At a minimum, every 3 years for Level 2, but sooner if there’s a significant change to your environment. Per the CMMC Level 2 Scoping Guide (Page 11, under “Separation Techniques”), that means changes to your architecture or assessment boundary, like:

• Mergers or acquisitions
• Changes to CUI scope or boundaries
• Shifts in how or where CUI is stored, processed, or transmitted

If the change materially impacts your assessed environment, a new assessment is required. Bottom line: your Affirming Official is responsible for determining if a change is “significant,” and that decision carries real weight (including False Claims Act implications). Always document changes and check with your C3PAO if you’re unsure. They can give a professional opinion, but not advisory direction.

Treat your SSP like a living document, not a trophy.

Review it at least during your annual risk assessment, and update it whenever meaningful changes happen to your environment, tooling, policies, boundary, assets, or service providers. If the environment changed, the SSP should catch up reasonably soon, especially for anything security-impacting.

A good artifact is easy to map, easy to trust, and easy to verify.

It should be clearly labeled, tied to the control, current, and consistent with your policy, SSP, and actual system behavior.

The reason that matters is that assessors validate controls through examine, interview, and test, so the best artifacts support the story across all three, not just as a random screenshot dump.

If you allow printing of CUI, you pull the physical domain into the assessment, which usually means an onsite visit during an assessment.

Best practice is to keep printing limited, controlled, and intentional: restrict who can print, place printers where output is not exposed to unauthorized people, secure printed CUI like any other media, and have a process to ensure nothing is left sitting in trays. 

FedRAMP is about the cloud service. CMMC is about your implementation.

A FedRAMP-authorized provider can help satisfy part of the requirement, but it does not make the contractor automatically compliant.

If a CSP processes CUI, it must meet the applicable FedRAMP requirement, and the OSC still has to document the relationship, define responsibilities in a CRM/shared responsibility model, and secure everything that remains the contractor’s job.

Cybersecurity costs should be built into your bid rates, that was always the intent. When DFARS 7012 came out, the DoD made it clear they expected rates to increase to account for these new requirements. The reality is many companies didn’t raise rates to stay competitive and are now feeling that gap.

• If you have multiple contracts, the most practical approach is to spread costs across contracts and CAGE codes over the 3-year certification period.
• If you only have one contract, those costs will hit much more directly.

Bottom line: your proposal and contracts team needs to track and allocate these costs properly so you’re not absorbing them out of pocket.

Not automatically, but it’s not automatically okay either.

Microsoft shows Azure OpenAI in scope for FedRAMP High and DoD IL4/IL5 in Azure Government. But here’s the catch: Azure Gov being FedRAMP High does NOT mean everything running in it is CMMC-safe.

CMMC cares about your actual implementation, including:

• Whether the service is within your authorized boundary
• How CUI is handled and flows
• Your shared responsibility model
• Whether you can defend the use in your SSP and assessment evidence

Bottom line: authorized service ≠ approved use case.

Play it safe. Don’t put CUI into OpenAI, even in Azure Gov, unless you’ve fully validated the service, boundary, data flow, and contract/customer expectations.