old.reddit.com /r/CMMC/.rss
CMMC
Atom Feed
A coworker and I are struggling to find an answer to this. He believes FedRAMP is intended to apply to any/all federal information that is processed/stored/transmitted in a CSP.

However, if I'm sticking strictly to government sources, the only mandated FedRAMP requirement is in DFARS 7012, and the CMMC FAQ, which applies to CDI and CUI respectively. My understanding of CDI is that it is a subset of CUI, and CUI is a subset of FCI.

In my logic, that means that the FCI that CMMC Level 1 deals with is not subject to requiring a CSP (that is processing/storing/transmitting it for a contractor) to meet any FedRAMP levels.

If anyone has any knowledge or answers for this and can back it up with a source, I'd really appreciate it. Thank you.

submitted by /u/Key_Thought1305

Hi all,

I have a CNC Programmer client that is on a GCC High Tenant. They want to work with a local vendor here in the US that is not on GCC High. There does not appear to be any way to configure the GCC High Tenant to share folders or files to this individual. From my research, there is no way around this limitation.

They were previously using a system called Preveil but had a LOT of problems with it.

I'm curious about your recommendations for them to share files with this vendor.

Thanks,

Paul

submitted by /u/TrainPotential

Hi all

I am a 48-year-old male looking to change careers. I have read about the forecast of demand for CMMC.

However, I do not have any experience with computer science, coding, software engineering, etc. In my 20s I was an aircraft mechanic; I am a private pilot. I went back to school, then did pharma sales. Got an MBA, own a midsize construction firm and founded/exited a crowdfunding platform. I'm a mixed bag.

Can someone like me get into this field? Thank you.

submitted by /u/jbg7676

Hi,

Wanted to know how, in your current organization, you identify and/or label CUI. Is a document already labeled as CUI when you receive it, or does somebody in your organization who receives the document label it as such? Is this done manually, or do you use an automated tool?

submitted by /u/that_so_so_suss

I bet if upper management had to attach their bonus dollars to CUI as a label then it would get the appropriate attention. This would also spur management to buy into the program to track access to these docs. We could use a system like 5 bucks for basic CUI and 100 dollar bills on limited dissemination CUI.

submitted by /u/Keithc71

I would assume many contracts before this main push on compliance occurred were ignored or not followed properly in labeling CUI per the contract specs. I mean, it seems to me that someone should be trained and designated to know the label process in and out, but my previous work for manufacturers suggested people didn't have a clue and probably didn't label CUI in many cases or did it wrong. What happens with these cases?

submitted by /u/Keithc71

Hi folks!

I manage contracts for a NASA contractor and have been keeping an eye on CMMC developments over the last few years. With the final rule now in effect for DoD contractors, I can’t help but wonder when—or if—we’ll see similar requirements creeping into regulations for non-DoD agencies, especially those funded through the NDAA.

In my experience, once requirements like these are established, it’s not long before civilian agencies start adopting them, either directly or with their own variations. I've heard talk of a potential FAR rule that could mandate cybersecurity standards for contractors handling Controlled Unclassified Information (CUI) across all federal agencies.

I’m curious—how do you think these requirements might make their way to non-DoD contractors? Do you think it’ll happen through FAR updates, agency-specific clauses, or something else entirely? Are there any signals that civilian agencies like NASA, DOE, or others are already moving in this direction?

Looking forward to hearing your perspectives and insights!

submitted by /u/Tarpinator

So, we are using a Customer Responsibility Matrix (CRM) with a tool we are using from an ESP. There are objectives that are covered completely by the ESP in that CRM. We are looking at changing our continuous monitoring program to include that new tool. For those objectives, would we still perform continuous monitoring, or would they just be skipped and marked "Responsibility of ESP"? Just curious what everyone else may be doing for this. Thanks in advance!

submitted by /u/SightlySt00pid

Just some gossip I got from a government agent today. Anyone that's used the SCAP and STIGs program knows these things are the best when it comes to hammering down nails in an environment. It automatically creates an action list based on scans it does on local machines and lets you know EXACTLY what needs to be done to get compliant.

submitted by /u/Borgmaster

Hi Folks,

I had a great conversation with Stacy Bostjanick (Director of the CMMC program at DoD CIO) on my podcast, and she said a few things about NIST 800-171 r3 that I thought were very interesting and wanted to share here:

1. Rulemaking for NIST 800-171 r3 has already begun

Yay for more rulemaking!

2. NIST 800-171 r3 ODP Working Group

They have been working on populating the ODPs with the DIB SCC. The next step is to send it through DoD to get concurrence on the recommendations, and then through the Federal CISO Council so that other federal agencies can (hopefully) be on the same page.

She is hoping the ODPs will be part of the rulemaking process so that everyone can comment on the ODP values.

For those who don't know, ODPs are variables in the control text (i.e. lock the system after [x] amount of time of inactivity).

3. DoD's intent is to allow for CMMC 2.0 assessments based on NIST 800-171 r3 environments

Stacy said that if a company was starting from scratch, she'd recommend that they implement NIST 800-171 r3, not r2.

She said they plan to issue guidance (in coordination with the Cyber AB) to C3PAOs instructing them on "how to perform a CMMC 800-171 rev 2 assessment in an 800-171 r3 compliant environment."

I followed up on this, and my understanding is that they plan to map the 800-171 r2 to 800-171 r3 controls / assessment objectives as part of this assessment guidance.

This sounds like it is in the very beginning stages, so keep that in mind. I'm not certain how long it will take for this guidance to go live. It would be a good question to ask at a CyberAB townhall.

I will say that her staff reviewed the episode before it went live, and they didn't ask for this segment to be removed, so they must be pretty certain that is the plan.

Here is the episode in case you want to see the full conversation (NIST 800-171 r3 discussion starts at 37:32): CMMC 2.0 Is FINALLY Here - What Happens Next (with Stacy Bostjanick) - Podcast - GRC Academy

Jacob Hill

submitted by /u/GRCAcademy

CUI

If one has a network diagram referencing systems where CUI is located, does that network diagram then become CUI even though the gov didn't create the diagram?

submitted by /u/Keithc71

This is from the 32 CFR CMMC Final Rule and Scoping Guide for Level 2:

An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset.

Prepare to justify the inability of an Out-of-Scope Asset to process, store, or transmit CUI.

So assuming that the company can justify its VDI client meets the requirements described above, the devices using the VDI client are out-of-scope assets.

How would these out-of-scope assets be treated when looking at Assessment Objectives such as:

AC L1-3.1.1 (c) Devices (and other systems) authorized to connect to the system are identified.

AC L1-3.1.1 (f) System access is limited to authorized devices (including other systems).

IA L1-3.5.1 (c) Devices accessing the system are identified.

IA L1-3.5.2 (c) The identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.

Would it meet requirements to respond with something like the following?

Devices authorized to connect to the system are identified by unique identifiers [… examples here…], except those devices connecting through the company authorized VDI client which is configured to prevent any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client.

System access is limited to devices using the company authorized VDI client, or devices/systems that are specifically identified and authorized to access the system.

submitted by /u/Tiger1641

Can someone please provide clarification on a scenario regarding the role of the Organizational Scope of Certification (OSC) Point of Contact (POC) in the CMMC process?

If the designated OSC POC is not a citizen of the U.S., Australia, NATO countries, or South Korea, would this disqualify them from serving in this role?

Any insights or references to official guidelines would be greatly appreciated. Thanks.

submitted by /u/No_Seaworthiness3349

The small business company I am helping with CMMC: bills are racking up and we want to shift our gears toward the controls for which no POAMs are acceptable. Where can I find a list?

submitted by /u/Razzleberry_Fondue

My firm is thinking of becoming a C3PAO. The website says it would take about 4 months. Does anyone have any experience regarding how long it would take for a company to get accreditation for this if I would still have to get my CCP and CCA? Any insight would be helpful, thanks!

submitted by /u/alamatrix

We are a small subcontracting company located outside the mainland for a military project. We only have at least 7 US citizens and the rest are H-1Bs and H-2Bs. In preparation for CMMC, I'd like to know if an H-1B could manage our CMMC certification.

submitted by /u/vhalavoss

I have an employee who recently retired from the military in a relevant position raising questions about why we make it painful to access information from BYOD. Namely, the Navy's Flankspeed M365 system allows users to access DoD SharePoint that contains CUI from BYOD with the conditional access restriction that prevents downloads. So they can use the web apps in a browser to view and edit CUI documents from an unmanaged device without any virtualized container or VPN.

My understanding was that the DoD had to meet the same NIST 800-171 standards at a minimum as a requirement by congress. If that is the case, is this an option for contractors? How would I address about half of the controls in the SSP that are suddenly not applicable (even though they claim every control is applicable)? Do I just claim a PC is an alternative worksite, or how is the Navy pulling that off?

submitted by /u/imscavok

With the recent release of the CMMC final rule, I'm looking for clarity on the amendments to 48 CFR. Could anyone help outline the key changes, critical deadlines, and the detailed descriptions of the phases and levels involved?

submitted by /u/CryThis6167

Hi all! I received a TJO for an Assessor position for DCMA, currently waiting on background to finish. I was wondering if there were any Assessors in this group that I could chat with and get some insight on how the culture is and what a typical day to day looks like. And even a mentor. If all goes well I'll be a first-time govt employee.

submitted by /u/Mediocre-Cat7217

Are others using conditional access policies to limit access to M365 services in GCC/GCC-H to specific IP addresses? We’ve been discussing whether or not we should restrict access to M365 to addresses that originate from our networks (e.g., managed endpoints on our internal network going through our controlled egress points or managed endpoints on VPN through our controlled egress points).

submitted by /u/biznicchio

Hi,

Small company here (~10 users) looking to get our feet wet in CMMC v2. We are currently licensed with Microsoft 365 GCC G5. There are a lot of controls already in GCC G5 that have been implemented by default, but there's plenty we need to do from a technical standpoint on our side. I found this guide: Microsoft Technical Reference Guide for CMMC 2.0. Is this a decent guide to start with in implementing the technical portion? There's a crap ton to do for sure. Looking to see if there are any other guidelines that will help to implement this.

submitted by /u/andyboy16

CUI

If a business is looking to do DOD contract work and has never done so previously, what would constitute CUI at this stage?

submitted by /u/Keithc71

For those of you who have deployed BitLocker in FIPS 140-2 compliance, how are you backing up your recovery keys? I cannot for the life of me figure out how to do this with available GPO settings. Are you automating it with PowerShell? If so, are you then able to see the recovery key in AD for the computer, or are you saving the keys to a file share? The GPO setting "Choose how BitLocker-protected operating system drives can be recovered" does not appear to have an option to only back up the recovery key to AD DS, unless I am missing something? Since recovery passwords cannot be used, do I leave this GPO setting not configured? At this point I think I have tweaked the GPO in every way possible and have not been able to get BitLocker to go silently. My Google-fu has been failing me.

TIA

submitted by /u/xp_sp3