old.reddit.com /r/CMMC/
CMMC

Hello CMMC people! I’m lucky to have stumbled on this forum. I’m trying to better understand CMMC constraints and try to enhance productivity at my company. For some context, I am an electrical and software engineering manager at a small company. We have been working toward CMMC compliance and in the process we have hit some challenging roadblocks. I have been trying to figure out a way to enable work for my group; however, I am struggling to understand the constraints imposed by CMMC. For more context, my group works very close to hardware and, given this, we frequently need admin access to our computers to install software to perform our job. It is challenging because we need to be able to go fast and we are relatively young, so workflows haven’t been fully established. Currently there are only two people in the company that have admin privileges and I am trying to figure out if there is a way to allow certain subsets of people admin access to enhance productivity. For even more context, I am a complete CMMC noob so I may be missing the point altogether. Any advice would be helpful to either better understand or to find a way to work around very strict constraints. It is also worth noting that we do not have any contracts that require CUI data handling; however, we work with companies that do.

submitted by /u/KorrectNewt

In other words, I am looking for someone that hosts email and isn't just a connector piece. I don't want to bring it on-prem, and at the same time I don't even want to know the cost of 365 GCC High for the small amount of email we really do.

submitted by /u/thegreatcerebral

Hello folks. I just recently hit my 2 yr mark in industry and now meet the prereqs to take the CCP exam. I've been a SysAdmin for the past two years with my main focus being developing and implementing my employer's CMMC program. This was mostly a solo effort and we passed our Joint Surveillance Assessment with a full 110 score. I feel like since I have experience getting businesses compliant, the next step is to get my CCP to attest to that and help further my career goals of becoming an assessor down the line. Does this sound reasonable? I plan on lobbying my boss to fund the venture.

submitted by /u/Extension_Lunch_9143

RP

Has anyone here taken the RP training? What is it like? I started down the CCP path last year but after spending some time around here I feel like it would make more sense to be an RP. I work with an MSP that has CMMC clients.

submitted by /u/mordecai412

Weird question. Do you have to enter a SPRS score if you don’t have the -7019 clause but do have the -7012 clause? I thought the -7019 clause was the legal requirement, but we don’t have it on our contracts and management is pushing back.

submitted by /u/Far-Balance-4132

What is the accreditation agency? When I search online, the results are a number of folks providing boot camps and classes, but for some reason I'm finding it difficult to find specific information about who provides the credential. Can anyone help?

submitted by /u/Connect_Catch8927

I've been trying to find some more information on what the security baselines for Windows are for CMMC 2.0. Right now, I am just following the security baselines that Microsoft recommends.

Is anyone doing the same thing or are you following CIS for setting your baselines?

submitted by /u/idrinkpastawater

I am in charge of IT for a small DoD contractor (under 40 people) and I am looking at replacing our on-prem ManageEngine products. We currently have FirewallAnalyzer, Log360, and EndpointCentral. I am considering replacing FirewallAnalyzer and Log360 with Peerless' FedRAMP SIEM. I am also looking at Rapid7 or Trustwave. Any others I should look at? For EndpointCentral I need suggestions. Need something that can do patch management, USB device control, and inventory. Preferably something cloud-based with a FedRAMP version. Recommendations?

submitted by /u/Charming-Actuator498

Scenario – A U.S. subsidiary of a foreign company wants to move into Department of Defense work subject to DFARS 7012. There is a local IT team with the ability to manage users on a local domain controller and rebuild PCs with Intune, but that is about it. The on-premises domain controller syncs with the global Entra ID.

The local team does not handle any networking, server management, or domain administration. They function as IT Field Services, and all network, server, and domain administration is handled by non-US persons based in Europe and India.

What guidance would you give this company? They are subject to ITAR/EAR and a prime contractor is recommending a L2 CMMC Certification.

The only option I see is to separate the US location from the global company.

submitted by /u/Old-Performance-6933

Is the subject matter expert presenting evidence for the controls relevant to their day to day responsibilities liable criminally if they don't pass out for any other reason that could cause criminal liability in this process?

submitted by /u/Serious-Delivery8167

Does putting Windows computers into FIPS mode meet the compliance for controls in the title if the only endpoints users will use are Windows laptops? I see their cryptographic primitive module is FIPS-validated.

https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4687

submitted by /u/uniquemet

Basically what the title says. Right now we are using SharePoint to pretty much store all of our CUI data. We are looking at PreVail as an option. But I wanted to see how other Federal Contractors are handling CUI.

What solutions did you implement or are you looking to implement? What solutions do you have for file sharing?

submitted by /u/idrinkpastawater

If our contract/work order has a flow down requirement to mark CUI in our technical documents, does this include source code? I have been digging through the Executive Order and cannot find clarification on this matter. If we do need to mark source code, or if anyone here currently marks source code, how do you do it? I've seen split opinions on whether the marking belongs in project metadata or perhaps as a header comment in the codebase itself.

submitted by /u/Brando230

These two seem to significantly overlap. Today, which one do defense contractors have to meet? Just one or both? I am confused about what is required. Is NIST 800-171r3 the standard being enforced? Which one is enforcing it, DFARS or CMMC or both?

From what I am reading, NIST 800-171r3 is saying all data from storage to transmission needs to be encrypted. Putting all your network devices in FIPS mode wouldn't even cover this, because site-to-site VPN doesn't cover all layers of transmission. It is only done at the WAN edge, not the internal networks.

Is this asking for something like GlobalProtect that does SSL VPN across all laptops, everywhere?

submitted by /u/toeding

Hello. I have a broad question and would like some input / opinions. Our organization is a Defense Contractor. We have CUI. Nothing is segmented to allow filtration of the CUI (i.e. who sees it). Thus we have to consider all data as CUI. Another caveat to our scenario is we use MECM for device management. Many of the users / devices are remote only so they are difficult to get a good reading on what has been done to the devices since MECM needs physical access to get pivot reports.

We are currently going through a voluntary audit using a C3PAO. This is a huge gig, obviously.

Does anyone have some experience to share or opinions on what you would do?

submitted by /u/Still-Ad-1063

I know this is probably a question with a lengthy answer, but we are on M365 GCC High and we do deal with CUI. We do not own servers and utilize SharePoint as our main form of data storage. How much of NIST 800-171 is covered with M365 GCC High? We have E3 licenses and E5 for admin. I know to look at the Microsoft placemat, but was hoping someone could guide me from experience in the right direction of what needs to get done to be compliant.

submitted by /u/EJRIVERA3

I am trying to figure out around what time we can expect required CMMC assessments by outside assessors.

I found the following two links that estimate it to be around June 26, 2025.

https://natlawreview.com/article/department-defense-issues-proposed-timeline-cmmc-implementation#:~:text=If%2C%20hypothetically%2C%20the%20final%20CMMC,begin%20on%20June%2026%2C%202027.

https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program

Upper management keeps saying it is years away, if at all, and that we most likely will have 6 months to fix any findings. I was hoping to find more updated info on this.

submitted by /u/Any-Promotion3744

This is more of a generic question for the time being, but I am curious. I know for M365 apps they have GCC, GCC High and DoD depending on your use case.

Say you were working with CUI or ITAR data but only had a normal GCC license (or commercial). Would it be sufficient to stay in compliance if you enforced that data never touching any of those apps (i.e. it was only stored on an on-prem server and never went through any of the M365 apps), or does just having that type of data within your company automatically mean you have to move to GCC High, etc.?

Digging deeper into the rabbit hole: say you had the data on-prem and it stayed there, but what if something that was CUI or ITAR was a Word document and you opened it up in Word? It is saved locally, but Word is part of the 365 suite, so would that mean it needs to be GCC High?

submitted by /u/Blindsay24

Hi everyone

I am hoping for some scoping guidance regarding PII.

We have engagements with government agencies requiring us to protect CUI; technically it’s not CMMC, it’s NIST 800-53 (not 171, which surprised us a bit), but CMMC will be showing up in our contracts soon.

We receive basic personal information through our regular sales process, such as first and last names and work email addresses of our government contacts, that is loaded into Salesforce. These are not explicitly labelled CUI, but there are categories of CUI that cover this information, specifically “CUI Category: Privacy Information”.

Do we need to treat this information, and therefore the systems storing and using it (such as Salesforce), as in-scope and thus needing to be FedRAMP compliant?

submitted by /u/reddituserask

I have a B.S. in CS and recently earned my Security+, then was informed about CMMC by a friend. I’ve been reading and watching videos to learn about how to get certified and what certification would do for me. I understand that this is a compliance requirement that enterprises will soon have to meet and they’ll be in need of assessors, which completing a CCP and CCA would qualify me as? If that is all correct, what is the procedure after earning these qualifications? Are there specific job titles, or do I contact security consulting companies, or do you work as a contractor? Just looking for someone to dumb things down a little, as this is a lot of information to consume.

submitted by /u/No-Context6821

I'm reading Douglas J. Landoll's CMMC Assessment Handbook, and he writes on page 29 that the micro-purchase threshold might exempt contractors from CMMC requirements. I'm looking through documents at acquisitions.gov and elsewhere to back this up. In the meantime, can anyone confirm Landoll's assertion and point me toward relevant documentation?

submitted by /u/skipswithscissors

Hello everyone, I passed my CCP exam almost 3 weeks ago and still haven’t received any emails regarding the suitability application. I was informed by CyberAB that the DoD was updating the forms, but I’ve basically received no other information regarding timelines, etc. Is anyone else waiting on this? Pretty frustrating as obviously this is blocking me from doing any CMMC work and the process takes long enough as it is.

submitted by /u/Short-Hope2518

Hi everyone, looking for some assistance in understanding how to provide a Shared Responsibility Matrix. We are a completely virtual environment in GCC High, meaning we "partially inherit" a majority of our controls from Microsoft according to the CMMC 2.0 product placement map. Is the map itself an SRM? Is there somewhere we need to request documentation from Microsoft to provide an SRM? I have access to the Microsoft Service Portal, which provides some documentation, but I'm not sure if it's exactly what I'm looking for.

submitted by /u/Ok-Particular7234