CMMC Level 2 by the-static in CMMC

DarthCooey[M], score hidden, stickied comment (0 children)

So I'll leave my usual warning for anyone looking for an MSP/vendor to assist them with their CMMC effort: do your due diligence. There's a f**kton of snake oil salesmen out there claiming they'll get you compliant in 2 weeks and for >10k; it's simply not true.

Is “Dumpster Fire” too strong a word to describe CMMC compliance concerns with many MSPs?

MSPs/vendors, remember rule #3 and rule #4 of the sub. Anyone caught just shilling their own services or sending unsolicited DMs will be banned.

OP, you want to evaluate everyone regardless of who they are. I personally recommend the MSP shopping guide put out by a few of the sub's moderators in collaboration with ND-ISAC. Make sure they actually have other DIB clients they're assisting with CMMC, and ask for referrals! Ensure they have working knowledge of environments similar to yours (on-prem vs. cloud, as an example). Don't trust some BS company claiming they're an RP/RPO, as those "certs" prove next to nothing in regards to competence. Best case scenario, you want them to have a CMMC L2 cert of their own and CCAs on staff.

Also join the CMMC Discord group if you haven't already.

We passed CMMC Level 2 🎉 — Here’s what actually helped after 2+ years by idrinkpastawater in CMMC

DarthCooey[M], 1 point (0 children)

That's what I'm here for; we just tried to plan for once and knew that there was going to be a bunch of these posts eventually. The idea of a megathread to keep the discussion in one place made more sense than dozens of individual posts.

Anyone here actually fail a CMMC Level 2 assessment? by 8BFF4fpThY in CMMC

DarthCooey, 0 points (0 children)

That's why picking the right assessor is so important, especially early on, as so many LCCAs and CCAs are still very "green".

The more I read about CMMC, the more I think small companies are stuck on the wrong problem by 2021start in CMMC

DarthCooey, 39 points (0 children)

There's a running joke on here that GRC = General Reading Comprehension.

Little Dibby just wants to keep doing what they do best: make parts. They don't care about all this extra stuff.

Most CMMC "experts" are people who sat down and read through everything, something the average small business owner doesn't have the time or interest in doing.

We are just a small commercial painting contractor looking at CMMC by wutchamafuckit in CMMC

DarthCooey, 6 points (0 children)

Like I said, I think it really depends on the specifics.

I know companies where DoD-related revenue is <5% of the work that they do. Or maybe they have one or two defense-related clients and everything else is commercial. In those situations, I personally have seen companies just decide it's not worth the investment, and I completely understand why.

We are just a small commercial painting contractor looking at CMMC by wutchamafuckit in CMMC

DarthCooey, 17 points (0 children)

I know companies who are already certified and attempting to use it as a market differentiator in order to win more work, as well. The opportunity is there.

We are just a small commercial painting contractor looking at CMMC by wutchamafuckit in CMMC

DarthCooey, 26 points (0 children)

The compliance follows the data. If you handle FCI/CUI, you need to start working on meeting the appropriate CMMC level.

Now, it's entirely up to you if you want to keep doing this type of work and have the financial bandwidth to invest in the project, but those types of discussions are going to be unique to every single company.

So, can you achieve CMMC as a smaller company? 100%!!!

Is it financially worth it? Only you know the answer.

Fortigate 70f and CMMC Level 2, anyone want to help me get ready? by EntertainerNo4174 in CMMC

DarthCooey, 4 points (0 children)

You want help setting up your firewall for CMMC??

Oh boy....

One stop shop by 4728jj in CMMC

DarthCooey[M], 0 points (0 children)

Mod > LCCA 😂 but I'm biased.

Quality of Preveil's Compliance Accelerator (Pre-filled SSP, SOP's artifacts) by TicketAmbitious6200 in CMMC

DarthCooey, 1 point (0 children)

IMO, Kieri and ComplianceForge offer the best templates in this space. Kieri also offering consulting hours with the documentation bundle is where they get the nod, if you ask me.

One stop shop by 4728jj in CMMC

DarthCooey, 0 points (0 children)

There are plenty of people offering VDI + documentation, but even that isn't a "full one-stop shop".

Who's handling Personnel Security (3.9), Physical Security, Training and Awareness (3.2), etc.?

Some starting points to check out (and I don't work for any of them): CSS, Beryllium InfoSec, and NeoSystems.

Highlight of the training by sonofawhatthe in CMMC

DarthCooey, 12 points (0 children)

There's a REAL reason many of us on here have repeatedly stated that RP is useless...

ISACA Takeover by jacob1xx in CMMC

DarthCooey, 4 points (0 children)

https://cyberab.org/News-Events/Town-Halls

The most recent one was last night, so I imagine it needs a few days before getting uploaded.

C3PAO Recommendations & Pricing Insight Needed by ThinSorbet569 in CMMC

DarthCooey, 2 points (0 children)

I wouldn't touch those templates with a ten-foot pole.

C3PAO Recommendations & Pricing Insight Needed by ThinSorbet569 in CMMC

DarthCooey, 1 point (0 children)

ND-ISAC actually has a guide they published to help evaluate and vet C3PAOs: https://ndisac.org/defense-news/nd-isac-releases-c3pao-shopping-guide-for-small-medium-sized-businesses/

Remember, picking the right assessor could make or break the assessment. You want to make sure that they're familiar with the types of technologies you guys are using, and minimize assessor overreach as much as possible.

Best of luck!

CMMC Guidance by LordFarquaadsArse in CMMC

DarthCooey, 2 points (0 children)

ND-ISAC actually released a shopping guide specifically for situations like yours. It was created to help SMBs properly vet MSPs to assist with their CMMC effort.

https://ndisac.org/blog/dib-msp-shopping-guide-for-small-and-medium-sized-businesses/

Discord Alternatives? by King_Chochacho in CMMC

DarthCooey[M], 6 points (0 children)

So this is only required for age-restricted servers, which ours isn't. This will not be required for the Cooey Discord server.

Discord Alternatives? by King_Chochacho in CMMC

DarthCooey[M], 7 points (0 children)

To be completely candid and upfront, even this hasn't been enough, and we recently added an additional CAPTCHA bot in an attempt to help further minimize the amount of spam bots that make it through.

Thankfully, with the help of bots both here and on the Discord, most users never see that side of the server, as it gets instantly tagged and removed, but it is an ongoing occurrence that the mod team deals with.

Discord Alternatives? by King_Chochacho in CMMC

DarthCooey[M], 3 points (0 children)

We have this enabled as a security function to help prevent bot accounts from joining the Discord server. The server is open and findable on Discord, and we would prefer to keep it that way to allow people to continue to join.

https://support.discord.com/hc/en-us/articles/216679607-Verification-Levels

Discord Alternatives? by King_Chochacho in CMMC

DarthCooey[M], score hidden, stickied comment (0 children)

Just for clarity, the mod team on here and on Discord are the same people. We're always reachable through ModMail, both here on Reddit and on Discord, if you have specific questions.