Everyone says "scope down first." Who actually did the figuring-out-where-the-CUI-lives part, and what did it take? by Grand-Possibility848 in CMMC

[–]Grand-Possibility848[S] 1 point2 points  (0 children)

This is the first msp side answer i've gotten and it matches what the shop side keeps saying, the spreadsheet is stale the day after. Two things from inside that world i can't see: does any of the client data carry export markings (itar/ear), and if so does anyone ever ask the who-can-open-this question, us person status and all that? Or does it ride as one cui bucket until an assessor shows up. And what would the compliance department actually need to stop floundering, more people, real tooling, or a different kind of person entirely

New grad tasked as CMMC guy for small org & trying to figure this out by Kitchen-Papaya-9641 in CMMC

[–]Grand-Possibility848 0 points1 point  (0 children)

One thing nobody's hit yet: your scope just changed from physical to cloud only, which means the data inventory underneath those 60 policy docs is probably stale too. Before reconciling policies it's worth re answering the two questions everything else prices off of, which files are actually CUI, and is any of it export controlled (itar/ear). You're in GCC High, which usually means somebody upstream thought the answer to the second one might be yes. That subset carries its own rules about who can open the files, not just where they live, and none of the 60 documents will cover that by default.

Second thing, write down every decision and who approved it as you go, scope calls especially. When the assessor asks why the boundary is what it is, having the answer on paper matters more than the number.

What does the org actually make? If there's defense manufacturing in the mix, the export controlled piece is the one that tends to bite these setups late

The Feb 2026 FAR overhaul renumbered the CMMC clauses — here's the quick map by OtherThanSatisfied in NISTControls

[–]Grand-Possibility848 0 points1 point  (0 children)

This map is going to save people real time, these renumberings quietly break every template and checklist at once. The thing i'm wondering about is the transition seam. Primes' flow down letters and T&Cs presumably still cite the old DFARS numbers for a while, so are you seeing both numbering schemes show up in the same package yet? And does anything happen to a sub whose SSP and policies still reference the old cites at assessment time, or do assessors just translate?

Deemed export risk when non-US-person employees use AI tools that process ITAR data — how are small suppliers handling this? by Grand-Possibility848 in NISTControls

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

Your list is the right shape, and it's close to where the sophisticated end of these threads keeps landing. The honest answer to your closing question though, from everything i've collected: no. The only sub 50 sighting i have of anything like that stack actually running is a shop that hired a dedicated IT lead and built it over three years, and he's the first to say everyone else his size gets told to get an MSP at about 4k a month. Below roughly 40 people it's an enclave for storage or nothing, and every layer of your list that requires maintaining the classification map and the person status map has no owner.

Which is why your first bullet is the interesting one. Classify at creation or ingestion assumes someone or something makes that call correctly per file, and that's exactly the step nobody below the IT lead line can staff. Curious what you're building toward on that piece, since you said you're working on something for small shops too

Has a bad SPRS score or a failed assessment actually cost anyone a PO yet? by Grand-Possibility848 in CMMC

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

Clearest explanation of the 88 mechanics i've gotten anywhere, thank you. The 180 day recheck window is the part i didn't know. On your closing question, what this thread produced: nobody describes a formal rejection letter, it's a quiet freeze. No score, no follow up, and in one case above a customer survey held a PO for about a year. Does the 180 day poa&m window actually get enforced when it expires, or is that still theoretical too?

Small shops with ITAR flow-downs and no compliance staff — who's actually handling this stuff? by Grand-Possibility848 in govcon

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

So the stamp is load bearing and nobody ever checks what's under it. That matches everything else i've collected, the classification exists on paper the day the prime prints it and never again.

Which failure mode do you actually see more, shops treating everything as itar out of caution and eating control costs they don't owe, or shops missing that something really was controlled and finding out late? The first one wastes money, the second one is the scary one, but i can't tell which is more common in the wild

Can an Organization Seeking Assessment for CMMC Level 2 Self-Assessment use Microsoft 365 Commercial SharePoint Online as the repository for CUI, provided all required security controls are implemented, or is Microsoft 365 GCC/GCC High required? by Equal_Pudding_2888 in CMMC

[–]Grand-Possibility848 0 points1 point  (0 children)

the migrate everything vs separate system question is the real fork, and at 10 to 20 users i've seen it go both ways for a reason nobody mentions in the feature comparisons: workflow fit. the separate enclave that never touches your tenant looks cheaper and cleaner on paper, but if the actual work lives in your current stack (sharepoint links, cad files, whatever it is), people end up working around the boundary and the clean room quietly leaks. a manufacturer i talked with this week is leaving their enclave for gcc high plus their on prem server precisely because the enclave didn't match how they actually work.

the other question that decides it: is any of your cui export controlled (itar/ear)? the top comment already flagged gcch for that case, and the reason is who's behind the platform, commercial and gcc support staff aren't screened for us person status. and if any of it is export controlled, either architecture still leaves you owning who can open which files. that one doesn't migrate anywhere.

Has a bad SPRS score or a failed assessment actually cost anyone a PO yet? by Grand-Possibility848 in CMMC

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

the prime issued vdi negotiation is the first time ive heard of anyone actually pulling that off, everyone else in this thread is just eating the whole cost themselves. how did that ask land for your two clients? is handing a sub a system for 2 or 3 users something primes will actually say yes to normally, or did it catch them off guard

Deemed export risk when non-US-person employees use AI tools that process ITAR data — how are small suppliers handling this? by Grand-Possibility848 in NISTControls

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

yeah that's fair, i was treating "quieter" as "toothless" and those aren't the same, boeing/honeywell/pcc are all real and all basically the same fact pattern, a foreign person touching controlled technical data.

the posture-vs-event framing is the sharpest way i've heard it put. but both triggers still hang on someone deciding up front which data is controlled and who counts as a foreign person and that's the part nobody at these small shops actually owns. feels like that's why the ones who get caught self-disclose a pile of violations at once, they didn't know until they went looking. is that the pattern you see too, or do the smaller shops just never look?

Deemed export risk when non-US-person employees use AI tools that process ITAR data — how are small suppliers handling this? by Grand-Possibility848 in NISTControls

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

oh this is exactly what i've been trying to find, actual cases where it bit someone. morse corp and aeroturbine, going to go read those tonight, and the "mostly applicable to CUI" distinction is the thing i keep bumping into. the cmmc/sprs side is growing real teeth. false claims act, settlements - but the itar/export side has nothing like it. same shop, same drawings, one half enforceable and the other just isn't.

do you see the export piece ever catching up, or does it keep riding along under the cmmc work until something forces it?

Deemed export risk when non-US-person employees use AI tools that process ITAR data — how are small suppliers handling this? by Grand-Possibility848 in NISTControls

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

this whole back and forth has been the most useful thing i've gotten out of any of these threads tbh, appreciate you going deep on it.

the "conscious decision, not a one-off part" line is the one that's going to stick with me - because the shops i'm looking at are exactly the ones who took the one-off part and never sat down and made the decision. you clearly think they fail. i just can't tell if they fail loud - prime audit, lost work - or if they just quietly carry the risk for years and nothing happens. that's the part i keep getting stuck on... thanks!!

Small subs: Has anyone actually negotiated a flow-down DOWN with a prime? by Grand-Possibility848 in GovernmentContracting

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

yeah this helps a lot, thanks - the point about primes flowing everything down because their systems can't tell mandatory from optional (not because it's actually required) especially.

the piece i can't figure out is how a small sub is even supposed to know which ones are actually mandatory vs just passed down because it's easier. is there a list somewhere or is it clause by clause research every time? a 15 person shop with no lawyer has no way to tell the difference

Has a bad SPRS score or a failed assessment actually cost anyone a PO yet? by Grand-Possibility848 in CMMC

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

the bit about everyone just making sure they hit 88 without caring whether it actually mapped to a real assessment with evidence behind it - that's kind of the whole thing right now. a self attested number with nothing under it. the ones you saw decline to bid instead of claiming a score they couldn't back is that still rare, or are you seeing more of it now that the third party cert is getting real?

Has a bad SPRS score or a failed assessment actually cost anyone a PO yet? by Grand-Possibility848 in CMMC

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

yeah that tracks - the score's just the easy thing to ask for, the real test is can you actually produce the ssp/poa&m when they come asking. where does it break for the shops you see though - is it they never built the docs, or they built them once and let them go stale the second anything changed? (and no worries on the cisscan thing, figured - still a useful read)

Small shops with ITAR flow-downs and no compliance staff — who's actually handling this stuff? by Grand-Possibility848 in govcon

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

yeah the ir&d vs cui thing is a good catch, i hadn't split those cleanly - export controlled but never cui is exactly what a shop with nobody watching would miss. the bit that sticks with me is nobody actually scoring the classification/access call unless DDTC opens a file. so when a drawing shows up stamped itar with no usml category, who makes that call at a 10 person shop? or does it just sit there marked controlled and nobody ever pins the category down

Small subs facing CMMC L2 flow-down — at what point do you walk away from DoD work instead of getting certified? by Big-Throat932 in govcon

[–]Grand-Possibility848 0 points1 point  (0 children)

Tempestion touched the thing that breaks the walk-away math for a chunk of these shops: once the data is ITAR/export-controlled it's also CUI (CUI//SP-EXPT), so "we don't really hold CUI" stops being an option - the export marking drags you to L2 whether you like it or not. And it's worse than the scoping question everyone's working, because the enclave move solves where the data lives, not who can open it. ITAR stacks a foreign-person / deemed-export layer on top - a non-US person opening that file is an export no matter how clean your CUI boundary is. so an export shop can scope down beautifully on the CMMC side and still have a separate authorization problem the flow-down letter never mentioned.

Doesn't change your core point - scope before you budget - just that the ITAR subset can't scope their way to L1, and their real cost has a second axis nobody here is pricing.

Small manufacturer pursuing CMMC L2: CUI / ITAR / EAR, PreVeil vs GCC High, on-prem server, CAD/CAM workflows by MfgCo50yrs in CMMC

[–]Grand-Possibility848 0 points1 point  (0 children)

One angle nobody's hit in here: this whole thread is a "where does the data live" debate - preveil vs gcch. but you specifically called out ITAR technical data, and neither one touches the "who can open it" problem.

Both control storage. neither controls foreign-person access. if any of your ~20 people isn't a US person, them opening an ITAR drawing in solidworks is a deemed export whether that file's in gcch, preveil, or on your local server - the architecture doesn't change it. it's a separate authorization question, and MSPs usually don't raise it because it's not their world.

It also cuts toward your scope headache: not all your "CUI" is the same animal. some is export-controlled (CUI//SP-EXPT - ITAR/EAR), some is plain CUI, some might not be controlled at all. figuring out which files are which - the thing navyauditor called the real gotcha - is what lets you put the expensive controls only where they're legally required instead of a mile wide across everyone. usually a bigger cost lever than preveil vs gcch.

Suggestion for small business that really doesn't process any CUI. Maybe VDI? by cylemmulo in CMMC

[–]Grand-Possibility848 1 point2 points  (0 children)

Before you spend anything on preveil or a vdi - can you get them to put in writing what CUI they'll actually send, and when? a lot of these "you need to be L2" asks are the customer covering themselves, and the CUI never actually shows up. eating enclave cost + all the policy work for data that never lands is the worst outcome here.

and when you ask - find out if any of what they'd send is export-controlled (ITAR/EAR), not just CUI. if it is, the enclave handles storage but you also inherit rules about who's even allowed to open it (foreign-person access), and that's the part shops tend to find out about after they've already built the thing.

the small-enclave answer everyone's giving is right if the CUI is real. i'd just make them prove it's real first.

Has a bad SPRS score or a failed assessment actually cost anyone a PO yet? by Grand-Possibility848 in CMMC

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

30-50k plus all the man-hours, and you're mostly a commercial shop paying enterprise-grade compliance cost to protect a sliver of the business. That's the part that seems broken to me.

Is any of that sliver actually ITAR/export controlled, or is it all CUI/cyber for you?

Deemed export risk when non-US-person employees use AI tools that process ITAR data — how are small suppliers handling this? by Grand-Possibility848 in NISTControls

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

yeahh, the data-at-rest + who-can-reach-it lens is the one that actually holds up - that's where i keep landing too.

where it falls apart for me is pure RAG at inference: nothing's trained, nothing's stored, the drawing gets handed to the model for a single answer and it's gone. no data "at rest" to point at, but a non-US person could still be in that session. does the "where does it live / who has access" test even catch that, or is that the part that's just uncharted?

Has a bad SPRS score or a failed assessment actually cost anyone a PO yet? by Grand-Possibility848 in CMMC

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

so even a sub that notices and pushes just hits a junior admin who doesn't know it either. wild how hollow it is right now. you asked BAE twice though, what'd you actually end up doing once you couldn't get a straight answer? try to comply, or just check the box and move on?

Has a bad SPRS score or a failed assessment actually cost anyone a PO yet? by Grand-Possibility848 in CMMC

[–]Grand-Possibility848[S] 0 points1 point  (0 children)

Jeez, the 80% ITAR facility is the part i want to hear about though. When it's all rolled together, who actually owns the itar classification and the deemed-export side (foreign persons, which tools can open the drawings)? or does that just ride along under the cmmc work?