessments are triggered by cybersecurity risk to CUI on IT systems, not the mere presence of CUI |
| C-Q11 | Treating encryption as a substitute for logical separation | Architecture and enforceable boundaries define scope, not encryption alone |
| C-Q12 | Assuming enterprise networks are always out of scope if an enclave lacks internet access | Logical separation must be provable; assumptions don’t limit scope |
| FAQ Rev 2.1 | | |
| B-Q8 | Believing encrypted CUI is no longer CUI | Encryption does not decontrol CUI |
| C-Q8 | Confusing Operational Plans of Action (OPAs) with formal POA&Ms | POA&Ms are for remediating “NOT MET” CMMC requirements within a defined deadline, while OPAs address routine maintenance |
| E-Q2 | Using non-FedRAMP services for encrypted CUI | FedRAMP Moderate is mandatory for cloud service providers handling CUI |
| E-Q7 | Treating remote endpoints as automatically out of scope | Endpoints are out of scope only under strict technical restrictions |

Why the DoD keeps clarifying CMMC scoping

These repeated updates aren’t accidental. They reflect a deeper transition underway.

For years, NIST 800-171 compliance operated as a self-attestation model of security, which led to informal interpretations and inconsistent enforcement under DFARS 7012. CMMC replaces that model with a pre-award (and often third-party) verification of compliance, so many long-standing assumptions are being tested for the first time.

As C3PAOs begin formal Level 2 assessments:

  • Informal scoping shortcuts are being challenged
  • SSPs are being measured against real environments
  • Misalignment leads to rework, delays, and lost contract eligibility

The DoD is tightening interpretive guardrails now, before Phase 2 enforcement ramps, to reduce downstream disruption.

Recommended reading

Why is CMMC Important? Benefits of CMMC Certification

What DIB organizations should do differently now

Instead of trying to minimize scope through shortcuts, organizations should:

  • Validate scoping decisions against the latest FAQ language
  • Document why something is out of scope, not just that it is
  • Implement controls to protect CUI, not to game assessment boundaries
  • Use enclaves since encryption alone is not enough
  • Engage trusted RPOs or C3PAOs early to sanity-check readiness
  • Rely on tooling that automates infrastructure, evidence, and documentation to reduce human error and rework over time

[Webinar] Demystifying CMMC Scoping with an Expert

Watch our on-demand webinar led by an expert with real CMMC Level 2 assessment experience to understand common pitfalls, assessor expectations, and how to avoid scope creep.

Simplify CMMC scoping and what comes next with Secureframe

Over-scoping, under-scoping, and other scoping errors are among the most costly mistakes organizations make during CMMC preparation.

Secureframe provides the expertise and automation required for teams to avoid these mistakes for their first assessment and every assessment after.

Secureframe is an end-to-end CMMC solution that ensures teams:

  • Identify in-scope assets automatically and accurately with an AI-guided, step-by-step workflow
  • Stand up a CMMC-compliant enclave in under 30 minutes, without needing to build it from scratch or maintain it over time
  • Define and document CMMC boundaries clearly
  • Auto-generate SSPs, POA&Ms, and policies aligned to your real control environment
  • Monitor, get alerted, and remediate changes over time to prevent scope drift

Whether you’re preparing for a Level 2 self-assessment or a C3PAO assessment, Secureframe helps ensure there are no surprises as enforcement tightens leading into Phase 2. To learn more about Level 2 readiness, talk to an expert or read the blog below.

Recommended reading

Measuring CMMC Readiness: How to Know You’re Fully Ready for a C3PAO Assessment [+ Checklist]

FAQs

Does paper-only CUI require a CMMC assessment?

Short answer: No. But safeguards still apply, and digital handling triggers assessment requirements.

Does encrypting CUI reduce assessment scope?

Short answer: No. Encryption protects data, not system boundaries.

Are enterprise networks automatically in scope for enclaves?

Short answer: No. But logical separation must be provable and documented.

Anna Fitzgerald

Senior Content Marketing Manager

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Dylan Miller

Partner Manager, Audit and Technology

Dylan Miller is the Partner Manager of Audit & Technology at Secureframe, where he bridges the gap between audit, security, and technology to help organizations streamline and scale their compliance programs. With deep hands-on experience across frameworks like SOC 1, SOC 2, ISO 27001, and HIPAA—and a Finance degree from Temple University’s Fox School of Business—Dylan brings a unique mix of business acumen and technical fluency. He’s passionate about building transparent, value-driven partnerships and helping teams adopt smarter, more automated approaches to cybersecurity compliance.