old.reddit.com /r/CMMC/.rss
CMMC

This is from the 32 CFR CMMC Final Rule and Scoping Guide for Level 2:

An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset.

Prepare to justify the inability of an Out-of-Scope Asset to process, store, or transmit CUI.

So assuming that the company can justify that its VDI client meets the requirements described above, the devices using the VDI client are out-of-scope assets.

How would these out-of-scope assets be treated when looking at Assessment Objectives such as:

AC L1-3.1.1 (c) Devices (and other systems) authorized to connect to the system are identified.

AC L1-3.1.1 (f) System access is limited to authorized devices (including other systems).

IA L1-3.5.1 (c) Devices accessing the system are identified.

IA L1-3.5.2 (c) The identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.

Would it meet requirements to respond with something like the following?

Devices authorized to connect to the system are identified by unique identifiers [… examples here…], except those devices connecting through the company authorized VDI client which is configured to prevent any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client.

System access is limited to devices using the company authorized VDI client, or devices/systems that are specifically identified and authorized to access the system.

submitted by /u/Tiger1641

Can someone please provide clarification on a scenario regarding the role of the Organizational Scope of Certification (OSC) Point of Contact (POC) in the CMMC process?

If the designated OSC POC is not a citizen of the U.S., Australia, NATO countries, or South Korea, would this disqualify them from serving in this role?

Any insights or references to official guidelines would be greatly appreciated. Thanks.

submitted by /u/No_Seaworthiness3349

The small business company I am helping with CMMC: bills are racking up, and we want to shift our gears toward the controls for which no POA&Ms are acceptable. Where can I find a list?

submitted by /u/Razzleberry_Fondue

My firm is thinking of becoming a C3PAO. The website says it would take about 4 months. Does anyone have any experience regarding how long it would take for a company to get accreditation for this if I would still have to get my CCP and CCA? Any insight would be helpful, thanks!

submitted by /u/alamatrix

We are a small subcontracting company located outside the mainland for a military project. We only have at least 7 US citizens, and the rest are H1Bs and H2Bs. In preparation for CMMC, I’d like to know if an H1B could manage our CMMC certification.

submitted by /u/vhalavoss

I have an employee who recently retired from the military in a relevant position raising questions about why we make it painful to access information from BYOD. Namely, the Navy's Flankspeed M365 system allows users to access DoD SharePoint that contains CUI from BYOD with the conditional access restriction that prevents downloads. So they can use the web apps in a browser to view and edit CUI documents from an unmanaged device without any virtualized container or VPN.

My understanding was that the DoD had to meet the same NIST 800-171 standards at a minimum as a requirement by congress. If that is the case, is this an option for contractors? How would I address about half of the controls in the SSP that are suddenly not applicable (even though they claim every control is applicable)? Do I just claim a PC is an alternative worksite, or how is the Navy pulling that off?

submitted by /u/imscavok

With the recent release of the CMMC final rule, I'm looking for clarity on the amendments to 48 CFR. Could anyone help outline the key changes, critical deadlines, and the detailed descriptions of the phases and levels involved?

submitted by /u/CryThis6167

Hi all! I received a TJO for an Assessor position for DCMA, currently waiting on background to finish. I was wondering if there were any Assessors in this group that I could chat with and get some insight on how the culture is and what a typical day to day looks like. And even a mentor. If all goes well, I’ll be a first-time govt employee.

submitted by /u/Mediocre-Cat7217

Are others using conditional access policies to limit access to M365 services in GCC/GCC-H to specific IP addresses? We’ve been discussing whether or not we should restrict access to M365 to addresses that originate from our networks (e.g., managed endpoints on our internal network going through our controlled egress points or managed endpoints on VPN through our controlled egress points).

submitted by /u/biznicchio

Hi,

Small company here (~10 users) looking to get our feet wet in CMMC v2. We are currently licensed with Microsoft 365 GCC G5. There are a lot of controls already in GCC G5 that have been implemented by default, but there's plenty we need to do from a technical standpoint on our side. I found this guide: Microsoft Technical Reference Guide for CMMC 2.0. Is this a decent guide to start with in implementing the technical portion? There's a crap ton to do for sure. Looking to see if there are any other guidelines that will help to implement this.

submitted by /u/andyboy16

CUI

If a business is looking to do DOD contract work and has never done so previously, what would constitute CUI at this stage?

submitted by /u/Keithc71

For those of you who have deployed BitLocker in FIPS 140-2 compliance, how are you backing up your recovery keys? I cannot for the life of me figure out how to do this with the available GPO settings. Are you automating it with PowerShell? If so, are you then able to see the recovery key in AD for the computer, or are you saving the keys to a file share? The GPO setting "Choose how BitLocker-protected operating system drives can be recovered" does not appear to have an option to only back up the recovery key to AD DS, unless I am missing something? Since recovery passwords cannot be used, do I leave this GPO setting not configured? At this point I think I have tweaked the GPO in every way possible and have not been able to get BitLocker to go silently. My Google-fu has been failing me.

TIA

submitted by /u/xp_sp3

Open-Source Power BI Tool for CMMC Assessments

Hi everyone,

I wanted to share an open-source project I’ve been working on that I hope will benefit the DIB community. It’s a Power BI tool designed to help organizations manage CMMC compliance and security control assessments.

The tool allows you to combine multiple Excel-based assessments into a single scope, making it useful for managing security controls across multiple facilities, computer groups, or any other people, process, or technology assets within a CUI enclave. It also includes a POA&M template integrated with the main assessment dashboard, featuring drill-through capabilities.

The dashboards offer core GRC features like tracking assessments, linking controls to evidence and owners, and monitoring POA&M status and updates. Since most organizations already use Microsoft 365, the Power BI Service is easy to add, with a free trial available or it can be run locally with Power BI Desktop.

The project is available as an open-source resource, and I’d love feedback from the community or collaboration on additional features. I’m also working on related projects like a Risk-Based Vulnerability Prioritization app and a MITRE ATT&CK assessment template.

If you’d like to check out the project, here’s the GitHub repository, where I’ve also included setup instructions and a demo. Please let me know if you have any questions or suggestions; I’m happy to help where I can.


submitted by /u/ILikeBagels_

When auditors come to review, do they ask you what your CUI is, or do we tell them? How would they know? If we are told some items are CUI, but believe they are not, do we get to make a case with the auditors? How does this part work?

submitted by /u/Razzleberry_Fondue

My company doesn't ever use paper CUI. Any CUI that would come in to the company would be handled and stored digitally. Consequently, we are planning to write in the PE section of our SSP that it is our policy not to authorize the printing or storage of any physical CUI, that we provide employees with specific training instructing them not to handle physical CUI, and that we will have our in-scope systems configured to prevent connections to any printers. Is that allowed, or would we be required to still have the capability to handle physical CUI?

submitted by /u/cagorpy

How are you making sure that "personnel are adequately trained to carry out their assigned information security related duties, roles, and responsibilities"?

I've gone through 800-181 NICE Framework and the Workforce Framework for Cybersecurity (NICE Framework) | NICCS, along with the DoD's DoD 8140 spreadsheet. And we're not mature enough to follow these. We got a lot of people just winging it and only 2 or 3 out of 20 that are actually qualified by the DoD 8140 standard.

Also, the OSC has not allocated funds to train current staff or outsource any security related duties to a service provider.

submitted by /u/superfly8899

Is there a resource anywhere where I could see a specific example of a software port/protocol allow or deny list (essential/non-essential)? I realize they will be different for each organization, but I’d really love to see a sample that I can build on.

submitted by /u/dh_burbank

Our C3PAO has offered to do a “mini-mock assessment” of our evidence, prior to our early 2025 assessment.

Considering that we have those in GCC High SharePoint, which disallows Guest access, any solid advice on an approach to give them a look at the folders?

submitted by /u/Necessary-Army-4097

Note: This is absolutely not intended to be salesy. Moderator, please feel free to remove if you feel otherwise. I thought this was helpful insight from a small business that just passed their CMMC Level 2 assessment. None of the products discussed are from my company.

I wanted to share a real-world perspective from a small business in the DIB that recently successfully completed their CMMC Level 2 assessment. They faced the usual financial and operational burdens but took a unique approach to IT infrastructure, passing their assessment using Google Workspace—without any Microsoft products. We were discussing this in passing with him, and he agreed to share his team's experience in an interview.

Here’s their take:
"So I'm gonna say that again for all the people that tend to post on LinkedIn that it's impossible to use Google for CMMC. We passed the DOD CMMC assessment using Google Workspace with zero Microsoft products whatsoever."

There’s a lot of misinformation suggesting Microsoft GCC High is the only solution, but their experience shows otherwise. For those in similar situations, their journey offers valuable insights.

For more on their strategies and challenges, including a full interview, here’s the blog post: CMMC 2.0 Title 32 Goes Live: A Reality Check from the Front Lines.

I hope this may be helpful for those of you still on the journey that are contemplating whether you can make this work with Google Workspace or not.

submitted by /u/mmorps

Just as the title reads. Have a user that needs to remote in from home and use their computer.

Basically VDI but not "V" and hosted behind our Firewall.

Is there an application for that or what is the best way that is CMMC 2.0 L2 compliant?

submitted by /u/thegreatcerebral

We’re a small business (~20 employees) with 4 corporate computers potentially handling CUI, while 95% of our government work is done on GFE. Based on our assessment, we identified the need for a SIEM solution, a move from Google to Microsoft 365 GCC High, local computer MFA implementation, advanced antivirus with centralized reporting, establishing group policies for local computers, and a firewall device.

However, the quotes for implementation and ongoing costs feel like overkill—seeming to require a full SOC for just 4 computers. For those who’ve successfully navigated the CMMC Level 2 process, what are your insights? Any strategies to balance compliance with practicality?

submitted by /u/DataRowHero

I’m curious if anyone knows how CMMC applies to joint ventures. If a JV is bidding on a contract that has the CMMC requirements, would both companies have to be compliant? I’m assuming they would have to be.

submitted by /u/Charming-Actuator498

Has anyone here hired C3 Integrated Solutions for achieving CMMC compliance? If so, can I hear more about your experience? Costs? Process? Thank you in advance!

submitted by /u/Pure-Vegetable-4863