u/Cold-Painting3562

▲ 10 r/CMMC

Cloud-only (GCC High), no VPN, remote workers on public/hotel Wi-Fi. Is Conditional Access + TLS enough for 3.1.12/3.1.16/3.1.17?

Fully cloud, no on-prem. Looking for anyone assessed with a similar setup.

Our environment:

  • CUI lives in GCC High + on Intune/BitLocker-managed laptops
  • Every session requires Conditional Access (compliant device + MFA)
  • All traffic to GCC High is TLS 1.2+/FIPS, end to end, regardless of network
  • Local Wi-Fi at HQ WPA3-Enterprise, internet-only, no on-prem resources behind it
  • Employees travel often, connect through hotel/public Wi-Fi, sometimes open

Our position:

  • Nothing in 3.1.12–3.1.15 requires trusted transport, only that the session be controlled/monitored/encrypted, which we do
  • Scoping 3.1.16/3.1.17 to our own Access Points, not networks we don't own public system / home office.
  • Leaning on DoD FAQ v5: B-A8 (ciphertext on unsecured "common carrier" networks is an accepted risk) and F-Q4 (encrypted CUI transiting networking components doesn't pull them into scope)
  • Not deploying a VPN, since the session is already fully protected independent of network

Questions:

  1. Did your C3PAO accept "no VPN" for a cloud-only org, or push back?
  2. Did public/hotel Wi-Fi come up as an issue at all, given B-A8/F-Q4?
  3. For 3.1.16/3.1.17, did assessors stay scoped to your own access points, or try to pull remote networks in?
reddit.com
u/Cold-Painting3562 — 4 days ago
▲ 3 r/CMMC

How do you keep consultants compliant in a CMMC L2 environment?

For anyone who's brought consultants into a CMMC Level 2 environment, how do you keep them authorized to work in your system?

Since they're consultants rather than employees, we can't run our own screening on them. Our current policy requires any contractor who will handle CUI in our system to hold a clearance, and we're treating that clearance as the screening control. Is that how others handle it, or is there a cleaner approach?

Separately, for consultants who only need email and won't touch CUI: is sensitivity labeling plus DLP enough to keep them out of scope? The idea is to use labels + DLP to stop CUI from ever reaching them so they stay outside the assessment boundary. Does that actually hold up, or are they still in scope just by having a mailbox in our GCC-High tenant?

Thanks in advance for any guidance!

reddit.com
u/Cold-Painting3562 — 11 days ago
▲ 12 r/CMMC

GCC High, fully cloud. How to meet AC. L2-3.1.16 / 3.1.17 without VDI or VPN?

We're a small DoD contractor, fully cloud-based in GCC High with no on-prem and a mostly remote workforce. All laptops are Entra-joined and locked down via Intune. Trying to nail down how others are satisfying the wireless controls (3.1.16 authorize wireless access, 3.1.17 protect with authentication + encryption) when there's no organizational wireless to point at remote workers connect to their own home/personal Wi-Fi we don't own / control. We know the connections to GCCH servers is always encrypted but still seems like we need to meet these controls.

What I've done so far: an Intune/PowerShell control on the endpoints that blocks open Wi-Fi and only permits WPA2/WPA3 connections to meet.

The core question: is this achievable WITHOUT VDI and WITHOUT a VPN? Connections from the endpoints to GCC High are always encrypted in transit, the devices are Entra-joined and hardened, and I know the January FAQ that encrypted CUI is still CUI so Network cannot be dismissed because of the TLS.

For those in a similar GCC High + remote posture: are you meeting 3.1.16/3.1.17 with just locked-down endpoints and encrypted transport, no VDI/VPN? And how did your C3PAO take that approach?

reddit.com
u/Cold-Painting3562 — 18 days ago