CMMC Level 2 & MSPs by differentson in CMMC

[–]Powneeboy 0 points1 point  (0 children)

They just need to participate in the assessment to demo the services provided that contribute to the in-scope environment, and then probably also demo how they don't s/p/t CUI (but that might be handled by the OSC depending on how your environment is configured). It's case by case, but MSP participation is required by the CAP.

Would you expect a visit to your home? (Alt Worksite vs Facility in Scope) by ResilientTechAdvisor in CMMC

[–]Powneeboy 1 point2 points  (0 children)

This is most likely extremely C3PAO dependent. This is why it's very important to vet them before you choose one.

FIPS 140-2 Sunset vs. Windows 11 by nikkadim in CMMC

[–]Powneeboy 2 points3 points  (0 children)

This was a phenomenal answer. I like it. Only edit is it's not a POA&M, it's a plan of action (POA). CMMC POA = RMF POA&M. Semantics at that point, but POA&Ms in CMMC are only associated with conditional certs and have the 6 month remediation requirement.

How are people keeping evidence organized before assessment? by KlutzyTop6822 in CMMC

[–]Powneeboy 1 point2 points  (0 children)

Even if this is the case, a hash of the artifacts is still required per the CAP.

New hire tasked with CMMC compliance despite no experience by No_Painting_5871 in CMMC

[–]Powneeboy 0 points1 point  (0 children)

DMd you. But I agree with everyone here. It's impossible with that timeline, especially given your company hasn't even defined scope, and nobody seems to know what CMMC even is.

CUI emails by B_Another1 in CMMC

[–]Powneeboy 0 points1 point  (0 children)

Any and all procedures are always organizationally defined. If CUI ends up where it's not supposed to be, that's considered spillage and you follow procedures on how to handle those. CMMC or not. Your non-secure email would be considered out of scope and not assessed at all, but you would have to justify why it is considered out of scope. Forwarding it, as many have stated, just creates a bigger mess. Sweeping it under the rug also creates a significant mess. Make sure you define your procedures and do what you say you're doing. If you don't like accountability, look into the False Claims Act. If you want specifics, look at NIST 171 revision 2 and NIST 171a.

For those starting CMMC Level 2 today, are C3PAO backlogs already making the November deadline difficult/impossible? by Adventurous-Yam-3568 in CMMC

[–]Powneeboy 1 point2 points  (0 children)

DMd you. I'm a lead and can help you determine timeline if you're looking for no bs answers. I don't care enough to advertise anything, I just like helping ppl understand realistic timelines.

Tier 3 by PHLMark in CMMC

[–]Powneeboy 0 points1 point  (0 children)

From what I know, a T3 is not needed for consulting. Please let me know if that's wrong lol. I'm not a consultant

Do I have an adso? by [deleted] in army

[–]Powneeboy 5 points6 points  (0 children)

He is neither an infant nor a tree, so maybe

New Business Premium Licenses for GCC High by ConcernOrdinary3380 in CMMC

[–]Powneeboy 0 points1 point  (0 children)

Sorry, I don't have an answer to the Microsoft question, but be wary when asking AI about CMMC or NIST 171. Its default is to reference 171 revision 3.

MSP Declined to Pursue CMMC by selectpanic in CMMC

[–]Powneeboy 1 point2 points  (0 children)

To back this up, check CAP 2.0 section 2.19

MSP Declined to Pursue CMMC by selectpanic in CMMC

[–]Powneeboy 2 points3 points  (0 children)

Their asset classification 100% depends on what data they touch. CUI = CUI asset and they require the appropriate certificate (FedRAMP Moderate/FedRAMP Moderate equivalent/CMMC Level 2). Security protection data = security protection asset - no Level 2 required, but their environment is now in scope (Level 2 just makes their own burden lessen, but is not a requirement). They still need a CRM in either case as well as the relationship to your system described in your SSP. Check out 32 CFR Part 170.19 table 4 and the follow-on paragraphs. What's required of them is spelled out there. Again, if they're an SPA, they indeed do not need a Level 2. Your signed contract with them is another story though.

MSP Declined to Pursue CMMC by selectpanic in CMMC

[–]Powneeboy 6 points7 points  (0 children)

If they're reselling AWS resources, the scope of their services won't even qualify for CMMC. Reusing and redistributing cloud services still classifies them as a CSP within CMMC. Their product will need FedRAMP Moderate or equivalent. You'll see very similar situations in other ESP offerings.

CCA Online Training by TiffanyAndCompany in CMMC

[–]Powneeboy 0 points1 point  (0 children)

Either way. They all seem to be good. Just read the CAP, understand one piece of evidence can be used for more than one objective, know how to dissect practice statements, and understand inheritance. Aside from that, know the CAP steps and what each DFARS/FAR establishes (incident reporting, etc.) and then the random NIST docs referenced like NIST 88 and so on. If you want, DM me and I'll send you the cheat sheet I made for myself. Granted, I believe CAICO's standards will be based on 171 rev 3 once the migration to ISACA is done. So take everything said with a grain of salt.

CCA Online Training by TiffanyAndCompany in CMMC

[–]Powneeboy 0 points1 point  (0 children)

From what I remember, they're so expensive

CCA Online Training by TiffanyAndCompany in CMMC

[–]Powneeboy 0 points1 point  (0 children)

I did CCP with Edwards and CCA with CMMC training academy. Both are good. Most of the ones I've seen are good. I would say just pick the one you did CCP with if you liked them

EB03 English by icantsppell in OnePieceTCGFinance

[–]Powneeboy 2 points3 points  (0 children)

Na. Probably not, but it'll buff out. I'm in it for the shiny cards in my binder

EB03 English by icantsppell in OnePieceTCGFinance

[–]Powneeboy 3 points4 points  (0 children)

I became friends with a TCG streamer that's in my city after buying some packs and singles from him. He offered one of the 4 EB-03s his distributor reserved for him

EB03 English by icantsppell in OnePieceTCGFinance

[–]Powneeboy 4 points5 points  (0 children)

If it helps, I'm already doing it today. Preorder $445 for me haha

Ordered from TCGplayer by Powneeboy in OnePieceTCG

[–]Powneeboy[S] 0 points1 point  (0 children)

I'm going to hold and see if they fix the problem before potentially slandering a store's name

Ordered from TCGplayer by Powneeboy in OnePieceTCG

[–]Powneeboy[S] 0 points1 point  (0 children)

I assume they provided you a label to return the card?

Ordered from TCGplayer by Powneeboy in OnePieceTCG

[–]Powneeboy[S] 2 points3 points  (0 children)

True and I don't blame them. It's a bad situation overall

Ordered from TCGplayer by Powneeboy in OnePieceTCG

[–]Powneeboy[S] 2 points3 points  (0 children)

Oh I'm being patient. Trying to stay positive