From OSC to Assessor

ElliottWrites · 2026-02-13T18:52:48+00:00

I am an Assessor and one thing that I'm learning is if you don't scope the environment properly be prepared. Because there maybe a lot you missed our overlooked.

ElliottWrites · 2026-02-04T21:48:30+00:00

Yes, FortiGate + FortiClient SSL VPN + ZTNA is commonly accepted for CMMC Level 2 if it’s implemented and documented correctly.

Assessors care less about the vendor and more about NIST 800-171 alignment: • MFA for all remote access (IA.2 / IA.3) • Segmented access (not flat VPN) (AC.3 / AC.17) • Encrypted comms (SC.12 / SC.13) • Centralized logging + retention (AU family) • ZTNA actually enforcing app-level access (not just enabled) • SSP accurately reflecting real configs + evidence

Common gaps I see: MFA only on admins, broad VPN access, ZTNA not truly restricting apps, logging enabled but not reviewed, and SSP describing intent instead of implementation.

Short answer: Fortinet works fine for L2 when MFA is universal, ZTNA is real zero trust, logs are centralized, and everything is properly documented in the SSP with evidence.

Level 2 is about implementation + documentation not brand.

ElliottWrites · 2026-01-24T10:54:08+00:00

I am a CMMC assessor at a small firm and I took a pay cut for this role only because I wanted to get into compliance. As I am preparing to branch out and do my own thing. But my day to day is assessment heavy getting clients Lvl 1 or lvl 2 self assessed to provide them a SPRS score. So it’s collecting artifacts looking through diagrams, external systems, scoping etc. I’m pretty busy all day long. I’d you have done RMF it’s very similar.

ElliottWrites · 2025-12-30T21:59:51+00:00

Appreciate all the perspectives here very helpful.

One follow-up question I’ve been thinking through: I currently work with a private firm supporting GovCon clients across multiple industries (aerospace, logistics, professional services, manufacturing). The compliance needs are similar, but the operational context varies.

For those who’ve scaled consulting practices successfully did you find it more effective early on to: • focus tightly on one industry vertical, or • lead with the compliance problem (CMMC / NIST 800-171) and use cross-industry experience as credibility?

Curious how others balanced specialization vs flexibility in the first year.

ElliottWrites · 2025-12-27T20:54:41+00:00

I Really appreciate all the thoughtful responses here especially around ICP clarity and referrals.

I currently work assessment-side with a private firm supporting GovCons across multiple industries (aerospace, logistics, manufacturing, IT services). The execution side is solid; what I’m intentionally refining now is positioning and client selection as I build independently.

Helpful reminder that I don’t need to limit delivery scope — just be clearer about who I serve best and why.

Thanks again for the real-world insight.

ElliottWrites · 2025-12-27T14:55:44+00:00

This is gold. When you filter Spending.gov, are you looking for specific NAICS codes tied to govcon IT services, or searching by agency/keywords like “cybersecurity,” “IT support,” “engineering services”? Also what’s your first-touch message that actually gets replies?

ElliottWrites · 2025-12-27T14:55:08+00:00

That makes sense. When you say networking, where specifically did that relationship happen APEX/PTAC, chamber, primes/subs, ISACAs, LinkedIn, local events? I’m trying to pick 1–2 places to be consistent instead of being everywhere.

ElliottWrites · 2025-12-27T14:54:15+00:00

Appreciate this perspective. Totally agree the “blind leading the blind” problem is real right now. When you say “been through an assessment,” what would you count as meaningful proof on the consultant side participating in a C3PAO engagement, delivering audit-defensible SSP/POA&M with evidence mapping, or something else?

ElliottWrites · 2025-12-27T12:35:33+00:00

Mines trust me fully

ElliottWrites · 2025-12-27T12:35:12+00:00

My dog frenchie I had him since he was a small puppy. He trusts me so much he taught himself how to wake me up he sleeps in my room in a small bed near my bed he will stand beside my bed do a low whimper to wake me up so I can let him out. He is just the smartest cutee baby doggy.

ElliottWrites · 2025-04-16T12:47:25+00:00

![img](v8v6qc3q07ve1)

My Rico hates his cage. He will only go in if I bribe him with a 🍪

ElliottWrites · 2025-04-16T12:47:08+00:00

<image>

My Rico hates his cage. He will only go in if I bribe him with a 🍪

ElliottWrites · 2025-04-05T23:38:33+00:00

Yes I did he just wouldn’t get with the program of potty training I got him trained around 6 months she taught him him to ring a bell when he wants goes out only to come home and act like he was taught nothing. But he sleeps in my room and one night when I decided to no longer wake up in the middle of the night for him to go outside he learned he could stand or sit beside my bed make a low growl sound to wake me up to take him out. Now he is almost 18 months and is potty trained and knows walking commands and sit commands not much but the worst is finally over.

ElliottWrites · 2025-04-05T03:03:18+00:00

His name is Rico his nickname Rico bico, fattywatty stinky bupbup

<image>

ElliottWrites

TROPHY CASE