
What the May 2026 CMMC FAQ Means for Contractors Handling CUI

By Juan Salinas, CCP


    The Department of War’s May 2026 update to the CMMC Frequently Asked Questions offers more than minor clarification. For contractors preparing for CMMC Level 2, it provides a clearer signal about how the Department is thinking about scoping, cloud usage, external collaboration, ongoing compliance, and the protection of Controlled Unclassified Information (CUI). The message is straightforward: protecting CUI is not just about where it is stored. It is about how it is controlled wherever it moves.

    For many organizations, that is where the hardest problems begin. CUI often moves across tenants, subcontractors, suppliers, mentors, external partners, and cloud environments. The latest FAQ helps sharpen the distinction between encryption and actual control, between secure storage and secure collaboration, and between theoretical boundaries and technically enforced protections.

    CMMC is Here Now, and Level 2 Readiness Cannot Wait

    One of the clearest takeaways from the FAQ is timing. The Department began incorporating CMMC requirements into applicable procurements on November 10, 2025, and implementation is already underway. While the early phases emphasize self-assessments more heavily, the market is moving toward broader use of Level 2 independent assessments beginning November 10, 2026.

    That means contractors handling CUI should not treat CMMC as a future planning exercise. The right time to prepare for Level 2 is now, especially for organizations that expect to collaborate across multiple environments or support external access to sensitive information.

    NIST SP 800-171 Rev. 2 Still Governs CMMC Level 2 Assessments

    The FAQ also reinforces an important point that many contractors still misunderstand: CMMC Level 2 assessments are still conducted against NIST SP 800-171 Revision 2. The Department has said it plans to move to Revision 3 through future rulemaking, and organizations can begin implementing Revision 3 now, but they still need to ensure they are assessable against Revision 2 in the meantime.

    For contractors, the practical takeaway is simple. Modernizing your program around Revision 3 may be a smart long-term move, but it does not remove the need to meet the assessable standard that exists today.


    Scope, SSP Quality, and External Providers are Central to Level 2 Success

    The strongest theme running through the FAQ is scope. CMMC outcomes depend on understanding which systems, services, users, and data flows are actually part of the assessment boundary.

    That begins with the System Security Plan (SSP). The FAQ makes clear that an inadequate SSP can result in No Score, which is a powerful reminder that CMMC is not just a technical implementation exercise. Organizations need to be able to explain their architecture, document how requirements are met, and keep those descriptions current as the environment changes.

    External providers matter here too. MSPs, MSSPs, and other external service providers may still affect assessment scope even if they do not directly receive CUI, especially when they manage security tooling or handle security protection data. For contractors relying on outsourced IT or managed security, the question is not simply whether those providers hold your data. It is whether they are part of the systems and services protecting it.

    Material Change Does Not Mean Every Technology Change Triggers Reassessment

    The FAQ also helps clarify one of the biggest ongoing compliance questions contractors have: what actually counts as a significant or material change?

    The answer is not “every tool swap.” Routine maintenance, patching, and replacing a security solution with a like-for-like or stronger capability generally are not treated as significant changes on their own. But if a change introduces new functionality, brings in previously unassessed systems or tools, or makes a previously non-applicable requirement applicable, reassessment may be required.

    That matters because many organizations are thinking through system migrations, cloud changes, tool consolidation, and security stack modernization right now. The FAQ makes clear that change management is not just operational hygiene — it is part of maintaining CMMC status. Security impact analysis, updates to the SSP, documented review of CUI flow, and input from the Affirming Official all become critical if an organization wants to maintain continuing compliance without creating unnecessary reassessment risk.

    Encrypted CUI is Still CUI

    One of the most important clarifications in the FAQ is that encrypted CUI remains CUI until it is formally decontrolled. That point has major implications for compliance strategy. Encryption is essential, but it does not eliminate safeguarding obligations. If the underlying information is CUI, the encrypted form of that information remains controlled.

    This matters because too many organizations still treat encryption as though it changes the nature of the data. It does not. The real compliance question is not simply whether the data was encrypted. It is whether the organization can still control who accesses it, under what conditions, and what happens after it is shared.

    That is one reason data-centric protection is becoming more important in CMMC conversations. No single product determines whether an organization is compliant, but solutions that extend protection to the data itself can strengthen an organization’s ability to maintain control after sharing. This is where Virtru fits naturally. Virtru helps organizations apply persistent protection to files and messages, with controls around access, sharing, revocation, and visibility that continue after the data leaves its original repository.

    Encryption Alone Does Not Create Logical Separation

    The FAQ also directly states that encryption alone does not create logical separation. This is an important correction to a common misconception in enclave and scoping strategies. Encryption protects confidentiality, but it is not a substitute for segmentation, routing controls, firewall policy, VPN architecture, or other mechanisms that actually define and enforce a boundary.

    That distinction matters for how security tools should be positioned. Virtru is not a replacement for enclave design, segmentation, or compliant cloud architecture. It is best understood as a complementary protection layer. Where architecture defines and protects the environment, Virtru helps maintain control over the CUI that moves through and beyond it.

    Cloud Requirements Still Apply, Even When Data is Encrypted

    The FAQ makes another key point for organizations relying on cloud platforms: a non-FedRAMP Moderate cloud offering cannot store encrypted CUI simply because the data is encrypted. In other words, encryption is not a shortcut around cloud compliance requirements.

    That has direct implications for cloud strategy. If a cloud environment is storing, processing, or transmitting CUI in support of contract performance, it still needs to meet the applicable FedRAMP Moderate or equivalency requirements.

    This is also where Virtru’s cloud posture matters. Virtru is FedRAMP Authorized, which gives contractors an option for incorporating persistent data protection into secure collaboration workflows in environments where federal and defense-related cloud requirements matter. That does not remove the customer’s responsibility to ensure that the broader environment is appropriately designed and scoped for CUI, but it does mean Virtru can operate as part of a compliant cloud strategy rather than as a workaround for one.

    VDI and Endpoint Scope Guidance Is One of The Most Practical Updates in the FAQ

    The FAQ’s new scoping guidance around VDI is especially valuable because it clarifies how the Department is thinking about endpoints. An endpoint can remain out of scope only if it is configured so that it does not process, store, or transmit CUI beyond keyboard, video, and mouse interaction. The FAQ specifically points to controls such as blocking local drive access, printing, copy/paste, screenshots, and file transfer.

    That guidance highlights a broader principle that applies well beyond VDI: scope depends on what actually happens to the data. If an endpoint takes possession of CUI, retains it locally, or meaningfully processes it outside the controlled environment, the scoping argument becomes much harder. If it does not, there may be a defensible case for keeping that endpoint out of scope.

    The Real CMMC Challenge is Secure Collaboration

    Taken together, the FAQ points toward one of the biggest practical issues in CMMC Level 2: secure collaboration. Some of the hardest CMMC problems do not show up in static storage environments. They show up when CUI has to be shared with subcontractors, suppliers, mentor organizations, external users, or cross-tenant collaborators.

    That is where organizations need stronger answers than repository permissions alone can provide. Who can access the data? Is the access view-only, or can the recipient download it? What happens if the file leaves the original tenant? Can access be revoked later? Is there an audit trail showing who accessed the content and when?

    These are exactly the types of questions that make persistent protection relevant. Virtru’s secure sharing and data protection capabilities are designed for scenarios where organizations need to maintain control after the moment of sharing. Solutions like Virtru Collaborate and Data Harbor help organizations share sensitive information more securely across organizational boundaries, while capabilities like Data Protection Gateway and Private Keystore support stronger policy enforcement and customer-controlled key management for protected content.

    The value is not that these tools replace segmentation, identity, or compliant cloud infrastructure. It is that they help reduce the security gap between storing CUI securely and collaborating on it securely.

    Where Virtru Fits in a CMMC Level 2 Strategy

    The latest FAQ reinforces a simple but important reality: protecting CUI is not just about where it sits. It is about maintaining control over it wherever it goes.


    That is where Virtru fits best in the CMMC conversation. Not as a shortcut to compliance, and not as a substitute for scope discipline or architecture, but as a way to extend protection to the data itself. For organizations that need to collaborate across tenants, share with external parties, reduce the risk of downloaded files, or preserve access control beyond the perimeter, that can be a meaningful part of a broader Level 2 strategy.

    The May 2026 CMMC FAQ confirms something many contractors are already discovering firsthand: it is not enough to secure the system where CUI starts. You also need a strategy for securing the data after it moves.


    Juan Salinas is the Manager of Solutions Engineering at Virtru, where he helps organizations align their technology implementations with their security and compliance goals. As a Certified CMMC Professional (CCP), Salinas specializes in guiding OSCs through layered requirements of the CMMC framework.
