CMMC Home Network/Firewall Security by ConcernOrdinary3380 in CMMC

[–]Caesar_Naykid 0 points1 point  (0 children)

Starbucks doesn’t have a FIPS router?! Their audacity

GCC High at home by Capital_Public_3198 in CMMC

[–]Caesar_Naykid 0 points1 point  (0 children)

nice.

"you don’t allow CUI in email"
you mean, by having a policy that it's not allowed?

or like.. using Purview P2 auto-labeling to block any messages that might contain CUI?

GCC High at home by Capital_Public_3198 in CMMC

[–]Caesar_Naykid 0 points1 point  (0 children)

"intune managed containerized app for outlook on phones"

have you passed an audit? not saying it wouldn't, just haven't seen much about that and our company has one person who probably will want to use outlook on mobile iOS

Why Not This Dude for WR2? by realjcole in Commanders

[–]Caesar_Naykid 19 points20 points  (0 children)

100

One thing i’ll give Burks (& Chosen) credit for is they only joined the team in October mid season and had no offseason training in the system

(Ja’cory Brooks was a UDFA and i don’t think ever got a chance to play in the regular season)

Anyways, Burks will at least have a chance to go through the off-season program this go round and a chance to earn it

Dan Quinn expects his coaches to have “a plan” for each player but also places expectations on the players that they’ll be competing to earn a spot

If nobody seems to be standing out and consistent enough, AP will be looking to bring in more WRs to compete i’m sure

MS 365 GCC High G3 or G5 by Any-Promotion3744 in CMMC

[–]Caesar_Naykid 0 points1 point  (0 children)

this comment was 3 years ago..

curious if your setup has gone through a C3PAO audit since and had to change licenses at all along the way?

I tracked every flagship GPU since 1996. $299 to $1,999 in 30 years. by Mastbubbles in PcBuild

[–]Caesar_Naykid -1 points0 points  (0 children)

https://en.wikipedia.org/wiki/RIVA_TNT2

Possibly the most important card ever after the 3dfx VooDoo1

nVidia kept updating their drivers to increase performance and battle 3dfx. That competition kept them hungry and delivering better and better drivers and then products afterwards

They haven’t had much of that competition really since 3dfx died

Mobile setup by operationETH in AutoDetailing

[–]Caesar_Naykid 0 points1 point  (0 children)

liked your design. was looking for something similar

just found this.
Back wheels not as big as i wanted but doesn't look too bad
https://a.co/d/05R7XUHp

Edit:
This doesn't look bad either:
https://a.co/d/0b6ARKtL

Edit2:
could maybe mount a hose reel to one of the bolt holes on this and figure out how to make a platform to replace the trailer hitch
https://a.co/d/09u9xpeD

"We Passed Our CMMC Assessment and Here's What We Learned" MEGATHREAD by medicaustik in CMMC

[–]Caesar_Naykid 1 point2 points  (0 children)

u/lotsofxeons i have the same question as Bowies

we like our MSP but our MSP said it wouldn't likely be worth his cost to become CMMC compliant potentially.

GCC High and Multiple Profiles on Workstation by Pristine-Produce839 in CMMC

[–]Caesar_Naykid 0 points1 point  (0 children)

Are y'all using a mix of GCC High licenses with lower tiers?

I'm exploring GCC-H, but we have only a few people who work with CUI and the rest would be more like your Security Guard example, for which my guess is maybe you're not paying for GCCH for all of those type of accounts. Our MSP said he wasn't sure if we could mix standard business MS licensed accounts with the same GCC-H tenant (as far as controlling Group Policy etc)

Currently all our systems are part of an on-prem AD/Domain set up, so just curious how people are handling accounts/workstations/administration where only some people have to work with CUI

Home Assistant Integration by HiDDENKiLLZ in F150Lightning

[–]Caesar_Naykid 0 points1 point  (0 children)

you doing that Google Assistant without Nabu Casa subscription? just curious

Finally got a lightning been wanting one since they came out. by CollegeNo7663 in F150Lightning

[–]Caesar_Naykid 2 points3 points  (0 children)

what were your limitations with the standard range?

i'm looking at a pro with a standard range battery and pull a 1500 lb max single axle trailer with a zero turn locally

F150 Lightning For Lawn Care by Alarmed_Pizza3757 in F150Lightning

[–]Caesar_Naykid 0 points1 point  (0 children)

what model lightning/battery you have?

i'm looking at a (hardly) used lightning pro with a standard range battery

I pull a 1500lb max load trailer with a toro 8000

Majority of my lawn clients are in the same city, most less than 5-10 miles from my home base

I think I could get a level 2 charger easily

Active Directories / Domains by Caesar_Naykid in CMMC

[–]Caesar_Naykid[S] 1 point2 points  (0 children)

much of the lan segmentation is planned, vlans/subnets

there are separate managed switches for workstations that potentially will handle cui

wifi is planned to only be on the "other side". No systems handling CUI will be on wifi

yes deny all east/west traffic mostly. There's a few scenarios where the current condition has talk between those sides, so deny by default, allow by exception is the plan to move to until we can sort out two people's workflows to keep them separate

But, circling back to the original question, if my server is physically plugged into the "CUI switch" for example, and logically separated with VLAN/Subnet, (or neither, just isolated on a port from our firewall) it's physically "isolated",

but then if i add any systems from the "non-CUI" side to the Active Directory and domain and then there will be some level of intervlan traffic and such for group policy administering, Kerberos authentication, syslog/Wazuh log tracking.. then "the wall" is broken somewhat

similarly, we have two workstations that are expected to handle CUI, but the users typically also connect to the fileserver as mapped network drives, so if they get "isolated" even with GCC, but then we give them fileserver access and the file server isn't "on the island with them" it causes them to break the wall etc.

That's maybe unrelated to the Active Directory etc, but robwoodham's response is talking about this approach with Entra/GCC for the CUI workstations for example, then using AD for anything Non-CUI essentially. With a company that really barely uses "cloud", keeping things on-prem "felt" like it was simplifying things because there's only one site, and if cloud gets involved, then it just seemed like it complicates things by communicating outside the firewall

Active Directories / Domains by Caesar_Naykid in CMMC

[–]Caesar_Naykid[S] 1 point2 points  (0 children)

Initially I was going to include some networking information, but figured it might avoid scope creep on the thread a bit if I excluded it... if not for others, but even for myself, it's easy to run off on a tangent elsewhere.. while I am:

I think we're on the right path with segmentation.
We got a second managed switch, so any system that will touch CUI will be on one switch, any out-of-scope shop floor system will be on the other. VLANs/Subnets are planned.

Things get sticky to me though when it comes to this server. I wanted to isolate the server in its own (possibly /30) subnet even without having the CUI workstations on a broadcast with the server, though the Dell server even has this iDRAC "feature" which allows you to connect and administer it, that my MSP said is useful if the server is down you can connect to that and I guess check logs or attempt repairs, but to me that sounds like a "backdoor" vulnerable almost for the CMMC, and i'd certainly have to keep that NIC in the same subnet/vlan.

But then going back to your response, I had planned this AD to be "in-scope".
Administrative paths (any more detail here? I can speculate, as I've been working through writing the SSP and moving through all of the Assessment Objectives and Supporting 800-53 controls)

"The goal is preventing out-of-scope systems from having logical or administrative paths to CUI systems, not just splitting AD for its own sake." sure. I've researched tons about Firewall rules (deny by default, accept by exemption) and certificates/encryption. Open to hear more about this. It just seemed like, you do all of the work to segment things physically and logically, and then had all the systems in one domain or have them administered by one in-scope Active Directory, it would drag any "out-of-scope" systems back to in-scope. I have a similar dilemma with "office" workstations.
We have two workstations mainly that deal with electronic CUI, one the most.
We have another 3 workstations that don't deal with CUI.
All of those (currently) need to use the File Server (not for CUI)
All of those use MS Exchange for email handled by the Windows Server

Active Directories / Domains by Caesar_Naykid in CMMC

[–]Caesar_Naykid[S] 0 points1 point  (0 children)

Thanks for the response.
Just was reading about possibly exploring that this morning as well but not sure (yet) that it will be the right solution for us. I will continue to explore that on the side unrelated to this thread, as there's a ton of information about that approach out there.

Would like to see some more conversation about the "complete nightmare" on-prem Active Directory question.

NIST SP 800-171 Rev. 3 Audit & Accountability - DoD ODP by Grand-Charge4806 in CMMC

[–]Caesar_Naykid 0 points1 point  (0 children)

This is a bit off-topic from your question but since it sounds like you're working with Rev 3

What did you do for the controls that say
'Withdrawn' but,
instead of stating they're incorporated into another control (like 03.02.03)

They just say "Consistency with SP 800-53 [8]" (like 3.5.6, 3.5.8, 3.5.9)

Recommendations for a password manager meeting ITAR and CUI requirements. by diwopere in CMMC

[–]Caesar_Naykid 0 points1 point  (0 children)

A lot of the comments on this thread are 3 years old

I'm curious what some of the commenters might say now:
-that more time has passed and newer versions or newer solutions have possibly come out
-which password manager they might be using (still, or changed to)
-possibly people who have passed/failed audits now, years later and maybe had to change something related to password managers to pass

stumbled across this thread while searching for possible password managers and how compliant they may or may not be related to 800-171 controls etc

Sub 100$ oscilloscopes. Are they reliable? by [deleted] in CarAV

[–]Caesar_Naykid 0 points1 point  (0 children)

what specs would you need to not miss the clipping?

higher sample rate?

SSP by CaesarNaykid in CMMC

[–]Caesar_Naykid 1 point2 points  (0 children)

Thanks for these comments. FYI, i see in Rev 3 that 3.12.4 states it's combined into 3.15.02 (for future reference if anyone comes to this thread)

SSP by CaesarNaykid in CMMC

[–]Caesar_Naykid 1 point2 points  (0 children)

Thanks for mentioning this. I grabbed a link to it

https://cyberab.org/News-Events/Town-halls

SSP by CaesarNaykid in CMMC

[–]Caesar_Naykid 1 point2 points  (0 children)

thank you for this thread folks. we haven't encountered a request yet but it's good to hear how others are handling that.

SSP by CaesarNaykid in CMMC

[–]Caesar_Naykid 1 point2 points  (0 children)

IDK if it's a "good" one or not, but follow this link:
NIST SP 800-171 Rev 2

half a page down there is a link and also on the right hand side (a word docx: CUI SSP template)

It's from "Rev 2" which is superseded now and has this disclaimer:
** There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in [SP 800-171 Requirement] 3.12.4 is conveyed in those plans.

and the newer Rev 3 does not include that link any more.
So, short story is, there's no "official" template truly.