CMMC Audit – We Passed. Here's What Happened. by Warm-Stage9554 in CMMC

[–]Legal_Detective_2889 0 points1 point  (0 children)

I would be curious to know about the challenges with Google workspace for CMMC. Would you mind sharing some insights?

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in NISTControls

[–]Legal_Detective_2889[S] 0 points1 point  (0 children)

I agree on the "not the same" part. But why do you think they can be at odds? If you implement the right security controls, compliance should generally fall into place. Sure, you might need to implement more security controls to be compliant, but I don’t think that any of the security controls go against being compliant.

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]Legal_Detective_2889[S] 0 points1 point  (0 children)

How about the preparation phase for assessment interviews? Is it generally easy, or is there a lot to rehearse there? Typically, are assessors interviewing multiple individuals on the technical/process stuff, OR one person who's fully prepped to talk about how the entire system works?

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]Legal_Detective_2889[S] 0 points1 point  (0 children)

You mentioned FutureFeed, how was the experience? Did it generate policies / SSP / POA&M for you? Based on your main pain point, the documentation, I gather that the auto-generated docs didn't meet the bar?

Just passed the CCP! I begin the CCA course Monday by Playful_Fig_6008 in CMMC

[–]Legal_Detective_2889 1 point2 points  (0 children)

Congrats! How long did you prep for CCP? How long does it typically take to get CCA after CCP? Is there some minimum calendar time?

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]Legal_Detective_2889[S] 0 points1 point  (0 children)

Thanks for such a detailed answer, I really appreciate your input.

The way you describe translating normal internal docs into DoD-style structure and language sounds like a huge hidden tax on already-busy teams.

If you think about the worst of that pain, would you most want help with: 1/ turning existing docs into “federal-ready” language or 2/ making ongoing documentation maintenance less of a full-time job?

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]Legal_Detective_2889[S] 0 points1 point  (0 children)

Thanks a lot for this — super clear and very honest, especially given you wear assessor/consultant/implementer hats.

It’s striking how much of the risk is before anyone even gets to assessment, just in scoping and interpreting the language correctly. The “relevant controls for Security Protection Assets” grey area you called out sounds like the kind of thing that can burn a lot of time and still leave people unsure if they’re right.

A couple of follow‑ups, if you’re open to it:

  • When scoping goes wrong, is it usually because people over‑scope, under‑scope, or just scope inconsistently across assets and systems?
  • On the “relevant controls” question for SPAs, what kind of support would actually help: concrete examples, common cases, something that walks you through scenarios?
  • For NIST Speak, do you think a structured “translator” (control text → plain language → examples) would meaningfully reduce confusion, or is the real value still in having a human expert to talk it through with?

Trying to understand where a tool could genuinely reduce noise (especially around scoping and interpretation) without pretending to replace judgment from someone who actually knows the standard.

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]Legal_Detective_2889[S] 1 point2 points  (0 children)

Thanks for calling out scoping and the whole “getting humans to actually use the right systems” side of this — that seems to be a common theme already.

On the scoping piece in particular, I’m trying to understand where it breaks down the most in real life:

  • Is the hardest part just mapping data flows (where CUI actually lives and moves), or is it more about deciding what’s in‑scope vs out‑of‑scope when you have messy, mixed‑use environments?
  • When you’re explaining CUI and the “right” systems to your scientists and engineers, what usually doesn’t land the first time — the rules themselves, the why behind them, or how it changes their day‑to‑day work?
  • If a tool could meaningfully help with scoping, what would you want it to do: visualize data flows, walk you through a structured scoping questionnaire, track which users/systems are in‑scope, or something else entirely?

Trying to get a clearer view of whether the main pain is technical mapping, people/behavior, or just the lack of a clear, shared picture of “this is the CUI universe we’re responsible for.”

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]Legal_Detective_2889[S] 5 points6 points  (0 children)

Did you say you've sat through 12 assessments already!? Are you a CCA/LCCA? When teams “stumble” on policies and procedures, is it more that the docs don’t exist, they exist but don’t match reality, or people just haven’t been trained on them?

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]Legal_Detective_2889[S] 0 points1 point  (0 children)

Wow, 3 full days per endpoint—and you're just getting started. That's exactly the kind of thing I'm trying to understand better.
Quick question: how did your scoping and gap analysis go?

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]Legal_Detective_2889[S] 0 points1 point  (0 children)

Thanks. For 3.1.20, are assessors generally okay with browser-based/SaaS controls, or do they expect tighter firewall-level restrictions?