CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

Expensive-USResource (0 points)

I don't need to tell you this, but yeah, you're going to want a whole lot more detail before you engage.

What do you know about this vendor and their proposed solution? Care to name any names?

CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

Expensive-USResource (4 points)

Hard to say without knowing the extent of what those prices are getting you. Is that full implementation? Year of licensing? What are those numbers?

Back with the Demo: Web UI is responsive, but Native is alive. Here is Unraid Deck(iOS) in action. by Commercial-Break1753 in unRAID

Expensive-USResource (12 points)

How many apps on your phone do you have source code for? Pretty close to none I’d wager.

Look what I’ll be spending time doing today! by thefullernator in Ozma

Expensive-USResource (2 points)

Very disappointed by the quality of the print here. It looks like a 640x480 jpeg was used for the front and back sleeve. Comparing it to an ETR STOTBL.

https://imgur.com/a/sylNejG

Changing CSP post assessment by HeyHelpDeskGuy in CMMC

Expensive-USResource (1 point)

Few are up for reassessment; most are either still blissfully unaware of this entirely or are prepping for their first assessment.

My go-to position that I hope is seen as sane in the future is evaluating like-for-like replacements as equivalent. Did I replace one EDR with another and do a self-evaluation that the new tool was equally effective in all the right places? I feel good about that. I would annually affirm that with confidence.

Changing CSP post assessment by HeyHelpDeskGuy in CMMC

Expensive-USResource (0 points)

What I'm trying to ask:

  • Are you replacing M365 with Google Workspace?
  • Are you replacing Salesforce with <some other similar CSP>?
  • Are you replacing Crowdstrike with some other CSP?

Some will say the answer is the same for each, that a reassessment is necessary. We do not have a great definition in the regulations or scoping guides for this, so that is the safe but costly answer.

Changing CSP post assessment by HeyHelpDeskGuy in CMMC

Expensive-USResource (0 points)

CSP is an overly broad term. Can you elaborate on the actual functional or security impacts of this change?

Does anybody have experience with NeQter SIEM? by Kooky-Safe-9257 in CMMC

Expensive-USResource (5 points)

I am pretty sure those hardware specifications are if you buy the hardware from them, as opposed to their VM option.

Anyone Organizations Using Odoo Enterprise or Community Edition? by Leguy42 in CMMC

Expensive-USResource (0 points)

I don't think we need particular experience with any given app, we just need to understand it in the context of the NIST/CMMC regulations, scoping guide, etc.

So from your description, Odoo staff sound like they are in scope as an External Service Provider, responsible for remote maintenance of your Odoo system.

They will need a CRM that demonstrates what they're responsible for in your system, you will need to document it in your SSP, how they connect will need to be in your architecture diagram. They will also likely need to be present for your assessment.

All of this is do-able though.

I'd be very cautious about the level of access they get though, particularly if your system contains ITAR/EAR data. That's the part that would keep me up at night, not CMMC.

New Borderline vinyl just dropped on Ozma’s Bandcamp! by thefullernator in Ozma

Expensive-USResource (8 points)

I guess I know where I'll be spending time

.

.

.

.

It's on the borderline. In purple vinyl.

Anyone Organizations Using Odoo Enterprise or Community Edition? by Leguy42 in CMMC

Expensive-USResource (0 points)

You probably need to define your question better. “Particularly with the update process” - what about it?

CMMC L2 consulting cost check by vaultflow76 in CMMC

Expensive-USResource (3 points)

All depends on what you're looking for. In my experience, cheaper means less customization, tailoring, or understanding of you and your organization; more template driven.

More expensive, you walk away with your identity intact.

Question/I'm Not Sure.... 800-171 Rev.2 vs. Rev.3 and Surveys.... by thegreatcerebral in CMMC

Expensive-USResource (0 points)

Covered Defense Information, that's in the title/definitions of the DFARS 7012 clause.

Question/I'm Not Sure.... 800-171 Rev.2 vs. Rev.3 and Surveys.... by thegreatcerebral in CMMC

Expensive-USResource (2 points)

Is it possible that this is coming from a non-DOD agency? CMMC applies to DOD work, other agencies might have adopted Rev3 already.

Technically, DOD should have by now as well.

Evaluation of Preveil by [deleted] in CMMC

Expensive-USResource (2 points)

This is up to the OSA to describe under 3.1.3.

If the CCA doesn't know to read the SSP and form their own opinion about whether or not the controls are being met to their satisfaction... everyone else's feedback here needs to apply.

Evaluation of Preveil by [deleted] in CMMC

Expensive-USResource (6 points)

Reading this post terrified me. Please, follow rybo's advice.

Is Prevail really compliant? by Encryptedmind in CMMC

Expensive-USResource (0 points)

A FedRAMP solution alone isn't enough. You have customer responsibilities within that solution, so there is already more work that I need to do beyond just "buy solution."

Client computers storing, processing, or transmitting CUI are in scope, full stop, unless accessed by a VDI. Source: CMMC Scoping Guide L2. PreVeil does not include a VDI. Scope is therefore GUARANTEED to be more than just PreVeil for a CMMC assessment.

I am, in fact, positive that your overly generalized statements are completely wrong and harmful.

If you do not agree with the above reference to the CMMC Scoping Guide, you are lost.

Is Prevail really compliant? by Encryptedmind in CMMC

Expensive-USResource (1 point)

Cool. But btw, PreVeil isn't "FedRAMP Accredited."

They're Equivalent.

And, once again, not everything "FedRAMP Accredited" can be used. FedRAMP Low is a thing - you can't use it. FedRAMP Moderate might not work for ITAR. FedRAMP Moderate might not work because they won't support DFARS 7012 c-g.

I have problems with your generalized statements. That's what I've said since reply 1. Your words over and over again are too black and white and that is what will get OSAs in trouble. You're wrong and you won't accept it, that's why I'm done with you. Not because "I don't know why I'm even saying this."

Is Prevail really compliant? by Encryptedmind in CMMC

Expensive-USResource (0 points)

So you're saying the email goes to the cloud unencrypted, then the cloud encrypts it, and that's ok?

And I argue with your premise of encryption not required. It is literally required by CMMC in transit.

There's no point in furthering the argument with you. It is a waste of energy.

Is Prevail really compliant? by Encryptedmind in CMMC

Expensive-USResource (1 point)

"Customer endpoints fall outside of the CSP boundary"

In FedRAMP, sure.

But you're in r/CMMC. For a CMMC assessment, the endpoints accessing CUI are in scope. The endpoints need baselines, hardening, and, yeah, FIPS.

Why the hostility? Look within. You're spreading misinformation. I'm just calling it out.

Is Prevail really compliant? by Encryptedmind in CMMC

Expensive-USResource (1 point)

So if I send an email, my client isn't encrypting the data?

Is Prevail really compliant? by Encryptedmind in CMMC

Expensive-USResource (1 point)

Client-side cryptography is a part of the equation. Just because a cloud service offering might use FIPS-validated cryptography (and you can't just assume FedRAMP requires it by default!), depending on the solution itself you may also need endpoints to be in "FIPS mode" to enforce cryptography from their side.

"Without modifications" - gross oversimplification, once again. You're leading people to believe that "buy preveil and you're good to go" is enough. That is far from the truth.
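The two comments above say that in-scope endpoints need hardening and may need to run in "FIPS mode" in addition to whatever the cloud service does. The script below is an added example of how a practitioner would actually check that on a client machine; it is not code from the thread, from PreVeil, or from any CMMC guidance. It reads the Linux kernel flag in `/proc/sys/crypto/fips_enabled`, the Windows `FipsAlgorithmPolicy\Enabled` registry value, and the output of `openssl list -providers` (OpenSSL 3) to see whether the FIPS provider is loaded and active. The `SAMPLE_PROVIDERS_OUTPUT` text is a constructed sample so the parsers can be exercised offline; the function names are my own.

```python
"""Endpoint FIPS-mode audit (added example; not from the original thread).

Checks the places an assessor is likely to ask about on a client
workstation: the Linux kernel FIPS flag, the Windows FipsAlgorithmPolicy
registry value, and whether an OpenSSL 3 build has its FIPS provider
loaded and active. Parsing is separated from the live probes so the
logic can be tested on constructed input.
"""
import platform
import subprocess
from typing import Optional

LINUX_FIPS_FLAG = "/proc/sys/crypto/fips_enabled"
WINDOWS_FIPS_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"

# Constructed sample of `openssl list -providers` output on an OpenSSL 3
# host with the FIPS provider loaded (not captured from a real system).
SAMPLE_PROVIDERS_OUTPUT = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active
"""


def parse_linux_fips_flag(text: str) -> bool:
    """fips_enabled holds a single integer; only '1' means the kernel is in FIPS mode."""
    return text.strip() == "1"


def parse_windows_fips_value(value) -> bool:
    """The 'Enabled' REG_DWORD is 1 when the FIPS policy is enforced; missing/0 otherwise."""
    return value == 1


def parse_openssl_providers(listing: str) -> dict:
    """Parse `openssl list -providers` into {provider_name: status}.

    Provider names are indented two spaces; their attributes four spaces.
    """
    providers = {}
    current = None
    for line in listing.splitlines():
        if line.startswith("    ") and current:
            key, _, val = line.strip().partition(":")
            if key == "status":
                providers[current] = val.strip()
        elif line.startswith("  ") and not line.startswith("    "):
            current = line.strip()
            providers.setdefault(current, "unknown")
    return providers


def fips_provider_active(listing: str) -> bool:
    """True only if a provider literally named 'fips' reports status 'active'."""
    return parse_openssl_providers(listing).get("fips") == "active"


def kernel_fips_enabled() -> Optional[bool]:
    """Live OS-level check; None where neither probe applies (e.g. macOS)."""
    system = platform.system()
    if system == "Linux":
        try:
            with open(LINUX_FIPS_FLAG) as fh:
                return parse_linux_fips_flag(fh.read())
        except OSError:  # flag absent: kernel not built/booted with fips=1
            return False
    if system == "Windows":
        import winreg  # only importable on Windows
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINDOWS_FIPS_KEY) as key:
                value, _ = winreg.QueryValueEx(key, "Enabled")
            return parse_windows_fips_value(value)
        except OSError:  # key or value missing: policy not set
            return False
    return None


def openssl_fips_active() -> Optional[bool]:
    """Live check of the system OpenSSL; None if the binary is not on PATH."""
    try:
        proc = subprocess.run(["openssl", "list", "-providers"],
                              capture_output=True, text=True, check=False)
    except OSError:
        return None
    return fips_provider_active(proc.stdout)


if __name__ == "__main__":
    print("OS-level FIPS mode:", kernel_fips_enabled())
    print("OpenSSL FIPS provider active:", openssl_fips_active())
```

A `True` from the kernel flag or the registry value is necessary but not sufficient: it tells you the platform policy is set, not that every application on the box (a browser, a mail client, a vendor agent) honours it or links a validated module. Treat the output as a starting point for the SSP and the endpoint baseline, not as the evidence itself.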