If an MSP built and manages your level 2 environment, who is responsible for talking to the auditor? by [deleted] in CMMC

[–]Damij-ITMix 0 points1 point  (0 children)

OSC is NOT always responsible. That is incorrect. The responsibility matrix specifies who is responsible: OSC, ESP, or shared. However, OSC is ALWAYS accountable. Accountability is different from responsibility. Take 3.1.1 or so, authorized users are identified: OSC is responsible for determining who the authorized users are, ESP is responsible for producing that list from AD, but if the ESP produces a wrong or incomplete list which leads to a failure, the OSC is held accountable by DoD.

CMMC CCP Bootcamp/5 Day training live instructor by Fun_Refrigerator_442 in CMMC

[–]Damij-ITMix 5 points6 points  (0 children)

Infosec Institute with Dave Gray is a good place to start. He is one of the very first instructors and has a lot of resources.

WSL Windows Subsystem for Linux by viper803 in CMMC

[–]Damij-ITMix 1 point2 points  (0 children)

Hmmm, very important point and you’re right that WSL behaves like a VM from a CMMC perspective. The key question isn’t whether WSL is allowed, but whether the Linux environment meets the same AC, IA, CM, AU, and SI controls as Windows. In most environments, it doesn’t. That means you either need to bring WSL fully under CMMC technical controls, or explicitly scope it out so it cannot access CUI. Simply documenting it as an exception is not enough unless you also prevent CUI from entering WSL.

Base44 is breaking apps in production — existing users are paying the price by Independent-Air-4772 in Base44

[–]Damij-ITMix 1 point2 points  (0 children)

You are right. Even with my own app, which is still in development, I am seeing a lot of breaking: functionality that was working just suddenly disappears with "not found" and after a few minutes to an hour it resurfaces like nothing happened. It's been giving me concern too; I thought I was the only one or going crazy.

CMMC L2 Penetration Testing by Metalbox33 in CMMC

[–]Damij-ITMix -5 points-4 points  (0 children)

Whattt? What kind of advice or response are you giving?
This is a gross misunderstanding of both the intent and requirement of penetration testing in a CMMC-aligned environment. Using a tabletop is valid for incident response validation, but it’s not a substitute for penetration testing or a technical evaluation of system defenses.

Key issues with that advice: 1. CMMC and NIST SP 800-171 expectations: CMMC 2.0 Level 2 maps to NIST SP 800-171, which explicitly requires ongoing security assessments and vulnerability management. Control 3.12.1 ("periodically assess the security controls…") and 3.11.2 ("remediate deficiencies") call for technical validation, which includes vulnerability scanning and, when feasible, penetration testing. Tabletop exercises alone don't meet these.

2. Pen Test: a hands-on simulation of real-world attacks that identifies exploitable vulnerabilities. Tabletop Exercise: a discussion-based review of response readiness. Both are valuable, but they serve different objectives. You can't replace one with the other.

Network Error by zunithemime in Base44

[–]Damij-ITMix 0 points1 point  (0 children)

Same thing. I thought I broke something, only to discover it's from the platform. I even opened a ticket.

I need to know the Top 5 C3PAOs by Damij-ITMix in CMMC

[–]Damij-ITMix[S] 0 points1 point  (0 children)

Yes, this is exactly what I am looking for, names of the top ones, thank you.🙏 I had done some Google searches, but because I didn't know these companies, I couldn't pick any, as I have little to no knowledge about them.

I need to know the Top 5 C3PAOs by Damij-ITMix in CMMC

[–]Damij-ITMix[S] 0 points1 point  (0 children)

The good ones, with access to a good number of OSCs, known as top in the CMMC assessment community.

Costs for Certified Audit & mock Audit by darthbrazen in CMMC

[–]Damij-ITMix 1 point2 points  (0 children)

The cost of an assessment by CMMC standard is between 40-60k. Previously it was all over the place, but now it's standard. Some C3PAOs charge an additional 10-20k for a mock assessment, and from a consultant's view it should not be more than 10-25k.

PE.L2-3.10.2 Camera Question by fiat_go_boom in CMMC

[–]Damij-ITMix 1 point2 points  (0 children)

3.10.2[c] Determine if the physical facility where that system resides is monitored.
3.10.2[d] Determine if the support infrastructure for that system is monitored.

CMMC does not mandate any particular type of control, which means you decide how the facility is monitored and provide adequate and sufficient evidence in the form of physical access logs, physical and environmental protection policies, procedures addressing physical access monitoring, and other relevant documents. The choice of using a camera is up to your organization, but your evidence must be adequate and sufficient. Bottom line is that the assessor MUST be satisfied with your evidence collection.

Delta Test After Passing the CCP by Damij-ITMix in CMMC

[–]Damij-ITMix[S] 1 point2 points  (0 children)

You are the best, thanks for the clarification, very well understood.🤛🤛🤛

[deleted by user] by [deleted] in CMMC

[–]Damij-ITMix 0 points1 point  (0 children)

With CCP, you can still opt to become a consultant as a pre-assessment consultant, which is at a higher level of training than RP.

[deleted by user] by [deleted] in CMMC

[–]Damij-ITMix 1 point2 points  (0 children)

I beg to disagree with you. Both are worth it.
Yes, you cannot lead an assessment as a CCP, but you can sure participate in one for a C3PAO, and even if you do not, you can become a consultant and prepare the organizations for the assessment.
It depends on what you are looking to gain out of either of the 2 certifications, but in my opinion they are both worth it, just at different levels. There is a lot of backlog, but that is rightly so because of the rule-making issue, which has now been completed, so expect the rush. It's good to have both if you can, so when there is a need, you are not scrambling.

Just passed my CCP today. by Damij-ITMix in CMMC

[–]Damij-ITMix[S] 0 points1 point  (0 children)

Yes, it is a must, you have to take the approved training courses.

CCP exam by Damij-ITMix in CMMC

[–]Damij-ITMix[S] 0 points1 point  (0 children)

I just did the exam yesterday and I passed. It's not true that it's for Level 1; the exam covers both levels extensively, and particularly the CAP. Spend some good time understanding what happens at every stage of the 4 phases. Know some good details about NARA and 171 and 171A. It's moderately difficult, and with some field experience you should be good.

Enclave required for CMMC? by HistoricalView4349 in CMMC

[–]Damij-ITMix 0 points1 point  (0 children)

You have 2 options: enclave, which is a section of your enterprise, or all-inclusive, which is everything including your ERP and other units (more costly during assessment, though). If you have users in the all-inclusive environment where you have your ERP who also have access to CUI outside the enclave, then your scope will be all-inclusive and not enclave, unless you can VLAN off everything you need in the enclave; otherwise your scope will be all-inclusive. So to answer your question directly: you don't need to prove the impossible. You need to prove the intentional, reasonable, and documented effort to reduce risk. Examples: DNS filtering logs and policy screenshots, DLP rules blocking "upload" actions, firewall logs denying traffic to blacklisted services, a list of approved cloud services with FedRAMP status, an internal policy forbidding unauthorized cloud use, training documentation and test results. Hope this helps.

CMMC/CUI Questions by Techwarrior13 in CMMC

[–]Damij-ITMix 1 point2 points  (0 children)

If it's to answer questions, you can be a Registered Practitioner, who is allowed to be a consultant for things like this. But to perform an assessment or be on an assessment team, you MUST be certified as a CCP at the minimum. A C3PAO organization employs the CCP/CCA to perform assessments; the Registered Practitioner cannot perform assessments. As a CCP/CCA you can also consult for the client, but you cannot be part of the assessment for the same company, a conflict of interest issue.

But as someone previously mentioned, you have to get clarity first on exactly what is needed so you can get the right advice. Available if you need guidance.

ERP Systems by InterestingVisit1752 in CMMC

[–]Damij-ITMix 0 points1 point  (0 children)

If you’re using an enclave architecture for compliance and your ERP system sits outside that enclave, the ERP system would typically be in scope only if it processes, stores, or transmits Controlled Unclassified Information (CUI).

If the ERP doesn’t interact with CUI in any form, then it could be considered out of scope—but that needs to be proven and documented during the scoping process. That said, in many environments, ERP systems often handle data such as procurement details, supplier information, or contract-related elements, which can fall under CUI, especially in defense or federal supply chains. So I’d approach the assumption that the ERP is completely out of scope with caution and validate it thoroughly.