r/CMMC

▲ 13 r/CMMC

Failed mock because all SPAs were subject to all 110 security controls

We failed our mock audit because we didn’t document in the SSP how every control applied to every SPA in our environment. My question is, is this standard? I’ve talked to another auditor briefly who said the SPAs should only be assessed against controls that that SPA is used to make compliant.
https://www.theneteffect.com/cmmc/20251112.php#relevant
See my example below.

In 3.1.8, limit unsuccessful logon attempts, we defined how we limited logon attempts onto the Windows machine. We were not compliant because the SSP didn’t document how we limited logon attempts onto the ThreatLocker cloud portal. Upon looking at the SRM for ThreatLocker, it states that the limiting of logon attempts is the customer's responsibility. In the ThreatLocker settings, there is no way to increase the lockout timer or number of failed logons before account lockout. The only thing I could find is the ability to federate it to a domain, in which case ThreatLocker would inherit the Windows group policy. We would prefer not to do this because the “fractional IT employee” is completely remote and this small business would prefer to not pay for their new computer and GCCH license. Regardless, does anyone else have experience or guidance on whether SPAs are subject to all 110 security controls or not? And if not, is this something we could push back on the auditor against, or do we need to cut our losses and find another C3PAO?

u/ManagerOk6785 — 1 day ago
▲ 3 r/CMMC

I don't want to leave my MSP, any suggestions?

I run a mid-sized manufacturing company and our prime contractor has been pushing us to show our CMMC progress. Our IT is handled by a local MSP that we have worked with for years and they manage all of our other compliance needs. They have never done CMMC, but we really don't want to lose that relationship with our MSP. Do I have to replace them, or is there another company that can help advise them with CMMC work? Especially help with guidance on an SSP, to help them know what controls and steps to have in place. Thanks

u/Mary_Rebeca — 1 day ago
▲ 7 r/CMMC

Summit7’s competitors

I’m trying to find the largest 5 players in this space. Who are Summit7’s closest competitors? Who is servicing the largest companies out there?

u/Aromatic_Walrus1560 — 1 day ago
▲ 3 r/CMMC

Does the continuous vetting program keep your current clearance active? I’m trying to see if working as a CCP/CCA will keep my TS/SCI active or will I have to work for a cleared company to keep it active

u/Jolly-Noise6392 — 1 day ago
▲ 4 r/CMMC

Screensharing CUI Alternatives?

Current stack:

  • Microsoft 365 Business Premium
  • PreVeil

We are preparing for CMMC Level 2 and trying to define a compliant path for meetings where CUI may be displayed through screensharing.

My current understanding is that using commercial Microsoft Teams for screensharing CUI is risky/not supportable for CMMC Level 2 unless the full environment, configuration, and inherited controls can be justified.

The three main alternatives I keep seeing are:

  1. Webex for Government
  2. Zoom for Government
  3. Microsoft GCC High / Teams in GCC High

My understanding is that GCC High is a separate Microsoft cloud/tenant environment, not something that can simply be merged into our existing commercial M365 tenant. We have only about 15 CUI handlers from the 150-employee workforce. My initial answer was Zoom for Government because I know that Zoom has integration with M365, so it may be easier for the end users. I'm trying to balance headache and price, basically. I would appreciate any advice.

u/Certain-Gap6204 — 1 day ago
▲ 5 r/CMMC

How are you all actually handling AI tool usage in your CMMC environment?

F500 cyber guy here (CISSP, not defense though so apologies if I'm late to the party). Been helping a couple buddies who run small defense subs prep for L2 and I can't find a clean answer on this from anyone.

Their people use AI for everything now. Copilot, ChatGPT, some are messing with agents. But the CMMC docs don't really address it. DFARS doesn't mention AI. 800-171 r3 has some adjacent stuff but nothing direct. NIST AI RMF exists but try handing that to a C3PAO and see how that goes.

Are you guys treating sanctioned AI tools as ESPs and doing the full categorization, or just bolting on AUP language and calling it good?

What about the analyst who pastes a CUI spec sheet into ChatGPT to summarize it because they're behind on a deliverable? You can't realistically watch every keyboard.

Has a C3PAO actually asked about AI tool usage in an assessment for any of you, or is it still flying under?

And for the workflows where you do let some AI tool touch CUI, how are you proving it's not training on your data beyond what the EULA says?

Feeling like a lot of folks are just kinda hoping it doesn't come up. Would love to know if I'm wrong about that.

u/TheTylerboltz — 2 days ago
▲ 5 r/CMMC

CMMC Scoping Question: Commercial CRM Storing FCI Outside GCC High

Long time lurker, first time posting. 🙂

I think I know the answer to this but wanted to bounce it off the experts here. While I want to say we are a unique situation, I feel like everyone in this subreddit has their own unique architecture/story.

Here is the scenario:

We operate two completely separate Microsoft tenants.

  • ABC Cyber = standard commercial/non-FedRAMP tenant
  • ABC Public = subsidiary operating in GCC High

ABC Public was stood up specifically to store, process, and transmit CUI. No connections between the two tenants at all. Separate accounts, separate systems, separate managed assets, etc. This setup existed before my time.

We are preparing for a CMMC Level 2 third-party assessment for early June.

ABC Public is very “vanilla”:

  • Native Microsoft cloud stack only
  • No on-prem
  • No external hosted systems/tools
  • No integrations

Because of that, some business functions still rely on ABC Cyber systems, mainly a CRM platform (think HubSpot, Pipedrive, Attio, etc.). The CRM itself is a standard commercial SaaS platform and is not FedRAMP authorized.

Important detail:
Users access the CRM using their ABC Cyber accounts and ABC Cyber-managed assets only. They do NOT access the CRM from ABC Public accounts/systems/devices.

There is no identity federation, trust relationship, synchronization, mail flow, or system integration between the environments.

The CRM may contain what I would classify as FCI related to federal contracts/customers, though I am digging deeper into that now to better understand exactly what data exists there. No CUI is supposed to exist in the CRM.

So my understanding of scoping is this:

During a CMMC Level 2 assessment, if the assessor asks:
“Where does your FCI live?”
…and the answer is:
“The ABC Cyber CRM”

Then that CRM environment is still in scope at least from a Level 1/FAR 52.204-21 perspective, even though:

  • it is not part of the GCC High enclave
  • it does not handle CUI
  • it is completely separate from the Level 2 environment

In other words:
The CRM does not need full Level 2/800-171 controls, but it would still need to satisfy the Level 1 safeguarding requirements because it stores/processes/transmits FCI.

My concern is that if the CRM is determined to be in scope for FCI and is not meeting the FAR 52.204-21 / Level 1 requirements, then we may have a larger readiness issue before even moving forward with the Level 2 assessment.

Am I thinking about that correctly?

u/ArtifactHoarder — 1 day ago
▲ 6 r/CMMC

Need Help!!

Hey everyone,

I have an interview coming up for the Information Security Intern (CMMC) role.

The role involves:

  • Security monitoring and alert review
  • Assisting with investigations/incident response
  • Vulnerability management & patching
  • Working with ITS Operations and enterprise systems
  • Learning cybersecurity operations in a professional environment

Background: I’m currently pursuing an M.S. in Information Science at with hands-on experience in Splunk, OpenVAS/Nessus, networking, IT support, and security labs.

For anyone who interviewed with similar security internships:

  • What technical questions did they ask?
  • Was it more behavioral or technical?
  • Any focus on networking, Windows, SIEM, troubleshooting, or compliance/CMMC concepts?
  • What should I prepare most for?

Any tips or experiences would really help. Thanks!

u/ShelterFantastic2114 — 2 days ago
▲ 7 r/CMMC+1 crossposts

CMMC Level 2: Is the WatchGuard Compliance Package worth it if we use PreVeil + M365 Business Premium?

We are mid-journey on our CMMC Level 2 compliance and looking for some feedback on our tooling strategy.

Our Current Stack / Scope:

  • CUI/FCI Enclave: PreVeil (storing/sharing all CUI and FCI).
  • Identity & Endpoint: M365 Business Premium (utilizing Intune and Defender for Business).
  • Network & Perimeter: WatchGuard T45 firewall with Total Security Suite, AuthPoint for MFA, and Advanced EPDR on the endpoints.

The Dilemma: We are looking at the WatchGuard Compliance Package (which includes automated NIST 800-171 control reports).

Is it actually worth paying extra for these automated compliance reports? Or should we just save the money and capitalize entirely on our Microsoft 365 Business Premium (Intune/Defender) capabilities and manually gather the firewall logs/evidence?

My gut tells me that since PreVeil is handling the CUI itself, the WatchGuard environment is essentially acting as a security domain that protects the endpoints accessing the enclave. Do automated reports from WatchGuard actually move the needle during a C3PAO assessment, or are they just expensive shelfware that duplicates what we can pull manually or through Microsoft?

Would love to hear from anyone who has gone through an assessment with a similar hybrid WatchGuard/Microsoft/PreVeil stack. Thanks!

u/OemNerd2K — 3 days ago
▲ 13 r/CMMC+1 crossposts

CMMC Level 2 Compliance - Using a service like Greypike

My company is dipping their toes into government work, and we're discovering the incredible amounts of red tape that lie in our path. Currently, we plan to submit proposals for some SBIR opportunities, but we're ultimately going to need to be CMMC L2 compliant. There is a service called Greypike that can guide us to compliance, but they also offer an 'enclave' which appears to be a workspace that they host, where CUI and other info will live. There's a monthly cost for them to maintain the workspace. My understanding is that this is a decent alternative to transforming our current internal cybersecurity infrastructure ourselves (hiring more staff, buying hardware, and creating all the policies involved).

Has anybody used a service like this before? The service is costly, but it's also costly to do it ourselves. We come from an entirely different industry, but feel we have something unique to offer for DoD work. When I look at our current cybersecurity structure and methods, and compare them to what CMMC L2 requires...it gives me a migraine. I'm struggling to justify the costs for using a service like Greypike. Any advice is highly appreciated! Thanks all!

u/Unlikely_Fig_3123 — 3 days ago
▲ 3 r/CMMC

New to CMMC

I’m looking to get into CMMC auditing part time. I currently work full time as an information security analyst in cybersecurity. What steps should I take to get started, and is the rate of pay worth it from your experience?

u/Specialist-Owl3522 — 3 days ago
▲ 2 r/CMMC

IDE Plug-ins

Hello,

I have recently started a new position wherein I am working on doing risk assessments. Recently, I had CCStudio come across my desk, which uses OpenVSX's plug-in marketplace to support its IDE environment. I hadn't really thought about it until this point, but how are these plug-ins controlled under CMMC? I'm fairly new to compliance so apologies if this seems like an obvious question.

As far as I can tell from my limited research, they wouldn't require individual assessments for every plug-in a developer may want, but we would be required to establish a list and perform regular vulnerability checks for each plug-in. Am I correct in that assumption?

If anyone has anything they can say to help, please do! Everything is greatly appreciated. Like I said, I'm new to the field, so anything is helpful for me!

u/Starmonster09 — 2 days ago
▲ 1 r/CMMC

Clearance

I currently hold an active U.S. Secret clearance with a completed Tier 3 investigation. Could you please advise what additional steps are required in the Cyber AB portal for CCA personnel screening compliance?

u/Prize_Assignment6691 — 3 days ago
▲ 7 r/CMMC

Why would any OSC say they need to reassess?

According to the new FAQs, "significant change" and the need for a reassessment are being left in the hands of the OSCs. Wondering what the thought process is here. If you're a student of game theory, you would probably conclude that the decision will more often than not be "I don't need a reassessment."

ETA: here's a link to the May 2026 FAQs https://dowcio.war.gov/Portals/0/Documents/CMMC/CMMC-FAQsv5.pdf

u/ResilientTechAdvisor — 5 days ago
▲ 4 r/CMMC

How to source clients?

I am a GRC professional with 10+ years of experience. One area of expertise is gap analysis and assessments; I have done this for years with many frameworks/standards.

I am interested in providing consulting for small to medium size companies who need CMMC compliance. I am struggling with lead generation and looking for some advice on how to get my first clients.

I am studying for the CCP but hold both CISA and CISSP today.

Appreciate any insight.

u/Mici_429 — 5 days ago
▲ 8 r/CMMC

Anyone with an active clearance apply for their Tier 3 recently? If so, how long did it take to get your Tier 3 back from the Cyber AB? I’ve been waiting 2 weeks and I’m ready to be certified. We go through the studying, the training, and then we finally pass the exams just to wait to be official.

I just got my TS/SCI after waiting for over a year. I hope I don’t have to wait a long time for DCSA once again.

u/Jolly-Noise6392 — 5 days ago
▲ 26 r/CMMC

Subcontractor experiences lately

I work with a lot of subcontractors. Lately I've noticed the following with them:

  1. No idea CMMC is a thing - which leads to me having to go into my speech and presentation about it.

  2. Struggling to achieve CMMC status - they've hired a consultant or MSP who never achieved CMMC status, so it's the blind leading the blind.

It's gotten so bad that I have one internal employee here giving out my personal cell number to subs and telling them to call me immediately and I'll "get them situated", which is especially aggravating.

u/HeyHelpDeskGuy — 7 days ago
▲ 33 r/CMMC

New hire tasked with CMMC compliance despite no experience

Hey guys, I'm a new university co-op hired by a small manufacturing company last week to get them CMMC compliant/certified. They know I don't know anything about CMMC and told me to research everything and tell them what they need to do to get certified by Nov. 1st. They also want to avoid hiring any third-parties as much as possible, so I figured I'd ask some questions here on an anonymous account.

For some background, one of the companies that contract us is requiring us to get at least some level of CMMC by Nov. 5th. We currently only deal with FCI from them, but after reading and writing down the requirements, Level 1 seems really bare/minimal, so we were thinking about maybe doing the Level 2 self-assessment instead just so we're more prepared if we ever end up handling CUI later on.

Now for my questions:

  1. Even though we only need Level 1, can we still choose to do the Level 2 self-assessment anyways?
  2. If we do Level 2, are we still supposed to separately do/get Level 1 too? From what I've researched, it seems like the Level 1 stuff (FAR) is already included in the Level 2 requirements (NIST) one way or another.
  3. How are we actually supposed to determine the scope for the self-assessment? I read through the scoping guide but I'm still confused on how you practically determine what's in scope and what isn't.
  4. If I researched correctly, the self-assessment gets submitted through SPRS, and Level 2 self-assessments are valid for 3 years with annual affirmations/checks annually, right?
  5. What exactly are CAGE(s)? I noticed the SPRS guide showed them in a submission box in some screenshots but I still don't really understand what they are and how we're supposed to obtain them.

Also, if possible, it'd be really helpful if you could provide documentation for your answers since I also have to make a write-up for our contracting company explaining why we chose whatever route we end up taking.

Sorry if these seem like dumb questions. I've been looking into this stuff for like a week and some of it is flying over my head. I'm just trying to get a better understanding.

u/No_Painting_5871 — 7 days ago
▲ 3 r/CMMC+1 crossposts

IdenTrust ECA and YubiKey

Anyone else use YubiKeys with the YubiKey driver and have trouble with ECA?

My experience - the YubiKey minidriver does not work with HID ActivClient. I need the minidriver since I have over 2 PIV certs loaded in it.

So I uninstall ActivClient, and the YubiKey works - but now I can’t use my ECA!

u/mtspsu258 — 6 days ago