New CMMC Rule: Treatment of Controlled Unclassified Information (CUI) in Transit

XQ + Meerkat Position Paper

Authors:

Chris Haigh, Meerkat Cyber

Brian Wane, XQ Message, Inc

The newly introduced CMMC rule provides clarity on handling CUI during transmission. Specifically, the rule states that a common carrier’s information system is outside the contractor’s CMMC assessment scope, as long as CUI remains properly encrypted throughout transit.

Key Implications

This clarification means that effective endpoint encryption, such as XQ’s Zero Trust Data solution, ensures that any system storing or transmitting encrypted CUI is excluded from the CMMC assessment scope. This aligns with logical security principles, as properly encrypted CUI poses no meaningful risk.

Endpoint Encryption as a Compliance Strategy

By implementing robust endpoint encryption, contractors can:

  • Ensure CUI remains protected during transit and beyond.

  • Minimize the systems subject to CMMC assessment, simplifying compliance.

  • Reduce operational and regulatory burdens while maintaining security.

Logical Consistency and Compliance

It would be inconsistent to treat properly encrypted CUI as a security risk. Recognizing the effectiveness of endpoint encryption not only reinforces compliance efficiency but also promotes a clear, risk-based approach to data protection.

Summary

The new CMMC rule reinforces the critical role of endpoint encryption in securing CUI in transit. By utilizing XQ’s Zero Trust Data solution, contractors can confidently mitigate CUI transmission risks, streamline compliance, and strengthen their overall security posture.
