Stop. Your CMMC Scoping Strategy Might Be Built on Lies.
If you're counting on encrypted networks to keep assets out of scope, or assuming your VDI endpoints are safe by default, you're walking into a C3PAO assessment with a target on your back.
The DoW just dropped CMMC FAQ Revision 2.2 (January 2026), and it systematically dismantles five assumptions contractors are still using to shrink their assessment boundaries. These aren't edge cases. These are the shortcuts people take when they're trying to make CMMC cheaper or faster, and the DoW just said no.
Here's what's about to cost you your certification:
Myth 1: "We only handle paper CUI, so we're exempt forever"
The trap: The moment you scan, email, photograph, or type that paper CUI into any system, that system is now in scope. And the assessment covers both the digital handling and the paper CUI you thought was keeping you safe.
What contractors miss: "Occasional digitization" doesn't get you a pass. One scanned contract pulls your entire workflow into scope.
Fix it now: If your process involves any digitization (even quarterly), treat those systems as in-scope from day one.
Myth 2: "Encryption alone creates logical separation"
The trap: Contractors encrypt CUI traffic and claim the encrypted path logically separates their network, keeping non-CUI assets out of scope.
What the DoW says: Encryption protects confidentiality. It does not prevent data transfer. It does not enforce a security boundary. Logical separation requires actual network controls (firewalls, routers, VPNs, VLANs) that block unauthorized movement.
What contractors miss: You can have perfect encryption and still fail scoping because your network topology allows lateral movement.
Fix it now: Map your full data path. If you're relying on encryption to exclude systems from scope, you're exposed. Implement boundary controls at the network level.
Myth 3: "Our enclave is encrypted, so enterprise networking stays out of scope"
The trap: Contractors build isolated CUI enclaves, encrypt all outbound traffic, and assume the enterprise routers, switches, and firewalls are automatically excluded.
What the DoW says: Enterprise components can stay out of scope, but only if the enclave is otherwise logically separated. If there's any unprotected path, weak segmentation, or reliance on enterprise components for access control, those components are pulled into scope.
What contractors miss: "Otherwise logically separated" is doing a lot of heavy lifting in that sentence. If your enterprise network provides any access control or routing decisions for the enclave, it's in scope.
Fix it now: Verify logical separation with ruthless precision. Test every connection point. Document why enterprise assets have zero role in CUI access or movement.
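One way to "test every connection point" from the enterprise side, as an added example that is not from the DoW FAQ: a PowerShell reachability check run from a host on the enterprise network against the enclave, so the evidence shows the boundary, not just the encryption, is doing the separating. Hostnames, ports and the single allowed path are constructed placeholders; swap in your own inventory.

```powershell
# Added example (not from the DoW FAQ): run from a host on the ENTERPRISE side to
# verify that enclave services are unreachable there. Encrypted CUI traffic says
# nothing about this; only a firewall/VLAN/router boundary does.
# Hostnames and ports below are constructed placeholders.
$EnclaveTargets = @(
    @{ Host = 'cui-fileserver.enclave.example'; Port = 445;  Reason = 'SMB shares holding CUI' }
    @{ Host = 'cui-fileserver.enclave.example'; Port = 3389; Reason = 'RDP into the enclave' }
    @{ Host = 'cui-app.enclave.example';        Port = 443;  Reason = 'CUI web application' }
)
# The one path the enclave is ALLOWED to expose, through a documented, controlled
# entry point. Anything else reachable from here is a boundary gap.
$AllowedPaths = @(
    @{ Host = 'vdi-gateway.enclave.example'; Port = 443; Reason = 'VDI gateway (MFA-protected)' }
)

function Test-Boundary {
    param([hashtable[]]$Targets, [bool]$ShouldBeReachable)
    foreach ($t in $Targets) {
        # -InformationLevel Quiet makes Test-NetConnection return $true/$false for TCP reachability.
        $reachable = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
                         -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = "$($t.Host):$($t.Port)"
            Reason    = $t.Reason
            Reachable = $reachable
            # A blocked target that answers means the enterprise segment is a route into
            # the enclave, and the components on that route are in scope.
            Finding   = if ($reachable -eq $ShouldBeReachable) { 'OK' } else { 'UNEXPECTED' }
        }
    }
}

$Results = @(Test-Boundary -Targets $EnclaveTargets -ShouldBeReachable $false) +
           @(Test-Boundary -Targets $AllowedPaths   -ShouldBeReachable $true)
$Results | Format-Table -AutoSize
# Keep the dated output with your scoping documentation as assessor evidence.
$Results | Export-Csv -Path ".\boundary-test-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

A clean run only proves those TCP paths are blocked from that one vantage point; repeat it from each enterprise segment and pair it with a review of the actual firewall and VLAN rules.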
Myth 4: "VDI endpoints are out of scope because CUI lives on the server"
The trap: Organizations deploy VDI and assume the laptops or thin clients accessing it are automatically out of scope.
What the DoW says: An endpoint is out of scope only if it's configured to allow no processing, storage, or transmission of CUI beyond keyboard/video/mouse data. That configuration must be verified.
What contractors miss: Default VDI setups allow caching, local file mounts, printing, and screenshots. If any of those features are enabled, the endpoint becomes a CUI asset and is pulled into scope.
Fix it now: Audit every VDI feature. Disable copy-paste, file transfers, local printing, clipboard sync, drive mapping, and screenshot tools. Lock it down server-side so users can't bypass restrictions.
Myth 5: "Out-of-scope VDI means we don't need endpoint controls"
The trap: Even when endpoints qualify as "out of scope," contractors assume no hardening or MFA is required.
What the DoW says: The endpoint stays out of scope only if the VDI server blocks all data exchange beyond video/keyboard/mouse.
That requires:
Blocking copy-paste, file transfers, screenshots, saving, printing (except within compliant systems)
Transmitting only video, keyboard, and mouse data
Multifactor authentication to the VDI server (hardware token or PKI with PIN, separate from the unmanaged client)
Restricting access to authorized users and allowable locations
What contractors miss: "Out of scope" is not "no controls." It's "ironclad configuration verified during assessment." If the VDI isn't locked down, the endpoint is in scope and you must apply full NIST SP 800-171 controls there.
Fix it now: Test your VDI configuration aggressively. Assume a C3PAO will try to screenshot CUI, mount a USB drive, or print to a local device. If any of those work, you're non-compliant.
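To make the "audit every VDI feature" step from Myths 4 and 5 concrete, here is an added PowerShell audit (not from the DoW FAQ) that assumes the VDI is a Microsoft RDS session host and checks the Terminal Services policy registry values that govern the data-exchange paths the FAQ calls out. It reports any open path as evidence that the endpoint is in scope; the set of checks is an assumption, not a complete list.

```powershell
# Added example (not from the DoW FAQ): audit an RDS/Windows-based VDI session host
# for redirection features that would let CUI reach the endpoint. Assumes Microsoft
# RDS; the names are the Terminal Services policy registry values (1 = disabled).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Each check: policy value, the value that keeps the endpoint out of scope, and the
# data path that re-enabling it would open.
$Checks = @(
    @{ Name = 'fDisableClip';       Expect = 1; Feature = 'Clipboard redirection (copy/paste)' }
    @{ Name = 'fDisableCdm';        Expect = 1; Feature = 'Drive redirection (local file mounts / file transfer)' }
    @{ Name = 'fDisableCpm';        Expect = 1; Feature = 'Client printer redirection (local printing)' }
    @{ Name = 'fDisableLPT';        Expect = 1; Feature = 'LPT port redirection' }
    @{ Name = 'fDisableCcm';        Expect = 1; Feature = 'COM port redirection' }
    @{ Name = 'fDisablePNPRedir';   Expect = 1; Feature = 'Plug and Play device redirection (USB)' }
    @{ Name = 'UserAuthentication'; Expect = 1; Feature = 'Network Level Authentication required' }
)

$Findings = foreach ($c in $Checks) {
    $actual = (Get-ItemProperty -Path $PolicyKey -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    # No policy value means Group Policy is not enforcing the setting; the feature is
    # then governed by local RDP-Tcp configuration, which must be checked separately.
    $state = if ($null -eq $actual) { 'NOT SET (no policy enforcement)' } else { $actual }
    [pscustomobject]@{
        Setting   = $c.Name
        Feature   = $c.Feature
        Actual    = $state
        Compliant = ($actual -eq $c.Expect)
    }
}

$Findings | Format-Table -AutoSize

if ($Findings.Where({ -not $_.Compliant }).Count -gt 0) {
    Write-Warning 'Open data-exchange path(s) found: endpoints connecting to this host are IN scope.'
    exit 1
}
Write-Host 'All checked redirection paths are blocked; keep this output with your scoping evidence.'
```

Screenshot blocking, session-host MFA (hardware token or PKI with PIN) and location restrictions are not expressed by these registry values and need their own evidence.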
Why This Matters Right Now
These five clarifications are closing loopholes contractors are still using in gap analyses and pre-assessment scoping.
The pattern is unmistakable:
The DoW is not accepting shortcuts on logical boundaries
Scoping shortcuts will trigger major non-conformities
Encryption, isolation, and VDI do not automatically shrink your assessment scope
If your current scoping strategy relies on any of these myths, you have a choice: rework it now while you control the timeline, or wait until a C3PAO shows up and discovers the gaps during a formal assessment.
The second option is the most expensive way to learn this lesson.
Action Steps for 2026:
Audit your scoping assumptions: Are you relying on encryption, paper-only workflows, or VDI to exclude assets?
Test logical separation rigorously: Verify that network boundaries enforce separation, not just encrypt traffic.
Lock down VDI configurations: Disable every feature that could move CUI to endpoints.
Document everything: When a C3PAO questions your boundary, you need evidence that separation is real.
Source: DoW CMMC FAQ Revision 2.2 (January 2026)
Disclaimer: This is a paraphrased summary for practical application. Always refer to the official DoW FAQ document at the DoW CIO website for authoritative guidance.