Encrypted CUI and FedRAMP: Latest Guidance from the DoD

By Megan Leader


    For defense contractors pursuing CMMC compliance, one question has been lingering: Does Controlled Unclassified Information (CUI) have to remain in a FedRAMP environment at all times, or can it move through lower-security environments with the right protections? The Department of Defense/Department of War (DoD/DoW) has provided some updated guidance in its November 2025 CMMC FAQ — but it still leaves room for interpretation.

    In this post, we’ll assess the updated guidance around encrypted CUI for defense contractors and add some context to support the FAQ text.

    DoD CIO: Yes, Encrypted CUI Is Still CUI

    The DoD’s November 2025 CMMC FAQ says that, yes, CUI remains CUI even when it is encrypted. Here is the full text from this section of the FAQ:

    Is encrypted CUI still considered to be CUI? 

    B-A8. In accordance with 32 CFR Part 2002, CUI remains controlled until it is formally decontrolled. As such, encrypted CUI data retains the control designation given to the plain text counterpart. While it is true that certain risks (e.g., transmission across unsecured, "common carrier" networks) may be accepted for cipher text that would not be accepted for plain text, this does not mean the original, controlled information, nor the data (plain or cipher text) representing it, is considered decontrolled.

    This means that, whether or not it is encrypted, CUI remains sensitive and must be governed as such; encryption does not change its control status. This is no surprise: a PDF containing CUI is still CUI when it is encrypted and shared.

    However, ‘Certain Risks May Be Accepted for Cipher Text.’

    This FAQ answer goes on to say that “Certain risks (e.g., transmission across unsecured, ‘common carrier’ networks) may be accepted for cipher text that would not be accepted for plain text.” This indicates some flexibility in how CUI is shared in its encrypted state. Presumably, this would be similar to how encrypted data is controlled under ITAR (International Traffic in Arms Regulations).

    ITAR stipulates an encryption carve-out for end-to-end encrypted data that would otherwise count as an export. ITAR-controlled data is a subset of CUI, and under ITAR, end-to-end encryption and granular access control demonstrate adequate governance and security of that data.

    FedRAMP Storage Is Your Safest Bet for CUI Protection

    All this being said, storing CUI in a FedRAMP authorized location — and protecting it with end-to-end encryption and granular access control — remains your best bet for securing CUI in a manner that will pass CMMC Level 2 assessment. 

    Virtru enables CMMC-compliant CUI storage and sharing with several of our products, including: 

    • Virtru for Gmail: Virtru provides client-side, end-to-end encryption for Gmail. Google Workspace can be configured for FedRAMP High, which meets the FedRAMP storage requirement, while Virtru allows for controlled, encrypted sharing outside of your organizational boundary.
    • Virtru for Microsoft Outlook: Virtru email encryption can be used in Microsoft 365 Commercial Cloud as well as its Government Cloud. To meet the highest level of CMMC security, attach any CUI as a file attachment, which will store it in Virtru’s FedRAMP authorized environment. What appears as an attachment to the recipient is actually a link to authenticate and access the encrypted, FedRAMP-stored data object.
    • Virtru Secure Share: Files stored in Virtru Secure Share are also located in Virtru’s FedRAMP-authorized cloud environment. This tool allows you to send and receive encrypted, access-controlled files, making it valuable for contractors who collaborate externally.
    • Virtru Private Keystore: For an added layer of control over your encrypted CUI, you can optionally choose to host your own encryption keys on-premises or in a virtual private cloud.

    It’s important to note that Virtru is FedRAMP authorized at the Moderate level and listed on the FedRAMP Marketplace. Other vendors that tout FedRAMP “equivalency” have not undergone assessment by a third-party assessment organization (3PAO); by choosing an “equivalent” vendor rather than an “authorized” one, you as the customer inherit the risk and the reporting responsibility in the event of a security incident. FedRAMP authorized organizations, by contrast, are thoroughly vetted and are responsible for incident reporting and management.

    Choose a Trusted Partner for Your CMMC Compliance Journey

    If you are pursuing CMMC compliance, Virtru will be just one piece of the puzzle. We are clear on exactly which controls we support (up to 27, detailed in the Virtru Shared Responsibility Matrix), and we do not overpromise on CMMC as some other vendors in the space do.

    That being said, Virtru is an effective and powerful CUI control that gives you flexibility in how you architect your CMMC strategy. Virtru allows you to scope and manage CUI sharing with FedRAMP authorized storage, providing platform-agnostic solutions that meet you where you work. 

    Contact our team today for a demo of our CMMC solutions. We’d love to talk further about your approach to compliance and how we can support you. 

    About the author: Megan Leader

    Megan is the Director of Brand and Content at Virtru. With a background in journalism and editorial content, she loves telling good stories and making complex subjects approachable. Over the past 15 years, her career has followed her curiosity — from the travel industry, to payments technology, to cybersecurity.
