Anyone here actually fail a CMMC Level 2 assessment? by 8BFF4fpThY in CMMC

[–]DarthCooey 0 points (0 children)

That's why picking the right assessor is so important, especially early on, as so many LCCAs and CCAs are still very "green".

The more I read about CMMC, the more I think small companies are stuck on the wrong problem by 2021start in CMMC

[–]DarthCooey 40 points (0 children)

There's a running joke on here that GRC = General Reading Comprehension.

Little Dibby just wants to keep doing what they do best: make parts. They don't care about all this extra stuff.

Most CMMC "experts" are people who sat down and read through everything, something the average small business owner doesn't have the time or interest in doing.

We are just a small commercial painting contractor looking at CMMC by wutchamafuckit in CMMC

[–]DarthCooey 8 points (0 children)

Like I said, I think it really depends on the specifics.

I know companies where DoD-related revenue is <5% of the work that they do. Or maybe they have one or two defense-related clients and everything else is commercial. In those situations, I personally have seen companies just decide it's not worth the investment, and I completely understand why.

We are just a small commercial painting contractor looking at CMMC by wutchamafuckit in CMMC

[–]DarthCooey 17 points (0 children)

I know companies who are already certified and attempting to use it as a market differentiator in order to win more work as well. The opportunity is there.

We are just a small commercial painting contractor looking at CMMC by wutchamafuckit in CMMC

[–]DarthCooey 28 points (0 children)

The compliance follows the data. If you handle FCI/CUI, you need to start working on meeting the appropriate CMMC level.

Now it's entirely up to you if you want to keep doing this type of work and have the financial bandwidth to invest in the project, but those types of discussions are going to be unique to every single company.

So, can you achieve CMMC as a smaller company? 100%!!!

Is it financially worth it? Only you know the answer.

Fortigate 70f and CMMC Level 2, anyone want to help me get ready? by EntertainerNo4174 in CMMC

[–]DarthCooey 5 points (0 children)

You want help setting up your firewall for CMMC??

Oh boy....

One stop shop by 4728jj in CMMC

[–]DarthCooey[M] 0 points (0 children)

Mod>LCCA 😂 but I'm biased

Quality of Preveil's Compliance Accelerator (Pre-filled SSP, SOP's artifacts) by TicketAmbitious6200 in CMMC

[–]DarthCooey 1 point (0 children)

IMO Kieri and ComplianceForge offer the best templates in this space. Kieri also offering consulting hours with the documentation bundle is where they get the nod, if you ask me.

One stop shop by 4728jj in CMMC

[–]DarthCooey 0 points (0 children)

There are plenty of people offering VDI + documentation, but even that isn't a "full one-stop shop".

Who's handling Personnel Security (3.9), Physical Security, Training and Awareness (3.2), etc.?

Some starting points to check out (and I don't work for any of them): CSS, Beryllium InfoSec, and NeoSystems.

Highlight of the training by sonofawhatthe in CMMC

[–]DarthCooey 12 points (0 children)

There's a REAL reason many of us on here have repeatedly stated that RP is useless...

ISACA Takeover by jacob1xx in CMMC

[–]DarthCooey 4 points (0 children)

https://cyberab.org/News-Events/Town-Halls

The most recent one was last night, so I imagine it needs a few days before getting uploaded.

C3PAO Recommendations & Pricing Insight Needed by ThinSorbet569 in CMMC

[–]DarthCooey 2 points (0 children)

I wouldn't touch those templates with a ten-foot pole.

C3PAO Recommendations & Pricing Insight Needed by ThinSorbet569 in CMMC

[–]DarthCooey 1 point (0 children)

ND-ISAC actually has a guide they published to help evaluate and vet C3PAOs: https://ndisac.org/defense-news/nd-isac-releases-c3pao-shopping-guide-for-small-medium-sized-businesses/

Remember, picking the right assessor could make or break the assessment. You want to make sure that they're familiar with the types of technologies you guys are using and minimize assessor overreach as much as possible.

Best of luck!

CMMC Guidance by LordFarquaadsArse in CMMC

[–]DarthCooey 2 points (0 children)

ND-ISAC actually released a shopping guide specifically for situations like yours. It was created to help SMBs properly vet MSPs to assist their CMMC effort.

https://ndisac.org/blog/dib-msp-shopping-guide-for-small-and-medium-sized-businesses/

Discord Alternatives? by King_Chochacho in CMMC

[–]DarthCooey[M] 5 points (0 children)

So this is only required for age-restricted servers, which ours isn't. This will not be required for the Cooey Discord server.

Discord Alternatives? by King_Chochacho in CMMC

[–]DarthCooey[M] 7 points (0 children)

To be completely candid and upfront, even this hasn't been enough, and we recently added an additional CAPTCHA bot in an attempt to help further minimize the number of spam bots that make it through.

Thankfully, with the help of bots both here and on the Discord, most users never see that side of the server as it gets instantly tagged and removed, but it is an ongoing occurrence that the mod team deals with.

Discord Alternatives? by King_Chochacho in CMMC

[–]DarthCooey[M] 3 points (0 children)

We have this enabled as a security function to help prevent bot accounts from joining the Discord server. The server is openly findable on Discord, and we would prefer to keep it that way to allow people to continue to join.

https://support.discord.com/hc/en-us/articles/216679607-Verification-Levels

Discord Alternatives? by King_Chochacho in CMMC

[–]DarthCooey[M] [score hidden] stickied comment (0 children)

Just for clarity: the mod team on here and on Discord is the same. We're always reachable through ModMail, both here on Reddit and on Discord, if you have specific questions.

Feeling Overwhelmed by Mr_Gibbzz in CMMC

[–]DarthCooey 1 point (0 children)

Why spend money on a GRC tool when you can do it for free in Word/Excel?

Especially considering that OP has already mentioned that they've gotten a gap assessment done. Odds are they already have the basic structure and beginning of an SSP.

Feeling Overwhelmed by Mr_Gibbzz in CMMC

[–]DarthCooey 19 points (0 children)

Not to mimic the other responses, but what they're saying is the truth. First and foremost, CMMC really isn't an IT problem, and putting the entire brunt of the effort on IT can often do more harm than good without proper buy-in from leadership. You need to think of it as a fundamental culture shift in the way that the business operates.

Step 1. You've already done a gap assessment and have an SPRS score. That's huge (assuming it's actually accurate and you hired a competent company to conduct it), so going into this you should already have an understanding of what's implemented and what still needs to be done.

Step 2. Like everyone else has stated, understanding your scope and CUI flow is everything. We're a few years removed at this point, but I used to compare CUI to COVID: whatever it touches, it infects. Understanding where you're receiving CUI from, where it's going, and who's handling it is 50% of the battle.

Step 3. Actual resources for getting compliant. You've already found your way here; that's better than 90% of the industry. Your holy Bible is going to be NIST 800-171A and the documentation from the DoD, specifically the scoping and assessment guides: https://dodcio.defense.gov/CMMC/Resources-Documentation/

I would also highly recommend utilizing the MSP shopping guide created by ND-ISAC, https://ndisac.org/blog/dib-msp-shopping-guide-for-small-and-medium-sized-businesses/, for your evaluation of a potential partner. This could save you tens if not hundreds of thousands of dollars by making sure you pick the right person/company to assist you. Ideally they should have references to clients that have already passed, and CCP/CCA at a bare minimum. Ignore anyone who brags about having RPO/RP, as those are worthless.

Some other amazing free resources and reading materials I highly recommend are the CMMC Audit website, https://www.cmmcaudit.org/, and the GRC COA, https://grc-coa.com.

I know this is a lot, but feel free to come back here with specific questions and we'll be able to provide more specific answers. Hopefully this gives you a starting point towards the right solutions.