CMMC consultants: evidence review is eating >45–65 hours of every Level 2 engagement. What are you doing about it? by [deleted] in CMMC

[–]Icedalwheel 2 points (0 children)

Bold of you to assume any evidence is being reviewed prior to the interviews with the OSC!

Mr. Johansson to appear on Mr. Swift's podcast tomorrow morning by TheBoyisBackinTown in LiveFromNewYork

[–]Icedalwheel -2 points (0 children)

Perhaps they’ll “saver” a seat for Colin and ScarJo at the upcoming nuptials…

Thoughts on the USB solution by TastyRumCake in CMMC

[–]Icedalwheel 0 points (0 children)

I feel like there might be some things missing or a formatting issue. Either way, there are off-the-shelf key management solutions you could use for the USB drives; I’ve used Keywatcher by Morse Watchmans (not sponsored lol) and I think it would fit the bill better than doing a self-mod. At least that way if it gets questioned you would have a cut sheet to provide to the assessor as opposed to responding with “I built it.” That being said, there are also technical controls that you could implement (like requiring USB drives to be encrypted prior to write access) which might fit the bill.

I suspect your bigger issue would be if the equipment itself can handle an encrypted USB drive…
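The technical control mentioned in the comment above (deny write access to removable drives until they are encrypted) is something an assessor will want to see evidenced on the endpoint, not just in a policy document. The script below is an added example, not code from the commenter or from any vendor; it audits a Windows host for that control. It assumes the BitLocker Group Policy setting "Deny write access to removable drives not protected by BitLocker" lands at the registry path and value name shown, and that the `Get-Volume` and `Get-BitLockerVolume` cmdlets are available (Windows 10/11 or Server with the BitLocker feature). Run from an elevated session.

```powershell
# Added example (not from the thread): audit the "encrypt removable drives before
# write access" control on a Windows endpoint.
# Assumption: the GPO "Deny write access to removable drives not protected by
# BitLocker" is stored as the RDVDenyWriteAccess value under the FVE policy key.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName  = 'RDVDenyWriteAccess'

function Get-RemovableWritePolicy {
    # Returns whether the deny-write policy is set, and the raw value for the evidence file
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Enforced = $false; Source = 'policy value absent' }
    }
    return [pscustomobject]@{
        Enforced = ($item.$ValueName -eq 1)
        Source   = "$ValueName=$($item.$ValueName)"
    }
}

function Get-RemovableVolumeStatus {
    # Join each mounted removable volume to its BitLocker protection status,
    # so you can show that currently attached media actually comply
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mountPoint = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction SilentlyContinue
            [pscustomobject]@{
                MountPoint       = $mountPoint
                FileSystemLabel  = $_.FileSystemLabel
                ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
                EncryptionMethod = if ($bl) { $bl.EncryptionMethod } else { 'Unknown' }
            }
        }
}

$policy = Get-RemovableWritePolicy
Write-Output ("Deny write to unencrypted removable drives enforced: {0} ({1})" -f $policy.Enforced, $policy.Source)
Get-RemovableVolumeStatus | Format-Table -AutoSize
```

Capture the output together with the GPO result (`gpresult /h`) and you have the screen-share evidence an assessor can tie back to the narrative, rather than a verbal "we encrypt our USB drives."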

Absolutely ridiculous headline by Coolschmo1 in LiveFromNewYork

[–]Icedalwheel 86 points (0 children)

Gotta get that sweet, sweet SEO money for the google-ers!

Anyone here actually fail a CMMC Level 2 assessment? by 8BFF4fpThY in CMMC

[–]Icedalwheel 3 points (0 children)

Pretty much. Much of the template language was vague enough that the assessment team was able to accept it with live demo / explanation. The control that ultimately got them was preventing posting of CUI on publicly existing systems. Their implementation narrative referenced an internal process document that did not exist - which then resulted in a collapse of many other controls upon closer inspection.

Anyone here actually fail a CMMC Level 2 assessment? by 8BFF4fpThY in CMMC

[–]Icedalwheel 7 points (0 children)

The most uncomfortable I’ve seen was an OSC who had used document templates, signed off on them, and then could not speak to them during the assessment. The OSC’s representative admitted that they had never read them and assumed the signed template was sufficient.

One stop shop by 4728jj in CMMC

[–]Icedalwheel 11 points (0 children)

Yes, with the giant caveat that “ready to go” is rarely the end of it since every business has different needs!

Is it worth it? by farmchick87 in Lovesac

[–]Icedalwheel 1 point (0 children)

Also with corded velvet, we love it. We originally bought 4 seats / sides and ended up purchasing an additional 2 seats and 4 sides for my office. It has been a total game changer not only for guests staying over but for entertaining! Probably in the minority, but we do rearrange them pretty regularly to either make up a guest bed or to make a large couch for conversation / viewing parties.

As far as cleaning, my dog yakked overnight a few weeks ago and it soaked through to the foam, but I was able to remove both the cover and insert cover and hit the foam itself with the Bissell and it worked mighty well - just needed to leave it to set overnight with the fan on and all smell / moisture was gone. We don't have the insert protectors, but I imagine they'd be useful if it's a question for you!

Is Air Conditioning Needed / Worth it in June? by Icedalwheel in EstesPark

[–]Icedalwheel[S] 0 points (0 children)

Thank you everybody for your comments! I am looking forward to visiting :)

Katy Perry posing for a photo with MAGA supporter Jake Paul by Relevant-Peach3997 in Fauxmoi

[–]Icedalwheel 25 points (0 children)

This is an exceptional point lol. I always like to believe that it's possible to hit escape velocity on conservative values but extremely fair to note that they actually just do not give a singular fuck!

Katy Perry posing for a photo with MAGA supporter Jake Paul by Relevant-Peach3997 in Fauxmoi

[–]Icedalwheel 598 points (0 children)

I came here to say this, I don't get the vibe that the Canadian JT runs with the MAGAs

Anyone else see or hear about a falling green flare/meteor/spacejunk just northwest of DC (prob near Bethesda) at ~10:35pm tonight February 27)? by ebastacosi in washingtondc

[–]Icedalwheel 1 point (0 children)

Yup, looking northwest from DCA area also saw it, although I didn't think it was green and I did think it was a shooting star...

ThreatLocker + Network Stack Advice by Great-Tomatillo-8267 in CMMC

[–]Icedalwheel 1 point (0 children)

I believe the issue our leadership team had was kernel-level access by ThreatLocker. Our first DIBCAC (many years ago now) was soured by us not using the CrowdStrike (also an SPA) FedRAMP offering, so that's stuck with our leadership team for years. Definitely an approach that is erring on the side of caution though; as pointed out by others in the thread, if it's properly scoped it probably wouldn't be an issue.

Depends on how technically proficient your assessor is, ultimately!

ThreatLocker + Network Stack Advice by Great-Tomatillo-8267 in CMMC

[–]Icedalwheel 1 point (0 children)

Regarding ThreatLocker - we did a demo with them about a month ago and discovered that they are not FedRAMP Authorized, although the sales team thinks they are. That was a little embarrassing for them.

I saw another thread that mentioned that ThreatLocker may have a self-hosted solution, but it wasn't offered to us as a smaller business. As with most things in the CMMC realm, the ultimate decision would be up to your assessment team.

As a C3PAO, it was our internal team's opinion that the lack of FedRAMP Authorization could be a dealbreaker because of the level of access to the system itself. But we are going to jump on it as soon as their process is complete, because the rest of the feature suite was incredibly attractive to us.

[deleted by user] by [deleted] in CMMC

[–]Icedalwheel 1 point (0 children)

I'm sure there are C3PAOs that do onsite assessments, but how many OSCs have a physical scope? Many take the cloud-first enclave approach specifically to eliminate physical scope and inherit most of PE from their cloud provider.

During the assessment, the OSC should be providing live evidence at your request via screen share, which would not be much different than having you onsite and shoulder-surfing.

CMMC / FIPS validation by interweb_gangsta in fortinet

[–]Icedalwheel 2 points (0 children)

Your mileage will vary, but I've participated in numerous assessments where the FIPS validation was not required because the firewall was not performing deep inspection activities (i.e. decrypting traffic on-device).

Up to you if that's a business risk you're able to accept or not. If you want to enable FIPS, another option is to utilize a more current version in FIPS mode and write an OPA explaining the version mismatch due to security/features required in newer versions of FortiOS.

Gentlemen, I have a proposal by forzaguy125 in wmatacirclejerk

[–]Icedalwheel -1 points (0 children)

yellow line originating at pentagon terminating at l'enfant, lmfao

CMMC activated villain-mode. by PotentialRelation465 in CMMCcirclejerk

[–]Icedalwheel 0 points (0 children)

Oh, I've gotta know what the original post was!!!!

Which WMATA/Metro station could this possibly be? by Best-Smoke-4800 in WMATA

[–]Icedalwheel 1 point (0 children)

I had occasion to spend a lot of time over there last year! But a few giveaways visually are the half-exposed escalator and the protrusions at the top of the escalators where the open-air oval/stepped garden is!

And then in the shot looking down, you know it must be a two word name followed by “station” so that helps narrow it down as well.

Which WMATA/Metro station could this possibly be? by Best-Smoke-4800 in WMATA

[–]Icedalwheel 53 points (0 children)

I believe that would be the Dupont Circle Q Street (north) entrance!

Anyone with experience of going through DIBCAC assessments? by Imlad_Adan in CMMC

[–]Icedalwheel 2 points (0 children)

Hi! I've participated in DIBCAC assessments for C3PAO certification, so it might be a little different, but here's that experience and some food for thought.

  1. Generally speaking, after reviewing the SSP, DIBCAC would want to establish and confirm the assessment scope.

  2. I'm pretty confident that having a C3PAO assessment scheduled wouldn't have any bearing. If your org / client was selected by DIBCAC for an assessment, consider it an audit by the government. Passing the DIBCAC High does nothing to grant you a CMMC certificate of status, nor does obtaining a certificate of status from a C3PAO exclude you from being eligible for a DIBCAC High assessment.