r/CMMC

▲ 2 r/CMMC

What should I expect?

Our MSP is talking to a new whale prospect. They would require us to get them from CMMC level 1 to level 2 and make ourselves CMMC Level 2. I am currently making us CIS IG1 certified and am almost done but it was a lot of work and learning. It’s only me who does compliance at my company and kinda stressing about the idea of doing CMMC by myself when i barely know CIS. Any recommendations on where to start and keeping my sanity???

reddit.com
u/No-Commercial-7727 — 1 day ago
▲ 4 r/CMMC

Dealing with CUI in procurement files

How do small businesses handle CMMC L2 approved workflows with CUI procurement data?
Here's a scenario that I need opinion on accuracy:

Small business, with planned small secured enclave, has workflows that involve GSA MAS eBuy portal or SAM which do not tell you whether agency procurement docs are CUI unless you download them.
Since you don't know if they are CUI, you would be technically forced to use the enclave as destination for those files until proper disposition. If CUI is identified (e.g., in a PWS), all of your procurement workflow is bottlenecked and throttled to work through that enclave. Unless you want every machine of your small team in scope, you'd have to use VDI or other restrictive solutions to get to it and review.
Collaboration within your team would also be very limited, as you can no longer pull relevant information that could be the reason for the CUI out of the marked document and into anyone's machine. Furthermore, responses that make use of such data could also be CUI and thus would restrict the location and operation of whichever document response you'd be building.
Even with solutions like Preveil the above, if accurate, seems very cumbersome and would kill the productivity. Besides going with the forbiddingly expensive Gov Cloud High solutions, how would small businesses in govcon efficiently operate CUI procurement data under CMMC L2?

reddit.com
u/Fisk77 — 1 day ago
▲ 11 r/CMMC

Finding a "No Bullsh-t" C3PAO

All,

I have been in the IT business since the late 1980s. For ten years I had a side business doing CMMI Level 2 and 3 assessment preparation. I also assisted my employers in ISO preparation and assessments for another 15 years after that.

For the first few years, all the CMMC preparation and C3PAO assessment companies were scams- snake oil salesmen wayyy overcharging. I met a company who wanted to sell me a "package" of prep and assessment at $750k. Utter stupidity.

I have scoped my CMMC Level 2 at one employee- me. So I need a one seat license for everything.

I just got off the phone with a company that will provide me all the CMMC tools I need for Level 2 for $5500 per year. Then increases as I prep for Level 3. Plus that number includes a $20 per month price reduction- the company is monitoring prices to stay low. Finally, sanity in this business.

But C3PAOs still want to charge $30k. Too high for what's required. And when I talk to them, they have VERY INEFFICIENT PROCESSES which increase their time and for a seasoned Program Manager, I couldn't help but show them where they're staff are wasting money and my time.

Where can I find the "No Bullsh-t" companies who can do a one-seat CMMC assessment efficiently with costs that reflect their efficiency?

reddit.com
u/Think_Leadership_91 — 3 days ago
▲ 9 r/CMMC

Evedince for SSP

Hi all,

I am responsible within my organization for CMMC lvl2 and document the SSP

I would like to ask: how do you typically attach evidence to the document? Is it sufficient to include screenshots alone, or should supporting policies also be linked for each individual control?

I would appreciate your input.

reddit.com
u/ProofOk1899 — 4 days ago
▲ 8 r/CMMC

How do you confirm whether a contract requires CMMC Level 1 or Level 2?

A lot of contractors get a vague instruction to "be CMMC compliant" without anyone specifying which level applies, and the two levels are very different in scope.

The determination comes down to the type of information the contract covers. FCI maps to CMMC Level 1, while CUI maps to Level 2. If your contract only cites FAR 52.204-21, that points to Level 1. If DFARS 252.204-7012 is present, or a prime's flow-down references NIST SP 800-171, that puts you at Level 2 regardless of what your own contract language says.

The compliance burden difference is significant: Level 1 is 15 practices with an annual self-assessment, while Level 2 covers all 110 NIST SP 800-171 requirements with a third-party C3PAO assessment every three years.

And starting November 10, 2026, those third-party assessments become mandatory for applicable Level 2 contracts.

For people who've gone through this determination process: did you find clear answers by going straight to your contracting officer, or did the contract clauses alone give you enough to act on?

reddit.com
u/MyWorkDrive_Official — 4 days ago
▲ 10 r/CMMC

Cloud-only (GCC High), no VPN, remote workers on public/hotel Wi-Fi. Is Conditional Access + TLS enough for 3.1.12/3.1.16/3.1.17?

Fully cloud, no on-prem. Looking for anyone assessed with a similar setup.

Our environment:

  • CUI lives in GCC High + on Intune/BitLocker-managed laptops
  • Every session requires Conditional Access (compliant device + MFA)
  • All traffic to GCC High is TLS 1.2+/FIPS, end to end, regardless of network
  • Local Wi-Fi at HQ WPA3-Enterprise, internet-only, no on-prem resources behind it
  • Employees travel often, connect through hotel/public Wi-Fi, sometimes open

Our position:

  • Nothing in 3.1.12–3.1.15 requires trusted transport, only that the session be controlled/monitored/encrypted, which we do
  • Scoping 3.1.16/3.1.17 to our own Access Points, not networks we don't own public system / home office.
  • Leaning on DoD FAQ v5: B-A8 (ciphertext on unsecured "common carrier" networks is an accepted risk) and F-Q4 (encrypted CUI transiting networking components doesn't pull them into scope)
  • Not deploying a VPN, since the session is already fully protected independent of network

Questions:

  1. Did your C3PAO accept "no VPN" for a cloud-only org, or push back?
  2. Did public/hotel Wi-Fi come up as an issue at all, given B-A8/F-Q4?
  3. For 3.1.16/3.1.17, did assessors stay scoped to your own access points, or try to pull remote networks in?
reddit.com
u/Cold-Painting3562 — 4 days ago
▲ 22 r/CMMC

How do you avoid burnout while working towards CMMC Level 2 compliance?

For context, I am an intern on coop for the summer. I have worked for my university's IT support desk for 2 years now, and have a very good understanding of basic cybersecurity principles like device management, identities vs. accounts, don't click phishing links type things. During my interview, I was told I would be mainly working on Slackbots and AI integration to make our company procedures more efficient, as well as establishing a basic IT baseline (MDM enrollment, identity management, staff cybersecurity trainings) since they have no established IT team. My second interview was pretty much the same with a very brief mention of CMMC at the very end.
Flash forward to starting my job, and I find out they want me to get us up to level 2 compliance and I'm starting from ground zero. There are shared licenses, shared accounts, computers with uptimes of 3+ months, everyone's work computer has the exact same password (which was also the same as our wifi password), and 3 actively used machines were still on Windows 10.

As of yesterday I believe I have finally gotten us up to Level 1 compliance. I came in over the weekend to completely reconfigure our wifi network, I've gotten MDM completely rolled out, taught these guys what MFA, etc. I have a gigantic spreadsheet for all the controls I need to hit, with links to screenshots and policy documents I've written, and I'm really starting to feel burnt out and overwhelmed. I currently have 35/110 practices 'implemented' but I just have no motivation to keep chugging through it. My direct manager is not an IT person, he's an engineer and has his own work to do, and our CEO has no understanding of how computers work (we have a Windows 7 machine housing one of our Solidworks network licenses and when I said Windows 7 was a security risk, he asked if we could just turn off the wifi on the machine so it wouldn't get hacked into), so I don't really have anyone I could ask questions for help. I've tried setting benchmarks for myself of "try to get all the AU controls done this week," but it's getting really hard to stay motivated when I'm completely by myself here.

This might be more of a vent post, but if anyone has any advice of how they worked through level 2 and stayed motivated, I would really appreciate it.

reddit.com
u/Tornious — 5 days ago
▲ 4 r/CMMC

Cui outlook

I know this is very reliant out industry and which industry you reside in, but how do you guys project cui in the future when analyzing costs of becoming lvl 2 compliant ?

We are mostly defense /aerospace, but far down the list of subs . Im not in a decision making role, but am tasked in the cmmc space . I personally dont see it as worthwhile in relation to the costs , but am not sure how the projection looks in the future in terms of volume of our work.

Much of our work is EC , but I doubt they retroactively classify much of it as cui. Many of our primes are still using unsecured methods of sending cui down to us 😆

Anyway, how do we see this playing out ?

reddit.com
u/cashmgee — 5 days ago
▲ 9 r/CMMC

I need help ! to achieve the CMMC level 2.0 certifications.

I recently joined a new company, and within my first two working days I was assigned the responsibility of helping our organization achieve CMMC Level 2 compliance. I'm currently the only IT person handling this project.

My previous experience is as a Network and Security Engineer, but I'm completely new to CMMC compliance, governance, and audit preparation. To be honest, I'm feeling overwhelmed and I'm not sure where to begin.

I'm looking for guidance from anyone who has successfully implemented or achieved CMMC Level 2 certification.

I have a few questions:

  1. What are the best articles, books, or learning resources to understand CMMC Level 2 from the basics?
  2. Where should I start? What would be the first 30, 60, and 90 days of a CMMC implementation project?
  3. Are there any free training courses, YouTube channels, or learning platforms you would recommend?
  4. Is there any free documentation, templates, checklists, or implementation guides available online?
  5. Are there any free or open-source tools that can help with asset inventory, vulnerability management, documentation, evidence collection, or compliance tracking?
  6. If you've already completed a CMMC Level 2 implementation, what lessons did you learn? What mistakes should I avoid?
  7. If you were starting from scratch as the only IT person, what roadmap would you follow?

Any practical advice, documentation, GitHub repositories, templates, or real-world implementation experiences would be greatly appreciated.

reddit.com
u/Sati_Z7 — 5 days ago
▲ 3 r/CMMC

Continuous Monitoring Question

Continuous monitoring is about verifying control effectiveness continuously. Do you feel like that’s actually being done? or how do you typically see companies meeting it?

And for the assessors here: when a company really emphasizes this control, do you find their environment is genuinely in better shape or just better at showing evidence at assessment time? Curious whether the ones who take it seriously are actually more secure day to day, or mainly more prepared.

reddit.com
u/NegotiationFirst131 — 4 days ago
▲ 4 r/CMMC

Is evidence CUI?

For example, the evidence that you need to provide to prove to the assessor that a controller is met?

reddit.com
u/CicadaIcy6521 — 4 days ago
▲ 0 r/CMMC

What’s wrong with letting guests and employees share the same wireless?

Partially a security question, partially a CMMC question.

Let’s say you have a WPA3 PSK wireless network that employee CUI laptops, employee personal devices, AND guests are allowed to use. Client isolation is enabled and the wireless is logically segmented from the rest of the office network/resources.

Why isn’t this sufficient? It meets 3.1.16 and 3.1.17 as long your documentation is in place, doesn’t it? Or does this hurt a broader control?

EDIT: CUI laptops generally connect to the wired Ethernet, but no mechanism exists to enforce that. Even if I made a separate WAP for employees or employee personal devices, there’s nothing stopping them from connecting to the guest network anyway.

reddit.com
u/Practical-Owl-8113 — 5 days ago
▲ 8 r/CMMC

C3PAO recommendation for a small 5 person company

We have a small environment with a small amount of CUI. We currently use Preveil. Any recommendations for a C3PAO for a small company and scope is appreciated.

reddit.com
u/Mysterious_Taste_868 — 6 days ago
▲ 13 r/CMMC

C3PAO Shopping

From where we sit on the buyer's side of a C3PAO engagement, the questions CMMC L2 clients bring to the table are almost always the same two: What does it cost & when can you start? Those are fair questions but they don't protect you.

The CyberAB session this afternoon included a slide with a set of questions to ask a C3PAO that also included 1. operating locations (having assessors near your business keeps costs down if a site visit is needed), 2. fee structure (what do you owe if the assessment cannot move forward or if it takes longer than anticipated), & 3. sector experience (familiarity with businesses like yours can make the assessment a lo easier).

Then three questions at the bottom of the slide, set apart in bold, that most OSAs never think to ask:

1. When does your DIBCAC three-year assessment period expire?

The so what: A C3PAO has to itself pass a DIBCAC assessment of its own environment to become & stay authorized. That assessment carries a validity window. If a C3PAO's own DIBCAC standing lapses, its ability to deliver certifications is in question. You care because an assessor whose own clock is near expiry may lose standing during or after your engagement, putting the validity of your certification at risk.

2. Is there anything in your corporate future that would affect your FOCI status?

The so what: Authorization in the DIB depends on a non-disqualifying FOCI determination from DCSA, reassessed every three years. This question probes pending acquisitions, investment, or ownership changes. Under 32 CFR 170, a C3PAO must report any change to its SF 328 within 15 business days, & a disqualifying determination pulls authorization. So a corporate event on their side, one you have no visibility into & no control over, can strand your assessment mid-cycle.

3. How many months are left in your 27-month Authorization period?

The so what: Separate from the DIBCAC clock. A C3PAO's authorization from the accreditation body runs on a defined term. The slide names 27 months. If few months remain, you risk starting an engagement with an assessor whose authorization expires before your certification is complete or before a needed follow-on step. You care because you need the assessor authorized through the full lifecycle of your engagement, not just at kickoff.

That's the buyer-side read the checklist doesn't give you. You can prepare well, scope well, pass well, & still get stranded if the assessor's own authorization runs out mid-cycle or their corporate standing shifts under them. Their clock is your risk.

When we vet a C3PAO for a client, continuity sits next to competence. We want to know the assessor will still be standing / still authorized, on the other side of the engagement.

reddit.com
u/ResilientTechAdvisor — 5 days ago
▲ 3 r/CMMC

Post GCCH Migration - Auto BCC Rule to Satisfy the Marketing Guy

Our organization just completed the migration from commercial to GCCH. In our previous environment, we had a rule in Microsoft Entra to Auto BCC a Hubspot address that captures outgoing email for new contacts that can go into our CRM that our marketing guy uses for email blasts.

From what I understand, that is no longer going to fly, especially with the possibility of CUI floating around. Does anyone know of a way to do this other than having people manually adding the Hubspot address that won't put us into a bad situation?

reddit.com
u/Synik_one — 5 days ago
▲ 11 r/CMMC

Does basic self-assessment NIST SP 800 171 submitted to SPRS require a passing 88/110 score without any POAM-ineligible?

For context I reviewed the SPRS Quick Entry Guide and could not find anything explicitly stated saying you do or do not need certain score rather they provide suggested, example scores. The need is to submit a Basic Self Assessment NIST SP 800 171 into SPRS, and I’m looking to determine whether or not we’d need to meet that 88/110 at least with a POAM along with it. I may be confusing this with a C3PAO assessment, but I wanted to get clarification on the matter. Thanks

reddit.com
u/pro_league_material — 6 days ago
▲ 33 r/CMMC

Subjective bs

This is all subjective bs .

Audits should be black and white. Either you do or don't. Not interpretive. Not subjective.

But this is the hand we are dealt .

That and my 80 year old boss who's been wrong for the last 3 years is hard headed as fck. Just brought me on 2 months ago, ive been with company 15 years. Never any cyber experience but plenty of other auidt compliance work.

Had a msp hired that never did compliance . He's already spent 180k on it and I called the msp out on his bs and he bailed . We have a bad srps score now and are sitting at square one because my boss never followed up on anything .

This along witb the fact that primes dont even follow their own rules.

Im sitting here with a dist statement e as a low lvl sub 😆 Had to vent. Feel lost .

Hope you all are having a better Monday than I am.

reddit.com
u/cashmgee — 7 days ago
▲ 3 r/CMMC

How should I address "vibe coded" software in my environment?

I'm not sure why I am struggling with this one so much, but I'm hitting a wall when it comes to determining how to apply CMMC to internally developed software, particularly using a platform like Claude Code. I know PCI has specific requirements around internally developed software, but I think CMMC's lack of specificity on the topic is really throwing me for a loop.

reddit.com
u/ThatInfoSecGuy — 6 days ago
▲ 1 r/CMMC

3.1.18 BYOD identification and authorization

Environment: GCCH (Intune & Entra)

Current configuration

All employees are authorized to access the non-CUI email system (CRMA) since they've signed a BYOD agreement. We go through the following process:

  1. User signs into corporate email system through the managed Outlook app
  2. We get an alert
  3. We update hardware database to include the phone if all seems well

___

In hindsight this seems dubious. Would assessors be dissatisfied with granting access before explicitly identifying and authorizing a specific device? I'm not even sure how I'd be able to identify the device beforehand and add it to a BYOD group anyway.

reddit.com
u/Verdant_Bloom1533 — 5 days ago
▲ 4 r/CMMC

Claude Cowork on an In-Scope CUI Endpoint

Claude Cowork on an In-Scope CUI Endpoint

Has anyone gone through a level 2 audit successfully while having the Claude desktop app installed on endpoints that are considered in scope?

Do you need “technical” controls, or Is it sufficient to have Cowork configured with guardrails such as “ask first” combined with both a company policy specifically stating to never upload CUI (or point towards folders containing CUI documentation)… along with specific user training and acknowledgment forms?

Or is Claude desktop app/cowork basically a forbidden app?

reddit.com
u/ConcernOrdinary3380 — 6 days ago