CMMC Compliance Guide

CMMC FAQ Update: Timeline, Subcontractor Flowdowns, Enclaves, Cloud Rules, and VDI Scope Explained



The DoW just released updated CMMC FAQs that clarify the rules contractors keep getting wrong. In this episode, Austin and Brooke break down what the new guidance actually says, what it means for your scope, and where vendor and architecture decisions can derail an assessment before it even starts.

We cover the most important FAQ clarifications, including:

  • The real CMMC timeline and what Phase 1 vs Phase 2 changes
  • Why primes may demand Level 2 earlier than the official dates
  • Flowdown requirements for subcontractors (and what “defensible” verification looks like)
  • The myth that encrypted CUI is no longer CUI (it is still CUI)
  • Whether CMMC assessment results will be public (they will not)
  • POAM vs “operational POAM” and why the distinction matters
  • Hard copy only CUI: when Level 2 may not apply (and the strict caveats)
  • Why encryption does not create logical separation or reduce scope
  • Enclaves and enterprise networking components: what pulls systems in scope (and what does not)
  • Cloud storage rules: why non-FedRAMP clouds cannot store encrypted CUI
  • MSP requirements: do MSPs need CMMC certification (and what a CRM must include)
  • VDI scope rules: when endpoints can be out of scope, and when they are automatically in scope

If you are making decisions around scope, vendors, cloud tools, backups, enclaves, or VDI, this episode will help you avoid assumptions that assessors will not accept.


By CMMC Compliance Guide