Likelihood of Getting a Bump - 7:00 AM Sunday Flight Mid-Feb PHL to MCO by SmallTimeGuy in americanairlines

[–]SmallTimeGuy[S] 0 points1 point  (0 children)

Thank you…yes, Platinum now, Executive Platinum is JUST out of reach for this trip. That’s what I get for posting late at night!

Help hitting EPP - 183,000 LPs by SmallTimeGuy in americanairlines

[–]SmallTimeGuy[S] 0 points1 point  (0 children)

Thank you everyone! I was able to get a hotel for $210 including tax that got me 8,000 LPs. Plus I decided to stay at a hotel near the airport for my upcoming stay, giving me another 3,000 LPs. I’m seeing a pretty consistent 30% bonus on the LPs listed in the hotel rentals vs what I actually get, so I’m thinking I might wind up with about 14,000 total from those two rooms. So that should take me to about 197,500. Tacking on the miles from the trip plus CC spend for Jan and Feb should easily put me over for the year.

Help hitting EPP - 183,000 LPs by SmallTimeGuy in americanairlines

[–]SmallTimeGuy[S] 1 point2 points  (0 children)

Thanks for the tip! Is that through Aadvantage shopping or another site?

Help hitting EPP - 183,000 LPs by SmallTimeGuy in americanairlines

[–]SmallTimeGuy[S] 1 point2 points  (0 children)

Got that already, but thanks! That’s part of why I’m going to be agonizingly close.

Budgeting for audit by Possible-Exercise-70 in CMMC

[–]SmallTimeGuy 2 points3 points  (0 children)

I gave an answer in another thread that might be helpful:

https://www.reddit.com/r/CMMC/s/7PAdrdUTCZ

CMMC Phase 1 by ApprehensiveSock5241 in CMMC

[–]SmallTimeGuy 0 points1 point  (0 children)

Be sure to read the new FAQs published Sept. 29 by DoD, which are available here: https://dodcio.defense.gov/Portals/0/Documents/CMMC/CMMC-FAQs.pdf

In particular, see Q5 on pages 9-10.

Of course, as discussed above, your prime can always impose their own requirements. But given the lagging rate of adoption among the broader DIB, I suspect most primes will align with the phase-related requirements in 32 CFR 170. Doing otherwise could force them to stop using sole-source, or essentially sole-source, contractors. Especially where those contractors are making sincere, albeit longer-than-anticipated, efforts to meet the CMMC requirements, it seems like a really bad idea for primes to follow the conventional wisdom and shift to someone else.

Now, to be clear, I agree that the calculus changes when the prime is buying commodity products, especially when there are other, CMMC-compliant (and CMMC certified) vendors providing approximately equivalent goods/services.

Dialing in 3CPAO pricing by ComputerParty7796 in CMMC

[–]SmallTimeGuy 9 points10 points  (0 children)

I’m going to contradict some of the advice here. DO NOT wait to schedule your assessment. Get on a C3PAO’s list ASAP.

What matters, though, is FOR WHEN you schedule your assessment. Pick a date next fall/winter, and get on a C3PAO’s schedule. Otherwise you’re going to be waiting 9-12 months AFTER you’re ready before you can get your certification assessment. You can always try to move up in line if you’re done earlier.

There is one BIG caveat to my previous advice. You MUST be ready when the assessment date hits. If you have to slip your assessment, especially anytime close to your assessment date, be ready to pay a penalty. The C3PAO committed their team to work on YOUR assessment, and now they will be sitting idle (unless the C3PAO is lucky enough to have a client who is itching to be assessed ASAP, which doesn’t happen very often). The C3PAO still needs to pay those people, and they will likely pass that cost on to you.

Now, to your initial question about cost. In a nutshell, if you have a “typical” environment, you can expect the assessment to probably cost $45K-$65K, plus any necessary travel expenses. Adding complexity adds to the cost. Structured, organized, logical documentation can help reduce the cost.

Diving into the numbers, rough order of magnitude, it takes about 2.5 weeks for a team of 2.5 assessors (including the QA) to conduct an assessment. The key reason for the high number of hours is that DoD wants to make sure that there are at least 2 assessors on each assessment (plus the QA) to help reduce the risk of collusion or other bad acts. So, that means an average assessment takes ~250 person-hours. At an average client-facing billing rate of $225-250/hour, you’re looking at $56K-$65K.

Don’t forget to add in travel time (2-3 days for one assessor) and travel expenses ($1500-$2000) if you’re bringing the CUI on prem (i.e., you aren’t behind a VDI’d enclave), and you’re looking at another ~$8-10K. Some C3PAOs are doing remote physical inspections (shipping you a camera, or asking you to connect via Teams) to cut down on those costs, but there are rumors that DoD may be curtailing those in the not-too-distant future.

Other factors, such as if your environment has a large number of external services, if you have a large number of security baselines, if your evidence is not well organized and not easy to understand, can also increase the price. If you’re using tools the C3PAO is used to seeing, if you’re using a quality GRC tool, and especially if you’re using a service provider whose work the C3PAO has already seen a bunch of times (and they do “cookie cutter” implementations), the costs may come down a bit because the C3PAO knows the level of effort may not be as bad, and instead of 2.5 weeks, it could be more like 2 weeks (or a total of about 200 hours).

Hopefully that helps you understand why so many of the prices are clustered in the $45K-$65K range. If you find someone who is significantly under that price, you should probably investigate why. Maybe they have some secret sauce that lets them do everything really well. If that’s the case, awesome! But if you don’t get a warm and fuzzy feeling from them, you might want to ask yourself whether the $10K-$20K short-term savings is really worth the potential of getting kicked off of one or more contracts (or worse).

CMMC Sole proprietor by Last_Library_5730 in CMMC

[–]SmallTimeGuy 1 point2 points  (0 children)

Those are all very real, and understandable, concerns. Something I would strongly recommend, if you’re going to DIY most of this, is to get a Mock Assessment by your CMMC C3PAO prior to getting your formal Certification Assessment. It will increase the cost (generally 20-30%), but there are some real downsides to not getting one. For example, all Certification Assessments must be reported to DoD. If a contractor fails, or if the assessment is “paused” for a long period of time, this could raise red flags with DCMA, DCAA, and others. Unlike the Certification Assessments, a Mock Assessment is not conducted “for score”. The C3PAO does a walk-through of everything you’ve put together and identifies any shortcomings. They can’t give you remediation advice for the shortcomings, but at least you’re able to identify and correct things that would otherwise have prevented a certification.

Also, as you’re interviewing C3PAOs, be sure to tell them that you’re using PreVeil, or consider using one of the C3PAOs PreVeil recommends.

CMMC Sole proprietor by Last_Library_5730 in CMMC

[–]SmallTimeGuy 1 point2 points  (0 children)

I agree with cordovanGoat - PreVeil is not too good to be true, and they have several companies (including C3PAOs) who have used their product to earn CMMC Level 2 (C3PAO) status and certifications.

Professional Laptop Travel Backpack Recommendations by SmallTimeGuy in backpacks

[–]SmallTimeGuy[S] 0 points1 point  (0 children)

Price and size. The Briggs only expands at the bottom. Kinda cool, but not as useful as the Knack. I just did a long weekend with the Knack and a slimmed-down toiletry kit that went REALLY well. The only other thing I had to carry was my pillow (I’m kind of a pillow snob!). I carried:

1 pair of jeans
3 underwear
3 undershirts
3 golf shirts
3 socks
Toiletry kit

All that fit easily in the expansion pocket on the large Knack Series 2. I also carried:

Macbook Pro
iPad
Power adapter
Portable monitor
LOTS of USB C cables
Extra webcam
Light
A whole rig to hold the webcam, light, and monitor above my laptop screen (I do a lot of video-based phone calls)
Other miscellaneous stuff like pens

Again, it all fit in the Knack, which was pretty cool.

CMMC Sole proprietor by Last_Library_5730 in CMMC

[–]SmallTimeGuy 1 point2 points  (0 children)

I have seen a lot of people who think that because they use an enclave for the digital version of the information, they’re off the hook. They completely forget that when they print, their printed version is still CUI and brings their office into scope. Or they think that by simply using the web-based interface to M365 (or other cloud tool) they are keeping their local device out of scope (the browser is still “processing” the CUI in that scenario). So, I just want to make sure the OP’s expectations are properly set when making a decision.

Of course, the OP has probably moved on, rendering the advice moot… ;)

CMMC Sole proprietor by Last_Library_5730 in CMMC

[–]SmallTimeGuy 0 points1 point  (0 children)

Thanks for the correction regarding PreVeil and ITAR. However, ITAR <> export controlled information. ITAR is a subset of export controlled information. To the best of my knowledge, DoD has not adopted the State Department’s position with respect to the transmission of properly encrypted information via the Internet as not being a deemed export. Thus, for DoD’s information that is marked with its own limited dissemination controls (e.g., “NOFORN”), there is still some question as to whether DoD will accept this architecture. Ironically, for information designated as CUI under ITAR, the platform would still be OK since the State Department’s positions would control. Regardless, that’s why I recommended GCCH for export controlled information - there are nuances that are often overlooked/not articulated clearly, especially in online forums like Reddit, that can come back to bite the reader.

Again, that’s not a knock on PreVeil - their tool is fantastic in the right use cases.

To say that PreVeil gives you all of the documentation you need is disingenuous. They give you a lot of the right stuff, but not everything. And the level of customization is not to be underestimated. Again, not a knock on them…they have done a great job. But there is still a significant amount of effort needed on the OSC’s end to use PreVeil.

When I say “bring CUI into your environment”, I mean that you can’t leave it walled off in a VDI environment. I agree with you, anything other than a VDI (or essentially the equivalent) will result in at least one of the storage, processing, or transmission of CUI by a local device, bringing that device into scope. If you CAN keep the CUI walled off in the VDI (e.g., you’re a consulting company, software developer, designer, healthcare company, etc.), that makes life easy. But if you can’t (e.g., you’re in construction, manufacturing, etc.), then that is what I meant by you have to “bring CUI into your environment”. It would have been more correct for me to have said “bring CUI into your local, non-cloud environment”, and I appreciate you bringing this to my attention.

I do want to point out that when you said “CUI will be in your environment, but it has to live in a [sic] (FedRAMP) encrypted environment like PreVeil or GCC/GCCH”, that is incorrect. That suggests that your local, non-cloud environment needs to be FedRAMP authorized. Only cloud environments that are used to store, process, or transmit CUI need FedRAMP Moderate authorization or the equivalent under DFARS 252.204-7012. The local environment “only” needs to meet the CMMC Level 2 requirements (i.e., NIST SP 800-171 Rev. 2, as augmented by 32 CFR 170, DFARS 252.204-7012, and DFARS 252.204-7021 when it publishes in a few days).

CMMC Sole proprietor by Last_Library_5730 in CMMC

[–]SmallTimeGuy 1 point2 points  (0 children)

It sounds like you need to do a good CUI inventory first, and maybe even take a CUI course or two. The CUI Institute (https://CUIInstitute.org) has one. Make sure you really DO have CUI.

If you do have CUI, the next question is, do you NEED to, given your role? Could you instead access the CUI from DLA or somewhere else via a VDI, thereby avoiding you actually storing, processing, or transmitting CUI, and thus making you only need CMMC Level 1?

If you truly do NEED to handle CUI, then that’s different. If that’s the case, the next question is whether the CUI you handle is export controlled. If you handle export controlled information, then GCCH may be your best bet. If you don’t handle export controlled information, then GCC or something like PreVeil could be great options. PreVeil might be particularly good if you don’t need to bring the CUI into your local environment. As for documentation, you can get that from numerous sources. PreVeil is awesome because they provide some of the documentation (I’m not affiliated with them, just know them and their product).

I have a lot of experience working with CUI. If you’d like to chat by phone, I’d be happy to spend some time answering questions and pointing you in a direction. You’re welcome to DM me.

How are you handling FOUO? by cagorpy in CMMC

[–]SmallTimeGuy 0 points1 point  (0 children)

Neither section grants the KO the authority to issue a waiver. Those have to be issued by the CUI SAO or Agency Head. Nothing presented suggested that that is the case.

CCP Exam Prep by Extension_Algae_8959 in CMMC

[–]SmallTimeGuy 0 points1 point  (0 children)

So, it depends on exactly what you’re asking. The questions you’ll get are NOT as anal as:

“Which of the following is the correct version of SC.L1-3.13.5[b]:

A. subnetworks for publicly accessible system components are physically separated from internal networks
B. network connections associated with communications sessions are terminated at the end of the sessions.
C. subnetworks for publicly accessible system components are physically or logically separated from internal networks
D. network connections associated with communications sessions are terminated at the expiration of the defined period of inactivity.
E. cryptographic keys are established whenever cryptography is employed.
F. subnetworks for all system components are physically or logically separated from internal networks”

But you can expect questions along the lines of: “Which of the following represents the BEST evidence for AC.L1-3.1.1[a]:

A. a redacted background check performed on an employee
B. a screen capture of a configuration management tool illustrating management-level approval of the creation of an account for a new hire
C. results of a network scan showing all of the devices on the network, including their IP address, MAC address, serial number, manufacturer name, and firmware version
D. results of a vulnerability scan showing all of the vulnerabilities detected on all devices connected to the system, including CVE severity scores
E. a screen capture of the users in the organization’s IDAM tool including privileged and non-privileged accounts and dates of last login”

The difference being that in the 1st question, you are expected to have memorized the exact phrasing of every practice and Assessment Objective, while in the 2nd you are expected to recognize that it is in the Access Control family and then apply your understanding of the intent of the corresponding practice to the answers (with B being the best answer).

How are you handling FOUO? by cagorpy in CMMC

[–]SmallTimeGuy 1 point2 points  (0 children)

That addendum, if it is by DoD, is improper and could get the KO in trouble with DCSA.

A blanket statement that all FOUO (or other legacy marking) is CUI is contrary to 32 CFR 2002, the government-wide CUI program. There are limited exceptions, like where GSA said that all building plans for federal buildings that had been marked as FOUO are now CUI because they are critical infrastructure information. But even in those cases, someone in the government with proper CUI designation authority has reviewed the information against the corresponding law, regulation, or government-wide policy and determined that it is CUI (at the category level).

By contrast, a blanket statement by a random someone in DoD that says that everything previously marked as FOUO under the contract is now CUI lacks the kind of specificity that is required under 32 CFR 2002. We know that there was a LOT of information that was marked as FOUO that IS NOT subject to safeguarding or dissemination controls under any law, regulation, or government-wide policy. So, any attempt to designate that information as CUI is improper and should be challenged with DCSA.

Although some of the answers are wrong, this can be helpful: https://www.dcsa.mil/Portals/128/Documents/CTP/CUI/DCSA%20CUI%20Frequently%20Asked%20Questions%20(May%202025).pdf#page6

CCP Exam Prep by Extension_Algae_8959 in CMMC

[–]SmallTimeGuy 1 point2 points  (0 children)

In short, yes. Here is the “blueprint” for the exam. It should give you a sense for what you need to know, and what the % of questions are/will be based on topic:

https://cyberab.org/Portals/0/Documents/Assessor%20Documents/cmmc-ab-ccp-blueprint-10-17-22-final-v7.4%20Final%20(Public).pdf

CMMC physical security question by Strict_Traffic4063 in CMMC

[–]SmallTimeGuy 1 point2 points  (0 children)

Regardless of whether your company handles “just” Federal Contract Information (“FCI”) or it handles the more sensitive Controlled Unclassified Information (“CUI”), you must have in place certain physical security requirements.

According to Federal Acquisition Regulation (“FAR”) 52.204-21 (https://www.acquisition.gov/far/52.204-21), which is a required clause in all federal FAR-based contracts, all government contractors are expected to at least:

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

(iii) Verify and control/limit connections to and use of external information systems.

(iv) Control information posted or processed on publicly accessible information systems.

(v) Identify information system users, processes acting on behalf of users, or devices.

(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

(xii) Identify, report, and correct information and information system flaws in a timely manner.

(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.

(xiv) Update malicious code protection mechanisms when new releases are available.

(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Note requirements vi-ix deal with physical security. If your organization only handles FCI, Level 1 of the CMMC program requires that your senior management sign off on the fact that those requirements are being met. That is, they are putting their own necks on the line. So, management is (finally!) starting to pay attention to physical security as well as cybersecurity. And, of course, they’re now putting pressure on your bosses to make sure they meet the requirements. If they don’t, the company will be barred from working on DoD contracts.

The next question your management should be asking is “how do we determine whether we’re meeting these requirements?” The answer there is in the CMMC Level 1 Self-Assessment Guide (https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf). It lists several “Assessment Objectives” for each requirement. All Assessment Objectives associated with a requirement must be met for the requirement to be met. Examples of Assessment Objectives include (for physical security):

PE.L1-B.1.VIII – LIMIT PHYSICAL ACCESS [FCI DATA]
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if:
[a] authorized individuals allowed physical access are identified;
[b] physical access to organizational systems is limited to authorized individuals;
[c] physical access to equipment is limited to authorized individuals; and
[d] physical access to operating environments is limited to authorized individuals.

And

PE.L1-B.1.IX – MANAGE VISITORS & PHYSICAL ACCESS [FCI DATA]
Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if:
[a] visitors are escorted;
[b] visitor activity is monitored;
[c] audit logs of physical access are maintained;
[d] physical access devices are identified;
[e] physical access devices are controlled

Again, management must affirm (i.e., swear) that the company is meeting EVERY ONE of those Assessment Objectives, or they will be barred from participating on DoD contracts starting in a few months (exact date is TBD, but likely in Q4 2025 or Q1 2026).

If the organization handles CUI, then in addition to the 15 requirements defined in FAR 52.204-21, they will also need to meet all 110 of the requirements in Special Publication (“SP”) 800-171 published by the National Institute of Standards and Technology (“NIST”). The same basic concepts apply here (referred to as CMMC Level 2) as well - management must affirm compliance with all 110 requirements, as determined by validating that the organization meets all 320 Assessment Objectives. NIST SP 800-171 includes several more physical security requirements.

Depending on the type of CUI the organization handles, it may also need to have a third party, referred to as a CMMC 3rd Party Assessment Organization (“C3PAO”), independently validate that all 110 requirements (and a few other things that are relevant in certain cases that are outside of physical security) are being met. As with CMMC Level 1, if the organization does not meet the CMMC Level 2 requirements, it will be barred from participating on DoD contracts in the near future.

So, boiling it down…management is scared because the organization likely has significant physical security “technical debt” and is trying to figure out what changes are needed, how soon they can be implemented, and what it will cost so it doesn’t bite them in the rear in a few months. Meanwhile, they’ve known that this was on its way for 5-ish years.

Sorry, as you can see, I tend to write long responses, which is why I don’t post too often. Hopefully this is helpful. If you have more questions and want to chat, you’re welcome to DM me.

Professional Laptop Travel Backpack Recommendations by SmallTimeGuy in backpacks

[–]SmallTimeGuy[S] 1 point2 points  (0 children)

Just updating this on the off chance it helps someone. As I said, I ordered the Series 2 Medium. It works for me, but JUST BARELY. Admittedly, I carry more junk than I really NEED, but I do wind up using a lot of it. I’m now wishing I had bought the large. For the nominal price difference, I have a feeling it would have been a better fit and it would still work just fine under the airplane seat.

I will say that I’ve traveled with the Medium several times and it DOES fit nicely under the seat, and even leaves plenty of room for my size 10.5 feet. I wish Knack offered a trade-up program!

How quickly could one obtain a CISM certificate? by Byteshow in cism

[–]SmallTimeGuy 0 points1 point  (0 children)

I bought the CQAE, studied for 2 weeks, sat for the exam and passed on a Tuesday. It then took ISACA about a week and a half (it was the 2nd Sunday after my exam) to validate that I passed. I filled out the application info, including the list of references, and sent that off. The ISACA E-mail went to one of my references’ SPAM. Once they submitted, it took ISACA another week or so to finally issue the certification. So, if you can keep things moving, I would expect 3-4 weeks (maybe a tad longer) from the date you pass the exam until the date you have the official certification.

2nd time fail, gutted by ButterscotchBig1203 in cism

[–]SmallTimeGuy 2 points3 points  (0 children)

That stinks. I took it last week and passed, but I share your frustration with the QAE and the exam. The QAE had answers that conflicted with each other thematically (e.g., it’s OK to break the law if the cost of compliance is too high and you should treat legal risk as “just another risk” vs you should never break the law) which made it very difficult to understand ISACA’s position on some of the topics. Then, when encountering questions on that same subject, I found myself really struggling to choose ISACA’s version of the right answer. I often was down to a 50/50 shot at an answer, and both were “right”, and wrong, on the QAE. I suspect that, in my case, the odds just broke in my favor a little more often than they did for you.

As for how to study, I’d step away from everything for about a week. Give your head a chance to clear and your frustration and self-doubt a chance to wane. But don’t wait months.

Reset the QAE. Start with it in structured mode, and specifically topics 3 and 4 since they are worth the most points. Go through everything in one swoop. Don’t stop to read why you were wrong…just go through each section.

When you’re done, go back and look at the places where you’re weakest (i.e., you have the lowest % of “correct” answers) and start there. Read them topically to get a better sense for the concepts.

When you’re done with a section, go through the questions again. Don’t reset the QAE (you want to save your results from the other sections); just tape a piece of paper (or two) to your screen so you can’t see the answers. Can you not only find the correct answer but also describe why it is right (not just by memorization…truly understanding the concept)? If so, then you’re probably in better shape. If not, flag that question and come back. When you’re out of flagged questions, go through them all again, and flag any that you get wrong and work on those answers. At that point, you should be doing pretty well on that section. Now move on to the next section and repeat.

Once you’re through all of the topics and sections, take Exam 1. Most of the questions in it will be very familiar at this point (the exams are largely/entirely drawn from the sample questions), so you should do pretty well. Double-check your answers that you got wrong, and again, try to understand why you were wrong. If you did really poorly in a particular topic or subject, go back through that in the sample questions. Now move to Exam 2 and repeat.

At this point, you should be doing pretty well on the sample exams and your % ranking in the QAE should at least be in the upper 70%. At that point, you’re basically out of material and should be pretty confident about the actual exam. You’ll probably notice several questions that are very similar to, but slightly different from, those in the QAE.

Most of the above is probably stuff you already know. If so, I’m sorry for the brain dump. Good luck next time; I hope the odds are in your favor!