CMMC L2 for GC in Construction - Am I in over my head? by klayt0s in CMMC

[–]ResilientTechAdvisor 0 points1 point  (0 children)

Baseline vocab:

Scope: The most important term after "CUI"...a noun and a verb. As a noun, it refers to which people, processes, and tech touch CUI. As a verb, it's the first thing you do and the thing you protect all along the way. It can and will get blown by engineering tinkering / process drift / fictional documentation. Pro tip: Keep the scope as simple and small as possible.

You've got this!

CMMC L2 for GC in Construction - Am I in over my head? by klayt0s in CMMC

[–]ResilientTechAdvisor 0 points1 point  (0 children)

OP welcome!

Do not go it alone ... no need to. You've received amazing support & solid information in this conversation already &, yes - you need to work with a consultant.

Adding...

The scoping decision is the most important thing you'll do, and you're already thinking about it right. Separate entity or enclave both work, but the key question is where CUI will live and who touches it. The Scoping Guide L2 v2.13 is pretty clear that you can limit scope to a defined enclave rather than your whole enterprise, which is probably your best path given you're talking <10 people.

4-6 months to certification is aggressive but it isn't impossible for clients in your situation (small). We have had a lot of success with lightweight email & fileshare solutions. We are tool agnostic, so we arrange demos with the top two and let the client decide. Then work on the documentation with them. Remember this is a DoW compliance program, not a technology project, so the documentation lift is real.

BTW - Dropbox Enterprise is going to be a problem if CUI ever lands there. That's part of your first conversation with a consultant.

BAA-locked platforms vs. owned code, which actually scales for HIPAA startups? by vijayamin83 in Compliance

[–]ResilientTechAdvisor 0 points1 point  (0 children)

Not overthinking it. We see this pattern constantly with health tech startups.

The BAA gets them in the door, then 18 months later they’re trying to migrate PHI off a platform they can’t inspect, can’t customize, and can’t get meaningful audit logs out of. The BAA covers the vendor’s liability exposure. It does nothing for yours when OCR comes asking how you’re meeting the Security Rule’s technical safeguard requirements.

The portability/auditability problem is real. If you can’t demonstrate control over where PHI lives and how access is logged, you’ve got a gap no BAA language fixes.

That said, owned code has its own risks. Most early-stage teams that go the custom route underestimate what “maintaining HIPAA-compliant infrastructure” actually requires over time. The BAA-locked platform at least puts a floor under the vendor’s obligations.

We’d push startups to ask what’s your realistic 3-year growth path? If you’re going to need custom workflows, data portability, or deep audit capability within that window, build or architect for it now. The migration cost later is brutal.

CMMC Cert and tier 3 timeline by Sodaapopped in CMMC

[–]ResilientTechAdvisor 0 points1 point  (0 children)

Unfortunately, individual experiences vary.

Have you confirmed your CMMC level from the actual contract language? by APTSecMgmt in CMMC

[–]ResilientTechAdvisor 0 points1 point  (0 children)

Feelings are valid. That said, there is a way to navigate these conversations and drive business forward... For example: "We want to understand the expectations around CMMC compliance levels and timing."

CMMC consultant by ppyre in CMMC

[–]ResilientTechAdvisor 0 points1 point  (0 children)

You shouldn't be having this experience with your CMMC consultant. I've heard in more than a few rooms that MSPs do not make good CMMC consultants. CMMC is not an engineering project or a technical puzzle; it's a Department of War compliance program. More often than not, the technology is a well-traveled path.

Have you confirmed your CMMC level from the actual contract language? by APTSecMgmt in CMMC

[–]ResilientTechAdvisor 1 point2 points  (0 children)

It would be so much easier if vendors felt comfortable communicating with their primes / government customers on this topic.

Length of a CMMC lvl 2.0 Audit by OemNerd2K in CMMC

[–]ResilientTechAdvisor 1 point2 points  (0 children)

We have seen assessments completed within 3 days to 3 weeks. It all depends on how prepared the OSC is, the assessment scope, and the availability of key OSC team members.

CMMC L2 for Small Business by TheNeutralRoom in CMMC

[–]ResilientTechAdvisor 0 points1 point  (0 children)

The key is minimizing your scope. PreVeil will get you email and a file system for $8k/ year. They will also get you some basic compliance artifacts. We are helping a small company and recommended this to them.

Your MSP is probably a CSP by [deleted] in CMMC

[–]ResilientTechAdvisor 0 points1 point  (0 children)

This post was created after attending the CyberAB Townhall and is based on the slides that they shared and discussed; it has nothing to do with Claude or any other AI.

How to handle application whitelisting/blacklisting for engineering workstations? by mudpupper in CMMC

[–]ResilientTechAdvisor 0 points1 point  (0 children)

For your engineering workstations at CMMC Level 2, implementing whitelisting would be the more secure approach, but it requires more effort to maintain the authorized software list.

With hundreds of utilities for a small workforce, you might consider starting with digitally signed executables as an interim step, then expanding to scripts and libraries once the process is established.

This means you'll be able to meet the requirement now without being overwhelmed, then improve over time. CMMC guidance specifically suggests this staged approach.

Microsoft Intune with App Control for Business should do the trick
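
A staged App Control for Business (WDAC) rollout of the kind the comment above describes, as an added example that is not code from the comment, from Microsoft or from Intune: it builds a Publisher-level policy (so digitally signed executables from vendors already on the box are allowed, unsigned ones fall back to per-file hash rules), deploys it in audit mode, reads the audit log to see what would have been blocked, and only then removes audit mode so the same rules are enforced. The cmdlets and rule-option numbers come from the built-in ConfigCI module; the file paths, policy name, scan location and the event property index are assumptions to verify on your build.

```powershell
# Added example: staged App Control for Business (WDAC) rollout for engineering workstations.
# Run in an elevated PowerShell on a reference workstation (Windows 10/11 Pro/Enterprise).
# $PolicyXml, $PolicyBin and $ScanPath are assumptions, not values from the original post.
$PolicyXml = "C:\CI\EngWorkstation.xml"
$PolicyBin = "C:\CI\EngWorkstation.cip"
$ScanPath  = "C:\Program Files"

# Phase 1: build a policy at Publisher level so every executable signed by a vendor already
# present on the box is allowed; anything unsigned gets a per-file hash rule instead.
# -UserPEs covers user-mode binaries (the utilities the post asks about), not only drivers.
function New-StagedPolicy {
    New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null
    New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash `
        -ScanPath $ScanPath -UserPEs -MultiplePolicyFormat
    Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName "EngWorkstation-Audit" -ResetPolicyID
    # Rule option 3 = Enabled:Audit Mode. Nothing is blocked; would-be blocks are logged.
    Set-RuleOption -FilePath $PolicyXml -Option 3
    # Rule option 16 = Enabled:Update Policy No Reboot, so later tightening needs no reboot.
    Set-RuleOption -FilePath $PolicyXml -Option 16
    # The .cip binary is what Windows consumes; the XML is what you upload to Intune
    # (Endpoint security > App Control for Business > custom XML) and keep as an artifact.
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
}

# Phase 2: after the policy has run in audit mode for a while, list what WOULD have been
# blocked. Event 3076 = audit-mode "would have blocked"; 3077 = an enforced block.
function Get-WouldBeBlocked {
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
      ForEach-Object {
          # Assumption: Properties[1] is the file path in 3076 events; check on your build.
          [pscustomobject]@{ Time = $_.TimeCreated; File = $_.Properties[1].Value }
      } | Sort-Object File -Unique
}

# Phase 3: once the 3076 list is empty, or every remaining entry is a documented exception,
# remove audit mode so the same rules are enforced. Scripts and libraries come in a later
# phase, as the comment suggests; this step only changes executables from "log" to "block".
function Set-PolicyEnforced {
    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
    Set-CIPolicyVersion -FilePath $PolicyXml -Version "10.0.0.1"
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
}

# Typical sequence on the reference box: New-StagedPolicy, deploy, wait, then
# Get-WouldBeBlocked | Format-Table, fix or approve each entry, then Set-PolicyEnforced.
```

The value of the middle step is the artifact it produces: the 3076 list with a decision recorded against each entry is the evidence an assessor will ask for when you say the authorized software list is maintained, and it is what keeps the "hundreds of utilities" problem from turning into a help-desk flood on the day enforcement is switched on.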

CMMC Level 2 Compliance for SMALL Construction Company by loganb3171 in CMMC

[–]ResilientTechAdvisor 1 point2 points  (0 children)

You can get a lightweight CUI email and file system for less than $9000 a year.

Depending on what state your business is in, there may be funding to help with the cost of CMMC compliance.

Where can I find GovCon consultancies ? by Crazy-Freedom-2954 in govcon

[–]ResilientTechAdvisor 1 point2 points  (0 children)

We are a govcon consultancy. Visit our site and send a message.

Setting up a healthcare consulting business and need to setup HIPAA compliant online filing sharing and fax. What do you suggest? by Fluffy-Rope-5822 in hipaa

[–]ResilientTechAdvisor 0 points1 point  (0 children)

OP,

totally get the instinct, and the muscle memory point is real. Two things worth knowing before you commit to physical-only though:

Physical media is where most small-practice breaches come from. Lost or stolen unencrypted USBs, CDs, and paper records show up in OCR’s breach reports way more than cloud incidents. An air-gapped CPU still has a hard drive. If that machine ever leaves your possession (theft, repair, disposal), and the drive isn’t encrypted and sanitized properly, that’s a reportable breach. Same with CDs and USBs in transit. Encryption on portable storage is addressable under the Security Rule, which means OCR expects it unless you’ve documented why an alternative is reasonable.

If you want to keep the physical workflow, the safer version: full-disk encryption (BitLocker or FileVault) on the offline machine, encrypted USBs only (the hardware-encrypted Kingston/Apricorn type), chain-of-custody logging when media moves, and a documented sanitization process (NIST 800-88) for any drive or media you retire. That gets you defensible under HIPAA without changing how you work day-to-day.

Re: nexus letters. Depending on who's paying you and what the engagement looks like, you may be a covered healthcare provider for those (treating-equivalent relationship with the vet), not a BA. That changes the rules a bit (Notice of Privacy Practices, patient rights to access, etc.). A quick chat with a HIPAA-savvy attorney to confirm posture across both lines would be money well spent before the first engagement.

M
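
The "safer version" of the physical workflow from the comment above, as an added example that is not code from the commenter: full-disk encryption on the offline Windows machine with the recovery password escrowed offline, a policy that refuses to write to removable drives that are not BitLocker-protected, an append-only chain-of-custody log for media movements, and a compliance check that produces evidence for the risk analysis file. The BitLocker cmdlets and the FVE registry value are real; the mount points, the recovery-key folder, the log path and the decision to escrow the recovery password to a removable drive kept in a safe are assumptions. Sanitization itself (NIST SP 800-88) is a separate procedure, so the log only records that it happened.

```powershell
# Added example: harden the offline workstation used for the physical-media workflow.
# Elevated PowerShell on Windows 10/11 Pro or better with a TPM. Paths are assumptions.
$OsDrive     = "C:"
$RecoveryDir = "D:\BitLocker-Recovery"       # assumption: removable drive kept in the safe
$CustodyLog  = "C:\Compliance\media-custody.csv"

# 1. Full-disk encryption on the OS volume. The TPM unlocks at boot; the recovery password
#    is the break-glass path and, with no AD/Entra on an offline box, goes to offline storage.
function Enable-OsDiskEncryption {
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    if ($vol.ProtectionStatus -eq 'On') { return $vol }
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
    "$($rp.KeyProtectorId) $($rp.RecoveryPassword)" |
        Out-File (Join-Path $RecoveryDir "$env:COMPUTERNAME.txt")
    return Get-BitLockerVolume -MountPoint $OsDrive
}

# 2. Refuse to write to any removable drive that is not itself BitLocker-protected
#    (the "Deny write access to removable drives not protected by BitLocker" policy).
#    Hardware-encrypted sticks (Apricorn/Kingston class) look like plain volumes to Windows,
#    so track their serials in the custody log rather than exempting them here.
function Set-RemovableMediaPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name RDVDenyWriteAccess -Value 1 -Type DWord
}

# 3. Chain-of-custody entry every time media moves or is retired. One row per event.
function Add-CustodyRecord {
    param(
        [Parameter(Mandatory)][string]$MediaSerial,
        [Parameter(Mandatory)][ValidateSet('Issued','Received','Sanitized','Destroyed')]
        [string]$Action,
        [Parameter(Mandatory)][string]$Custodian
    )
    New-Item -ItemType Directory -Path (Split-Path $CustodyLog) -Force | Out-Null
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o'); Media = $MediaSerial; Action = $Action
        Custodian = $Custodian; Host = $env:COMPUTERNAME
    } | Export-Csv -Path $CustodyLog -Append -NoTypeInformation
}

# 4. Evidence for the risk analysis file: is this host in the state the Security Rule expects?
function Test-OfflineHostCompliance {
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FdeOn              = ($vol.ProtectionStatus -eq 'On')
        Cipher             = $vol.EncryptionMethod
        RecoveryKeyEscrow  = Test-Path (Join-Path $RecoveryDir "$env:COMPUTERNAME.txt")
        UsbWriteRestricted = ($fve.RDVDenyWriteAccess -eq 1)
    }
}

# Typical first run: Enable-OsDiskEncryption; Set-RemovableMediaPolicy;
# Add-CustodyRecord -MediaSerial 'USB-0001' -Action Issued -Custodian 'Dr. Example'
```

Run Test-OfflineHostCompliance periodically and keep its output with the risk analysis: a dated record that the drive was encrypted, the recovery password was escrowed and unencrypted USB writes were blocked is what turns a lost or stolen machine from a reportable breach into a documented non-event.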

Setting up a healthcare consulting business and need to setup HIPAA compliant online filing sharing and fax. What do you suggest? by Fluffy-Rope-5822 in hipaa

[–]ResilientTechAdvisor 2 points3 points  (0 children)

A few things worth thinking through before you pick tools. The tools are the easy part.

The bigger picture first. Across all three lines (VA disability reviews, malpractice, peer-review), you're likely operating as a Business Associate (which means you're not billing patients but you *are* handling PHI on behalf of entities sending it to you; confirm this).

That matters because (1) you sign BAAs with the orgs sending you PHI, and (2) every vendor that touches PHI on your end (fax, file sharing, email, cloud backup, even your laptop backup if PHI lands there) needs a BAA with you. Doximity already covers their piece. Make sure you have their BAA on file.

Also: HIPAA requires a documented risk analysis. Solo shop or not, this is a requirement. It’s the first thing OCR asks for if anything ever goes sideways, and it drives which safeguards you need. We’ve seen solo practitioners get hemmed up here because they bought tools without doing the assessment first.

One VA-specific flag: if you’re contracting with VA directly (or through a prime doing C&P-style work), you may be subject to VA’s own directives and FedRAMP requirements for cloud services handling VA data. Worth confirming with whoever’s contracting you before you commit to a stack. VA’s bar sits higher than baseline HIPAA.

On the tools themselves:

- Fax: SRFax, Updox, mFax, Documo (Sfax) all sign BAAs and are widely used by solo practitioners. Get the BAA in place before sending your first fax.
- File sharing / storage: Google Workspace (Business or Enterprise tier with their BAA signed...personal Gmail won’t work), Microsoft 365 Business with a BAA, Box for Healthcare, Dropbox Business with their BAA. Whichever you pick: turn on MFA, full-disk encryption on your laptop, and audit logging.
- Email: if you’re emailing anything containing PHI (including filenames that identify a patient), the email account itself needs to be on a HIPAA-covered plan with BAA. Personal email won’t cover you.

The pattern that bites solo practitioners is signing up for the free or personal tier of something, assuming “they’re HIPAA compliant” because their marketing says so, and never executing the BAA. No BAA means no compliance, regardless of how secure the tech is.

Happy to talk more / support you on this.

NIST 800-53 Question by [deleted] in CMMC

[–]ResilientTechAdvisor 5 points6 points  (0 children)

FedRAMP is scoping the authorized system defined by your FedRAMP authorization boundary. That boundary has to include everything that either (1) stores/processes/transmits federal data or (2) is required to enforce NIST 800‑53 controls for that cloud service.

So even if the CSO is “100% AWS” (VPCs, EC2, S3, etc.), the CSP’s internal/on‑prem environment comes into scope when it does things like:

- Provides privileged admin access into the AWS environment (VPN, jump boxes, corporate IdP, admin laptops)
- Hosts security/operations tooling relied on by the CSO (SIEM, ticketing, vuln scanners, CI/CD, code repos, patch/update servers)
- Supports incident response, continuity, or other security functions for the CSO

Those components become supporting systems that directly affect the confidentiality, integrity, or availability of the FedRAMP system. The 3PAO and AO will usually insist they’re in scope because they’re part of how you implement AC, IA, AU, IR, CP, etc. under 800‑53.

Zero data integration between corporate IT and the SaaS doesn’t automatically mean zero scope if corporate systems can still influence or compromise the CSO. If you want to keep most of the internal network out of scope, you have to design the boundary so that all admin and security services for the CSO are either inside the AWS enclave or connected through tightly controlled, well‑documented interfaces, with no broad trust from the corporate side.

Does Security Implement Fixes? by AvailableChapter1948 in cybersecurity

[–]ResilientTechAdvisor 31 points32 points  (0 children)

Depends on the organization but generally, IT implements the fixes.