▲ 13 r/CMMC

C3PAO Shopping

From where we sit on the buyer's side of a C3PAO engagement, the questions CMMC L2 clients bring to the table are almost always the same two: What does it cost & when can you start? Those are fair questions but they don't protect you.

The CyberAB session this afternoon included a slide with a set of questions to ask a C3PAO that also included 1. operating locations (having assessors near your business keeps costs down if a site visit is needed), 2. fee structure (what do you owe if the assessment cannot move forward or if it takes longer than anticipated), & 3. sector experience (familiarity with businesses like yours can make the assessment a lo easier).

Then three questions at the bottom of the slide, set apart in bold, that most OSAs never think to ask:

1. When does your DIBCAC three-year assessment period expire?

The so what: A C3PAO has to itself pass a DIBCAC assessment of its own environment to become & stay authorized. That assessment carries a validity window. If a C3PAO's own DIBCAC standing lapses, its ability to deliver certifications is in question. You care because an assessor whose own clock is near expiry may lose standing during or after your engagement, putting the validity of your certification at risk.

2. Is there anything in your corporate future that would affect your FOCI status?

The so what: Authorization in the DIB depends on a non-disqualifying FOCI determination from DCSA, reassessed every three years. This question probes pending acquisitions, investment, or ownership changes. Under 32 CFR 170, a C3PAO must report any change to its SF 328 within 15 business days, & a disqualifying determination pulls authorization. So a corporate event on their side, one you have no visibility into & no control over, can strand your assessment mid-cycle.

3. How many months are left in your 27-month Authorization period?

The so what: Separate from the DIBCAC clock. A C3PAO's authorization from the accreditation body runs on a defined term. The slide names 27 months. If few months remain, you risk starting an engagement with an assessor whose authorization expires before your certification is complete or before a needed follow-on step. You care because you need the assessor authorized through the full lifecycle of your engagement, not just at kickoff.

That's the buyer-side read the checklist doesn't give you. You can prepare well, scope well, pass well, & still get stranded if the assessor's own authorization runs out mid-cycle or their corporate standing shifts under them. Their clock is your risk.

When we vet a C3PAO for a client, continuity sits next to competence. We want to know the assessor will still be standing / still authorized, on the other side of the engagement.

reddit.com
u/ResilientTechAdvisor — 5 days ago

[HIRING] AWS GovCloud Engineer | Contract | Fractional | Remote | 90 days | $9,000

AWS GovCloud Engineer | Contract | Fractional | Remote | 90 days | $9,000

About the Role

ResilientTech Advisors is sourcing a hands-on cloud engineer for a 90-day contract engagement supporting a venture-backed technology client. This is a fully remote role.

What You’ll Do

• Build and execute within AWS GovCloud environments
• Implement and maintain IL4 boundary requirements
• Own build tasks under senior technical oversight
• Communicate technical decisions and progress to management-level stakeholders

What You Bring

• Hands-on experience working in AWS GovCloud
• Practical experience with IL4 boundary implementation or similar compliance environments
• Ability to translate technical concepts clearly for non-technical stakeholders
• AWS Certified Solutions Architect Professional or AWS Certified Security
Specialty preferred

Engagement Details

• Compensation: $9,000 total, paid on a milestone basis upon successful delivery of agreed deliverables
• Interviews: Conducted virtually
• Important: This position involves access to export-controlled technology and data. Any offer will be contingent upon the candidate’s eligibility to work in compliance with U.S. export control regulations.

To Apply, submit your resume to candidates@resilienttechadvisors.com

reddit.com
u/ResilientTechAdvisor — 10 days ago

VDOT Program Manager / Contract / Hybrid, Mechanicsville, VA / $160,000-$180,000/yr.

VDOT Program Manager / Contract / Hybrid, Mechanicsville, VA / $160,000-$180,000/yr.

Responsible for planning, organizing, & motivating a diverse program team throughout the development & delivery process, including all phases of projects & delivery management.

In-person interview required.
Contract, anticipated 07/01/2026-06/30/2027.

Key responsibilities:
-Assist in team development while holding teams accountable for their commitments & removing roadblocks.
-Facilitate multi-disciplinary teams in the development of plans, goals, objectives, policies, & procedures for completion of a program.
-Oversee & manage execution & coordination of day-to-day program activities as required.
-Manage working relationships with key stakeholders, including executive management, business management, vendors, program sponsors, suppliers, & technology management.
-Set program goals that are consistent with technical objectives & the agency’s overall technology strategy.
-Track & communicate program progress from a schedule, cost, & risk perspective to the program team, customers, & program stakeholders.
-Collaborate with peer Program Managers on Tolling program projects.
-Drive consistent program delivery through the full program lifecycle, including procurements, program plans, resource allocation, program risks, scope, schedule, delivery of value, & transitions to operations.
-Develop & maintain program plans, task lists, schedules, risks, status, resource allocation, & schedules.

Required experience:
-5 years of experience managing people & large programs & a bachelor’s degree.
-5 years of experience with DevOps methodologies, including CI/CD pipelines & version control systems.
-5 years of strong knowledge of Agile, Scrum, & software development lifecycle methodologies.
-5 years of demonstrated ability to manage application lifecycle activities, including maintenance, enhancements, & modernization initiatives.
-5 years of experience with both Agile & Waterfall program management principles & practices.
-5 years of the ability to blend both Agile & Waterfall program management in the right proportions to fit a particular program & business environment.
-10 years of overall IT experience.
-Fluency in MS Office tools such as Microsoft Project, Visio, & Office.

Desired experience:
-5 years of proven ability to assess candidate qualifications, competencies, & cultural fit to build high-performing teams.
-5 years of fluency in MS Office tools such as Microsoft Project, Visio, & Office.

Highly desired experience:
-5 years of working knowledge of security standards, regulatory requirements, & compliance frameworks, such as PCI.
-5 years of experience supporting internal & external audits & implementing IT governance best practices.

Preferred experience:
-Experience with Program Management Office methodologies & practices.
-PMP Certification.
-Tolling experience.

Send your resume to candidates@resilienttechadvisors.com

reddit.com
u/ResilientTechAdvisor — 12 days ago

IT Business Analyst / Contract / Hybrid (1 day a week on-site) in Richmond, VA | $80,000–$90,000 annually

We're looking for an IT Business Analyst / Contract / Hybrid (1 day a week on-site) in Richmond, VA | Pay is $80,000–$90,000 annually.

Contract status:
Contract role with an anticipated start date of July 1, 2026 and end date of June 30, 2027.

The IT Business Analyst will provide business, financial, and procurement support for the Information Technology Division.

Location and work arrangement:
-Hybrid schedule with one required in-office day per week in Richmond, Virginia. Additional on-site attendance may be required for meetings, training, or operational needs. Candidates must reside within a reasonable commuting distance of the Richmond metropolitan area. An on-site, in-person interview is required.

Key responsibilities:
-Serve as a liaison between procurement, finance, and operational teams
-Support timely processing of invoices, accounts payable transactions, and IT procurement activities
-Review and process invoices
-Reconcile vendor accounts
-Monitor expenditures and track payment activity
-Support budget management efforts
-Receive and process payments within prompt payment guidelines
-Track and produce analytic reports to measure productivity
-Support administrative duties for the division and VDOT offices around the state
-Process invoices, respond to procurement inquiries, and reconcile vendor issues
-Work closely with finance to track payments in process and tie them to expenditures and the overall budget
-Support acquisition and payment of IT goods and services

Required experience:
-5 years of experience reviewing, reconciling, and processing invoices and vouchers while ensuring compliance with prompt payment requirements
-5 years of experience managing goods and services procurements in a large, multi-dimensional business environment
-5 years of extensive experience using computers and Microsoft 365 applications, including Excel pivot tables and complex spreadsheets
-5 years of customer service experience with broad audiences, professionals, vendors, team members, and executive staff
-5 years of general knowledge of accounting practices and financial management
-1 day in office and must be able to provide transportation to attend mandatory trainings on site when required
Highly desired experience:
-3 years of knowledge of procurement processes, vendor management, and applicable state and agency procurement regulations
-5 years of Commonwealth of Virginia procurement knowledge and applied experience
-1 year using the eVA ordering system
-1 year of experience with the Cardinal financial system

Send your resume to candidates@resilienttechadvisors.com if you are interested in this role.

ResilientTech Advisors is a military veteran-owned, Virginia-registered SWaM firm.

reddit.com
u/ResilientTechAdvisor — 13 days ago
▲ 0 r/rva

IT Security Role in RVA!

We are looking for an IT Security Analyst 2 | Contract | On site in the Richmond Area | $40-45/hour.

This is a state-level contract role supporting agency information security operations, security projects, audits, vulnerability coordination, and documentation.

Important: This role is on site and requires candidates to be in or commutable to the Richmond, VA area.

Key responsibilities include:
-Monitoring and advising on information security issues related to agency systems and workflows
-Coordinating and executing IT security-related projects
-Coordinating response to information security incidents
-Developing and publishing security policies, procedures, standards, and guidelines
-Creating and maintaining user security awareness materials
-Preparing IT security documentation, agency notifications, web content, and alerts

Required experience:
-5 to 8 years of experience in the IT security field
-Experience conducting campus-wide data classification assessments, security audits, and remediation planning
-Experience ensuring internal IT security controls are appropriate and operating as intended

Highly desired:
-Experience collaborating with IT management, Internal Audit, and VITA to manage security vulnerabilities

Send your resume to candidates@resilienttechadvisors.com

We have lots of roles in the Richmond area, so if this one isn;t a fit, feel free to send your resume to us!

reddit.com
u/ResilientTechAdvisor — 14 days ago
▲ 20 r/CMMC

Going for CMMC L2? Tips to avoid L2 assessment jump scares & failures

If you're an Organization Seeking Certification (OSC), here's some straight talk from a Lead CCA who does assessments and readiness consulting.

As of the May CyberAB data there are 1,391 final CMMC Level 2 certifications and 47 conditional - meaning only a small number of OSCs have successfully made it through to the other side so far. The assessor community is also talking about a very specific theme - many organizations are just not ready.

So, I'm popping in here to share some helpful context and tips in three parts.

TLDR - You do not have to tackle readiness solo and you don't have to experience jump scares like you're in a horror movie.

Part 1. Professional support can dramatically improve your outcomes. Options scale to your timeline and budget:

High-level advisory - scoping, gap analysis, compliance strategy, and guidance. Keeping their hands off the keyboard helps keep the costs down. The first few questions that this person or people should be asking you need to be about your CUI business processes and data flows. If the first few questions are about technology instead it's a red flag (or at least a dark pink one).

Hybrid - advisory plus limited implementation help. This one will be a little bit more expensive but if you don't have a lot of people in-house who can roll up their sleeves and get busy, then it's a viable option.

Hands-on, shoulder-to-shoulder - fully embedded implementation. This is more expensive but it can really accelerate things, especially if you don't have people in-house who can do the work or who are trying to do this work while they do their other "regular" work. Just make sure you have someone in-house or a consultant to oversee the direction of where things are going. That person needs expertise on the CMMC compliance side and the technical implementation team needs to accept direction from them. CMMC is not an engineering project.

Part 2. Sharing notes on credentials & experience:

It is not required for a readiness consultant to hold RP, RPA, CCP, CCA, or LCCA credentials. Many experienced practitioners have been in the NIST 800-171 implementation space for years and they don't have any of these credentials. It doesn't make their support any less valuable.

That said - It can be super helpful to work with someone who has led CMMC assessments when preparing for your own. These folks will be lead CMMC certified assessors (LCCA). Note: CMMC certified professionals (CCP) have clear limitations on what they can do during official assessments. And they definitely cannot perform assessments unless they are under the supervision of a lead CCA. Word to the wise: verify the readiness consultant's current credentials/status using their first and last name in the CyberAB CMMC Marketplace before engaging. Here's a link to the CyberAB website. From there you can go to the Main menu and select "CMMC marketplace" https://cyberab.org/. Unfortunately, there are only 562 LCCAs (as of May) but the good news is that some of us do readiness consulting because we enjoy the readiness journey and helping others navigate it. Note: an LCCA who helps you get ready for an assessment cannot turn around and be your assessor after that

Caution - some of the folks in the assessor community have noted that a few consultants (including some CCPs) have been overly aggressive during assessments. Choose a partner who prepares you to collaborate with assessors effectively. Readiness consulting and acting as an assessor are separate roles with clear boundaries and a good consultant prepares you to work with your assessment team, not against them

Part 3. The best way to avoid horror movie-type jump scares is by doing a mock assessment. So please invest in doing that. You can do a mock assessment with the C3PAO you've selected for your real assessment. You'll get a clear picture of your readiness gaps which you can then take to a readiness consultant who can help you plug the holes ahead of your real assessment. Knowable - even if the C3PAO you hire for your real assessment does your mock assessment, they can't help you fix anything.

Don't make the journey harder than it needs to be.

I know that I've shared a lot in this post, so if you have questions about any of this, feel free to drop them here.

reddit.com
u/ResilientTechAdvisor — 15 days ago
▲ 0 r/hipaa

The PHI protection travels

If your company is a Health IT company and you are thinking of using offshore resources. No problem. Here are a few things to consider:

HIPAA follows the PHI - controls must travel with the data, regardless of remote/offshore location.

Core Requirements for Support Staff

• BAAs: Required for any vendor/subcontractor handling PHI; include flow-downs and breach notification.

• Safeguards:
-Admin: Training, role-based access (minimum necessary), sanctions.
-Physical: Secure devices/workspaces.

• Technical: Encryption, VPN/RDP + MFA, audit logs, access controls.

Priorities for PHI protection: Least-privilege permissions, audited secure access, BAAs + vendor monitoring, data minimization.

Offshore notes: Allowed with strong risk analysis, enforceable BAAs, and ongoing audits. Higher enforcement risk - address via contracts and controls.

What works / avoid:

• Works: Vetted #HIPAA vendors, zero-trust access, regular log reviews.

• Avoid: Broad access without monitoring, weak BAAs, “trust-based” setups.

u/ResilientTechAdvisor — 22 days ago
▲ 2 r/CMMC

Would you expect a visit to your home? (Alt Worksite vs Facility in Scope)

Imagine that you're a small business pursuing your CMMC Level 2 certification and one of your CUI servers with backups is in your house.

Would you expect the assessor to treat your home as an alternate worksite or a facility in scope?

If you're thinking "facility in scope", would you agree to a site visit part of the assessment plan?

The CAP tells the C3PAO to decide which security objectives can be assessed virtually and which should be validated in‑person on the OSC premises especially for physical and environmental controls and certain implementation evidence.

View Poll

reddit.com
u/ResilientTechAdvisor — 30 days ago
▲ 1 r/msp

Your MSP might be a CSP (and here’s when that matters)

\*Previous post deleted and updated for clarity and a less controversial title. Still: In the meeting, the CyberAB claimed that true MSPs are relatively rare in the DIB. They used the phrase "edge case."\*

Updated post: This week’s CyberAB Town Hall highlighted something we see OSCs get wrong constantly: misclassifying their External Service Providers.

The short version: if your provider both 1) offers its own cloud platform that meets the NIST SP 800‑145 cloud definition and 2) that platform processes, stores, or transmits CUI, then it is a CSP under 32 CFR Part 170 and DFARS 252.204‑7012 FedRAMP Moderate (or equivalency) comes into play.

Per the Level 2 Scoping Guide, an ESP is a CSP only when it provides its own cloud services based on the 800‑145 model; an ESP that just manages your tenant in AWS, M365 GCC(H), etc., or supports on‑prem gear is a Managed Service Provider, not a CSP.

So:
• If your MSP does not run its own multi‑tenant cloud platform, it’s an MSP/ESP, not a CSP. It can still be in scope as a CUI Asset or Security Protection Asset and may need its own CMMC assessment, but FedRAMP isn’t automatically triggered.\[Attachment\]
• If it does run such a platform and that platform handles CUI, treat it as a CSP and expect FedRAMP Moderate/equivalent or a Level 2 CMMC certificate.

reddit.com
u/ResilientTechAdvisor — 1 month ago
▲ 4 r/CMMC

Your MSP might be a CSP (and here’s when that matters)

Previous post deleted and updated for clarity and a less controversial title.

This week’s CyberAB Town Hall highlighted something we see OSCs get wrong constantly: misclassifying their External Service Providers.

The short version: if your provider both 1) offers its own cloud platform that meets the NIST SP 800‑145 cloud definition and 2) that platform processes, stores, or transmits CUI, then it is a CSP under 32 CFR Part 170 and DFARS 252.204‑7012 FedRAMP Moderate (or equivalency) comes into play.

Per the Level 2 Scoping Guide, an ESP is a CSP only when it provides its own cloud services based on the 800‑145 model; an ESP that just manages your tenant in AWS, M365 GCC(H), etc., or supports on‑prem gear is a Managed Service Provider, not a CSP.

So:
• If your MSP does not run its own multi‑tenant cloud platform, it’s an MSP/ESP, not a CSP. It can still be in scope as a CUI Asset or Security Protection Asset and may need its own CMMC assessment, but FedRAMP isn’t automatically triggered.[Attachment]
• If it does run such a platform and that platform handles CUI, treat it as a CSP and expect FedRAMP Moderate/equivalent or a Level 2 CMMC certificate.

reddit.com
u/ResilientTechAdvisor — 1 month ago
▲ 3 r/CMMC

Your MSP is probably a CSP

This week’s CyberAB Town Hall covered something we see OSCs get wrong constantly: misclassifying their MSP.

The short version: if your MSP hosts its own platform, it’s probably a CSP, and that drags FedRAMP Moderate (or equivalency) into your scope under DFARS 252.204-7012.

The CyberAB was blunt about it: a true MSP that processes, stores, or transmits CUI is rare in the DIB. Most providers people call MSPs that touch CUI turn out to be CSPs once you run the test.

The test, per NIST SP 800-145 (incorporated into 32 CFR Part 170): a provider is a CSP if their platform shows all five of these:

  1. On-demand self-service: OSCs can unilaterally provision capabilities automatically
  2. Broad network access: capabilities are available over the network and easily accessible
  3. Resource pooling: multiple consumers are supported via a multi-tenant model
  4. Rapid elasticity: capabilities can be scaled quickly and automatically
  5. Measured service: resources are controlled and optimized by a metering or measuring capability

Remember if the CSP processes, stores, or transmits CUI, it has to be FedRAMP Moderate or equivalent per DFARS 252.204-7012. If the MSP truly does not process, store, or transmit CUI or security protection data, then FedRAMP Moderate/equivalent is not required.

reddit.com
u/ResilientTechAdvisor — 1 month ago
▲ 7 r/CMMC

Why would any OSC say they need to reassess?

According to the new FAQs, "significant change" and the need for a reassessment are being left in the hands of the OSCs. Wondering what the thought process is here. If you're a student of game theory, you would probably conclude that the decision will more often than not be "I don't need a reassessment."

ETA: here's a link to the May 2026 FAQs https://dowcio.war.gov/Portals/0/Documents/CMMC/CMMC-FAQsv5.pdf

reddit.com
u/ResilientTechAdvisor — 2 months ago
▲ 7 r/CMMC

Mocking

For those of you who passed your CMMC level 2 and you did a mock assessment before your live assessment, did you find the mock assessment to be helpful?

reddit.com
u/ResilientTechAdvisor — 2 months ago
▲ 32 r/defensecontracting+1 crossposts

We attended the CyberAB Town Hall this week and they indicated that there is a lot of misunderstanding around the November 2026 deadline. Some people are under the impression that they have to have a C3PAO assessment done by November 2026.

The November "deadline" is not a hard deadline the way people are characterizing it. CMMC is a phased approach. The ecosystem is currently in phase 1 where self assessments are the focus. In November 2026, C3PAO assessment requirements will *begin* appearing in contracts as a rule rather than the exception.

Anyone who has a C3PAO assessment requirement in their contracts already knows. The primes already sent notices out. Some primes have even set their own deadlines in advance of November 2026 and others are using November 2026 as their deadline.

CMMC compliance can be expensive and it can be what many would call "painful." However, companies within the ecosystem have had more than a decade to prepare and some have been saying that they were compliant anyway as they were delivering on contracts. (insert wink here)

Sharing a few related thoughts...

Money-

For businesses in the defense industrial base, it's important to understand what work you want to pursue or continue delivering and what you're willing to invest to be able to do it. That's the very first part of the calculus: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2026/cmmc-as-a-business-design-decision-part-1-decide-what-work-you-want

Knowing what and when-

If you're a sub already delivering on DIB contracts and you're not sure if / when you need to be CMMC compliant and to what level (L1 or L2), reach out to your Prime and have a conversation.

Get help if you need it-

If you've decided that you're going to pursue DIB work, do not go it alone - *if you don't have a CCP or a CCA on staff*, hire an implementation consultant. The consultant should do a deep dive with you on your CUI business processes so that they can help you with scope.

Scope-

*Scope is where a lot of organizations fall down.*

Remember that scope is a noun and a verb in the CMMC world. And, it's a single most important word in your CMMC journey: You need to make sure that you've identified all of the people, processes, and technology that store, process, or transmit CUI - and you need to separate them from everyone and everything else.

Some organizations don't even make it out of the pre-assessment phase to be able to move forward with their assessment because of improper scoping.

Engineering-

Do not treat CMMC as an engineering project. CMMC is a compliance program. The technology is typically the least challenging part. If you let engineers lead your CMMC compliance journey, you probably will not be successful. Compliance and engineering need to work hand-in-hand.

Think "minimum necessary" when purchasing or designing your CUI environment - do not gold plate or allow tinkering with the environment after you've decided on the design. *Freeze* the enclave design as soon as you can. Enclave tinkering can destroy your scope.

What you write down needs to be real-

Documentation must absolutely match implementation and operations. Here's why:

CMMC level two has 110 security requirements and 320 assessment objectives. The assessor will evaluate each of those objectives and rate each one as "met" or "not met".

The assessor will review your documentation, which includes your policies and procedures. There are two other assessment methods… "interview" and "test". That is how the assessor will determine whether your documentation matches how things really work in your organization. *This is the other place where organizations tend to fall down.*

So...a C3PAO assessor may ask your team member(s) how a particular assessment objective within their scope of duties is achieved (interview). They may choose to ask your team member to *demonstrate* how a particular assessment objective is achieved within their scope of duties (test). Think screen sharing and walk-throughs.

One of the quickest paths to an assessment objective being rated as "not met" by an assessor is documentation that doesn't match implementation or operations.

u/ResilientTechAdvisor — 2 months ago