Earlier this month, the U.S. Department of Defense updated its Cybersecurity Maturity Model Certification (CMMC) Frequently Asked Questions (FAQ) to clarify the applicability of CMMC assessments when an organization handles Controlled Unclassified Information (CUI) in paper/hardcopy form only. This paper examines the substance of that clarification, its practical implications for defense contractors, and Atlantic Digital’s interpretation of the guidance in light of ongoing industry debate. 

Executive Summary

The Department of Defense recently clarified that organizations handling Controlled Unclassified Information (CUI) exclusively in hardcopy form are not required to undergo a CMMC assessment, provided the CUI is never processed, stored, or transmitted on a contractor-owned information system. This clarification affects assessment applicability, not safeguarding obligations. Contractors should review contract language carefully and approach “paper-only” scenarios with caution, as routine business practices often introduce digital CUI exposure.

What the DoD CMMC FAQ Says About Hard Copy CUI

The authoritative DoD CMMC FAQ (Version 4) explicitly includes the following question and answer, which is reproduced verbatim: 

“CQ10: Are CMMC assessments required for organizations that only handle hardcopy CUI?”

“CA10: No. Organizations that only handle hardcopy CUI should not be required to complete a CMMC Assessment. CMMC assessment requirements address cybersecurity related risk to CUI and apply only when the CUI is processed, stored, or transmitted on a contractor owned information technology system. Nonetheless, contractors are required to protect the hardcopy CUI. Per DoDI 5200.48, paragraph 1.1(b), any contractor or subcontractor that receives CUI is required to safeguard that information with Government training and safeguarding requirements.  

Additionally, if a contractor who was only provided hardcopy CUI plans to place the hardcopy CUI on an information technology system (e.g., scanned, entered, photographed, uploaded, printed, emailed), then that information technology system is subject to the applicable CMMC assessment requirements prior to the CUI being placed on the system.  

For organizations that handle paper CUI in addition to processing, storing, or transmitting CUI in a contractor owned information technology system, the necessary CMMC assessment will address both the paper CUI and the digital CUI, in accordance with the applicable NIST SP 800-171 security requirements…” (Defense CIO).

While the FAQ states that CMMC assessments will address both paper and digital CUI when an information system is in scope, this does not mean that hardcopy CUI is independently assessed outside the context of a contractor-owned information system. Rather, applicable NIST SP 800-171 controls (such as Physical Protection and Media Protection) are evaluated as they relate to safeguarding CUI within the assessed system boundary, while hardcopy-only CUI safeguarding requirements continue to be governed primarily by DoDI 5200.48 and contractual obligations. 

In summary, the FAQ clarifies that CMMC assessment requirements are tied to cybersecurity risk on contractor-owned IT systems. If CUI never touches such a system, a formal CMMC assessment is not required. However, this does not eliminate the safeguarding obligation: contractors handling only paper CUI remain responsible for complying with applicable physical protection and training requirements.

Business Process Implications

For many defense contractors, particularly those that do not handle CUI at all, the FAQ has limited practical impact, because the FAQ addresses assessment applicability, not contract scoping. In such cases, DFARS clause 252.204-7012 and the associated NIST SP 800-171 requirements generally do not apply because Covered Defense Information (including CUI) is neither processed, stored, nor transmitted on the contractor’s information systems. DFARS 252.204-7012 requires contractors to provide adequate security only when covered defense information resides on or transits through a contractor-owned information system or network (DFARS).  

NIST SP 800-171 establishes security requirements specifically for the protection of CUI when it is processed, stored, or transmitted by nonfederal information systems operated by organizations. While organizations may have separate obligations to safeguard CUI in physical form under other authorities, such as DoDI 5200.48, NIST SP 800-171 does not function as a comprehensive safeguarding standard for paper-only CUI absent an information system context (NIST).  

Consequently, organizations that neither receive CUI nor process covered defense information on their systems may fall outside the scope of these cybersecurity requirements.  Applicability ultimately depends on contract language and the scope defined by the contracting officer, not solely on operational practices (Acquisition). 

For contractors that receive CUI exclusively in hardcopy form and do not process, store, or transmit that CUI on any contractor-owned information technology system, the FAQ indicates that a CMMC assessment is not required. This clarification does not create a new self-attestation pathway, nor does it negate obligations imposed by DFARS clauses such as 252.204-7019 or 252.204-7020 when those clauses are included in a contract or flowdown. Whether self-assessment or certification is required remains dependent on solicitation language, contract requirements, and prime contractor flowdowns (Defense CIO).

Risk and Practicality: Atlantic Digital’s Perspective

While the FAQ may appear to reduce assessment burden in narrowly defined scenarios, Atlantic Digital advises contractors to approach this guidance cautiously. 

The DoD’s clarification should not be interpreted as a determination that paper CUI is inherently low risk. Physical compromise, including theft, loss, or unauthorized access to printed technical data, remains a documented and credible threat vector. The FAQ reflects a scoping decision about assessment applicability, not a reduction in safeguarding expectations. 

At the same time, the DoD appears to be balancing mission risk against practical constraints within the Defense Industrial Base (DIB), particularly for very small or specialized organizations. By limiting third-party assessment requirements to scenarios involving contractor-owned IT systems, the DoD is attempting to reduce compliance friction where cyber risk exposure is comparatively limited. 

This balance between defense-in-depth principles and practical scalability is at the heart of the current industry debate. Contractors should not assume that “paper-only” CUI handling constitutes a safe harbor, as contract terms, prime contractor requirements, and routine business practices frequently introduce digital CUI exposure.

Atlantic Digital Guidance to Contractors

Atlantic Digital recommends that organizations take the following steps:

  • Do not rely on the FAQ as a standalone compliance determination; contract language, solicitation requirements, and prime contractor flowdowns remain controlling. 
  • Treat paper-only CUI scenarios as fragile and easily invalidated by routine practices such as scanning, emailing, or collaboration. 
  • Maintain awareness of applicable Physical Protection and Media Protection obligations even when a third-party CMMC assessment is not required. 
  • Make deliberate scoping decisions to avoid unintended digitization that could trigger assessment requirements. 

The DoD CMMC FAQ does not modify DFARS clauses, override solicitation requirements, redefine CMMC levels, or create new compliance pathways. It is interpretive guidance intended to clarify assessment applicability, not a binding regulatory change.

Important Note

This article is provided for informational purposes only and reflects Atlantic Digital’s interpretation of publicly available DoD guidance. It does not constitute legal advice and does not replace contract-specific requirements, solicitation language, or direction from a contracting officer.

Conclusion

The DoD’s statement that a third-party CMMC assessment is not required for organizations handling only hardcopy CUI must be read with nuance. Assessment requirements are tied to cybersecurity risk on contractor-owned information technology systems. Hardcopy CUI remains subject to safeguarding obligations under DoDI 5200.48 and any applicable DFARS or NIST requirements when contractually required. Contractors should verify contract language and prime expectations carefully, recognizing that the FAQ provides clarification, not exemption, from security responsibilities. When uncertainty exists, deliberate scoping and early validation are far less costly than remediation later.