Hello Everyone,
We're in the process of navigating CMMC Level 2 compliance and have some legacy applications, devices, and network setups in our environment.
We had someone tell us we could potentially include them in an acceptable risk policy, where we would disclose the known risks, accept the risk, and document the mitigations we've put in place.
I'm curious if anyone else has gone down this route. What practices / documentation methods have you found helpful in balancing these legacy elements with CMMC requirements? Any advice or resources would be greatly appreciated.
Just for some added depth, we've got a fully on-premises environment with legacy ERP systems, file servers with CUI and non-CUI all mixed in (several TB worth), CMM machines that are end-of-life, etc.
Thanks!