
Boots on the Ground: 10 CMMC Guidance Shifts to Action Now

Team, grab your coffee. The Department just dropped a new CMMC FAQ ("Cybersecurity Maturity Model Certification Program: Frequently Asked Questions"), and it's packed with the kind of specific guidance we've been waiting for. As your "boots on the ground" here at Maple Woods, I've combed through the legalese to bring you the tactical highlights.

Here are the top 10 clarifications you need to know right now:


  1. Go-Time is Official: The clock has started ticking. The Department began incorporating CMMC assessment requirements into contracts on November 10, 2025. The current phase (the first 12 months) is focusing heavily on self-assessments (Level 1 & 2), so get your SPRS scores in order.

  2. The VDI "Out of Scope" Win: This is huge. If you use a Virtual Desktop Infrastructure (VDI) and lock it down (no copy/paste, no file transfers, video/mouse/keyboard only), the endpoint device is considered out of scope. This is a game-changer for BYOD policies.

  3. Encryption ≠ Decontrolled: Don't get cute here. Encrypted CUI is still CUI. Just because it's sitting as ciphertext doesn't mean it's decontrolled. Treat it with respect.

  4. No Cheap Cloud Workarounds: You cannot store encrypted CUI in a non-FedRAMP Moderate cloud and claim it's safe. The cloud provider must meet FedRAMP Moderate baseline requirements, even if the data is encrypted.

  5. NIST Rev 2 is Still the Standard: Even though NIST 800-171 Rev 3 is out, CMMC is sticking to Rev 2 for now. You can implement Rev 3, but you have to map it back to Rev 2 and cover any gaps.

  6. OPA vs. POA&M: An OPA (Operational Plan of Action) is for routine maintenance like patching. A POA&M is for actual security gaps found during an assessment. Don't mix them up.

  7. The "Critical" List: There are requirements you generally cannot put on a POA&M. If you miss these critical steps, you don't get a Conditional Status; you just fail.

  8. Scores Aren't Public (But Secrets Don't Help): The public cannot see your assessment score. However, Primes will expect you to share your status to form teaming arrangements. If you want on the team, show your work.

  9. Flow Down is Real: If a Prime has a Level 3 requirement, the flow down to the subcontractor is Level 2 (C3PAO) minimum, unless the government says otherwise.

  10. International Scope: To our friends overseas, if you are on the contract, CMMC applies to you. No exceptions for non-U.S. companies.


The Bottom Line: The gray areas are shrinking. The Department is getting specific, which means we need to get moving. If you're feeling exposed on any of these points, reach out to the team. We've got your Overwatch!


Copyright Maplewoods Enterprises, LLC 2025
