CMMC and MSPs - Scope only includes SPAs

old.reddit.com / @/u/ApprehensiveTree7184, https://old.reddit.com/user/ApprehensiveTree7184

Hello all...

I am somewhat confused when it comes to assisting the MSP I work in to become CMMC L2 assessment ready. We are assisting DIB customers with becoming CMMC L2 ready, and it is clear what needs to be done to meet most of the controls in their environments. But as an MSP, we ourselves don't have any CUI assets and it seems to me that our scope is limited just to SPAs (our people, our SIEM, EDR, SOC, RMM, etc) and perhaps our tech's PCs being CRMAs (remoting into assets that may contain CUI).

Is there a catalog of controls/requirements that apply when only SPAs are in scope for the assessment? It seems that many (but certainly not all) controls don't really apply if there are no CUI assets to speak of in our boundary.

submitted by /u/ApprehensiveTree7184
[link] [comments]

published about 1 month ago


Previous

For those of you obtaining CMMC level 2~ What VPN’s are you using?
published about 1 month ago

Next

RHEL Server as Gateway
published about 1 month ago
See all items from the same source