old.reddit.com /r/CMMC/
CMMC

Anyone have experience with this test bank? Looking to sharpen my knowledge before testing. I'm familiar with the company and they seem credible. But another $100+ stings a lil'.

Certified CMMC Assessor (CCA) Practice Exam - IT Security - Networking & Security - Shop All (logicaloperations.com)

submitted by /u/TangoDown757

Maybe I can find some international colleagues that are struggling with the same thing. We are based in Germany and were looking into implementing GCC High for our CUI enclave. As I found out, Microsoft does not offer this service outside of the US. Has anyone found a workaround (e.g. a subsidiary in the US) or actually gotten some kind of exemption from the US-only rule?

Secondly, does anyone have any insight into why they got this restriction in the first place?

submitted by /u/Atze-Arne

How long does the DoD Suitability Application take? Do you apply after achieving CCP or after achieving CCA? Where/how do you apply? This doesn’t seem very well documented.

Thanks and sorry if I missed some info, I didn’t see much on this online

submitted by /u/Short-Hope2518

Are there any resources that highlight and explain how to satisfy every single or most CMMC requirements for LVL 3?

submitted by /u/Professional-Bed5643

The company I work for has taken up efforts to achieve CMMC lvl 3. All security policies are in place; I am trying to figure out the best way to label physical cabinets. Should I order labels, or would using a black and white label maker work fine? If using the B&W label maker, what should I type out?

submitted by /u/Professional-Bed5643

Hi folks,

Long time reader, first time poster. First off, I'd like to thank all the contributors to this sub. You've been a tremendous source of information for our company.

We're a SPA in CMMC lexicon and are planning on acquiring L2 next year to support our current DIB customers and help our sales team get new ones. However, we don't process, store, or transmit CUI.

How would you scope this? Does this mean the scope of our CMMC certification is our entire organization? Do we guess at where CUI would reside if we did collect it? Can we create a small CUI enclave with no CUI?

Any thoughts you have would be greatly appreciated. Like all things CMMC, we've heard conflicting theories on this. :-)

submitted by /u/LifeCommission5441

I got an email about this service directly from the gov. Haven't been able to find too much else about it - but it doesn't seem brand new. Anyone using it?

https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/

submitted by /u/hangin_on_by_an_RJ45

How is everyone handling

[c] the use of portable storage devices containing CUI on external systems is limited as defined.

I am not sure how to limit USB on an external device. If a user takes a USB and plugs it into his computer, I'm not sure how to stop him. We need USB because of old CNC machines that only use USB to upload configs.

submitted by /u/Razzleberry_Fondue
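As an added example, not from the original post: a PowerShell audit of the Group Policy registry keys Windows uses for "Removable Storage Access" and "Device Installation Restrictions". On company-managed endpoints, denying unlisted devices and allow-listing the instance IDs of the specific sticks used for the CNC transfers is one common way to make "limited as defined" enforceable and auditable; it does nothing for an unmanaged external system, which is the part of the question policy has to cover. The function names are this example's own; the policy must already be set via GPO or Intune for the keys to exist.

```powershell
# Added example, not from the original post: audit the Group Policy registry keys
# that "Removable Storage Access" and "Device Installation Restrictions" write on a
# company-managed Windows endpoint. Run in an elevated PowerShell session after
# the policy has applied (gpupdate /force); if the keys are absent, no policy is set.

# Computer Configuration > Administrative Templates > System > Removable Storage Access
$rsdRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID Windows uses for "Removable Disks" under that policy
$removableDisks = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
# Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
$dirRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-AllowListedDeviceIds {
    # Values under AllowDeviceIDs / AllowDeviceInstanceIDs are the hardware IDs or
    # instance IDs (e.g. USBSTOR\DISK&VEN_...\SERIAL&0) that may still install
    # when DenyUnspecified = 1. This is where the approved CNC-transfer sticks go.
    $ids = @()
    foreach ($sub in 'AllowDeviceIDs', 'AllowDeviceInstanceIDs') {
        $p = Join-Path $dirRoot $sub
        if (Test-Path -Path $p) {
            $key = Get-Item -Path $p
            $ids += $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
        }
    }
    return $ids
}

function Get-RemovableStoragePosture {
    $classKey = Join-Path $rsdRoot $removableDisks
    [pscustomobject]@{
        AllRemovableStorageDenied = ((Get-PolicyValue -Path $rsdRoot  -Name 'Deny_All')        -eq 1)
        RemovableDiskReadDenied   = ((Get-PolicyValue -Path $classKey -Name 'Deny_Read')       -eq 1)
        RemovableDiskWriteDenied  = ((Get-PolicyValue -Path $classKey -Name 'Deny_Write')      -eq 1)
        RemovableDiskExecDenied   = ((Get-PolicyValue -Path $classKey -Name 'Deny_Execute')    -eq 1)
        UnlistedDevicesDenied     = ((Get-PolicyValue -Path $dirRoot  -Name 'DenyUnspecified') -eq 1)
        AllowListedDeviceIds      = Get-AllowListedDeviceIds
    }
}

$posture = Get-RemovableStoragePosture
$posture | Format-List

# Gaps an assessor would ask about when "limited as defined" is the claim.
if (-not ($posture.AllRemovableStorageDenied -or $posture.RemovableDiskWriteDenied)) {
    Write-Warning 'Writes to removable disks are not blocked by policy on this host.'
}
if (-not $posture.UnlistedDevicesDenied) {
    Write-Warning 'Device installation is not restricted to an allow-list; any USB storage device can be installed.'
}
```

The script only reads the Computer Configuration side of the policy; the same Removable Storage Access settings can also be applied per user under HKCU, so check both if your GPO design uses user-scoped policy. Pair the technical control with the written definition of which devices are approved and for what, since the requirement text is "limited as defined", not "blocked".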

So I'm going through the controls and trying to identify and rationalize how we satisfy each requirement. It's pretty daunting. We are a new contracting company and have no current CUI. Part of me thinks to just segment my scope to a specific GCC High tenant and keep everything else how we sit today? Otherwise I have to scope it all, it seems like.

What does it take for you to consider each section "satisfied"? Specific process and explanation for each and proper documentation in case of audits?

submitted by /u/chansharp147

I have been looking at bringing on-prem servers into Azure Arc to start getting all the logs into Sentinel as well as take advantage of the compliance policies. However, when setting this up, there is an option to use Private Link / private endpoints. Otherwise, the connection goes encrypted over a public endpoint (the internet). I feel like this part is not so bad, but just wanted to check. I know a Microsoft rep is going to tell you to go with Private Link all day, as you have to pay for this traffic to go over the link.

Also, the data meets CMMC 2.0 L2 compliance while on-prem. However, our cloud is commercial cloud. Sure, the data is not stored in commercial cloud, but Arc gives you quite a bit of visibility into the server, so does this break requirements for Level 2 compliance?

Basically, I am hoping to be able to bring them in, but not have to pay the premium for a private link, and I am trying to see if commercial cloud basically kills the requirements right off the bat. We are currently keeping our CUI in a separate enclave, or in a protected on-prem server that I am hoping to view in Arc.

submitted by /u/MReprogle

Just polling everyone. For the 3.3.xx controls dealing with log collection and analysis, do you capture and centralize logs from your servers and other service infrastructure (network, cloud, etc.)? I started here, but now I am thinking the capture should also include endpoints, at the very least the endpoints that are in scope. Curious what everyone else is doing here.

submitted by /u/True-Measurement7786

Do cloud-based SPAs need to be FedRAMP Moderate? Do on-prem SPAs fall into the CUI boundary? They don't store or transmit CUI, just provide security services like patch management or device control.

submitted by /u/Fun_Artichoke2792

I have a client with a deep-rooted MSP providing help desk ticketing, DLP, email security, and a couple of others. I need some kind of evidence to show them that their MSP is also going to be required to have CMMC (Level 2), which they have been preparing to get for the last two years through the MSP’s “professional” services. The MSP had no idea what they were getting into, and I am concerned for my client because of this. I’m trying to get my client to start flipping some of these services under their own ownership before it gets too close to 2025.

Is there hard evidence I can show them that says this MSP is going to require the same level of CMMC certification?

submitted by /u/Ok_Palpitation6533

Hi All,

Seeking some guidance from those who have successfully implemented this requirement.

[d] multifactor authentication is implemented for network access to non-privileged accounts.

I'm at a company that uses MFA for VPN and privileged accounts, no problems there. But what exactly is this requiring for non-privileged? Is there an expectation that MFA should be implemented for endpoints, such as a CAC reader on each system?

The example given in the CMMC assessment guide is implementing MFA for cloud-based email in addition to the VPN. Guess we could turn that on, but I'm not totally confident that's the coverage DCMA would look for.

Would appreciate any examples of controls implemented that satisfied this. Thank you!

submitted by /u/K_SV

Small defense company that's growing and will need to be CMMC compliant in a year.

Best approach?

Recommended companies?

submitted by /u/RecordElegant9586

Hey Everyone,

My organization has some international contractors that have access to our Microsoft GCC-High tenant resources. My question is: are they allowed to access our Microsoft GCC-High tenant resources? We were thinking of creating a policy that has international travel as our exception. Will we encounter any issues with being compliant?

submitted by /u/JicamaParticular3421

Is there an approved endpoint cloud backup service I can subscribe to for our laptop users?

I’ve used Acronis before, but for a different industry that didn’t require FedRAMP/CMMC.

submitted by /u/dh_burbank

Hi, I’m kind of new to CMMC-NIST-DFARS-all of the above. I was hired to practically catch my company back up to where they need to be- but I’m still learning all of this, I had no experience prior to it. We are Level 2. Is anything below a 110 for 800-171 not passing? Or can I just get us as close as possible, ensuring that the controls that can’t have POAMs are satisfied? I’m lost lol

submitted by /u/Ill_Ad_1122

TL;DR: My team maintains a web application that may be expected to store CUI at some point in the future. I'm the engineering manager for the web application project. The individual leading the charge on our CMMC compliance efforts is grasping at straws for a way that we can provide a solution that doesn't require the client device accessing our web application to be in-scope, but I believe that is most definitely a nonsense request. What say the experts?


Hi! I'm the manager of a small software team that maintains a very "mature" (you can interpret that as meaning old) web application which customers use to manage various types of documents and business records. We have a need arising to store information, such as network diagrams, system security plans, evidence and artifacts, related to CMMC compliance in the future.

Now our software has a very long road ahead to be NIST 800-171 or CMMC compliant. I need to be realistic with my company leadership about what we can deliver and what we can promise our customers at the end of that road. The individual leading the charge on our company's CMMC efforts would really like for our SaaS product to provide a viable solution for managing the customer's compliance efforts in a way that doesn't bring the client device they access our service with into scope. I believe that's simply not possible, and here's why I believe that.

We provide a SaaS web application and that means our application is delivered via web browser, also known as an HTTP/HTTPS client. HTTP/HTTPS is essentially a protocol for requesting files/resources from a remote server. It downloads the resource, generally caches it into a local file, and then does something with it (displays it, generally). By the very nature of HTTP/HTTPS and how browsers operate, I think it immediately brings the device running the browser into scope if the customer uses our system to store CUI. I don't see any way around that.

From what I read online, customers that store CUI in SharePoint GCCH need to treat their devices accessing SharePoint the same way.

I'm a web developer, not a NIST 800-171 nor CMMC expert, so I may simply not know what I don't know here. Any clarification you could provide would be helpful.

submitted by /u/breich

What are the additional requirements DoD is pushing for this deviation? ie: what are the additional controls for 800-171 Rev 2?

submitted by /u/snookemon

Our Office 365 tenant is on GCC High. Would like to use an email client other than Outlook to access email via a desktop. Is this possible?

Thanks.

submitted by /u/Cyntaric

Straightforward question.

According to the scoping guide it falls under Security Protection Assets and so falls under the scope, and thus if you don't have their new federal stuff then it's a no-go, correct?

submitted by /u/thegreatcerebral

As I understand, Security Protection Assets are assets which provide security functions to systems within a company's CMMC Assessment Scope, and these systems may or may not store or transmit CUI. If a company uses a cloud-based version of a Security Protection Asset, does the SPA need to be FedRAMP certified (or equivalent)?

submitted by /u/PVille_89

This started as a "simple" exploration of creating a VLAN for out-of-scope assets so that we could reduce our CMMC footprint. Specifically, according to the CMMC Level 2 Scoping Guide, an Out-Of-Scope Asset is "required to be physically or logically separated from CUI assets". Separation is described elsewhere in the guide in a manner that makes clear that "physical" = airgap and "logical" = firewalls/VLANs.

So if I put my Out-Of-Scope Assets in an isolated VLAN with routing/firewall rules that prevent access to CUI assets, the OOSA are truly out of scope.

But if I take a laptop with CUI on it and temporarily connect to the isolated VLAN, are the assets on that VLAN suddenly in-scope? It seems like it.

What if I carry that laptop with me on a trip and connect it to a hotel wifi, or friend's wired home LAN? Even though the laptop's storage is FIPS-encrypted and any CUI it transmits will be sent over a VPN to the office, the laptop is still on the same network segment as a bunch of uncontrolled computers. How is that different?

One possible answer is if the laptop (let's suppose Windows) has a local firewall that disallows all inbound connections unless it's on a domain network. Would that qualify as "logical separation" enough?

submitted by /u/ice-ninecicle
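One way to implement and verify the host-firewall posture the poster describes (all inbound blocked unless the laptop is on the domain network), as an added PowerShell example that is not part of the original post. It uses the built-in NetSecurity cmdlets (`Get-NetFirewallProfile`, `Set-NetFirewallProfile`); the `$Enforce` variable and the function names are this example's own.

```powershell
# Added example, not from the original post: check (and optionally enforce) a host
# firewall posture in which the Public and Private profiles block every inbound
# connection, including traffic that an allow rule would otherwise admit, while the
# Domain profile keeps its inbound rules. Uses the built-in NetSecurity cmdlets;
# run in an elevated PowerShell 5.1+ session. Set $Enforce = $true to apply changes.
$Enforce = $false

function Get-InboundExposure {
    # One row per profile with the settings that decide inbound exposure.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile              = $_.Name
            Enabled              = [string]$_.Enabled
            DefaultInboundAction = [string]$_.DefaultInboundAction
            # False = "Block all incoming connections, including those in the list of allowed apps"
            InboundRulesHonoured = [string]$_.AllowInboundRules
        }
    }
}

function Test-NonDomainInboundBlocked {
    # True only when Public and Private are on, default-deny inbound, and ignore allow rules.
    $gaps = Get-InboundExposure | Where-Object {
        $_.Profile -in 'Public', 'Private' -and (
            $_.Enabled -ne 'True' -or
            $_.DefaultInboundAction -ne 'Block' -or
            $_.InboundRulesHonoured -ne 'False'
        )
    }
    return (@($gaps).Count -eq 0)
}

function Set-NonDomainInboundBlocked {
    # Off-network (hotel Wi-Fi, friend's LAN, isolated VLAN): nothing inbound, ever.
    Set-NetFirewallProfile -Profile Public, Private -Enabled True `
        -DefaultInboundAction Block -AllowInboundRules False
    # On the corporate domain: default-deny inbound, but honour the explicit
    # management rules (remote admin, logging agents, etc.) the domain profile carries.
    Set-NetFirewallProfile -Profile Domain -Enabled True `
        -DefaultInboundAction Block -AllowInboundRules True
}

Get-InboundExposure | Format-Table -AutoSize

if (Test-NonDomainInboundBlocked) {
    'Public and Private profiles block all inbound connections.'
} elseif ($Enforce) {
    Set-NonDomainInboundBlocked
    Get-InboundExposure | Format-Table -AutoSize
} else {
    Write-Warning 'Non-domain profiles still accept some inbound traffic; rerun with $Enforce = $true to fix.'
}
```

Two caveats for the scoping discussion. The profile in effect is chosen by Network Location Awareness, so the control only holds on networks the laptop classifies as Public or Private; a network it wrongly recognises as the domain gets the permissive profile. And this addresses inbound exposure only; outbound CUI still rides the VPN the poster mentions, and whether host-based blocking counts as "logical separation" for the other devices on the segment is a judgement the assessor makes, so document the configuration and the reasoning in the SSP rather than relying on the setting alone.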