
How the DoW Tells Us to Scope Encrypted CUI

Written by Summit 7 Leadership | Mar 6, 2026 2:42:08 PM

A January 2026 FAQ from the Department of War (DoW) answered more than 30 frequently asked questions about the Cybersecurity Maturity Model Certification (CMMC) program.

The FAQ addressed three topics involving encrypted CUI, answering:

  1. Whether encrypted CUI is still CUI
  2. Whether encryption constitutes logical separation
  3. Whether networking components outside of an enclave fall into CMMC scope

This blog dives into what the presence of encrypted CUI entails for your organization and CMMC Scope.

Is Encrypted CUI Still CUI?

This answer is quick. Yes, encrypted CUI is still CUI. As long as a piece of CUI remains controlled, so do encrypted files and packets that contain it.

From the DoW:
B-Q8: Is encrypted CUI still considered to be CUI?
B-A8: In accordance with 32 CFR Part 2002, CUI remains controlled until it is formally decontrolled. As such, encrypted CUI data retains the control designation given to the plain text counterpart. While it is true that certain risks (e.g., transmission across unsecured, "common carrier" networks) are accepted for cipher text that would not be accepted for plain text, this does not mean the original, controlled information, nor the data (plain or cipher text) representing it, is considered decontrolled.

All of this is to say that your CMMC scope must include networks containing encrypted CUI.

Isn’t Encryption Logical Separation?

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 requires the logical or physical separation of CUI from non-CUI data. This means that they must either exist on entirely separate endpoints (physical), or be digitally separated by access controls, network segmentation, etc. (logical).

Many believe that encrypting CUI creates the logical separation needed to deem the network out of scope, but encryption does not negate the need for logical network separation. Anything forwarding, routing, or transmitting encrypted packets containing CUI must fall within your CMMC scope.

Encryption alone is not logical separation because it doesn’t prevent data transfer.

From the DoW:
A-Q11: Can encryption alone create logical separation for a network within a CMMC Assessment Scope?

A-Q11: No. Logical separation occurs when data transfer between physically connected assets (wired or wireless) is prevented by non-physical means such as software or network assets (e.g., firewall, routers, Virtual Private Networks (VPNs), Virtual Local Area Networks (VLANs)). While properly implemented encryption provides necessary confidentiality protection, it does not, by itself, prevent data transfer or enforce the security boundary of a network. To create logical separation, you must prevent data transfers within out-of-scope networks. An encrypted file containing CUI can be moved to another device within the same network, which necessitates the network be added to scope.

Are networking components outside of my CMMC enclave in-scope?

In an enclave that relies on enterprise networking components, those components do not fall under CMMC scope, assuming proper logical separation and encryption are in place.

From the DoW: 
C-Q12: Our enclave does not have a direct internet connection. Instead, it relies on enterprise networking components residing outside of the enclave. All CUI data is properly encrypted before leaving our enclave. Must the enterprise networking components be brought into our enclave’s CMMC Assessment Scope?

A-Q12: No. So long as the enclave is otherwise logically separated from the greater enterprise network, the transmission of properly encrypted CUI data does not incur an extension of the CMMC Assessment Scope to include the enterprise networking components.

Your enclave may rely on out-of-scope networking as long as it is logically separated, because the CUI is already encrypted before it leaves the enclave.

Encrypting CUI is Not a Shortcut

While encryption is a valuable tool in limiting access to CUI, it does not change your CMMC Assessment Scope.

Encryption prevents unauthorized access to encrypted data, but unlike a CMMC-certified environment, it does not prevent misuse by those who can access it. To learn more about identifying your CUI and scoping your environment, reach out to a Summit 7 expert.