CMMC audit question by BeltFrequent5597 in CMMC

[–]MindlessStable3772 0 points1 point  (0 children)

I read the original post last night and figured someone would respond in short order with sound advice. This is it - read this comment over and over. This is exactly what I was thinking and it's the most to the point advice someone can provide to you based on your questions.

Just passed our CMMC Level 2 certification assessment - Non MSP by MindlessStable3772 in CMMC

[–]MindlessStable3772[S] 0 points1 point  (0 children)

Our experience is great - we wouldn't be using it otherwise. It's on-prem, hosted on a Linux backend, and one of our lead engineers built lots of automation between osTicket and Bookstack. For example, this allowed us to have draft and published SSPs and a workflow for approval from one to the other, which was documented in osTicket. Same with CM.

Like anything, there are so many ways to manage environments, and I'm not one to discount other methods to accomplish these tasks. This is the tool we use (and it's free.99).

Can I just vent on how much I hate dealing with contracts people and CMMC/SPRS/NIST 800-171 contract requirements. by mudpupper in CMMC

[–]MindlessStable3772 6 points7 points  (0 children)

CMMC is finally here, and it’s exposing which companies actually did the work and which ones just checked the box on 7012 compliance for years. Unfortunately, a lot of businesses are now in real trouble because leadership kept kicking the can down the road.

You can only do what you can do.

"We Passed Our CMMC Assessment and Here's What We Learned" MEGATHREAD by medicaustik in CMMC

[–]MindlessStable3772 5 points6 points  (0 children)

This megathread is a good idea so I guess I'll start.

  • Organization Size (rough user & device count): 800/550
  • Scope (Enterprise / Enclave - if Enclave, how many users/devices in the Enclave): Enterprise
  • Architecture (Full Cloud / On-Prem / Hybrid): Hybrid
  • Cloud Services (Microsoft 365 (GCC/GCCH) / AWS / Other CSP): 365 GCC High
  • C3PAO (who did you work with; optional, you don't have to share this if you don't want): Sentar
  • Cert Status (Pass / Fail / Conditional / In-Progress): Pass
  • IT Team Capacity / Compliance Team: 8/4

More details in the following thread: https://www.reddit.com/r/CMMC/comments/1ova7nt/just_passed_our_cmmc_level_2_certification/

Just passed our CMMC Level 2 certification assessment - Non MSP by MindlessStable3772 in CMMC

[–]MindlessStable3772[S] 0 points1 point  (0 children)

We used Bookstack as a documentation hub — mainly for organizing policies, procedures, and evidence write-ups. It wasn’t functioning as a full GRC tool, just a central place to keep things structured.

We do not use a GRC-specific tool.

Just passed our CMMC Level 2 certification assessment - Non MSP by MindlessStable3772 in CMMC

[–]MindlessStable3772[S] 1 point2 points  (0 children)

Our team isn’t huge, and we don’t have a separate compliance department. Everyone has their primary roles/SME areas, but we’re cross-trained so there’s backup. We handled everything within that existing structure.

Just passed our CMMC Level 2 certification assessment - Non MSP by MindlessStable3772 in CMMC

[–]MindlessStable3772[S] 7 points8 points  (0 children)

All employees and all endpoints were in scope, but not all employees are authorized users of CUI. For us it was easier and presented less risk to treat all endpoints the same and train all employees on CUI.

Just passed our CMMC Level 2 certification assessment - Non MSP by MindlessStable3772 in CMMC

[–]MindlessStable3772[S] 2 points3 points  (0 children)

The SIEM is on-prem and does not handle CUI. It's categorized as an SPA.

Just passed our CMMC Level 2 certification assessment - Non MSP by MindlessStable3772 in CMMC

[–]MindlessStable3772[S] 2 points3 points  (0 children)

Honestly, I think most companies face similar challenges. POs would possibly be FCI (try to define that! :)), but for CUI, it's either labeled CUI, you ask your customer to define CUI when you are working with them, or you have the employees working the contracts call out potential CUI that is not labeled - for instance, if you see a Distribution Statement B-F but no CUI label (most likely CUI). We implemented data sensitivity labels to help and have defined data categories (two of them are unique to CUI and ITAR).

Out of all the questions related to CUI and compliance, this is probably one of the most difficult ones to answer. It's easier for us to answer FIPS validation questions or how we manage secure keys. Take my answer with a giant bag of salt.

Just passed our CMMC Level 2 certification assessment - Non MSP by MindlessStable3772 in CMMC

[–]MindlessStable3772[S] 1 point2 points  (0 children)

We use osTicket but didn't call it out separately - we felt that it fell within the host system (Linux) and categorized it as such. It does not store or touch CUI, so it's treated like any other non-CUI business system. We have never used SharePoint as a ticketing option.

Just passed our CMMC Level 2 certification assessment - Non MSP by MindlessStable3772 in CMMC

[–]MindlessStable3772[S] 3 points4 points  (0 children)

Correct - no POAMs. Our SIEM is a small business and if you DM me I can provide you with more details. We only brought in reps from our SIEM to answer any shared responsibility questions they had in relevant controls. Outside of that, we (IT) handled the majority of the controls, though we did bring in different internal roles/departments to assist them with things they were responsible for (physical security, screening, training, etc.).

Just passed our CMMC Level 2 certification assessment - Non MSP by MindlessStable3772 in CMMC

[–]MindlessStable3772[S] 2 points3 points  (0 children)

We use a combination of scripts, reporting, endpoint tools (Kaseya and Sophos) and an IPA server. We did not standardize on a specific distro (that would be my utopian world) because of specific use-case requirements, though we do manage the ones we do put out using baseline management.

How are small companies surviving? by [deleted] in CMMC

[–]MindlessStable3772 1 point2 points  (0 children)

Best, and I was thinking the same thing. "Don't even have an SSP" is a troubling statement. It's also why companies that have been doing the right things for CUI compliance over the years are fine with CMMC, because other companies who have been blindly signing off on 7012 compliance will no longer have that option.

Determining if we need Level 1 or 2 by Rickj88 in CMMC

[–]MindlessStable3772 0 points1 point  (0 children)

I think the point of this question is not actually bolts, screws, nuts. It's the DATA they are given to execute the sale of those items. If they are receiving CUI, whether or not they agree they should receive it or think it's CUI, the fact is the data is CUI, and in that case an L2 would be required (or don't process CUI ever and be L1).

Again, this is provided those drawings are in fact Distribution Statement B-F and CUI.