Compliance Brief · CMMC

CMMC FAQ Revision 2.3 - what's new for DIB contractors.

The Department of War CIO just published Revision 2.3 of the CMMC FAQ, adding a brand-new Scoping section and clarifying eight areas that consistently surface during assessment prep. With Phase 2 third-party assessments beginning in November, here's what changed — and where to focus.

Revision 2.3 isn't a rewrite — it's a sharpening. The DoW CIO took eight of the questions assessors and contractors have been wrestling with for months and put answers on the record. If you handle CUI, three of them will change how you scope.

The headline addition is a brand-new Scoping section. The rest of the changes tighten existing guidance on hard-copy CUI, what counts as a "significant change" between assessments, virtual desktop infrastructure, and the obligations that flow through to cloud providers and managed service providers. None of it should surprise anyone who has been paying close attention — but the formal clarifications give Affirming Officials and assessors something to point at when the calls get hard.

Phase 2 begins November 10, 2026. For contractors handling CUI, that means a Level 2 third-party assessment is no longer a future problem. If your scoping decisions, change-management process, or external provider documentation aren't where they need to be, the runway is shorter than it looks.

Key Dates & Cadence

The Phase 2 clock is running.

Critical Milestones
Nov 10, 2025
Phase 1 active. Level 1 and Level 2 self-assessments required in applicable contracts under DFARS 252.204-7021.
Nov 10, 2026
Phase 2 begins. Level 2 third-party assessments required for contractors handling CUI.
Ongoing
Level 1 reassessed annually. Levels 2 & 3 every three years, with annual affirmation by the Affirming Official.
The Eight Clarifications

What Revision 2.3 actually says.

Each of these maps to one or more FAQ references in the official document. Read them in context with your System Security Plan and your asset inventory — most will either confirm what you already do, or surface a gap you'd rather find now than at audit.

01 / Scoping

Hard-copy CUI only (C-Q11)

Contractors that handle CUI only in hard copy are not required to undergo a third-party assessment, but the DFARS 252.204-7012 safeguarding obligations still apply. The moment that CUI is scanned, emailed, uploaded, or otherwise digitized, the receiving system must already meet the applicable CMMC requirements, so the exemption lasts exactly as long as the paper does.

02 / Change Management

"Significant change" defined (C-Q12, F-Q5)

The Affirming Official makes the call. Adding capability that activates previously N/A controls, for example enabling WiFi, requires reassessment. Like-for-like upgrades, such as replacing a FIPS 140-2 validated firewall with a FIPS 140-3 validated one, do not. Major architecture shifts need a documented security impact analysis before the Affirming Official affirms continuing compliance.

03 / Scoping

VDI endpoint scoping (F-Q1, F-Q2)

An endpoint accessing a VDI can remain out-of-scope only if the VDI blocks copy/paste, file transfers, printing, and local resource mapping — and MFA to the VDI is independent of the unmanaged client. Otherwise the endpoint becomes a CUI Asset.

04 / Architecture

Encryption ≠ logical separation (F-Q3)

Encryption protects confidentiality but does not, by itself, enforce a security boundary. Logical separation still requires software or network controls (firewalls, VLANs, VPNs) that actually prevent data transfer between assets. An encrypted CUI store that an out-of-scope host can still reach over the network is not separated from that host.

05 / External Providers

CSPs must meet FedRAMP Moderate (E-Q1, E-Q2)

Any Cloud Service Provider handling CUI — even encrypted CUI — must be FedRAMP Moderate authorized or meet the DoW's equivalency requirements per the December 2023 memo. There is no carve-out for ciphertext-only storage.

06 / External Providers

MSPs & MSSPs are in scope (E-Q4)

Even when no CUI is transmitted to your IT or security service provider, they fall within your assessment scope if they have administrative access to your environment, because that access can reach CUI regardless of what you send them. Their controls are evaluated against the applicable security requirements during your assessment.

07 / Baseline

NIST SP 800-171 Rev 2 still the standard (B-Q2, B-Q3)

A class deviation keeps Revision 2 as the assessed baseline until Revision 3 is incorporated through rulemaking. Companies operating against Rev 3 must use the DoW Organization-Defined Parameters and address any Rev 2 gaps in the interim.

08 / Data Handling

Encrypted CUI is still CUI (B-Q8)

Encryption does not decontrol CUI: ciphertext carries the same control designation as the plaintext, and media holding it must be handled and sanitized accordingly. Cryptographic erase implemented per NIST SP 800-88 is an acceptable sanitization method before disposal or reuse, because destroying every copy of the key leaves nothing that can recover the data.
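The distinction in clarification 08, as an added example that is not part of the FAQ or this brief: the ciphertext stays on the media and is still controlled data until the key is gone; cryptographic erase works by destroying every copy of the data encryption key, and it is only a valid sanitization if no escrowed copy of that key survives. The cipher below is a toy HMAC-SHA256 counter-mode keystream built from the Python standard library so the example runs anywhere (a real device uses a FIPS-validated AES implementation), and the class, method names, and sample marking are this example's own assumptions.

```python
"""Cryptographic erase (NIST SP 800-88) on a toy self-encrypting volume.

Added illustration, not code from the CMMC FAQ. The keystream is a toy
construction for portability; the sanitization logic is the point.
"""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Toy cipher so the example needs only the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptingVolume:
    """Models media whose contents are always written encrypted under a
    data encryption key (DEK) that is stored apart from the ciphertext."""

    def __init__(self) -> None:
        self.dek = bytearray(secrets.token_bytes(32))  # mutable so it can be zeroised
        self.nonce = b""
        self.ciphertext = b""
        self.escrow_copies = 0  # DEK copies exported to backup/escrow
        self.sanitized = False

    def write(self, plaintext: bytes) -> None:
        if self.sanitized:
            raise RuntimeError("volume is sanitized; provision a new DEK before reuse")
        self.nonce = secrets.token_bytes(16)  # fresh nonce per write: no keystream reuse
        self.ciphertext = xor_bytes(plaintext, keystream(bytes(self.dek), self.nonce, len(plaintext)))

    def read(self) -> bytes:
        if self.sanitized:
            raise PermissionError("DEK destroyed: ciphertext is unrecoverable")
        return xor_bytes(self.ciphertext, keystream(bytes(self.dek), self.nonce, len(self.ciphertext)))

    def export_dek(self) -> bytes:
        """Escrow a copy of the DEK. Every exported copy must be destroyed
        before cryptographic erase counts as sanitization."""
        self.escrow_copies += 1
        return bytes(self.dek)

    def crypto_erase(self, escrow_destroyed: bool = False) -> None:
        """Cryptographic erase: zeroise the DEK. The ciphertext stays on the
        media, but with no key anywhere it cannot be recovered."""
        if self.escrow_copies and not escrow_destroyed:
            raise RuntimeError(
                f"{self.escrow_copies} escrowed DEK copies exist; cryptographic erase "
                "is not valid sanitization until those copies are destroyed too"
            )
        self.escrow_copies = 0
        for i in range(len(self.dek)):
            self.dek[i] = 0
        self.sanitized = True

    def control_status(self) -> str:
        """Encryption alone does not decontrol CUI; only sanitization does."""
        return "sanitized" if self.sanitized else "CUI (encrypted at rest)"


if __name__ == "__main__":
    vol = EncryptingVolume()
    vol.write(b"CUI//SP-CTI sample record")  # constructed sample marking
    print(vol.control_status(), vol.read())
    vol.export_dek()
    try:
        vol.crypto_erase()
    except RuntimeError as exc:
        print("refused:", exc)
    vol.crypto_erase(escrow_destroyed=True)
    print(vol.control_status(), "ciphertext bytes still on media:", len(vol.ciphertext))
```

The check worth copying is the refusal in `crypto_erase`: if a backup system, HSM export, or administrator ever held a copy of the DEK, zeroising the on-device key does not sanitize the media, and the ciphertext remains CUI.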

The pattern across all eight clarifications is the same: scope is broader than most contractors assume, and the burden of proof for narrowing it sits with you.

Where to Focus Next

Three paths, depending on where you are.

Revision 2.3 reads differently depending on where you are in your CMMC journey. Here's the short version for each cohort.

If you're early in CMMC

Confirm your data type and assessment path.

Identify whether you handle FCI only, hard-copy CUI only, or digital CUI. That determines, respectively, whether a Level 1 self-assessment, no CMMC assessment, or a Level 2 third-party assessment applies (see C-Q2 and C-Q11).

If you're maintaining compliance

Brief your Affirming Official on change management.

C-Q12 and F-Q5 outline how to evaluate system changes between assessments. Document new risks, security impact analyses, and SSP updates so the next three-year reassessment confirms continuing compliance.

If you rely on cloud or MSPs

Verify FedRAMP status and provider scope.

Confirm FedRAMP Moderate authorization or equivalency for any CSP touching CUI, and document MSP/MSSP administrative access so their controls can be assessed inside your boundary.

The full FAQ is worth a careful read alongside your current SSP. If any of this changes your scoping picture or your roadmap to Phase 2, that's worth knowing now rather than in November.