
New CMMC FAQ Revision from DoD Shows Scoping Is Still Misunderstood: What the DIB Needs to Know
Anna Fitzgerald
Senior Content Marketing Manager
Dylan Miller
Partner Manager, Audit and Technology
The DoD CMMC FAQs keep getting updated, and scoping is still the problem.
Earlier this month, the Department of Defense released Revision 2.3 of the CMMC FAQs. This is the fifth revision since the updated program’s initial rollout in 2024, and the third update in less than six months.
At first glance, each update may not look significant. Revision 2.3 only introduced three new questions, following a prior update in January that added three and another in November that added four. But taken together, these revisions—and the 11 new FAQs added—tell an important story.
This guide covers what's changed across the latest revisions, Revisions 2.2 and 2.3, and what it means for your CMMC readiness right now and for maintaining compliance after the assessment.

Why the DoD updated CMMC FAQs again
The FAQs have quietly become the primary vehicle for CMMC guidance updates between formal rulemaking processes.
Like v2.2, this latest FAQ revision continues to focus heavily on CMMC scoping, and even adds a new standalone section, Section F, dedicated to this topic.
Ideally, at this stage of the phased rollout, scoping would be well understood, since it is one of the first steps of the certification process. But these FAQ updates make it clear that scoping remains one of the most persistent sources of confusion for organizations preparing for and undergoing CMMC assessments.
And now, as Phase 2 enforcement approaches, those mistakes are going to cost more organizations money and contracts, and pose a bigger risk to the capability and integrity of the supply chain.
This is a key shift in messaging as CMMC enforcement ramps: leaders like Stacy Bostjanick emphasize that the true stakes of not complying with CMMC are not contract-eligibility. They’re national security.
That’s why a new focus area in the latest CMMC FAQ revision is continuous compliance. Organizations across the DIB are not challenged with achieving certification to check the box, but with maintaining compliance to ensure sensitive defense information remains protected, the defense supply chain resilient, and service members supported.
When the DoD revises FAQs this late in the rollout and this frequently, it’s not to clarify edge cases. It’s because the same misunderstandings are still surfacing, often during readiness reviews or later in the assessment process with C3PAOs, where the consequences could mean certification delays, failed assessments, legal settlements, contract ineligibility, capability loss, or even security breaches. The impact of these consequences would not be limited to the defense ecosystem; it would extend to the nation.
This guide breaks down these common mistakes so you can avoid them in your own readiness efforts, assessments, and ongoing program management.
Looking for in-depth guidance on scoping before an assessment? Check out our on-demand webinar led by an expert with real CMMC Level 2 scoping experience.
Recommended reading
Katie Arrington on When DIB Organizations Should Get CMMC Certified: "A year ago”
The top 6 scoping misunderstandings addressed by the latest CMMC FAQs
During the January CyberAB Town Hall, the PMO confirmed that the FAQ updates in Revision 2.2 were driven by recurring scoping questions surfacing across CMMC assessments.
Revision 2.3 adds even more FAQs related to scoping, but these questions are not just surfacing before or during assessments. They’re also surfacing afterward, when organizations are trying to maintain and affirm compliance between assessments.
Below, we break down what the six FAQ updates in the last two major revisions clarify and what the takeaways are for organizations navigating the certification process.
1. If joint venture companies need their own CMMC Status, or can “inherit” a partner’s
New FAQ: C-Q6 - If a company is a Joint Venture, does the JV need its own CMMC Status, or can the CMMC Status of each JV partner suffice?
Answer: It depends on the systems in scope.
Clarification on JVs has been a gap in official CMMC guidance for years, with the DoD's responses during the public comment period thin on specifics.
Revision 2.3 finally addresses it directly: a JV may need its own CMMC Status, or partner statuses may suffice. What determines the answer isn't the type of business entity. It's which systems will actually be used to process, store, or transmit FCI or CUI during contract performance. Those systems must be identified with CMMC Unique Identifiers (UIDs) in the proposal.
What this clarification actually means
- If the JV uses a member's already-certified systems to handle FCI or CUI, the JV itself likely doesn't need its own CMMC Status.
- If the JV will use its own systems, it likely needs its own CMMC Status and UID.
- Any systems not represented by UIDs listed in the proposal are considered non-compliant and cannot be used during performance, no exceptions.
What keeps going wrong
JV companies often:
- assume one partner's existing CMMC Status covers shared infrastructure, even if there are systems being used to process FCI or CUI that haven’t been assessed.
- treat CMMC scope as something to figure out after contract award and funding is provided.
Neither assumption holds up under CMMC 2.0.
What this means for the DIB
2. Whether paper-only CUI triggers a CMMC assessment
Updated FAQ: C-Q11 - Are CMMC assessments required for organizations that only handle hard-copy CUI?
Answer: No, but they may elect to conduct one.
This FAQ first appeared in Revision 2.2 as C-Q10, with the answer that paper-only organizations "should not be required to complete a CMMC assessment." Revision 2.3 tightens the language (no third-party assessment is required), but adds that organizations may voluntarily elect to conduct a self-assessment or C3PAO assessment for a higher degree of assurance.
The practical effect is a shift in discretion. The old language left room for primes to flow down CMMC third-party assessment requirements regardless of CUI delivery format. The new language limits the mandate but gives subcontractors a path to voluntarily certify, which may make them more attractive partners to primes.
What this clarification actually means
- Paper-only workflows do not automatically trigger CMMC assessment requirements.
- Contractors are still required to safeguard hard-copy CUI under DoDI 5200.48.
- The moment that hard-copy CUI is scanned, photographed, emailed, uploaded, printed, or entered into a system, that system is in-scope and must comply with CMMC requirements before CUI touches it.
- Organizations handling both paper and digital CUI will have both addressed during a single assessment.
This clarification doesn’t reduce organizations’ responsibility to safeguard CUI. It only clarifies scope for a CMMC assessment.
What keeps going wrong
Many organizations still operate under one of two incorrect assumptions:
- Any CUI handling requires a full CMMC assessment → over-scoping
- Paper workflows exempt them from security obligations entirely → under-scoping
Both lead to unnecessary cost, delays, or rework.
Open questions that still remain
Even with this clarification in Revision 2.3, uncertainty around paper CUI persists. For example:
- How does paper-only FCI affect Level 1 scoping?
- Will DoD programs or primes actually limit CUI delivery to paper?
- Will primes still expect subcontractors that claim they’ll only handle paper CUI to achieve CMMC (C3PAO) certification to reduce supply chain risk?
What this means for the DIB
3. How to define “significant change” and when it triggers a reassessment vs remediation plan
New FAQ: C-Q12 - What qualifies as a "significant change" that would require an OSA to undergo a new evaluation?
Answer: A significant change is one that affects your previously assessed scope.
This is arguably the most operationally useful addition in Rev 2.3. What exactly is a “significant change” has been one of the most anxiety-inducing open questions in the DIB since enforcement began. Per 32 CFR and the CMMC Level 2 Scoping Guide, a significant change to your architecture or assessment boundary requires a new assessment. But distinguishing that from routine maintenance that could be addressed on an operational plan of action (OPA) has never been directly addressed, until now.
While the DoD avoids a single prescriptive definition (expected, given how varied environments are), it provides concrete examples.
What this clarification actually means
The DoD provides three cases to determine when:
- Reassessment is required: if any security requirement that was previously assessed as N/A becomes applicable after a change. For example, if WiFi capability is added to a system that achieved CMMC Status without WiFi, the relevant access control requirements that were N/A are now applicable and have never been assessed.
- Reassessment is NOT required: for routine changes that maintain security posture, like patching or replacing a FIPS 140-2 firewall with a FIPS 140-3 firewall. These are expected changes covered by existing security requirements.
- Additional consideration is required: for major functionality changes, changes that require a new security approach or design not present in the previously assessed system and SSP, and changes that reduce or remove support for a CMMC security requirement. For example, if a Windows-based environment is merged into a Linux-based environment, the appropriate course of action depends on whether the resulting environment and all the systems, configurations, and security tools it includes have been previously assessed.
The Affirming Official is responsible for the final determination for changes that fall into category 3, and bears the legal and contractual risk of getting it wrong, so consulting with authorized independent consultants is recommended.
What keeps going wrong
Organizations demonstrate compliance with change-related requirements during their first assessment and then stop treating change management as a live process. By the time the next three-year assessment arrives, the environment looks different from the documented one, and the organization (and AO) face real contract and legal risk.
What this means for the DIB
4. How to handle system changes to maintain compliance between assessments
New FAQ: F-Q5 - How do I properly handle changes to my system while maintaining continued CMMC compliance?
Answer: Evaluate, document, and involve your Affirming Official.
This companion FAQ to C-Q12 provides the procedural workflow that C-Q12 leaves implicit. It's the only brand-new FAQ in the new Section F on Scoping. The other four questions in that section were re-organized from Sections C and E in Revision 2.2.
What this clarification actually means
The DoD outlines a three-step workflow for properly handling changes:
- Before implementation: Perform security impact analysis, assess effects on CUI flow, document in your change management process, and review planned change with your Affirming Official.
- During implementation: Document the change and any temporary risks in an OPA, identify who's responsible, and track progress.
- After implementation: Update the SSP to reflect the completed change, then review with the AO before the next annual affirmation.
What keeps going wrong
For some organizations, a compliant change management process might exist on paper but not in practice. So when changes happen:
- OPAs don't get created
- SSPs don't get updated
- Personnel aren’t assigned for change implementation and remediation
- AOs don’t get consulted and keep signing affirmations of compliance
What this means for the DIB
5. Over-reliance on encryption as a scoping strategy
New FAQ: C-Q11 - Can encryption alone create logical separation within a CMMC assessment scope?
Answer: No.
This FAQ directly addresses one of the most persistent misconceptions in CMMC scoping: that encryption, by itself, creates logical separation.
What this clarification actually means
- Encryption protects data, not boundaries
- Logical separation requires architectural controls such as firewalls, VLANs, routing rules, and network enforcement mechanisms
Encryption is necessary to protect the confidentiality of data, but it is not sufficient for preventing data transfers or enforcing the security boundary of a network.
What keeps going wrong
This clarification quietly challenges a tools-first mindset:
- Buying encryption tools does not equal a secure CUI environment
- Logical separation is about how systems interact, not how data is wrapped
In practice, this is where “checkbox security” breaks down during CMMC assessments, especially with C3PAOs.
What this means for the DIB
6. Enclave scope misconceptions, especially around networking
FAQ addressed: C-Q12 - Must enterprise networking components be included if an enclave has no direct internet connection?
Answer: No, if logical separation is properly implemented.
This FAQ addresses a nuanced but high-impact issue: how enterprise networking components interact with enclave scope.
What this clarification actually means
- Enterprise networking components do not automatically become in scope, but configuration matters.
- Proper encryption and logical separation must be in place, documented, and tested to prove that the CUI enclave is otherwise logically separated from the greater enterprise network.
- It’s not enough to assume that these components are out of scope because your enclave does not have a direct internet connection.
What keeps going wrong
The DoD continues to clarify this because:
- Enclaves are often poorly defined or built
- Logical separation is assumed, not proven
- Evidence doesn’t align with actual architecture
These mistakes often result in late-stage scope expansion, which is one of the most common reasons assessments stall.
What this means for the DIB
Recommended reading
What Is a CUI Enclave? How Enclaves Can Simplify NIST 800-171 and CMMC 2.0 Compliance
CMMC scoping issues didn’t start with Revision 2.3
The past two revisions were not the first time the DoD has stepped in to correct how organizations are scoping their environments for CMMC assessments. Just two months earlier, Revision 2.1 addressed a different but related set of scoping mistakes that were showing up across organizations’ readiness efforts and early assessments.
Together, these updates are not meant to be “gotchas” on organizations seeking certification. They are about correcting patterns of behavior that undermine actual safeguarding of sensitive unclassified information in modern environments.
| FAQ | Scoping mistake being corrected | What the DoD is reinforcing |
|---|---|---|
| FAQ Rev 2.3 | | |
| C-Q6 | Assuming JV partner status automatically covers shared or JV-owned systems | CMMC UIDs must map to actual systems used during contract performance |
| C-Q11 (updated) | Paper-only CUI means no CMMC assessment requirements | Third-party assessments not required (unless CUI is placed on a digital system), but voluntary self- or third-party assessments can provide more assurance |
| C-Q12 | Misunderstanding which changes trigger reassessment vs. routine remediation | Changes that make previously N/A requirements applicable require reassessment because they significantly change scope |
| F-Q5 | Changes made without documentation, AO review, or other proper handling | Pre/during/post-change workflow should be tied to specific CMMC controls and documented in the SSP to stay current |
| FAQ Rev 2.2 | | |
| C-Q10 → C-Q11 | Assuming any CUI handling automatically requires a CMMC assessment | CMMC assessments are triggered by cybersecurity risk to CUI on IT systems, not the mere presence of CUI |
| C-Q11 → F-Q3 | Treating encryption as a substitute for logical separation | Architecture and enforceable boundaries define scope, not encryption alone |
| C-Q12 → F-Q4 | Assuming enterprise networks are always out of scope if an enclave lacks internet access | Logical separation must be provable; assumptions don't limit scope |
| FAQ Rev 2.1 | | |
| B-Q8 | Believing encrypted CUI is no longer CUI | Encryption does not decontrol CUI |
| C-Q8 | Confusing Operational Plans of Action (OPAs) with formal POA&Ms | POA&Ms are for remediating "NOT MET" CMMC requirements within a defined deadline, while OPAs address routine maintenance |
| E-Q2 | Using non-FedRAMP services for encrypted CUI | FedRAMP Moderate is mandatory for cloud service providers handling CUI |
| E-Q7 | Treating remote endpoints as automatically out of scope | Endpoints are out of scope only under strict technical restrictions |
Why the DoD keeps clarifying CMMC scoping
These repeated updates aren’t accidental. They reflect a deeper transition underway.
For years, NIST 800-171 compliance operated as a self-attestation model of security, which led to informal interpretations and inconsistent enforcement under DFARS 7012. CMMC replaces that model with a pre-award (and often third-party) verification of compliance, so many long-standing assumptions are being tested for the first time.
As C3PAOs conduct more Level 2 assessments:
- Informal scoping shortcuts are being challenged
- SSPs are being measured against real environments
- Misalignment leads to rework, delays, and lost contract eligibility
The DoD is tightening interpretive guardrails now, before prime flowdown requirements and Phase 2 enforcement ramp up, to reduce downstream disruption.
Recommended reading
Why is CMMC Important? Benefits of CMMC Certification
What DIB organizations should do differently now
Instead of trying to minimize scope through shortcuts, organizations should:
- Validate all scoping decisions against the latest FAQ language
- Map in-scope systems to CMMC UIDs before bid submission
- Establish a significant change framework with your Affirming Official before the next change occurs
- Document why something is out of scope, not just that it is
- Implement controls to protect CUI, not to game assessment boundaries
- Use enclaves since encryption alone is not enough
- Engage trusted RPOs or C3PAOs early to evaluate assessment readiness or continuous compliance
- Rely on tooling that automates infrastructure, evidence, documentation, and monitoring to maintain CMMC compliance while reducing human error and rework over time

[Webinar] Demystifying CMMC Scoping with an Expert
Watch our on-demand webinar led by an expert with real CMMC Level 2 assessment experience to understand common pitfalls, assessor expectations, and how to avoid scope creep.
Simplify CMMC scoping and what comes next with Secureframe
Over-scoping, under-scoping, and other scoping errors are among the most costly mistakes organizations make during CMMC preparation.
Secureframe provides the expertise and automation required for teams to avoid these mistakes for their first assessment and every assessment after.
Secureframe Defense is an end-to-end CMMC solution that ensures teams:
- Identify in-scope assets automatically and accurately with an AI-guided, step-by-step workflow
- Auto-provision a CMMC-compliant enclave using GCC High or Google Workspace, without needing to build it from scratch or manually detect drift over time
- Define and document CMMC boundaries clearly
- Auto-generate SSPs, POA&Ms, and policies aligned to your real control environment
- Monitor, get alerted, and remediate changes over time to prevent scope drift
Whether you’re preparing for your first or your next Level 2 (C3PAO) assessment ahead of Phase 2, Secureframe helps ensure there are no surprises as enforcement tightens. To learn more about Level 2 readiness, talk to an expert or read the blog below.
Recommended reading
Measuring CMMC Readiness: How to Know You’re Fully Ready for a C3PAO Assessment [+ Checklist]
FAQs
How many DoD CMMC FAQs revisions have there been?
There have been five revisions since the CMMC 2.0 program was finalized in 2024, and three of those updates have come within less than six months of each other. From November 2025 to May 2026, those three updates alone added 11 new FAQs to the document.
Does paper-only CUI require a CMMC assessment?
Short answer: No, but organizations can elect to get one voluntarily, and existing safeguarding requirements still apply. Any digital handling triggers CMMC assessment requirements for that system, so it must be compliant before CUI is placed on it.
Does encrypting CUI reduce assessment scope?
Short answer: No. Encryption protects data, not system boundaries. Logical separation is what reduces scope and requires architectural controls, like firewalls, VLANs, and routing.
Are enterprise networks automatically in scope for enclaves?
Short answer: No. But logical separation must be provable and documented.
Do JV partners need their own CMMC Status?
Short answer: Either JV-level or member-level CMMC Status can be sufficient, as long as the CMMC UIDs identified in the proposal actually represent the systems used to process, store, or transmit FCI or CUI during contract performance.
What counts as a significant change requiring reassessment?
Short answer: If a change causes a previously not applicable security requirement to become applicable, then that’s significant and reassessment is required. Routine maintenance like patching generally doesn’t count, whereas major functionality changes or new security approaches or designs may count but require evaluation by the Affirming Official.

Anna Fitzgerald
Senior Content Marketing Manager
Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Dylan Miller
Partner Manager, Audit and Technology
Dylan Miller is the Partner Manager of Audit & Technology at Secureframe, where he bridges the gap between audit, security, and technology to help organizations streamline and scale their compliance programs. With deep hands-on experience across frameworks like SOC 1, SOC 2, ISO 27001, and HIPAA—and a Finance degree from Temple University’s Fox School of Business—Dylan brings a unique mix of business acumen and technical fluency. He’s passionate about building transparent, value-driven partnerships and helping teams adopt smarter, more automated approaches to cybersecurity compliance.