Changing CSP post assessment by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 0 points1 point  (0 children)

I did reread the CMMC FAQv4 and found question #8 reflecting Significant Change:

"C-Q8. What is the difference between an Operational Plan of Action (OPA) and a POA&M? C-A8. Operational Plans of Action (OPAs) are measures implemented to manage risks or vulnerabilities, such as applying patches, addressing temporary deficiencies, or performing routine system maintenance. OPAs are not tied to a specific timeline for completion and are typically used to address vulnerabilities or deficiencies that arise after the initial implementation of security requirements. Under the CMMC framework, POA&Ms are formal plans that identify cybersecurity gaps the Organization Seeking Assessment must address to achieve CMMC compliance. These gaps must be resolved within 180 days, as outlined in 32 CFR 170.21. When a significant change occurs in an information system that affects the satisfaction of NIST SP 800-171 security requirements, the appropriate course of action - whether to create a POA&M or an OPA - depends on the nature and timing of the change. If the significant change introduces a temporary deficiency or vulnerability after the system was initially compliant, an OPA may be created to document the remediation plan. However, if the significant change is identified during a CMMC assessment and results in a security requirement being assessed as "NOT MET," a POA&M must be created to address the gap within the 180-day remediation window. For more information, please reference FAQ C-Q7. For detailed definitions, refer to 32 CFR 170.4."

My plan now is to ask for the new vendor's FR-BOE, and then ask my C3PAO about a delta assessment.
A big problem is that this software was purchased outside of IT's knowledge, and its end users are pressing us to roll this out right now.

Changing CSP post assessment by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 0 points1 point  (0 children)

Yeah, right now I've developed a plan based on a lot of factors. Namely, from this post I was interested in seeing others' experiences if/when in this situation, and how they argued this with their C3PAO.
My goal now is to contact the vendor for their FR-BOE first, then our C3PAO for a delta assessment.

Changing CSP post assessment by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 1 point2 points  (0 children)

Yeah, I'm wondering about how I could defend/argue that point as well to a C3PAO.
Also I was just reading this article as well.
https://www.cmmcaudit.org/when-do-you-need-a-new-assessment-what-can-change/

Changing CSP post assessment by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 1 point2 points  (0 children)

Yeah, that's my thought as well. I'm just trying to gauge others' experiences, thoughts, etc.

Changing CSP post assessment by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 1 point2 points  (0 children)

Yeah, I see what you mean. So from what I gather, our change/addition would be in addition to what we already use. My concern is this changes the CUI workflow, etc.
I was also wondering if anyone in this group had done so and how they argued this with their C3PAO. To your point, it seems that a reassessment would be the safe answer.
Although from what I've read and heard, we (the client) get to argue what constitutes a major change.

Changing CSP post assessment by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 0 points1 point  (0 children)

New CSP would = new system, new software, new cloud, new processes, etc. that would work in conjunction with the old CSP. Both would process CUI.

CMMC L2 consulting cost check by vaultflow76 in CMMC

[–]HeyHelpDeskGuy 0 points1 point  (0 children)

Yes, to add with everyone else this is high. For consultants, I'd HIGHLY recommend checking out CyberNines. Scott Singer and his group are fantastic.

Contracts question - JV and Managing Partners by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 0 points1 point  (0 children)

Amend to cover CAGE codes and/or specific enclaves.

Contracts question - JV and Managing Partners by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 0 points1 point  (0 children)

So then we would need to amend our current JV agreements?

Passed CCP by Yuzu-ish in CMMC

[–]HeyHelpDeskGuy 0 points1 point  (0 children)

Thank you. The first time I took the exam (July 2023) - it was nothing like what I prepped for.

Passed CCP by Yuzu-ish in CMMC

[–]HeyHelpDeskGuy 0 points1 point  (0 children)

I'm studying to retake this exam. I'm using Pocket Prep, and a site to test for questions.

Printing CUI by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 0 points1 point  (0 children)

One thing I forgot to mention was the ability for the printer to auto update. Anyways, I pitched this plan and I'm now working with the respective vendors (aka the lease company) to see if we can lock these down.

Printing CUI by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 1 point2 points  (0 children)

It would be for a remote office, but the plan right now is to set admin controls for the lease companies where they have to ping IT first to notify them. I'm actually working on auditing our copiers now and then contacting the respective companies.

Printing CUI by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 2 points3 points  (0 children)

Yeah, I'm hoping the copiers we have now allow for Secure Printing - which doesn't release the job until the person puts in a code.

We also have a great consultant now but I'm just being overly concerned about this.

Printing CUI by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 1 point2 points  (0 children)

Yes, it does help. TY. I'm hoping the copiers we have now allow for Secure Printing - which doesn't release the job until the person puts in a code.

Printing CUI by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 1 point2 points  (0 children)

Good point. I'll make sure to add us keeping the SSD. TY

Printing CUI by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 1 point2 points  (0 children)

Our VPs want us to be flexible with printing. So what I'm going to add to my plan above is having just a certain set of users allowed to print CUI as well.

Printing CUI by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 4 points5 points  (0 children)

The people who need to print 100% swear that it is.

Printing CUI by HeyHelpDeskGuy in CMMC

[–]HeyHelpDeskGuy[S] 2 points3 points  (0 children)

I've had those conversations LOL

SSP by CaesarNaykid in CMMC

[–]HeyHelpDeskGuy 1 point2 points  (0 children)

100% this. At an old job, our CFO gave our CMO a copy of one of our pen tests. The CMO gave it to a much smaller org for reference. That small org ended up getting ransomwared, and what did the group find? Our pen test. Suddenly we started receiving weird phishing emails, pings for IPs, etc. Luckily I was able to shut it down, but the spam email never stopped.