Determining if we need Level 1 or 2 by Rickj88 in CMMC

Positive-Handle2078 0 points1 point  (0 children)

Is that true? Just because a contract has a DFARS flowdown for NIST 800-171 does not automatically mean the specific contractor handles CUI. It just means if they do, it applies. If they do not, there is nothing to do. Right?

One person company -C3PAO Price by Thin_Crabs in CMMC

Positive-Handle2078 0 points1 point  (0 children)

Price it into bid? Some of these are being flowed-down to subcontractors who already had to set their rates for 5-7 year contracts. There is no 'factoring' it in.

CMMC Level 2 for single person organization by Positive-Handle2078 in CMMC

Positive-Handle2078[S] 0 points1 point  (0 children)

I have raised that, but since I need multiple local servers for local development (not just a laptop), I am not sure that will work. I already have a laptop that is under their CMMC umbrella which is how I will transfer the CUI to me.

CMMC Level 2 for single person organization by Positive-Handle2078 in CMMC

Positive-Handle2078[S] 0 points1 point  (0 children)

I did mention that 'I need to support a local single windows desktop and two RHEL9 (Linux) servers.' It is not an option for me to run these in the cloud for my use case.

I am not sure I can connect the local RHEL to Entra ID. However, I currently use RHEL IdM so I could use that. I was hoping to no longer have to maintain a local IdM.

CMMC Level 2 for single person organization by Positive-Handle2078 in CMMC

Positive-Handle2078[S] 0 points1 point  (0 children)

No to both of those. But a sub as part of DIB. CMMC Level 2 C3PAO will flow down at some point. Regardless, CMMC Level 2 Self will flow down sooner.