…to avoid failing right out of the gate and thereby costing double for the assessment (assuming you even get it right the second time)?

Start with a good internal gap assessment. That’s where you figure out if what you’re doing actually aligns with what the assessors are going to look for. But even more importantly, test your evidence. Pretend you’re under assessment and go find the documents, policies, screenshots. Can you actually produce it on demand? That’s the difference between ‘I think we’re ready’ and actually being ready.

Azure Gov is FedRAMP High, but that doesn’t automatically mean everything that runs inside of it is CMMC-safe. We don’t yet have clarity from DoD or Cyber AB on how to evaluate these models for CUI. So play it safe: don’t put CUI in OpenAI, even in Azure Gov.

Yes if that vulnerability data relates to systems that store, process, or transmit CUI. That information becomes sensitive by association. And if the scanning tool is storing that data, it needs to be in a FedRAMP-authorized cloud or equivalent. If it’s just giving results locally and not storing anything, that’s a different story.

Zero-knowledge platforms are interesting. The problem is, from a compliance standpoint, it’s not just about what the provider can see, it’s about where the data is stored. If they’re a cloud service, they still need to be FedRAMP authorized to store or process CUI, even if it’s encrypted. For FCI or SPD, the bar is a little lower, but you’d still want contractual assurances and good security hygiene.

You’re not going to get dinged for compliance if your subs have an SPRS score and can show they’re working toward implementation. CMMC requires validation, yes, but 7012 was self-attestation. So if the subs have an SSP, a POA&M, and they’re tracking their progress, that’s aligned with DFARS expectations right now (March, 2025)

If you’re dealing with CTI that has a no-foreign-national restriction, you’re in GCCH territory. For regular CUI, GCC is acceptable. GCCH becomes necessary when there’s an ITAR component or a DFARS clause that imposes stricter access control. Look at the contract and the flowdown. That’s where the answer is.

Basic research is usually exempt from DFARS 7012, and by extension, CMMC. But that’s only if the research is truly fundamental and not tied to specific DoD deliverables. The problem is when it starts as basic research and then morphs into something applied or specific—then you’re in scope. Always check with the KO or contracting office.

If a bolt is used in a DoD program, it becomes CUI when associated with that project. The same bolt used commercially is not CUI. It’s the context and use that determine whether it becomes CUI, not the part itself.

Non-U.S. citizens cannot handle ITAR data unless specifically authorized. Even if a lab is ITAR-restricted, your tech staff must be U.S. persons to support anything involving ITAR.

LAN encryption isn’t explicitly required, but any data leaving the boundary must be protected with FIPS 140-2 validated encryption. Internal controls and segmentation still matter.

Any cloud service that stores or transmits CUI must be FedRAMP authorized or equivalent. If you’re unsure about whether something like a Meraki client touches CUI, treat it as in-scope until proven otherwise.

VPNs are highly recommended, especially when staff are traveling (airports, hotels). However, alternatives exist, like Virtual Desktop Infrastructures (VDIs), which can take laptops out of scope. If using any remote solution to protect CUI, it must have FIPS 140-2 validated encryption.

While the rollout period is officially specified as 3 years, what should subcontractors be prepared for in terms of flow-downs from bigger primes which may be directly impacted earlier in the rollout?

The three-year phased rollout is a DoD implementation timeline, but primes are not bound by it. Some primes are already requiring all their subcontractors to be Level 2 to strengthen their bids. If a prime requires it, you need to comply earlier than the official rollout.

If you receive unexpected CUI, protect it immediately and notify the sender. Best practice: do not reply to the same email with CUI. Instead, send a separate message informing them they sent CUI. When 32 CFR is finalized, contracting officers will be required to specify what CUI is covered in a contract.

Implementation costs were considered covered under DFARS 7012, but assessment costs can be factored into future contracts. The DoD expects some cost increases due to compliance, and primes will need to account for these expenses in their bids.

Yes, every FedRAMP-authorized Cloud Service Provider (CSP) should have a Customer Responsibility Matrix (CRM) as part of their Authority to Operate (ATO) package. However, these matrices are typically not public. You must request them, often under NDA. If an ESP or MSP refuses to provide a CRM, it is a red flag.

There is no official “approved” solution stack. The only firm requirement is that CSPs must be FedRAMP authorized (or equivalent). If a provider claims they are on an “approved” list, they are not being truthful—there is no such list.

Primes face challenges ensuring their subcontractors remain compliant. Some primes provide their subs access to CRT tools (e.g., Cyturus, FutureFeed) to monitor compliance. If a sub fails an assessment, it can jeopardize the prime’s contract.

Printing: Secure print solutions (badge-based release) are recommended. If that is not available, enforce a policy where staff check and remove printouts containing CUI daily.

ERP: Keep ERP outside the CUI boundary if possible. If CUI must be in the ERP, ensure proper safeguards and documentation.

…so I can get in on assessments and obtain my CCA. Just wanting to hear other viewpoints. Looking for any gotcha’s for a small company completely leveraging GCCH and Office 365.

Suitability investigations (T5/T3) are severely delayed—some are waiting six months or more. This is a major bottleneck for the ecosystem, and there are ongoing discussions with DoD to fix this. Contact the CACO for status updates.

If PII is classified as CUI under your contract, then your HR software provider must also be compliant. If it is cloud-based, it must be FedRAMP authorized or equivalent.

Non-compliance means you can’t work! Just kidding, kind of.  This is not just a future rule, NIST 800-171 has been required for years. The phased rollout means delays will only hurt your eligibility later.

Secure software must be developed in an isolated environment, with defined procedures in the SSP. Assessors will check:

…Identifying ports/protocols/services. (We have identified firewall policies on the firewall, must we copy these policies into an excel?) Can we simply identify any nonessential service as anything that is not identified as essential? Exceptions or acceptable levels of least user privilege in small shops with 3-5 IT guys? (domain admin on the entire IT team is acceptable?)

Identifying Essential vs. Nonessential Functions & Ports/Protocols/Services:

Essential functions are those necessary for business operations and security. Examples include domain controllers, authentication services, and email servers.

Nonessential functions can be identified as anything not explicitly marked as essential. Instead of listing all nonessential services, it’s acceptable to state that any service not identified as essential is considered nonessential.

If you’ve already identified ports, protocols, and services within firewall policies, you do not need to manually copy them into an Excel sheet. A screenshot or a live demonstration during an assessment should suffice.

Exceptions & Acceptable Levels of Least Privilege in Small IT Teams:

In small IT teams (3-5 people), strict role separation can be challenging, but best practices should still be followed.

A better alternative to giving everyone domain admin access is to assign primary and backup responsibilities. For example:

Network devices: One person as primary, another as backup.

Cloud services: A separate primary and backup.

Having all IT members as domain admins is generally not acceptable unless there’s strong justification and compensating controls (such as logging and monitoring).

Follow the NARA Marking Handbook or the DoD Marking & Labeling Guide. During assessments, assessors will check that documents containing CUI are marked properly. They typically do not review entire folder structures, but they will verify compliance when reviewing a sample document.

You can appeal the KO’s decision to the next level. Most contracts include a DFARS clause by default because CUI may be generated later, even if it is not present at contract award. Check the contract details and escalate if necessary.

Since GCC High is only available in the U.S., international companies usually certify their U.S.-based subsidiary or partner first. Microsoft is aware of the issue and may develop global solutions, but no official alternative exists yet.

Intune is commonly used for pushing security policies and managing mobile devices. Assessors may request a full device list, not just screenshots, to verify compliance. This is also cross-checked with user training records.

Suitability investigations can take up to six months, slowing down assessments. The CMMC community has asked DoD to allow third-party background checks, but for now, you can check your status with the CAICO office.

If these systems store, process, or transmit CUI, they cannot remain in commercial Azure, even though it meets NIST 800-171. They must be moved to GCC or GCC High, depending on data sensitivity.

3.2.2 does not specifically address insider threats (that falls under 3.2.3), but security awareness training applies to all users and staff, not just InfoSec personnel. Those who directly handle CUI should receive more specialized training.

In a nutshell, whether it’s basic or advanced research, it all depends on the terms of your contract. If your contract includes a DFARS 7012 clause, the DoD expects CUI to be part of the work. If you’re unsure whether your research involves CUI, your best resource is your contracting officer (your “KO”). The standard form in the proposed CUI FAR rule may also help clarify this.

It all depends. If the newly proposed Federal CUI rule remains as written, the reporting timeframe will decrease from 72 hours to 8 hours (or one business day) from discovery to incident reporting. That’s a significant change. However, SPRS reporting requirements remain unchanged and continue to be an annual obligation.

The question is a little ambiguous. But from a scoring perspective, point values are available for each requirement. There are nuances from FIPS/MFA, but the scoring breakdown is available to everyone and we are happy to discuss them with you if needed.

As assessors, we prefer to have both the policy section and the full policy itself. The more context and documentation, the better!

CMMC is a compliance framework that requires you to demonstrate strong security practices. Certification costs depend on the complexity and scope of your company, including factors like onsite visits, whether your operations are on-premises or in the cloud, and more. One way to reduce costs is by leveraging a cloud environment or minimizing your CMMC footprint to a single environment.

Jeremy is happy to discuss a quote with you one-on-one!

Think of it like creating a path through a maze for the mouse to reach the cheese—you need a clear plan and documentation. Structure your system around the 320 assessment objectives, outlining them in your SSP and policies. Organize your evidence carefully to ensure none of the 320 controls are overlooked.

Redspin offers a Technical Mock Assessment, where one of our assessors reviews only the 3- and 5-point items—those that cannot be “POA&Mable.” We verify that they are implemented in a compliant manner and determine whether each is “met” or “not met.” Please note that this is a mock assessment, so we cannot provide consulting.

Certification requirements depend on the type of data an ESP stores, processes, or transmits, rather than whether they have a direct DoD contract. However, there is growing interest in certification. There are different opinions on this topic, and we recommend listening to the full discussion in the podcast replay, this question is addressed at 18:24.

The National Archives and Records Administration (NARA)  best defines CUI, this is a good place to start. When is CUI no longer considered CUI? That decision is up to the Executive Agent (which isn’t always the DoD) responsible for that specific CUI. It’s important to distinguish between designation and classification—CUI is designated by a contracting officer (KO), and its status depends on contractual obligations and security requirements. The standard form requirement in the proposed CUI rule will help clarify this.

The CMMC Level 2 scoping guide from the DoD is a great starting point. Taking a CCP course can also be helpful, but if you’re getting started, focus on identifying what stores, processes, or transmits CUI within your organization. Map out the data flow of your CUI and consider the security protection assets in place within that scope. Also, think about ways to narrow your scope to simplify compliance.

There are many tools available! The first that comes to mind is Cyturus, a GRC tool backed by The Cyber AB. When choosing a tool, response time is key—setting it up can be challenging, so you’ll want something with fast support. If you’re using a tool for CMMC compliance, make sure it has features to help you manage compliance even after certification before committing.

If you’re allowing the printing of CUI, it brings the physical domain into scope, which means your assessor will need to conduct an onsite visit. Many organizations are shifting toward secure printing solutions. One common approach is designating a specific group authorized to print, with a designated individual conducting nightly walkthroughs to ensure no CUI is left unattended. There are many ways to implement secure printing effectively. 

If you completely lock down your environment (disabling printing, USBs, and mobile devices) you can remove the physical domain from scope, eliminating the need for an onsite visit.

However, instead of marking requirements as “not applicable” (which requires CIO approval), document them as addressed by your controls. For example, if cell phones are blocked, state that they are blocked rather than marking them as “not applicable.”

For organizations operating entirely in the cloud, you can document that all operations occur within GCC High, with nothing maintained physically. However, if you allow printing or removable media, the physical domain comes back into scope.

When documenting, keep it simple, just answer the questions directly. No need to overcomplicate it!

GCC meets all the requirements for CMMC Level 2 certification when handling CUI Basic.

However, when dealing with CUI Specified, ITAR, or other restricted data types, GCC High is required.

If you handle NOFORN data, you must use GCC High.

If no on-premises environment is in scope, the cloud environment and FedRAMP requirements apply. For more considerations and a more detailed discussion and  on this topic, check out the podcast replay starting at 36:29.

One possible implementation is using AI for continuous monitoring. Requirement 3.12.3 addresses secure control monitoring, which is where AI could play a role.

Ultimately, you need full visibility into where your data is going, if you feed it into AI, you must understand where AI sends it and what it does with it.

• Level 1: Contracts without DFARS 7012 requirements can self-attest. This is mostly for organizations handling only Federal Contract Information (FCI).
• Level 2: Most contracts with DFARS 7012 require Level 2 certification, especially those involving Controlled Unclassified Information (CUI).
• Level 3: Still unknown. This is a DIBCAC lead assessment and will most likely be a flowdown requirement from your prime or direct DoD involvement.

• Utilize cloud solutions for inherited security controls.
• Minimize the CUI scope to simplify management and ensure cost-effectiveness.
• Consider having internal staff trained in CCP to maintain long-term compliance

Awesome! 

• Courses must be taken through Licensed Training Providers (LTPs) listed on the Cyber AB website.
• CCP is a prerequisite for CCA certification.
• Organizations should consider training at least one or two staff members in CCP for foundational CMMC knowledge

…If a 1-point control isn’t met, you POA&M it, correct it, and re-assess. If a 3 or 5-point control isn’t met, the audit is over (FAIL). I could see scoring the 1-pointers…in other words, if you have too many 1-pointers not met, then they should probably fail you. But why the 3 and 5-points…why score them at all?

• 3-point and 5-point controls are pass/fail and cannot be included in a POA&M, unlike 1-point controls.
• Scoring helps achieve a 110-point maximum, but missing critical controls results in failure.
• These rules ensure readiness but can increase costs and delays.

• 88 controls must be met out of 110 for Level 2 certification.
• Exceptions include a few specific controls, listen to the podcast episode for more detail!

• Phone systems must comply with FIPS or NIST standards only if processing, storing, or transmitting CUI. Non-CUI systems may be exempt
• For tools like Kaseya EDR, compliance depends on vendor-provided evidence (e.g., FedRAMP equivalency or documentation.

• Artifacts should be:
1. Clearly labeled, including control numbers and relevant details.
2. Clean and easy to review without unnecessary information.
3. Relevant and consistent with organizational policies.
• Avoid submitting unrelated or outdated evidence

• Certificates are issued via EMASS starting January 2, 2025, depending on whether DoD or C3PAOs upload assessment data

• FedRAMP: Validates external service providers for secure DoD data handling.
• CMMC: Focuses on internal organizational security for handling DoD information.
• Both emphasize compliance but address different aspects of the supply chain

For separate environments like MS GCC High (Level 2) and MS Commercial (Level 1), boundaries depend on what the system stores, processes, or transmits (CUI or FCI). Start with identifying assets related to CUI and define the boundary, often at a firewall or demarcation point. Consider external service providers (CSPs, MSPs) as part of your scoping efforts.

Security protection assets are those directly related to protecting CUI. Specialized assets, like isolated machinery or proprietary systems, may not meet all controls but require defined usage and access limitations. Ensure clear documentation and isolation.

The latest CAP (version 5.6.1) was only available through CCA training. A new version compliant with 32 CFR is in the final stages of review and should be available before December 16, 2024.

Building an enclave can simplify scope, but tools like ticketing systems might expand the scope. Engage with a C3PAO to align your scope with compliance needs and consider whether a full or partial enclave is best.

Organize your SSP around the 14 domains and 110 controls, linking evidence clearly to objectives. Include clear diagrams (network and data flow) and avoid unnecessary navigation between documents. Naming conventions and access to linked evidence help assessors.

Isolate such systems with VLANs, apply access controls, and ensure zero-trust principles. Address this in risk assessments and provide compensating controls like segmenting and enhanced security configurations.

MFA is not required for WiFi access. Protect WiFi networks using encryption (WPA2 AES-256), and ensure guest WiFi is isolated from internal networks.

Use a structured folder system: organize by domain, then by control, and include evidence directly tied to objectives. Reference cross-domain evidence where applicable.

No official matrix exists yet. Start with NIST 800-172 requirements (Level 3). Use a workbook to map controls and objectives.

Based on updates, the 48 CFR rule is anticipated to become effective in late Q1 or early Q2 of 2025. The rule has cleared necessary review stages, indicating a probable start in spring 2025. This aligns with a typical phased rollout approach.

It’s risky to wait until mid-2026, especially if you’re both a prime and a subcontractor.

Prime contractors are likely to start pushing down certification requirements by 2025 to ensure they meet the phase two rollout. For companies operating exclusively as primes, it might be feasible to delay until late 2025, but it’s not without risk, especially with provisions allowing for early certification based on contract sensitivity.

Level 3 certification is generally expected for only the top 1% of contracts, often for high-stakes sectors like nuclear or classified operations.

If your company deals with highly sensitive DoD information or critical systems, preparing for Level 3 might be wise. Otherwise, Level 2 may suffice, but decisions should be contract-specific and guided by the contracting officer.

Defining CUI often depends on the contracting officer’s designation in each contract. Typically, only information directly tied to the contract’s sensitive parts needs to be marked. For practical purposes, when unsure, treat data as CUI and label it accordingly until further clarification is available. Specific terms in clauses 7012 and 7021 can clarify CUI expectations, with additional guidance available on the NARA website.

FCI (Federal Contract Information) generally includes contract and related documents, requiring Level 1 safeguarding. This scope is broader than CUI but only requires basic protections, not the full extent of CUI-level security measures. Treat FCI with essential safeguarding but without the rigorous controls required for CUI.

Emergency responders are typically out of scope for CMMC requirements since they are not federal contractors. Therefore, no additional background checks are necessary. Treat emergency personnel as out-of-scope for CMMC assessments.

An SSP should clearly outline operational workflows, boundary controls, and CUI data flow. Including as much detail and as many diagrams as necessary will streamline the assessment process. Consider converting the final document into a PDF with diagrams to illustrate these elements clearly. Referencing assessment guides can provide specific content expectations.

The G-code itself isn’t necessarily CUI. However, data like specifications or design inputs that inform the G-code may be classified as CUI. Thus, focus on securing the information used to generate the G-code rather than the G-code itself.

The quality of C3PAOs varies, so choose one that aligns with your company culture and has experience. Look for C3PAOs that have a strong background in CMMC, extensive knowledge of DIB requirements, and a collaborative approach to assessments.

Options like YubiKey for multi-factor authentication and solutions compatible with GCC High environments for data loss prevention (DLP) can help secure O365. For printed CUI coversheets, follow standard templates as required by contract guidelines or DoD templates.

FedRAMP equivalency offers smaller cloud providers access to DoD contracts without full FedRAMP certification, which is resource-intensive. This approach maintains security while allowing more providers to support the defense industrial base without monopolizing the market.

The CMMC rule (32 CFR) has finished its review and is now in the prep stage for Congress to review. The public comment period for the related 48 CFR rule is still ongoing and closes on October 15th. Organizations new to CMMC compliance should immediately contact a C3PAO because many are already backlogged, and certification could be delayed until 2025. It’s important to reach out now to get on the schedule, even if you’re not ready for certification yet.

The editing period depends on the volume of public comments received, but past experiences show that highly technical rules can be edited in less than 60 days. It’s possible that this rule could be edited and published by Thanksgiving, depending on the comment volume.

Microsoft 365 Government Cloud (GCC) has the foundation to meet or exceed CMMC requirements, but it must be properly configured and managed. Unique configurations may be needed depending on the client’s specific environment, technology usage, and how the tools are implemented.

Technically, for CMMC Level 1, you may use Microsoft Commercial Cloud, but Microsoft strongly advises against using it for any government-related data. For CMMC Level 2 (involving CUI), you must move to Government Cloud. The complexity of lifting and shifting depends on the environment, data, and integrations involved, but it is generally doable.

The most common licensing tiers are G5 or G3 with G5 security add-ons. The services needed vary by the client’s specific requirements and could include things like Azure virtual desktops or virtual servers, depending on how the company operates and manages CUI.

If you have DFARS 252.204-7012 in your contract but no Controlled Unclassified Information (CUI), you may only need to comply with CMMC Level 1, which applies to the protection of Federal Contract Information (FCI). However, the presence of CUI in the future could change this requirement, so it’s crucial to assess your environment regularly and know the type of data you handle.

Encrypted data is still considered CUI unless it is specifically excluded or marked otherwise. During CMMC assessments, the focus is on how the data is protected, not whether it is encrypted. CUI remains CUI even if encrypted, and assessors will check if it is properly marked and handled, as well as how encryption is applied.

For a construction company, printed CUI material must be physically controlled. This includes limiting access, secure storage when not in use, and preventing unauthorized access.

For data flow, the organization must identify where CUI enters, is processed, and exits the system. Understanding these flows is critical for setting the scope of the assessment and ensuring proper protections.

IT consultants with admin privileges to a CUI network are not typically considered security protection assets themselves. However, their access is governed by controls related to access control, identification, authentication, and audit requirements under CMMC, ensuring only authorized personnel handle CUI.

If a prime contractor shares CUI with a supplier by mistake, which is then compromised from the supplier’s infrastructure, the incident must follow established incident response processes. This includes notifying the DoD within 72 hours and preserving relevant data for investigation. Responsibility ultimately lies with the party handling the data, but legal counsel should be consulted to clarify obligations.

For ensuring CMMC compliance with cloud services like Salesforce or O365, it’s essential to configure these services properly and confirm they meet FedRAMP Moderate or equivalent standards. A shared responsibility matrix should define which controls are handled by the cloud provider and which are the client’s responsibility. The correct configuration of the cloud services is vital to meeting CMMC requirements.

The government has taken steps to help small businesses by offering resources like Manufacturing Extension Partnership (MEP) centers, which provide training and support. Additionally, some compliance-related costs can be submitted as allowable costs under certain contracts. Small businesses are encouraged to use these free resources and work with reputable providers to minimize the burden of compliance.

When will subcontractors need to be fully (no POA&M) self-certified to receive awards of certain government contracts?

Certification can start once the rule is finalized, which is expected around September 2024 . Joint surveillance assessments are anticipated to end at that time, allowing formal CMMC certifications to begin. Contractual requirements, enforced through 48 CFR, may start as early as March or April 2025, depending on the sensitivity of the contract. 

Subcontractors may be required to be fully certified (with no Plans of Action & Milestones, or POA&Ms) by prime contractors as soon as CMMC goes live. Prime contractors can impose certification requirements on their subcontractors at any time once CMMC becomes mandatory, and it’s likely that primes will push to get their subcontractors certified before the DoD formally includes CMMC requirements in its contract. 

A common point of confusion is the difference between fiscal year and calendar year in government timelines. When the DoD refers to Q1 of 2025, they mean the fiscal year, which begins on October 1, 2024. This is often misinterpreted as the calendar year, but in reality, CMMC requirements could begin to appear in contracts as early as October 2024​. 

Since everyone is expecting 32 CFR to be out in Oct. Will we be able to schedule a JSVAP in the time between 32 CFR being published and into effect?

As of August 2024, Joint Surveillance Assessments (JSVAPs) are still being scheduled through October 2024, with a major ecosystem stress test planned during the week of October 21-25, 2024. During this test, 30 assessments will take place. However, there is uncertainty about whether JSVAPs will continue after the CMMC rule (32 CFR) is finalized, which is expected to happen around September or October 2024​. 

Scheduling JSVAPs After 32 CFR is Published: Once the rule is published, it’s expected that CMMC certifications will begin, and JSVAs may no longer be conducted. Therefore, the opportunity to schedule a JSVAP between the publication of 32 CFR and when it goes into effect may be very limited. It’s recommended to schedule assessments as early as possible before the final rule is published, as the transition from JSVAPs to formal certifications is anticipated to happen quickly.

How small businesses can get CMMC certification without breaking the bank.

The costs for CMMC certification will vary depending on the scope and complexity of the business’s environment. Factors like the number of locations and the scope of CUI data involved will influence the assessment cost. Small businesses can reduce costs by minimizing their CUI footprint.​

CMMC compliance in commercial cloud environments (e.g., Microsoft Commercial Cloud) may not meet certain requirements, particularly for more sensitive types of CUI data. It is recommended to use GCC or GCC High for environments dealing with CUI data with dissemination limitations.

Redspin offers cloud solutions and Managed Service Provider (MSP) services for CUI hosting. They do not host clients in their own enclave, but they can assist with consulting and help small businesses prepare for CMMC certification.

If so, what would the specific control requirements be (e.g., administrative: AUP/owner security responsibility, technical via organization mdm, etc.)?

BYOD (Bring Your Own Device) can be allowed, but it requires strict controls, especially when accessing a secure cloud enclave. This includes controlling the flow of CUI data to devices and implementing encryption, audit logs, and strict security policies. VDI (Virtual Desktop Infrastructure) may also be a solution to restrict device capabilities. 

• Administrative Controls:
  • Acceptable Use Policy (AUP): Establish and enforce an Acceptable Use Policy that clearly defines the security responsibilities of the device owner and what actions are permitted when accessing the CUI enclave.
  • Owner Security Responsibility: Device owners must be informed and held accountable for adhering to security protocols, including reporting any potential security incidents or device loss.
• Technical Controls:
  • Mobile Device Management (MDM): Implement an organization-wide MDM solution to manage and secure BYOD devices. This ensures that security settings, such as encryption, password policies, and remote wipe capabilities, are enforced on all devices accessing CUI.
  • Virtual Desktop Infrastructure (VDI): Use VDI to limit the interaction between the device and the CUI. VDI allows for a virtual environment where the device acts only as an interface (keyboard and display) while keeping CUI securely within the cloud.
  • Encryption: Ensure all data transmitted to and from the device is encrypted, both at rest and in transit, to maintain the confidentiality of CUI.
  • Access Control: Implement role-based access controls (RBAC) to restrict access to CUI based on job function and ensure that only authorized personnel can view CUI.
  • Audit Logs: Continuously monitor and audit device usage logs to ensure no unauthorized actions are being taken and to maintain compliance with security requirements.

FIPS mode should always be enabled when handling CUI. The only exception is when devices have been upgraded to FIPS 140-3, which is still in the testing phase.

While this is a growing concern, it is up to NIST to decide when mobile application security will be formally included in audits. However, the issue has been raised, and organizations are encouraged to contact NIST directly for guidance via email to: cyber4R&D@NIST.gov.

CMMC 2.0 looks inward, focusing on how organizations protect their own environments and CUI data, while FedRAMP focuses outward on the authorization of cloud services to operate securely in external environments. FedRAMP uses NIST 800-53, while CMMC uses NIST 800-171.

For Level 1, general user training based on industry best practices is sufficient. For Level 2, organizations need more targeted training, including security and CUI-specific training for all employees, and role-based training for administrators and executives​.

If CUI is not marked, organizations should reach out to their contracting officers for clarification. In the meantime, it’s better to err on the side of caution and treat the data as CUI until confirmation is received​.

Yes, encrypted data is still considered CUI, as encryption only protects the confidentiality of the data, not its classification​.

The CMMC program applies to all types of data centers, whether owned by the organization or a colocation. The primary concerns are physical protection and technical controls, such as cameras, badging systems, and access control.

Organizations under Partnership Intermediary Agreements should review their contracts to determine whether cybersecurity requirements like DFARS 7012 or NIST 800-171 apply. If these clauses are included, CMMC will likely be required.

There is no specific requirement for using particular tools to manage CMMC compliance. Organizations can use whatever tool works best for them as long as they meet control objectives and can document evidence of compliance. This can include tools like Smartsheet, Teams, or Apptega.

Thomas: FCI and CUI are two separate designations of data. When you’re going through CMMC Level 2, it doesn’t eliminate your Level 1 responsibilities because CMMC builds on the levels. For example, to achieve Level 3, you must first schedule and pass Level 2.

Level 1 focuses on FCI, and once all updates are made into SPRS, you will need to update those requirements annually. Is this documented? Absolutely. However, I can’t provide the document numbers off the top of my head, and Tara might be disappointed in me for that, but there are distinct regulations governing this.

In short, FCI will not become CUI, as they are different designations of data.

…Is that C3PAO operating normally by charging extra?

Tara: This situation highlights the importance of thoroughly reading your contracts with any prospective vendors providing CMMC assessment services. Here are some key questions you should be asking your C3PAO:

• What happens if there is an item that needs to be placed on a POA&M, and someone has to come back in 180 days?
• Is that covered by the outlined costs in the fee breakdown?

As an OSC, it’s not just your right but also your responsibility to clarify these things. At Redspin, we strive to be as transparent as possible with our fees, but it’s essential to understand these details with any C3PAO you work with. If a C3PAO demands a high fee to validate or close out a POA&M, you do have options. Under the CMMC assessment process, you can choose another C3PAO if you find their fees unreasonable. Often, other C3PAOs may offer more competitive pricing for such tasks.

Jeremy: The simple answer is, you don’t. You either find new subcontractors or apply enough pressure for them to implement the necessary changes and become certified. If you’re flowing down DFARS 7012 requirements, your supply chain must comply with CMMC requirements, just like your team. They will need to get certified as well. If they refuse, you may need to find a new vendor to fill that role within your supply chain. I’ve encountered this issue frequently with clients, especially when dealing with MSPs. Some MSPs may say, “You’re our only DIB client, so we’re not going through CMMC just for you.” In such cases, clients have had to find new vendors to perform those services. Ultimately, CMMC compliance is a series of business decisions, and you might need to part ways with long-time partners if they’re not willing to participate in CMMC

Jeremy: This question ties into the previous discussion on flow downs and supply chain management. Once the CMMC rule is live and assessments are in place, the easiest way to vet your suppliers will be to check if they are CMMC compliant. Until then, the tried-and-true method is using security questionnaires. While they may not be the highlight of our day, they serve a very valid purpose. If you have a supply chain of subcontractors to whom you’re flowing down DFARS 7012 requirements, it’s essential to have a vendor management program in place. Don’t just send out the questionnaires—ensure they get completed and returned. Review the answers thoroughly, and don’t hesitate to follow up with additional questions. For instance, if a supplier provides an answer that needs more detail, ask for clarification or their plans to improve on areas that don’t meet your standards. Until CMMC certifications are fully operational and easily trackable, these security questionnaires remain your best bet for vetting suppliers.

Tara: So, I think portion marking is often misunderstood. Whenever you have a question about how to mark our documentation or any media, the best place to start is nara.gov. NARA, the National Archives and Records Administration, is the executive agent over the CUI program. They make all the rules and decisions regarding how to mark things. Now, about portion marking: it’s a way to further delineate types of CUI or other classified data within a document. It’s not required, though. You can choose to mark your entire document as CUI or whatever classification applies without using portion markings. However, if you decide to use portion markings, you need to do it consistently. This means marking each table,figure, drawing, and paragraph separately to show how each part should be handled. So, while portion marking isn’t mandatory, if you use it, you must apply it consistently throughout the document.

Robert: Not at this time. NIST SP 800-171 Rev 3 will not be incorporated into the CMMC program for at least a year, likely until the end of next calendar year. This delay is due to the extensive updates needed. The rule and associated documents must first be realigned with NIST SP 800-171 Revision 2. As part of this transition, all the assessor training and documentation will need to be updated. There’s a lot to be done, so it won’t be happening soon. However, I believe Vicki and Ron from NIST are already working on a new document that can be used once the updated version becomes active within the CMMC program. But as of now, there’s nothing available for anyone to use.

Jeremy: If you have a CMMC requirement, and choose not to pursue CMMC, the consequence is that you will no longer be eligible for DoD contracts. It’s a straightforward decision, but it involves more than it seems at first glance. CMMC compliance is a business decision. I’ve spoken to companies where DoD contracts make up a minimal part of their business, and they chose to let those contracts go instead of pursuing CMMC. On the other hand,for companies where DoD contracts are a significant portion of their business, it makes complete sense to pursue CMMC. Be aware that CMMC is not going away. It will become a contractual requirement for newly issued contracts, particularly Level 2 contracts involving CUI. These requirements will be part of Phase Two of the rollout. In Phase Three, CMMC requirements will be retroactively incorporated into multi-year contracts already in place. So, if you want to do business in the defense industrial base, CMMC compliance will be necessary. Opting out of CMMC means opting out of the DIB space entirely.

Thomas: The short answer, is that it’s considered CUI until the executive agent says otherwise. The executive agent is the only one who can change the designation of CUI information. Now, will a single line still be considered CUI? The line itself, no, but in the context of the contract, ifit was provided to you as CUI, it remains CUI until the executive agent changes it. If you encounter such a situation, you need to have a conversation with your contracting officer. However, keep in mind that the contracting officer or even the DoD may not be the executive agent. They might be working with other departments, like the Department of State or other branches within the DoD, and will need to seek clarification from the executive agent. CUI is a federal designation created to facilitate communication and information sharing between different federal agencies. This sometimes requires going not just up the chain within the DoD, but also laterally to other organizations.

• Jeremy referenced a hot take in July of folks asking for a quick, easy CMMC Implementation Strategy checklist. Well, we created one!
  • Download here
• Tara Referenced good practices to vet a C3PAO. Check out our “5 Time-Saving Tips for Evaluating an MSP, ESP, or C3PAO” white paper
  • Download here
• Written by Tara, this collection CMMC Assessment Interview Guides is packed with questions you/your team could be asked during an assessment (there are 14 individual guides, 1 for each of the 14 domains)
  • Download here
• Tara shared an image in the chat: CMMC Asset Categories Overview
  • View here
• We’d love your feedback! Please fill out our CMMC Connect Follow-Up Survey
  • Fill it out here!

How long will it last? Are we required to be compliant with NIST 800-171 Revision 3 for CMMC Level 2, once the CMMC rule is effective?

Currently, we will continue to follow Revision 2. The exact timeframe is uncertain at this moment. However, we are aware that there are changes between Revision 2 and Revision 3. For more details, please refer to the white paper linked here. We are not required to comply with NIST 800-171 Revision 3 for CMMC Level 2 at this time.

Yes. The data doesn’t change whether it is encrypted or not. CUI data remains CUI data regardless of its encryption state.

The DoD has been aiming for the end of the fiscal year 2024 (September 30th, 2024)for CMMC finalization. As of today (July 1st), the DoD is adhering to this timeline, with the latest update indicating that all 32 CFR public comments have been adjudicated. The rule has now progressed back to OIRA/OMB. Will it be required for non-DoD work? We don’t know yet, but there are rumors that other agencies might adopt CMMC once it is finalized. We are closely monitoring the Department of Education and other agencies for any mention of “NIST 800- 171,” as this could indicate a shift towards CMMC. Recently, the General Services Agency (GSA)issued a solicitation specifically referencing “CMMC,” which is a significant indication. Given that CUI is a designation, it wouldn’t be surprising if CMMC appears in requirements from other agencies for reciprocity.

Yes, we have assessed subcontractors under JSVA. Subcontractors do have DFARS 7012 requirements. If you are wondering if you qualify, reach out to us!

• DFARS 252.204-7012
• Class Deviation Memo
• CCP Training

Maybe. When considering scoping, you are looking at the boundaries of your assessment. You can use solutions like remote desktop, VDI, etc.,for CMMC implementation. If you do not want your endpoints to be in scope, you must lock down those virtual instances to ensure that nothing can be copied or saved from that virtual interface. If you can achieve this, prove it, and demonstrate it, then your endpoints would not be in scope. However, if capabilities such as copy and paste, download, print, or screenshotting are still enabled, then your endpoints are likely still in play. It all depends on how tightly you lock down that remote or virtual interface.

There are many good solutions for this, but one that stands out is a GRC (Governance, Risk, and Compliance) tool like Cyturus. The Cyturus CRT tool allows you to map data back to one another and offers many other usefulfeatures. Another example of a GRC tool is FutureFeed. Tools like these let you store your documentation (such as your SSP) and other documents, then grant your subcontractors access. Any time they make a change, the tool provides a warning so you can review it. This approach ensures secure information sharing and compliance management.

There are no prerequisites for CMMC Certified Professional(CCP) training itself, but there are requirements if you plan to sit for the CCP certification.

One prerequisite is having a college degree or 2 years of equivalent experience. It is also suggested that you have a certification such as CompTIA Security+.

You must complete the CCP class before taking the CCP exam. If you want to go further and become a CMMC Certified Assessor (CCA), there is another set of requirements. For more details please visit: 

CCP training

CCA training

The Cyber AB’s CCP Blueprint 

This is always a challenge, right? The bottom line is that CMMC is merely a validation of requirements that are already in place. Upper management should be aware of this. By getting certified now, you are giving yourself a competitive advantage for bidding on contracts. The advantages of being proactive are significant compared to waiting, especially with potential logjams that may occur after rulemaking becomes final. If you wait to get certified until CMMC becomes final, you might end up in a queue for certification that could potentially last a year or two, depending on how things go. Another option is to get on a call with us! We are happy to learn about your unique business and explain the CMMC process to your leadership. At the end of the day, if you want to participate in the DIB space and secure DoD contracts, CMMC will provide you with a competitive advantage, particularly if you are a subcontractor. Subcontractors will see CMMC requirements in contracts from their primes long before the DoD mandates them. We have already heard from subcontractor clients that their primes are telling them the first to get CMMC certified will get all the primes’ business for 2025, and they will reassess in 2026 once things settle down. So there you go.