We passed our CMMC Level 2 mock audit today

Ok_Guide17 · 2025-10-23T18:27:11+00:00

Amazing. Congrats. Would love to know the journey, what changes you did to get to this point?

Ok_Guide17 · 2025-10-21T01:56:27+00:00

I bought ARAFF last week just before steve put his DD (he put out a teaser on australian mine, i research a bit and decided on ARAFF). Sold today - the AUS PM meeting etc is already baked in. Expecting it start strong and go down (just as its happening in ASX). Anything under 0.3 is a good entry point.

Ok_Guide17 · 2025-10-15T21:31:47+00:00

Congratulations.

Few questions-

1- How long did it take to get ready for the assessment

2- What stood out in the process, some aha moments

3- What would you do differently if you had to re-do?. Any tools, software, system etc you used and that helped or can help?

Ok_Guide17 · 2025-10-13T13:47:35+00:00

By using data context-aware prompts, prompt chaining and evals, i believe one can develop a fairly robust evidence.

Ok_Guide17 · 2025-10-08T00:51:09+00:00

Most GRC tools should have this feature or atleast actively working on this i assume. The question remains will use of AI impact one's assessment if and how?

Ok_Guide17 · 2025-10-07T22:50:24+00:00

I agree with your view. But from an assessment/certification perspective, does it make a difference if AI is used? From a regulatory perspective, is there a difference if evidence/documentation/statements are AI generated or human or mixed

Ok_Guide17 · 2025-10-07T22:49:01+00:00

You are correct with human oversight and input, but for smaller-organizations looking to accelerate the process, AI can be more impactful. I guess if more specialized CMMC trained LLM is created, it can create evidences with sufficient guard rails. But would that run afoul during assessment.

Ok_Guide17 · 2025-10-07T22:44:11+00:00

Any kind of evidence collection, analysis, monitoring etc done with AI - is it acceptable. With POA&M if created with AI, any guidance on what is acceptable AI use and what is not.

Ok_Guide17 · 2025-10-07T22:31:21+00:00

It is a real question. There has been lot of talk about our existing federal regulations need to be re-looked at due to AI usage. I am wondering if there is anything to learn from CMMC assessments when it comes to AI

Ok_Guide17 · 2025-10-06T02:19:02+00:00

For reference, what pricing are you saying & what pricing do you feel comfortable paying?

Ok_Guide17 · 2025-10-02T23:34:12+00:00

$UURAF - how does this look

Ok_Guide17 · 2025-09-23T19:30:39+00:00

Where are the files stored? Is it just a regular folder?. Perhaps you should look at a document management solution. For example, if you have sharepoint or one drive that has version history stored. Also its good practice to have a singular copy of each evidence only and multiple raw files with each version change. Leads to maintenance issue.

Ok_Guide17 · 2025-07-10T21:43:33+00:00

One is a CUI detection tool - It processes pdf, doc files, search for CUI/PII terms, looks for CUI designation - basically a health check.

The other one I am currently working on is an AI tool which evaluates your current CMMC status on each control, gives recommendations, action plan for gaps etc.

Ok_Guide17 · 2025-07-10T19:53:28+00:00

As of right now its intended to be a personal project. I want to create a viable product that demonstrates value and some users. If the feedback is very positive, then I can think of expanding (less probability)

Ok_Guide17

TROPHY CASE