A common misconception in defense contracting: if you encrypt CUI, it stops being CUI. It does not.
The DoD addressed this directly in the CMMC FAQ (B-Q8):
Is encrypted CUI still considered to be CUI? In accordance with 32 CFR Part 2002, CUI remains controlled until it is formally decontrolled. Encrypted CUI data retains the control designation given to the plain text counterpart.
What “formally decontrolled” means
CUI does not lose its status because you applied a technical control. Encryption is a safeguard, not a decontrol action. Under 32 CFR Part 2002, only the authorized holder or originator can decontrol CUI through a formal, documented process.
Your encrypted emails, encrypted file storage, and encrypted backups are all still CUI. Every system that touches that data, even in its encrypted form, is in scope for your CMMC assessment.
Why this catches contractors off guard
Here is the scenario that trips people up:
- A contractor encrypts CUI before sending it over email
- The contractor assumes the encrypted version is no longer controlled
- The email system handling the encrypted message is excluded from the CUI boundary
- The C3PAO asks about that email system during assessment
- The contractor fails the assessment
The FAQ makes the DoD position clear: while certain transmission risks are accepted for ciphertext that would not be accepted for plaintext, the data remains controlled. Encryption protects the content. It does not change the control designation.
What this means for your email and file storage
If CUI passes through your email system, that email system is in your CMMC assessment scope, whether the CUI is encrypted or not. The same applies to file storage. If you store encrypted CUI on a file server, that server is in scope.
This is why “just encrypt it” is not a compliance strategy. Encryption is one control among many. You still need:
- Access controls on the systems handling encrypted CUI
- Audit logging of who accessed, sent, or modified that data
- Data loss prevention controls that block unauthorized transmission
- MFA enforcement on every account that touches CUI systems
- US-based infrastructure for data residency requirements
The practical takeaway
Do not scope your CUI boundary based on whether data is encrypted. Scope it based on where CUI exists in any form, plaintext or ciphertext.
If your email provider handles CUI, that provider is in scope. If your file storage holds encrypted CUI, that storage is in scope. Plan your compliance architecture accordingly.
This is how IRONKEEP is built. Every component that touches your data, encrypted or not, meets CMMC Level 2 controls. Encryption is one layer of protection, not an excuse to skip the others.