u/pro_league_material

▲ 11 r/CMMC

Does basic self-assessment NIST SP 800 171 submitted to SPRS require a passing 88/110 score without any POAM-ineligible?

For context I reviewed the SPRS Quick Entry Guide and could not find anything explicitly stated saying you do or do not need certain score rather they provide suggested, example scores. The need is to submit a Basic Self Assessment NIST SP 800 171 into SPRS, and I’m looking to determine whether or not we’d need to meet that 88/110 at least with a POAM along with it. I may be confusing this with a C3PAO assessment, but I wanted to get clarification on the matter. Thanks

reddit.com
u/pro_league_material — 6 days ago
▲ 6 r/CMMC

How do assessors determine the Sufficiency of practices?

My question is rather broad, but I wanted to ask the community when is enough evidence enough? One example I’m thinking about would be CM L2 3.4.3 regarding System Change Management and other practices which would produce documented evidence from them.

I know this would vary based upon when the OSA’s SSP determines, for example, when scheduled vulnerability scanning takes place. However what about scheduled or spontaneous visitors producing logs for L1 3.10.3 of escorting visitors via sign in sheet?

I guess my question boils down to at what point or length of time producing artifacts does an assessor agree the amount of evidence is adequate? Also if prior undocumented changes were made what should an OSA do to remediate that in a fashion adequate for an assessor?

reddit.com
u/pro_league_material — 7 days ago
▲ 2 r/CMMC

Fact or Fiction: AWS GovCloud + LZA = 80% inherited practices?

I came across a LinkedIn article from October 2025 claiming that being in AWS GovCloud and deploying AWS’ Landing Zone Accelerator (LZA) would bring an OSA’s scope to about 80% inheritance of the 110 controls. Is this true?

Here’s their estimates of inheritance:
AC (82%), AT (67%), AU (78%), IA (82%), IR (80%), MA (80%), MP (80%), PE (83%), PS (83%), RA (67%), SC (81%), SI (86%),

My organization is a small business in need of Level 2 and looking to create a cloud only environment based on AWSGovCloud and workspaces to eliminate physical scope. I don’t know if this is claim is based off of some really good policies, or if this is a realistic claim. If you guys are able to clarify if this is sounds reasonable from an assessor perspective that’d be great.

I don’t know if I’m allowed to link the article but if a mod tells me i could then i have no problem doing that. Also I’ve posted in here in the past on various questions, so just want to point out I have no association with the org who posted the article. Thanks :)

reddit.com
u/pro_league_material — 18 days ago
▲ 16 r/CMMC

Is a SSP & POAM inherently CUI?

My organization previously had a GAP analysis done by a consulting org, and the produced SSP and POAM were both marked as CUI. Obviously I understand that it’s proprietary information which we would not want to release. However I’m trying to find specific citations which treat it as such and why. Is it because it’s submitted as SPRS so automatically CUI? Is it once it’s filled with information it’s CUI? Any clarity would be greatly appreciated.

reddit.com
u/pro_league_material — 19 days ago
▲ 10 r/CMMC

Is a GCC High Browser-Only with no VDI and no physical scope possible?

I’m trying to figure out whether or not a C3PAO has successfully assessed or will disagree on if an organization can do a cloud only enclave scope without the use of VDI? Examples of what would be included would be no downloading from GCC high, no copy/paste, CUI stays only in sharepoint/onedrive, no physical CUI, etc.

I’m trying to get into the weed definition wise of what “process, store or transmit CUI” means on a technical level as well. Let me know what you guys think and whether or not it’s a viable route. Thank you

reddit.com
u/pro_league_material — 24 days ago
▲ 11 r/CMMC

Can non-CUI Users be in a GCC High Tenant and out of scope?

We are a small company working towards a level 2 assessment by a C3PAO. I understand that this may be a question as to whether we allow it or not from a SSP perspective, but I wanted to ask this subreddit from an assessor perspective whether or not non-CUI users in a GCC High tenant can be made out of scope? I’m unsure if they are in scope inherently due to CUI being present in the tenant. This questions comes from a cost saving angle of keeping users who are already in the tenant there instead of making a separate commercial tenant.

Also if non CUI users would be able to be out of scope, then would they be required to have Intune, Entra, etc or could they just use licenses for email only? Thank you

reddit.com
u/pro_league_material — 1 month ago
▲ 7 r/CMMC

How to get GCC High Shared Responsibility Matrix from Microsoft?

The small company I work for has been in GCC High for years, but we do not have any record of a shared responsibility matrix from Microsoft. Previously I had sent emails to O365FedRAMP@microsoft.com and AzFedDoc@microsoft.com to request one but I never heard back. If anyone knows how to get this for Level 2 compliance that’d be awesome. Thanks!

reddit.com
u/pro_league_material — 2 months ago