CMMC Connect

Monthly replays & FAQs

Listen to our CMMC Connect podcast replays to hear our experts dive deep into the most pressing questions from each session. 

Prefer a quick read? You can find concise summaries of key questions and answers below the podcast link.

CMMC Connect is best experienced live! This is just a recap; join us live for access to the (very) active chat and real-time Q&A.

We’re on every last Thursday, 1–2 PM ET!

March 2025

Are there any suggestions for how to really know if you are ready for an assessment...

…to avoid failing right out of the gate and thereby costing double for the assessment (assuming you even get it right the second time)?

Start with a good internal gap assessment. That’s where you figure out whether what you’re doing actually aligns with what the assessors are going to look for. But even more importantly, test your evidence. Pretend you’re under assessment and go find the documents, policies, and screenshots. Can you actually produce them on demand? That’s the difference between ‘I think we’re ready’ and actually being ready.

 

Would using Azure OpenAI with CUI data in an Azure Gov environment go against CMMC compliance?

Azure Government holds a FedRAMP High authorization, but that does not automatically make every service running inside it CMMC-safe. We don’t yet have clarity from DoD or the Cyber AB on how to evaluate these models for CUI. So play it safe: don’t put CUI into Azure OpenAI, even in Azure Gov.

If you are using a cloud SaaS application for vulnerability scanning, does the vulnerability data need to be stored in a FedRAMP cloud?

Yes, if that vulnerability data relates to systems that store, process, or transmit CUI. That information becomes sensitive by association, and if the scanning tool stores it, the tool needs to be in a FedRAMP-authorized cloud or equivalent. If it only returns results locally and does not store anything, that’s a different story.

Could zero-knowledge cloud platforms (e.g., password managers, GRC tools) be considered compliant if they have no access to the unencrypted data? Would they be acceptable for CUI or only SPD/FCI?

Zero-knowledge platforms are interesting. The problem is, from a compliance standpoint, it’s not just about what the provider can see, it’s about where the data is stored. If they’re a cloud service, they still need to be FedRAMP authorized to store or process CUI, even if it’s encrypted. For FCI or SPD, the bar is a little lower, but you’d still want contractual assurances and good security hygiene.

Until the new requirement shows up in a contract, are we considered compliant with 7012 as long as all our subs (that we share CUI with) have an SPRS entry and can demonstrate they are working toward certification?

You’re not going to get dinged on compliance if your subs have an SPRS score and can show they’re working toward implementation. CMMC requires third-party validation, yes, but 7012 has relied on self-attestation. So if the subs have an SSP and a POA&M and are tracking their progress, that is aligned with DFARS expectations as of March 2025.

I'm a bit confused about GCC vs GCCH requirement: If I process CTI, do I need GCC or GCCH? Other than ITAR, when is GCCH required?

If you’re dealing with CTI that has a no-foreign-national restriction, you’re in GCCH territory. For regular CUI, GCC is acceptable. GCCH becomes necessary when there’s an ITAR component or a DFARS clause that imposes stricter access control. Look at the contract and the flowdown. That’s where the answer is.

Expectations of agencies and assessors of requirements governing "basic research"

Basic research is usually exempt from DFARS 7012, and by extension, CMMC. But that’s only if the research is truly fundamental and not tied to specific DoD deliverables. The problem is when it starts as basic research and then morphs into something applied or specific—then you’re in scope. Always check with the KO or contracting office.

How should we handle situations where CUI might be embedded in common components like bolts or fans used in both DoD and commercial projects?

If a bolt is used in a DoD program, it becomes CUI when associated with that project. The same bolt used commercially is not CUI. It’s the context and use that determine whether it becomes CUI, not the part itself.

What are the rules for non-U.S. persons handling ITAR data in labs or technical environments?

Non-U.S. persons cannot access ITAR-controlled technical data unless specifically authorized (for example, under an export license). Even if a lab is ITAR-restricted, the technical staff supporting anything involving ITAR data must be U.S. persons.

What about LAN encryption—do internal (LAN) communications need to be FIPS encrypted?

LAN encryption isn’t explicitly required, but any data leaving the boundary must be protected with FIPS 140-2 validated encryption. Internal controls and segmentation still matter.

Can non-FedRAMP applications (like Meraki clients) be used in CUI environments?

Any cloud service that stores or transmits CUI must be FedRAMP authorized or equivalent. If you’re unsure about whether something like a Meraki client touches CUI, treat it as in-scope until proven otherwise.

February 2025

Is VPN a must for remote users (staff and vendors) or are there other solutions available, i.e., ConnectWise SASE?

VPNs are highly recommended, especially when staff are traveling (airports, hotels). However, alternatives exist, like Virtual Desktop Infrastructures (VDIs), which can take laptops out of scope. If using any remote solution to protect CUI, it must have FIPS 140-2 validated encryption.

Expectations regarding CMMC phased rollout...

While the rollout period is officially specified as 3 years, what should subcontractors be prepared for in terms of flow-downs from bigger primes which may be directly impacted earlier in the rollout?

The three-year phased rollout is a DoD implementation timeline, but primes are not bound by it. Some primes are already requiring all their subcontractors to be Level 2 to strengthen their bids. If a prime requires it, you need to comply earlier than the official rollout.

 

How can we address contracts or agreements where the Fed Agency or Non-Federal Sponsor with Fed flow down sends us CUI that is not explicitly specified in a contract?

If you receive unexpected CUI, protect it immediately and notify the sender. Best practice: do not reply to the email that contained the CUI (a reply usually quotes the original and re-transmits it). Instead, send a separate message informing the sender that they sent CUI. Once the proposed FAR CUI rule is finalized, contracting officers will be required to specify in the contract what CUI is covered.

Recovering cost in future contracts

Implementation costs were considered covered under DFARS 7012, but assessment costs can be factored into future contracts. The DoD expects some cost increases due to compliance, and primes will need to account for these expenses in their bids.

Customer responsibility matrices - available for every FedRAMPed ESP?

Yes, every FedRAMP-authorized Cloud Service Provider (CSP) should have a Customer Responsibility Matrix (CRM) as part of their Authority to Operate (ATO) package. However, these matrices are typically not public. You must request them, often under NDA. If an ESP or MSP refuses to provide a CRM, it is a red flag.

Understanding the approved solution stack.

There is no official “approved” solution stack. The only firm requirement is that CSPs must be FedRAMP authorized (or equivalent). If a provider claims they are on an “approved” list, they are not being truthful—there is no such list.

Subcontractor CMMC compliance challenges for the Prime contractor.

Primes face challenges ensuring their subcontractors remain compliant. Some primes give their subs access to GRC tools (e.g., Cyturus, FutureFeed) to monitor compliance. If a sub fails an assessment, it can jeopardize the prime’s contract.

Integration with Enclave with ERP solutions and onsite printing - how to be compliant.

Printing: Secure print solutions (badge-based release) are recommended. If that is not available, enforce a policy under which staff check the printers and remove any printouts containing CUI daily.

ERP: Keep the ERP outside the CUI boundary if possible. If CUI must be in the ERP, ensure proper safeguards and documentation.

A fellow CCP waiting for my T5 to be acknowledged…

…so I can get in on assessments and obtain my CCA. Just wanting to hear other viewpoints. Looking for any gotcha’s for a small company completely leveraging GCCH and Office 365.

 

Suitability investigations (T5/T3) are severely delayed; some applicants are waiting six months or more. This is a major bottleneck for the ecosystem, and there are ongoing discussions with DoD to fix it. Contact the CAICO for status updates.

How does PII need to be covered in order to comply with CMMC? If we use a third-party HR software, does that third party need to be compliant as well?

If PII is classified as CUI under your contract, then your HR software provider must also be compliant. If it is cloud-based, it must be FedRAMP authorized or equivalent.

What are, and how do consequences elevate for non-compliance?

Non-compliance means you can’t work! Just kidding, kind of. This is not a future rule: NIST 800-171 has been required for years under DFARS 7012. The phased rollout means delays will only hurt your eligibility later.

How to document and execute requirements surrounding the 13.2 b & f - secure software development techniques

Secure software must be developed in an isolated environment, following procedures defined in the SSP, which assessors will check.

Examples of identifying essential and nonessential functions…

…Identifying ports/protocols/services. (We have identified firewall policies on the firewall, must we copy these policies into an excel?) Can we simply identify any nonessential service as anything that is not identified as essential? Exceptions or acceptable levels of least user privilege in small shops with 3-5 IT guys? (domain admin on the entire IT team is acceptable?)

 

Identifying Essential vs. Nonessential Functions & Ports/Protocols/Services:

Essential functions are those necessary for business operations and security. Examples include domain controllers, authentication services, and email servers.

Nonessential functions can be identified as anything not explicitly marked as essential. Instead of listing all nonessential services, it’s acceptable to state that any service not identified as essential is considered nonessential.

If you’ve already identified ports, protocols, and services within firewall policies, you do not need to manually copy them into an Excel sheet. A screenshot or a live demonstration during an assessment should suffice.
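Added example (not from the original page or the podcast): a small Python script that derives the ports/protocols/services artifact for 3.4.6/3.4.7 from an existing firewall rule export instead of retyping it into a spreadsheet. It applies exactly the rule stated above: anything the firewall permits that is not in the essential-services register is nonessential. The CSV export format, the rule names and the essential-services register are constructed for illustration; real vendor exports differ, so `parse_rules()` would be adapted to the actual format.

```python
"""Derive the ports/protocols/services (PPS) artifact for NIST SP 800-171
3.4.6/3.4.7 from an existing firewall policy export.

Added example, not from the original page. The export format below is a
constructed, hypothetical CSV (name,action,proto,port,description); real
exports differ, so adapt parse_rules() to your vendor.
"""
import csv
import io

# Constructed sample: an "allow/deny" rule export after cleanup.
FIREWALL_EXPORT = """\
name,action,proto,port,description
allow-dns,allow,udp,53,Internal DNS resolution
allow-kerberos,allow,tcp,88,Domain controller authentication
allow-ldaps,allow,tcp,636,Directory lookups over TLS
allow-smtps,allow,tcp,587,Outbound mail via GCC High
allow-telnet,allow,tcp,23,Legacy switch management
allow-ftp,allow,tcp,21,Old file drop
deny-all,deny,any,any,Default deny
"""

# The organization's essential-services register (constructed). Everything the
# firewall permits that is NOT in here is nonessential by definition.
ESSENTIAL = {
    ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos",
    ("tcp", 636): "LDAPS",
    ("tcp", 587): "SMTP submission (TLS)",
}


def parse_rules(export_text):
    """Return the permit rules as (proto, port, name, description) tuples."""
    rules = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["action"].strip().lower() != "allow":
            continue  # deny rules do not expose a service
        port = int(row["port"]) if row["port"].isdigit() else row["port"]
        rules.append((row["proto"].lower(), port, row["name"], row["description"]))
    return rules


def classify(rules, essential=ESSENTIAL):
    """Split permitted services into essential and nonessential lists."""
    essential_hits, nonessential = [], []
    for proto, port, name, desc in rules:
        key = (proto, port)
        if key in essential:
            essential_hits.append((proto, port, essential[key], name))
        else:
            nonessential.append((proto, port, name, desc))
    return essential_hits, nonessential


def pps_table(rules, essential=ESSENTIAL):
    """Render the artifact an assessor can read: one line per permitted service."""
    ess, non = classify(rules, essential)
    lines = ["proto port  function             status"]
    for proto, port, function, _ in ess:
        lines.append(f"{proto:5} {port:<5} {function:<20} essential")
    for proto, port, name, _ in non:
        lines.append(f"{proto:5} {port:<5} {name:<20} NONESSENTIAL - disable or justify")
    return "\n".join(lines)


if __name__ == "__main__":
    print(pps_table(parse_rules(FIREWALL_EXPORT)))
```

Attach the output (or the raw export plus this script) as the artifact; the NONESSENTIAL rows are the ones to disable or to justify in the SSP.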

Exceptions & Acceptable Levels of Least Privilege in Small IT Teams:

In small IT teams (3-5 people), strict role separation can be challenging, but best practices should still be followed.

A better alternative to giving everyone domain admin access is to assign primary and backup responsibilities. For example:

Network devices: One person as primary, another as backup.

Cloud services: A separate primary and backup.

Having all IT members as domain admins is generally not acceptable unless there’s strong justification and compensating controls (such as logging and monitoring).

What is the best way to mark files and folders on a server as CUI?

Follow the NARA Marking Handbook or the DoD Marking & Labeling Guide. During assessments, assessors will check that documents containing CUI are marked properly. They typically do not review entire folder structures, but they will verify compliance when reviewing a sample document.

What is the process for challenging a contracting officer's (KO) decision if they say CUI is required in a contract, but we believe it should not be?

You can appeal the KO’s decision to the next level. Most contracts include a DFARS clause by default because CUI may be generated later, even if it is not present at contract award. Check the contract details and escalate if necessary.

What options exist for Canadian or non-U.S. companies that support the DoD but cannot use GCC High?

Since GCC High is only available in the U.S., international companies usually certify their U.S.-based subsidiary or partner first. Microsoft is aware of the issue and may develop global solutions, but no official alternative exists yet.

How does AC.3.1.8 relate to using Intune for mobile device management?

Intune is commonly used for pushing security policies and managing mobile devices. Assessors may request a full device list, not just screenshots, to verify compliance. This is also cross-checked with user training records.

What happens if a contractor’s suitability investigation (T3/T5) is delayed?

Suitability investigations can take up to six months, slowing down assessments. The CMMC community has asked DoD to allow third-party background checks, but for now, you can check your status with the CAICO office.

If we host Dynamics CRM, Business Central, and other Microsoft products in a commercial Azure environment, do we need to move them to GCC High?

If these systems store, process, or transmit CUI, they cannot remain in commercial Azure, even though it meets NIST 800-171. They must be moved to GCC or GCC High, depending on data sensitivity.

January 2025

Does 3.2.2 "provide security awareness training on recognizing and reporting potential indicators of insider threat" apply to all users or just those with InfoSec. focused roles?

3.2.2 does not specifically address insider threats (that falls under 3.2.3), but security awareness training applies to all users and staff, not just InfoSec personnel. Those who directly handle CUI should receive more specialized training.

What are the expectations of agencies and assessors of requirements governing "basic research"?

In a nutshell, whether it’s basic or advanced research, it all depends on the terms of your contract. If your contract includes a DFARS 7012 clause, the DoD expects CUI to be part of the work. If you’re unsure whether your research involves CUI, your best resource is your contracting officer (your “KO”). The standard form in the proposed CUI FAR rule may also help clarify this.

How should we reconcile reporting requirements between DFARS/CMMC and what needs to be reported where and when?

It all depends. If the newly proposed Federal CUI rule remains as written, the reporting timeframe will decrease from 72 hours to 8 hours (or one business day) from discovery to incident reporting. That’s a significant change. However, SPRS reporting requirements remain unchanged and continue to be an annual obligation.

Will there be a way to quantify the requirements outlined in 32 CFR Part 170.5 ?

The question is a little ambiguous. But from a scoring perspective, point values are available for each requirement. There are nuances from FIPS/MFA, but the scoring breakdown is available to everyone and we are happy to discuss them with you if needed.

Would you recommend including screenshots of policies as artifacts within your SSP for each control or simply reference the relevant section and paragraph within that policy?

As assessors, we prefer to have both the policy section and the full policy itself. The more context and documentation, the better!

Is there a minimum cost for an assessment, or can smaller companies reduce certification costs?

CMMC is a compliance framework that requires you to demonstrate strong security practices. Certification costs depend on the complexity and scope of your company, including factors like onsite visits, whether your operations are on-premises or in the cloud, and more. One way to reduce costs is by leveraging a cloud environment or minimizing your CMMC footprint to a single environment.

Jeremy is happy to discuss a quote with you one-on-one!

How can a company determine if they are ready for an assessment to avoid failing and paying twice?

Think of it like creating a path through a maze for the mouse to reach the cheese: you need a clear plan and documentation. Structure your system around the 320 assessment objectives, outlining them in your SSP and policies. Organize your evidence carefully so that none of the 320 objectives is overlooked.

Redspin offers a Technical Mock Assessment, where one of our assessors reviews only the 3- and 5-point items—those that cannot be “POA&Mable.” We verify that they are implemented in a compliant manner and determine whether each is “met” or “not met.” Please note that this is a mock assessment, so we cannot provide consulting.

Are ESPs required to be certified even if they don't have DoD projects?

Certification requirements depend on the type of data an ESP stores, processes, or transmits, rather than whether they have a direct DoD contract. However, there is growing interest in certification. There are different opinions on this topic, and we recommend listening to the full discussion in the podcast replay, this question is addressed at 18:24.

What is the definition of CUI and when is it no longer considered CUI? How do I identify if my company is developing CUI?

The National Archives and Records Administration (NARA) best defines CUI; its CUI Registry is a good place to start. When is CUI no longer considered CUI? That decision is up to the Executive Agent (which isn’t always the DoD) responsible for that specific CUI. It’s important to distinguish between designation and classification: CUI is designated by a contracting officer (KO), and its status depends on contractual obligations and security requirements. The standard form requirement in the proposed CUI rule will help clarify this.

How to scope your CMMC assessment to include CMMC asset types and control applicability?

The CMMC Level 2 scoping guide from the DoD is a great starting point. Taking a CCP course can also be helpful, but if you’re getting started, focus on identifying what stores, processes, or transmits CUI within your organization. Map out the data flow of your CUI and consider the security protection assets in place within that scope. Also, think about ways to narrow your scope to simplify compliance.

Can you recommend any tools to help manage evidence?

There are many tools available! The first that comes to mind is Cyturus, a GRC tool backed by The Cyber AB. When choosing a tool, response time is key—setting it up can be challenging, so you’ll want something with fast support. If you’re using a tool for CMMC compliance, make sure it has features to help you manage compliance even after certification before committing.

How should printers be diagrammed in CMMC assessments, and what are best practices for on-site printing when using GCC High?

If you’re allowing the printing of CUI, it brings the physical domain into scope, which means your assessor will need to conduct an onsite visit. Many organizations are shifting toward secure printing solutions. One common approach is designating a specific group authorized to print, with a designated individual conducting nightly walkthroughs to ensure no CUI is left unattended. There are many ways to implement secure printing effectively. 

For a company that works 100% remote and uses cloud services for day-to-day operations, what is the best way to write your justification statements for the physical controls that are not applicable?

If you completely lock down your environment (disabling printing, USBs, and mobile devices) you can remove the physical domain from scope, eliminating the need for an onsite visit.

However, instead of marking requirements as “not applicable” (which requires CIO approval), document them as addressed by your controls. For example, if cell phones are blocked, state that they are blocked rather than marking them as “not applicable.”

For organizations operating entirely in the cloud, you can document that all operations occur within GCC High, with nothing maintained physically. However, if you allow printing or removable media, the physical domain comes back into scope.

When documenting, keep it simple, just answer the questions directly. No need to overcomplicate it!

I'm a bit confused about GCC vs GCCH requirement: If I process CTI, do I need GCC or GCCH? Other than ITAR, when is GCCH required?

GCC meets all the requirements for CMMC Level 2 certification when handling CUI Basic.

However, when dealing with CUI Specified, ITAR, or other restricted data types, GCC High is required.

If you handle NOFORN data, you must use GCC High.

If you are using a cloud SaaS application for vulnerability scanning, does the vulnerability data need to be stored in a FedRAMP cloud?

If no on-premises environment is in scope, the cloud environment and FedRAMP requirements apply. For more considerations and a more detailed discussion and  on this topic, check out the podcast replay starting at 36:29.

What are your insights/expectations of the impact of AI on sustaining CMMC/NIST compliance?

One possible implementation is using AI for continuous monitoring. Requirement 3.12.3 (monitor security controls on an ongoing basis) is where AI could play a role.

Ultimately, you need full visibility into where your data is going: if you feed it into an AI service, you must understand where that service sends it and what it does with it.

December 2024

Who needs to get certified at each level? What are the best practice approaches and rough timelines for achieving each level?
  • Level 1: Contracts without DFARS 7012 requirements can self-attest. This is mostly for organizations handling only Federal Contract Information (FCI).
  • Level 2: Most contracts with DFARS 7012 require Level 2 certification, especially those involving Controlled Unclassified Information (CUI).
  • Level 3: Still unknown. This is a DIBCAC-led assessment and will most likely be a flowdown requirement from your prime or come from direct DoD involvement.
How can companies balance compliance needs with programs that go beyond cert requirements?
  • Utilize cloud solutions for inherited security controls.
  • Minimize the CUI scope to simplify management and ensure cost-effectiveness.
  • Consider having internal staff trained as CCPs to maintain long-term compliance.
I want to take CCP/CCA courses...

Awesome! 

  • Courses must be taken through Licensed Training Providers (LTPs) listed on the Cyber AB website.
  • CCP is a prerequisite for CCA certification.
  • Organizations should consider training at least one or two staff members as CCPs for foundational CMMC knowledge.
I'm having issues wrapping my head around the purpose of scoring...

…If a 1-point control isn’t met, you POA&M it, correct it, and re-assess. If a 3 or 5-point control isn’t met, the audit is over (FAIL). I could see scoring the 1-pointers…in other words, if you have too many 1-pointers not met, then they should probably fail you. But why the 3 and 5-points…why score them at all?

 

  • 3-point and 5-point controls are pass/fail and cannot be included in a POA&M, unlike 1-point controls.
  • Scoring helps achieve a 110-point maximum, but missing critical controls results in failure.
  • These rules ensure readiness but can increase costs and delays.
What percentage of control compliance is enough to POA&M and keep operations going?
  • A minimum score of 88 out of 110 (80%) is required for Level 2 certification with a POA&M; anything below that is a failure.
  • Exceptions include a few specific controls, listen to the podcast episode for more detail!
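
Added example (not from the original page): the scoring and POA&M logic described in the two answers above, in Python. Point values follow the DoD NIST SP 800-171 Assessment Methodology (each requirement is worth 1, 3 or 5 points; 3.5.3 MFA and 3.13.11 FIPS-validated encryption score 3 instead of 5 when partially implemented), but the `POINTS` table is a constructed subset and should be checked against the current methodology before use. It encodes the page's simplified rule (any 3- or 5-point item not met is a failure) and deliberately does not model the specific exceptions the podcast discusses.

```python
"""Level 2 scoring and POA&M eligibility logic from the answers above.

Added example, not from the original page. POINTS is a constructed subset of
the 110 requirements with values taken from the DoD NIST SP 800-171 Assessment
Methodology (verify against the current version). Assumption: any requirement
not listed in `not_met` is fully implemented.
"""

MAX_SCORE = 110   # all 110 requirements met
PASS_SCORE = 88   # 80% of 110: minimum for certification with a POA&M

# requirement -> point value (constructed subset; 1, 3 or 5 per the methodology)
POINTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.4": 1, "3.1.5": 3, "3.1.6": 1, "3.1.7": 1,
    "3.1.8": 1, "3.1.9": 1, "3.1.10": 1, "3.1.11": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.2": 3, "3.4.6": 5, "3.4.7": 5, "3.5.1": 5, "3.5.2": 5,
    "3.5.3": 5, "3.8.3": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}

# The "FIPS/MFA nuance": these two score 3 rather than 5 when partially done
# (MFA only for privileged/remote access; encryption in use but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}


def deduction(req, partial=False, points=POINTS):
    """Points lost for a requirement that is not fully met."""
    if partial and req in PARTIAL_CREDIT:
        return 3
    return points[req]


def score(not_met, points=POINTS):
    """not_met maps requirement -> True if partially implemented, False if not at all."""
    return MAX_SCORE - sum(deduction(r, p, points) for r, p in not_met.items())


def outcome(not_met, points=POINTS):
    """'pass': everything met. 'conditional': only 1-point gaps and score >= 88,
    so the gaps go on a POA&M. 'fail': any 3- or 5-point gap, or score below 88."""
    if not not_met:
        return "pass"
    if any(deduction(r, p, points) > 1 for r, p in not_met.items()):
        return "fail"          # 3- and 5-point items are pass/fail, never POA&M'd
    return "conditional" if score(not_met, points) >= PASS_SCORE else "fail"


if __name__ == "__main__":
    gaps = {"3.1.20": False, "3.5.3": True}   # external connections; partial MFA
    print(score(gaps), outcome(gaps))        # partial MFA still costs 3 points
```

The point of the `outcome()` ordering is the answer to the question above: a high score does not save you, because a single 3- or 5-point gap is checked before the 88-point threshold is ever consulted.
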
Phone system compliance, does it have to be FIPS or NIST compliant? Is Kaseya EDR/RMM compliant?
  • Phone systems must comply with FIPS or NIST standards only if they process, store, or transmit CUI (e.g., voicemail or call recordings that contain CUI). Non-CUI systems may be out of scope.
  • For tools like Kaseya EDR/RMM, compliance depends on vendor-provided evidence (e.g., FedRAMP authorization or equivalency documentation).
What makes a good artifact?
  • Artifacts should be:
    1. Clearly labeled, including control numbers and relevant details.
    2. Clean and easy to review without unnecessary information.
    3. Relevant and consistent with organizational policies.
  • Avoid submitting unrelated or outdated evidence.
What is the process for JSVAP participants receiving CMMC certification?
  • Certificates are issued via eMASS starting January 2, 2025, depending on whether DoD or C3PAOs upload the assessment data.
CMMC and FedRAMP???
  • FedRAMP: Validates external service providers for secure DoD data handling.
  • CMMC: Focuses on internal organizational security for handling DoD information.
  • Both emphasize compliance but address different aspects of the supply chain.

November 2024

What are the CMMC boundary considerations when you have separate systems/environment for Level 1 and Level 2. i.e: MS GCC High Level 2 and MS Commercial for Level 1. Talk about cloud-based ERP vendor compliance.

For separate environments like MS GCC High (Level 2) and MS Commercial (Level 1), boundaries depend on what the system stores, processes, or transmits (CUI or FCI). Start with identifying assets related to CUI and define the boundary, often at a firewall or demarcation point. Consider external service providers (CSPs, MSPs) as part of your scoping efforts.

Talk about defining assets and scoping guidance. Mainly, how would I determine the difference between a security protection asset and a specialized asset?

Security protection assets are those directly related to protecting CUI. Specialized assets, like isolated machinery or proprietary systems, may not meet all controls but require defined usage and access limitations. Ensure clear documentation and isolation.

How do I get hold of the latest CAP version? It's not on CyberAB today (Nov. 14th, I might have it by the time this call starts).

The latest CAP (version 5.6.1) was only available through CCA training. A new version compliant with 32 CFR is in the final stages of review and should be available before December 16, 2024.

As an MSP with no DoD clients, how can we best prepare for Level 2 compliance? Yes, we know we don't have to, but we would like to be. Is building an enclave the best route for a small MSP and allow that to be the scope for the 3rd party assessment?

Building an enclave can simplify scope, but tools like ticketing systems might expand the scope. Engage with a C3PAO to align your scope with compliance needs and consider whether a full or partial enclave is best.

Talk about the basic mechanics of how we can make the life of an auditor easy i.e: organization of the SSP, pictures, graphs, artifacts...

Organize your SSP around the 14 domains and 110 controls, linking evidence clearly to objectives. Include clear diagrams (network and data flow) and avoid unnecessary navigation between documents. Naming conventions and access to linked evidence help assessors.

Talk about approaches to handling endpoints that are on unsupported operating systems running proprietary software or specific software versions that are not supported in newer operating systems.

Isolate such systems with VLANs, apply access controls, and ensure zero-trust principles. Address this in risk assessments and provide compensating controls like segmenting and enhanced security configurations.

Is MFA required for WiFi access as part of CMMC compliance?

MFA is not required for WiFi access. Protect WiFi networks with WPA2 or WPA3 using AES-CCMP encryption (not WEP or TKIP), and ensure guest WiFi is isolated from internal networks.

What is the best way to prepare evidence and documents for a CMMC compliance audit to ensure a smoother process?

Use a structured folder system: organize by domain, then by control, and include evidence directly tied to objectives. Reference cross-domain evidence where applicable.

Mapping to CMMC level 3 - looking for a matrixed table that shows all controls and their linked relationships.

No official matrix exists yet. Start with NIST 800-172 requirements (Level 3). Use a workbook to map controls and objectives.

October 2024

What is your best guess on when the effective date for 48 CFR will be?

Based on updates, the 48 CFR rule is anticipated to become effective in late Q1 or early Q2 of 2025. The rule has cleared necessary review stages, indicating a probable start in spring 2025. This aligns with a typical phased rollout approach.

Can we wait until mid-2026 to get certified without risking a C3PAO assessment not happening and preventing a prime contract win?

It’s risky to wait until mid-2026, especially if you’re both a prime and a subcontractor.

Prime contractors are likely to start pushing down certification requirements by 2025 to ensure they meet the phase two rollout. For companies operating exclusively as primes, it might be feasible to delay until late 2025, but it’s not without risk, especially with provisions allowing for early certification based on contract sensitivity.

 

Should we aim for Level 2 or Level 3? What is the "real" bar-raiser for Level 3?

Level 3 certification is generally expected for only the top 1% of contracts, often for high-stakes sectors like nuclear or classified operations.

If your company deals with highly sensitive DoD information or critical systems, preparing for Level 3 might be wise. Otherwise, Level 2 may suffice, but decisions should be contract-specific and guided by the contracting officer.

Do we need to label every document every user creates, including documents that don’t contain CUI? Is there certain language in the 7012 and 7021 clauses that help determine Basic vs. higher levels?

Defining CUI often depends on the contracting officer’s designation in each contract. Typically, only information directly tied to the contract’s sensitive parts needs to be marked. For practical purposes, when unsure, treat data as CUI and label it accordingly until further clarification is available. Specific terms in clauses 7012 and 7021 can clarify CUI expectations, with additional guidance available on the NARA website.

Definition and safeguarding of FCI data: What level of safeguarding is necessary for FCI information?

FCI (Federal Contract Information) generally includes contract and related documents, requiring Level 1 safeguarding. This scope is broader than CUI but only requires basic protections, not the full extent of CUI-level security measures. Treat FCI with essential safeguarding but without the rigorous controls required for CUI.

How do we handle building access for emergency responders (police, fire) if they are not authorized to view CUI?

Emergency responders are typically out of scope for CMMC requirements since they are not federal contractors. Therefore, no additional background checks are necessary. Treat emergency personnel as out-of-scope for CMMC assessments.

Suggestions on formatting an SSP and including helpful diagrams?

An SSP should clearly outline operational workflows, boundary controls, and CUI data flow. Including as much detail and as many diagrams as necessary will streamline the assessment process. Consider converting the final document into a PDF with diagrams to illustrate these elements clearly. Referencing assessment guides can provide specific content expectations.

Is CNC G-code considered CUI, especially in contexts where OT uses G-code?

The G-code itself isn’t necessarily CUI. However, data like specifications or design inputs that inform the G-code may be classified as CUI. Thus, focus on securing the information used to generate the G-code rather than the G-code itself.

Can you discuss the quality of C3PAOs?

The quality of C3PAOs varies, so choose one that aligns with your company culture and has experience. Look for C3PAOs that have a strong background in CMMC, extensive knowledge of DIB requirements, and a collaborative approach to assessments.

 

Recommended solutions for DLP and O365 GCC High, and coversheets for CUI printing?

Options like YubiKey for multi-factor authentication and solutions compatible with GCC High environments for data loss prevention (DLP) can help secure O365. For printed CUI coversheets, follow standard templates as required by contract guidelines or DoD templates.

FedRAMP Equivalency: Why require CMMC equivalency with a federal authorization framework?

FedRAMP equivalency offers smaller cloud providers access to DoD contracts without full FedRAMP certification, which is resource-intensive. This approach maintains security while allowing more providers to support the defense industrial base without monopolizing the market.

Is CCP certification worth the investment?

Yes, the CCP certification can be highly beneficial, especially for at least one individual in every contractor organization pursuing a CMMC Level 2 certification. Not only does it assist with preparation for the certification, but it also equips that person to develop an ongoing compliance maintenance program. After achieving Level 2 certification, organizations enter a three-year recertification window where they must continuously archive evidence to demonstrate compliance. Having a CCP-certified individual on the team helps ensure readiness for this, as they can effectively manage the necessary compliance documentation and processes.

Are CMMC 2.0 flow downs relevant for COTS subcontractors?

Commercial off-the-shelf (COTS) items are generally not in scope unless specifically modified or configured for a federal contract.

As a small company with limited resources, how can we leverage available tools and resources efficiently?

Focus on scope reduction—store, process, and transfer CUI in a minimized infrastructure where feasible. Many requirements can be met through manual processes, especially for smaller organizations. Use free resources like DIBNet, assessment guides, and contract requirements to prioritize cost-effective solutions.

September 2024

Can you share an update on where CMMC is at, and where to start for organizations just beginning to look into becoming CMMC compliant?

The CMMC rule (32 CFR) has finished its review and is now in the prep stage for Congress to review. The public comment period for the related 48 CFR rule is still ongoing and closes on October 15th. Organizations new to CMMC compliance should immediately contact a C3PAO because many are already backlogged, and certification could be delayed until 2025. It’s important to reach out now to get on the schedule, even if you’re not ready for certification yet.

How many days to expect editing after close of Public Comments (48 CFR)? Last (32 CFR) was done in less than 60 days, [Christmas-Valentines] so could this rule be edited/published by Thanksgiving?

The editing period depends on the volume of public comments received, but past experiences show that highly technical rules can be edited in less than 60 days. It’s possible that this rule could be edited and published by Thanksgiving, depending on the comment volume.

Is MSFT 365 in Government Cloud enough to meet the security of CUI communications? Or, is there a unique configuration needed?

Microsoft 365 Government Cloud (GCC) has the foundation to meet or exceed CMMC requirements, but it must be properly configured and managed. Unique configurations may be needed depending on the client’s specific environment, technology usage, and how the tools are implemented.

Is there any way to make my Microsoft commercial cloud instance work to meet CMMC requirements? If not, how hard is it to lift and shift to Gov Cloud?

Technically, for CMMC Level 1, you may use Microsoft Commercial Cloud, but Microsoft strongly advises against using it for any government-related data. For CMMC Level 2 (involving CUI), you must move to Government Cloud. The complexity of lifting and shifting depends on the environment, data, and integrations involved, but it is generally doable.

What's the most common licensing tier needed in Gov Cloud for Microsoft, and what services provide the mainstream security required by CMMC?

The most common licensing tiers are G5 or G3 with G5 security add-ons. The services needed vary by the client’s specific requirements and could include things like Azure virtual desktops or virtual servers, depending on how the company operates and manages CUI.

I have DFARS 252.204-7012 in a contract, but no CUI as part of that project or anywhere else. I do have FCI in the system. Does the 7012 requirement mean I should comply with Level 1?

If you have DFARS 252.204-7012 in your contract but no Controlled Unclassified Information (CUI), you may only need to comply with CMMC Level 1, which applies to the protection of Federal Contract Information (FCI). However, the presence of CUI in the future could change this requirement, so it’s crucial to assess your environment regularly and know the type of data you handle.

In performing CMMC assessment scoping, do you consider encrypted data as CUI data?

Encrypted data is still considered CUI unless it is specifically excluded or marked otherwise. During CMMC assessments, the focus is on how the data is protected, not whether it is encrypted. CUI remains CUI even if encrypted, and assessors will check if it is properly marked and handled, as well as how encryption is applied.

Controlling printed CUI material - especially for a construction company/Identifying CUI data flows

For a construction company, printed CUI material must be physically controlled. This includes limiting access, secure storage when not in use, and preventing unauthorized access.

For data flow, the organization must identify where CUI enters, is processed, and exits the system. Understanding these flows is critical for setting the scope of the assessment and ensuring proper protections.

Does an IT consultant fall into scope as a Security Protection Asset at Level 2 if they have admin privileges to a CUI network?

IT consultants with admin privileges to a CUI network are not typically considered security protection assets themselves. However, their access is governed by controls related to access control, identification, authentication, and audit requirements under CMMC, ensuring only authorized personnel handle CUI.

Who bears the ultimate responsibility when a contract with a prime does not require the supplier to be CMMC Level 2 compliant, but the prime still shares CUI with the supplier by mistake, and that CUI is later compromised from the supplier's infrastructure?

If a prime contractor shares CUI with a supplier by mistake, which is then compromised from the supplier’s infrastructure, the incident must follow established incident response processes. This includes notifying the DoD within 72 hours and preserving relevant data for investigation. Responsibility ultimately lies with the party handling the data, but legal counsel should be consulted to clarify obligations.

Sub Processors and ensuring CMMC compliance across cloud services (Salesforce, O365, etc...)

For ensuring CMMC compliance with cloud services like Salesforce or O365, it’s essential to configure these services properly and confirm they meet FedRAMP Moderate or equivalent standards. A shared responsibility matrix should define which controls are handled by the cloud provider and which are the client’s responsibility. The correct configuration of the cloud services is vital to meeting CMMC requirements.

How is the Government reacting to the high cost to small businesses to prepare for and get assessed for CMMC compliance?

The government has taken steps to help small businesses by offering resources like Manufacturing Extension Partnership (MEP) centers, which provide training and support. Additionally, some compliance-related costs can be submitted as allowable costs under certain contracts. Small businesses are encouraged to use these free resources and work with reputable providers to minimize the burden of compliance.

August 2024

When are we able to get certified and when are we required to get certified (earliest possible contract requirement)?

When will subcontractors need to be fully (no POA&M) self-certified to receive awards of certain government contracts?

Certification can start once the rule is finalized, which is expected around September 2024. Joint surveillance assessments are anticipated to end at that time, allowing formal CMMC certifications to begin. Contractual requirements, enforced through 48 CFR, may start as early as March or April 2025, depending on the sensitivity of the contract.

Subcontractors may be required to be fully certified (with no Plans of Action & Milestones, or POA&Ms) by prime contractors as soon as CMMC goes live. Prime contractors can impose certification requirements on their subcontractors at any time once CMMC becomes mandatory, and it’s likely that primes will push to get their subcontractors certified before the DoD formally includes CMMC requirements in its contract. 

A common point of confusion is the difference between fiscal year and calendar year in government timelines. When the DoD refers to Q1 of 2025, they mean the fiscal year, which begins on October 1, 2024. This is often misinterpreted as the calendar year, but in reality, CMMC requirements could begin to appear in contracts as early as October 2024.

What is the current landscape for JSVAP?

Since everyone is expecting 32 CFR to be out in October, will we be able to schedule a JSVAP in the time between 32 CFR being published and it going into effect?

As of August 2024, Joint Surveillance Assessments (JSVAPs) are still being scheduled through October 2024, with a major ecosystem stress test planned during the week of October 21-25, 2024. During this test, 30 assessments will take place. However, there is uncertainty about whether JSVAPs will continue after the CMMC rule (32 CFR) is finalized, which is expected to happen around September or October 2024.

Scheduling JSVAPs After 32 CFR is Published: Once the rule is published, it’s expected that CMMC certifications will begin, and JSVAs may no longer be conducted. Therefore, the opportunity to schedule a JSVAP between the publication of 32 CFR and when it goes into effect may be very limited. It’s recommended to schedule assessments as early as possible before the final rule is published, as the transition from JSVAPs to formal certifications is anticipated to happen quickly.

Costs to small businesses to become CMMC 2.0 certified?

How small businesses can get CMMC certification without breaking the bank.

The costs for CMMC certification will vary depending on the scope and complexity of the business’s environment. Factors like the number of locations and the scope of CUI data involved will influence the assessment cost. Small businesses can reduce costs by minimizing their CUI footprint.

Can CMMC compliance be achieved in commercial cloud?

CMMC compliance in commercial cloud environments (e.g., Microsoft Commercial Cloud) may not meet certain requirements, particularly for more sensitive types of CUI data. It is recommended to use GCC or GCC High for environments dealing with CUI data with dissemination limitations.

Does Redspin have a solution to host small business for CUI and if so, how does that work?

Redspin offers cloud solutions and Managed Service Provider (MSP) services for CUI hosting. They do not host clients in their own enclave, but they can assist with consulting and help small businesses prepare for CMMC certification.

BYOD: Allowed as an in-scope asset as a view only (i.e., view-only to a secure cloud CUI enclave)?

If so, what would the specific control requirements be (e.g., administrative: AUP/owner security responsibility, technical via organization mdm, etc.)?

BYOD (Bring Your Own Device) can be allowed, but it requires strict controls, especially when accessing a secure cloud enclave. This includes controlling the flow of CUI data to devices and implementing encryption, audit logs, and strict security policies. VDI (Virtual Desktop Infrastructure) may also be a solution to restrict device capabilities. 


  • Administrative Controls:
    • Acceptable Use Policy (AUP): Establish and enforce an Acceptable Use Policy that clearly defines the security responsibilities of the device owner and what actions are permitted when accessing the CUI enclave.
    • Owner Security Responsibility: Device owners must be informed and held accountable for adhering to security protocols, including reporting any potential security incidents or device loss.
  • Technical Controls:
    • Mobile Device Management (MDM): Implement an organization-wide MDM solution to manage and secure BYOD devices. This ensures that security settings, such as encryption, password policies, and remote wipe capabilities, are enforced on all devices accessing CUI.
    • Virtual Desktop Infrastructure (VDI): Use VDI to limit the interaction between the device and the CUI. VDI allows for a virtual environment where the device acts only as an interface (keyboard and display) while keeping CUI securely within the cloud.
    • Encryption: Ensure all data transmitted to and from the device is encrypted, both at rest and in transit, to maintain the confidentiality of CUI.
    • Access Control: Implement role-based access controls (RBAC) to restrict access to CUI based on job function and ensure that only authorized personnel can view CUI.
    • Audit Logs: Continuously monitor and audit device usage logs to ensure no unauthorized actions are being taken and to maintain compliance with security requirements.

When does equipment need to be in FIPS mode and when does it not?

FIPS mode should always be enabled when handling CUI. The only exception is when devices have been upgraded to FIPS 140-3, which is still in the testing phase.

When is NIST going to make mobile application security part of the audit since so many of the DIB do business via mobile devices and hold data there?

While this is a growing concern, it is up to NIST to decide when mobile application security will be formally included in audits. However, the issue has been raised, and organizations are encouraged to contact NIST directly for guidance via email to: cyber4R&D@NIST.gov.

Difference between CMMC 2.0 and FedRAMP Moderate Equivalency Memo

CMMC 2.0 looks inward, focusing on how organizations protect their own environments and CUI data, while FedRAMP focuses outward on the authorization of cloud services to operate securely in external environments. FedRAMP uses NIST 800-53, while CMMC uses NIST 800-171.

What training and training certificates are mandatory for Level 1 and for Level 2?

For Level 1, general user training based on industry best practices is sufficient. For Level 2, organizations need more targeted training, including security and CUI-specific training for all employees, and role-based training for administrators and executives.

How can we identify CUI or what is our obligation if they are not marked CUI?

If CUI is not marked, organizations should reach out to their contracting officers for clarification. In the meantime, it’s better to err on the side of caution and treat the data as CUI until confirmation is received.

In Performing CMMC Assessment Scoping, do you consider encrypted data as CUI data?

Yes, encrypted data is still considered CUI, as encryption only protects the confidentiality of the data, not its classification.

How much of the CMMC program is geared towards different types of data centers?

The CMMC program applies to all types of data centers, whether owned by the organization or a colocation. The primary concerns are physical protection and technical controls, such as cameras, badging systems, and access control.

How will this affect organizations that are in Partnership Intermediary Agreement with the government rather than a government contract?

Organizations under Partnership Intermediary Agreements should review their contracts to determine whether cybersecurity requirements like DFARS 7012 or NIST 800-171 apply. If these clauses are included, CMMC will likely be required.

What are appropriate tools for our CMMC program - the collecting of artifacts, creation of SSP, basically a file repository? Smartsheet, Teams, Apptega, SmarterD? What controls should be considered when making a decision for what to use?

There is no specific requirement for using particular tools to manage CMMC compliance. Organizations can use whatever tool works best for them as long as they meet control objectives and can document evidence of compliance. This can include tools like Smartsheet, Teams, or Apptega.

July 2024

Will FCI now be considered CUI and have to be treated as such, when a company in the DIB graduates from just being NIST 800-171 compliant, in order to achieve CMMC Level 2?

Thomas: FCI and CUI are two separate designations of data. When you’re going through CMMC Level 2, it doesn’t eliminate your Level 1 responsibilities because CMMC builds on the levels. For example, to achieve Level 3, you must first schedule and pass Level 2.

Level 1 focuses on FCI, and once all updates are made into SPRS, you will need to update those requirements annually. Is this documented? Absolutely. However, I can’t provide the document numbers off the top of my head, and Tara might be disappointed in me for that, but there are distinct regulations governing this.

In short, FCI will not become CUI, as they are different designations of data.

I had a C3PAO tell me that they will charge extra if we have any POA&Ms that they have to come back and re-evaluate. So, having POA&Ms is not really an option for us small companies with very limited funds and resources...

…Is that C3PAO operating normally by charging extra?

Tara: This situation highlights the importance of thoroughly reading your contracts with any prospective vendors providing CMMC assessment services. Here are some key questions you should be asking your C3PAO:

  • What happens if there is an item that needs to be placed on a POA&M, and someone has to come back in 180 days?
  • Is that covered by the outlined costs in the fee breakdown?

As an OSC, it’s not just your right but also your responsibility to clarify these things. At Redspin, we strive to be as transparent as possible with our fees, but it’s essential to understand these details with any C3PAO you work with. If a C3PAO demands a high fee to validate or close out a POA&M, you do have options. Under the CMMC assessment process, you can choose another C3PAO if you find their fees unreasonable. Often, other C3PAOs may offer more competitive pricing for such tasks.

How do we flow down CMMC requirements to subs who are not willing or able to invest as necessary to become compliant?

Jeremy: The simple answer is, you don’t. You either find new subcontractors or apply enough pressure for them to implement the necessary changes and become certified. If you’re flowing down DFARS 7012 requirements, your supply chain must comply with CMMC requirements, just like your team. They will need to get certified as well. If they refuse, you may need to find a new vendor to fill that role within your supply chain. I’ve encountered this issue frequently with clients, especially when dealing with MSPs. Some MSPs may say, “You’re our only DIB client, so we’re not going through CMMC just for you.” In such cases, clients have had to find new vendors to perform those services. Ultimately, CMMC compliance is a series of business decisions, and you might need to part ways with long-time partners if they’re not willing to participate in CMMC.

What are the best ways to vet suppliers to determine their capabilities of protecting CUI?

Jeremy: This question ties into the previous discussion on flow downs and supply chain management. Once the CMMC rule is live and assessments are in place, the easiest way to vet your suppliers will be to check if they are CMMC compliant. Until then, the tried-and-true method is using security questionnaires. While they may not be the highlight of our day, they serve a very valid purpose. If you have a supply chain of subcontractors to whom you’re flowing down DFARS 7012 requirements, it’s essential to have a vendor management program in place. Don’t just send out the questionnaires—ensure they get completed and returned. Review the answers thoroughly, and don’t hesitate to follow up with additional questions. For instance, if a supplier provides an answer that needs more detail, ask for clarification or their plans to improve on areas that don’t meet your standards. Until CMMC certifications are fully operational and easily trackable, these security questionnaires remain your best bet for vetting suppliers.

Is the CMMC rule going to incorporate portion marking?

Tara: So, I think portion marking is often misunderstood. Whenever you have a question about how to mark our documentation or any media, the best place to start is nara.gov. NARA, the National Archives and Records Administration, is the executive agent over the CUI program. They make all the rules and decisions regarding how to mark things. Now, about portion marking: it’s a way to further delineate types of CUI or other classified data within a document. It’s not required, though. You can choose to mark your entire document as CUI or whatever classification applies without using portion markings. However, if you decide to use portion markings, you need to do it consistently. This means marking each table, figure, drawing, and paragraph separately to show how each part should be handled. So, while portion marking isn’t mandatory, if you use it, you must apply it consistently throughout the document.

Will NIST provide an updated SSP template and SPRS calculation sheet for rev. 3 of NIST SP 800-171?

Robert: Not at this time. NIST SP 800-171 Rev 3 will not be incorporated into the CMMC program for at least a year, likely until the end of next calendar year. This delay is due to the extensive updates needed. The rule and associated documents must first be realigned with NIST SP 800-171 Revision 2. As part of this transition, all the assessor training and documentation will need to be updated. There’s a lot to be done, so it won’t be happening soon. However, I believe Vicki and Ron from NIST are already working on a new document that can be used once the updated version becomes active within the CMMC program. But as of now, there’s nothing available for anyone to use.

What are the consequences of not doing CMMC?

Jeremy: If you have a CMMC requirement, and choose not to pursue CMMC, the consequence is that you will no longer be eligible for DoD contracts. It’s a straightforward decision, but it involves more than it seems at first glance. CMMC compliance is a business decision. I’ve spoken to companies where DoD contracts make up a minimal part of their business, and they chose to let those contracts go instead of pursuing CMMC. On the other hand, for companies where DoD contracts are a significant portion of their business, it makes complete sense to pursue CMMC. Be aware that CMMC is not going away. It will become a contractual requirement for newly issued contracts, particularly Level 2 contracts involving CUI. These requirements will be part of Phase Two of the rollout. In Phase Three, CMMC requirements will be retroactively incorporated into multi-year contracts already in place. So, if you want to do business in the defense industrial base, CMMC compliance will be necessary. Opting out of CMMC means opting out of the DIB space entirely.

At what point could CUI not be considered CUI?

Thomas: The short answer is that it’s considered CUI until the executive agent says otherwise. The executive agent is the only one who can change the designation of CUI information. Now, will a single line still be considered CUI? The line itself, no, but in the context of the contract, if it was provided to you as CUI, it remains CUI until the executive agent changes it. If you encounter such a situation, you need to have a conversation with your contracting officer. However, keep in mind that the contracting officer or even the DoD may not be the executive agent. They might be working with other departments, like the Department of State or other branches within the DoD, and will need to seek clarification from the executive agent. CUI is a federal designation created to facilitate communication and information sharing between different federal agencies. This sometimes requires going not just up the chain within the DoD, but also laterally to other organizations.

References & Resources:
  • Jeremy referenced a hot take in July of folks asking for a quick, easy CMMC Implementation Strategy checklist. Well, we created one!
  • Tara referenced good practices to vet a C3PAO. Check out our “5 Time-Saving Tips for Evaluating an MSP, ESP, or C3PAO” white paper
  • Written by Tara, this collection of CMMC Assessment Interview Guides is packed with questions you/your team could be asked during an assessment (there are 14 individual guides, 1 for each of the 14 domains)
  • Tara shared an image in the chat: CMMC Asset Categories Overview
  • We’d love your feedback! Please fill out our CMMC Connect Follow-Up Survey

June 2024

What is your estimate of the 800-171 Revision 3 class deviation timeline...

How long will it last? Are we required to be compliant with NIST 800-171 Revision 3 for CMMC Level 2, once the CMMC rule is effective?

Currently, we will continue to follow Revision 2. The exact timeframe is uncertain at this moment. However, we are aware that there are changes between Revision 2 and Revision 3. For more details, please refer to the white paper linked here. We are not required to comply with NIST 800-171 Revision 3 for CMMC Level 2 at this time.

In Performing CMMC assessment scoping, do you consider encrypted data as CUI data? How long will it last?

Yes. The data doesn’t change whether it is encrypted or not. CUI data remains CUI data regardless of its encryption state.

When will CMMC be finalized? Will it be required for non-DoD work, if so, what are targeted agencies and timeline?

The DoD has been aiming for the end of the fiscal year 2024 (September 30th, 2024) for CMMC finalization. As of today (July 1st), the DoD is adhering to this timeline, with the latest update indicating that all 32 CFR public comments have been adjudicated. The rule has now progressed back to OIRA/OMB. Will it be required for non-DoD work? We don’t know yet, but there are rumors that other agencies might adopt CMMC once it is finalized. We are closely monitoring the Department of Education and other agencies for any mention of “NIST 800-171,” as this could indicate a shift towards CMMC. Recently, the General Services Agency (GSA) issued a solicitation specifically referencing “CMMC,” which is a significant indication. Given that CUI is a designation, it wouldn’t be surprising if CMMC appears in requirements from other agencies for reciprocity.

Can second or third-tier subcontractors qualify for a JSVA?

Yes, we have assessed subcontractors under JSVA. Subcontractors do have DFARS 7012 requirements. If you are wondering if you qualify, reach out to us!

May 2024

Our users are using Remote Desktop to connect to GCC High (CUI) AVD machines using un/pw/mfa. Do the machines the users connect from fall in scope?

Maybe. When considering scoping, you are looking at the boundaries of your assessment. You can use solutions like remote desktop, VDI, etc., for CMMC implementation. If you do not want your endpoints to be in scope, you must lock down those virtual instances to ensure that nothing can be copied or saved from that virtual interface. If you can achieve this, prove it, and demonstrate it, then your endpoints would not be in scope. However, if capabilities such as copy and paste, download, print, or screenshotting are still enabled, then your endpoints are likely still in play. It all depends on how tightly you lock down that remote or virtual interface.
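The lockdown described in this answer (and in the VDI bullet under the BYOD question above) has to be provable at assessment time. Below is an added example, not from the podcast or Redspin, of a PowerShell audit script for a Windows session host that reads the standard Terminal Services policy values controlling clipboard, drive, printer and device redirection, reports which paths are still open, and can optionally close them; it assumes the standard policy key path and value names shown, and it does not cover AVD screen-capture protection, which is configured separately.

```powershell
# Added example (not the original page's or Redspin's code): audit the
# Remote Desktop / AVD session-host policies that decide whether a remote
# session can move data back to the connecting endpoint. Each value is a
# DWORD under the standard Terminal Services policy key; 1 means the
# redirection is blocked. Run as Administrator on the session host.
# Read-only unless -Remediate is supplied.
[CmdletBinding()]
param(
    [switch]$Remediate   # when set, write 1 for every check that is not enforced
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value name -> the endpoint capability it blocks when set to 1.
$Checks = [ordered]@{
    fDisableClip     = 'Clipboard redirection (copy/paste to the endpoint)'
    fDisableCdm      = 'Drive redirection (saving/downloading to local disks)'
    fDisableCpm      = 'Client printer redirection (printing on the endpoint)'
    fDisableLPT      = 'LPT port redirection'
    fDisableCcm      = 'COM port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection (USB storage)'
}

function Get-SessionRedirectionStatus {
    # One row per policy value; Enforced is $true only when the value is exactly 1.
    foreach ($name in $Checks.Keys) {
        $value = $null
        if (Test-Path $PolicyKey) {
            $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Setting  = $name
            Blocks   = $Checks[$name]
            Value    = if ($null -eq $value) { '(not set)' } else { $value }
            Enforced = ($value -eq 1)
        }
    }
}

function Set-SessionRedirectionBlocked {
    # Write the policy values directly; a domain GPO setting the same values is equivalent.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Checks.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

$status = @(Get-SessionRedirectionStatus)
$status | Format-Table -AutoSize

# Keep a timestamped copy of the report as assessment evidence.
$evidence = Join-Path $env:TEMP ("rdp-redirection-audit-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
$status | Export-Csv -Path $evidence -NoTypeInformation

$gaps = @($status | Where-Object { -not $_.Enforced })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} redirection path(s) still open: {1}" -f $gaps.Count, ($gaps.Setting -join ', '))
    if ($Remediate) {
        Set-SessionRedirectionBlocked
        Write-Host 'Policies written; re-run without -Remediate to regenerate the evidence report.'
    }
} else {
    Write-Host "All checked redirection paths are blocked. Evidence saved to $evidence"
}
# Not covered here: AVD screen-capture protection and watermarking, which are
# host-pool / separate policy settings and must be evidenced on their own.
```

Registry values written under the Policies key take effect for new sessions, so existing sessions should be signed out after remediation before the evidence run.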

What is the best solution for subcontractor information sharing and compliance?

There are many good solutions for this, but one that stands out is a GRC (Governance, Risk, and Compliance) tool like Cyturus. The Cyturus CRT tool allows you to map data back to one another and offers many other useful features. Another example of a GRC tool is FutureFeed. Tools like these let you store your documentation (such as your SSP) and other documents, then grant your subcontractors access. Any time they make a change, the tool provides a warning so you can review it. This approach ensures secure information sharing and compliance management.

Are there prerequisites for CCP training?

There are no prerequisites for CMMC Certified Professional (CCP) training itself, but there are requirements if you plan to sit for the CCP certification.

One prerequisite is having a college degree or 2 years of equivalent experience. It is also suggested that you have a certification such as CompTIA Security+.

You must complete the CCP class before taking the CCP exam. If you want to go further and become a CMMC Certified Assessor (CCA), there is another set of requirements. For more details please visit:

  • CCP training
  • CCA training
  • The Cyber AB’s CCP Blueprint

How can I get upper management to understand we shouldn't be waiting for CMMC to finalize?

This is always a challenge, right? The bottom line is that CMMC is merely a validation of requirements that are already in place. Upper management should be aware of this. By getting certified now, you are giving yourself a competitive advantage for bidding on contracts. The advantages of being proactive are significant compared to waiting, especially with potential logjams that may occur after rulemaking becomes final. If you wait to get certified until CMMC becomes final, you might end up in a queue for certification that could potentially last a year or two, depending on how things go. Another option is to get on a call with us! We are happy to learn about your unique business and explain the CMMC process to your leadership. At the end of the day, if you want to participate in the DIB space and secure DoD contracts, CMMC will provide you with a competitive advantage, particularly if you are a subcontractor. Subcontractors will see CMMC requirements in contracts from their primes long before the DoD mandates them. We have already heard from subcontractor clients that their primes are telling them the first to get CMMC certified will get all the primes’ business for 2025, and they will reassess in 2026 once things settle down. So there you go.

April 2024

Download Slides

This month, we answer audience questions such as flowdown requirements for subcontractors, timeline enforcement, and more… Tune in to learn.

March 2024

Download Slides

The group covers answers to audience questions including email requirements, sharing data when it comes to parent/child companies, and much (MUCH) more…


February 2024

Download Slides

We discuss the reality of the CMMC timeline, 48 CFR vs. 32 CFR, enclaves for small businesses, then open the floor to Q&A.


January 2024

Download Slides

A special 1 hour kickoff event covering the CMMC proposed rule, updates, timelines, and essential information. Then, our team hosts an interactive ‘Ask Me Anything’ (AMA) session addressing inquiries on MSP/ESP certification, training, CUI scoping, DIBCAC High certification, and more.
