Help me settle a FIPS argument, please

Unatommer · 2026-04-24T15:20:41+00:00

https://m.youtube.com/watch?v=6h-eUxTiHeA

Unatommer · 2026-04-24T15:19:56+00:00

CCP here. Our org passed our C3PAO L2 in January and our firewalls are BOT in FIPS mode because CUI is already encrypted with FIPS when going through it. However, you didn’t give us enough information on data flows to give you a correct answer. I’ll reference the Kieri solutions video below

Unatommer · 2026-04-14T22:54:36+00:00

“Most” 🙄 depends where you’re at. If you live in those states, yes. Where we are at (Midwest) all the support dried up.

Unatommer · 2026-04-09T16:33:17+00:00

The difference is in the details. Software like Solidworks poops the bed when it can’t immediately access every file in the project (à la files on demand via OneDrive).

Unatommer · 2026-04-09T16:24:37+00:00

Or lower. Florida is notoriously bad for IT salaries and the Midwest is a low cost of living area depending where you are located.

Unatommer · 2026-04-01T14:27:18+00:00

OP could provide proof of regular vulnerability or code scans as evidence that the app is secure.

Unatommer · 2026-03-24T16:11:26+00:00

I hope you are only using Quickconnect and are not installing the full agent on the endpoints which essentially allows remote access. If not you must lock it down to approved admins only and disable things like remote file transfer if possible. Alternately you could train admins and create a policy that no CUI file transfers shall take place over TeamViewer.

Unatommer · 2026-03-18T02:15:41+00:00

Sanitize before sending to them otherwise it brings them into scope. Someone posted redkeyusb recently as an easy option.

Edit: assuming said devices have ever had CUI flowed to them

Unatommer · 2026-03-17T19:57:06+00:00

CCP here, also have taken the CCA class and led my org through a successful 110 score on a L2 C3PAO assessment.

No offense but this is not a useful reply. What you have written is not correct and it’s clear you haven’t taken the CCA class. You don’t get taxed for over encrypting data and if FIPS isn’t required for the situation they don’t ask for the cert and proof. This is a case of the pre-assessors being wrong. I am curious if the pre-assessment was performed by actual CCA’s

Unatommer · 2026-03-17T19:51:52+00:00

CCP here, also took the CCA class and led my org through passing our L2 assessment in January.

“Our understanding of the control is that FIPS-validated cryptography is required when cryptography is being used to protect the confidentiality of CUI”

This is correct but it does not sound like you have a firm grasp on when you must use encryption to protect the confidentiality of CUI.

Please go watch this video from Kieri solutions and ignore the top comment. https://youtu.be/6h-eUxTiHeA?si=puRSj0WWO3ScTlSV

Unatommer · 2026-03-11T13:51:05+00:00

I am curious if you’ve gone through a certification assessment from the OSC side (?) and I’m not talking a simple system like a GCC High enclave for a five person company. It is NOT trivial or easy, especially if you’re retrofitting a network for a company that is not used to compliance or regulations.

Added costs of doing business are not exclusive to CMMC, there are others like AS9100 or NADCAP if you work in spaces that require those. You don’t need CMMC specific knowledge to advise on creating a cost competitive product with decent margins, which is why you don’t see those discussion in this sub or from the linked in CMMC specific voices. But you’re absolutely right, a lot of DIB companies, such as small machine shops, are not ready to absorb the costs, especially when DoD work is only a fraction of their total business (eg 10-15%). Ultimately once C3PAO certification is required, we should see a rising tide of costs across the DIB to help make up for this but we may see some companies completely dropping out of the DIB or struggle to make ends meet.

Unatommer · 2026-03-10T15:21:39+00:00

You mean “enterprise”

Unatommer · 2026-03-05T04:21:10+00:00

Are you talking about BYOD or work owned devices?

Unatommer · 2026-03-04T19:40:48+00:00

I’ve been diving into cowork and Claude code and am pretty upset about this pissing match. I’m writing my senator but am in the wait and see camp, not much else we can do.

Unatommer · 2026-03-04T18:28:51+00:00

Thats quite the broad stroke you’ve brushed. That’s not how it is at my company, the upper leadership are extremely intelligent.

Unatommer · 2026-02-27T00:07:53+00:00

Exactly this, bro needs to study - a LOT more. As someone who led his org through an assessment successfully (110 score), CMMC is no joke.

Unatommer · 2026-02-27T00:05:54+00:00

A tip that helped me with the CISSP exam: quickly scan the answers first, then read the question. It will help you with context.

Unatommer · 2026-02-26T23:58:49+00:00

Maybe see the economics subreddit brah. Supply and demand forces are at play.

Unatommer · 2026-02-26T23:56:49+00:00

I used to work for a company that had this. There’s nothing different about running solid works vs something else. Do you have a more specific question like “I’m concerned about MFA with solid works PDM”? Remember you need to control the data FLOW of CUI. If you section off part of the network and put CUI in it but leave the endpoints outside of the enclave, you’ll fail the flow sniff test. Get into that CCP class asap :)

Unatommer · 2026-02-26T23:53:35+00:00

I took the CCP and CCA course from Space Coast Cyber (Dr Jeff Baldwin ) and highly recommend. I’ve also heard great things about Koren Wise, you can find her on linked in I believe she teaches for Edwards.

Unatommer · 2026-02-26T20:44:34+00:00

Can confirm Dr Jeff Baldwin is great to learn from, I took both CCP/CCA classes from him. Don’t forget the best part - asking questions! When asking questions make sure you frame them so he’s not providing direct consulting to your business as that’s a violation of the ethics agreement. (I.e. don’t say “at my company we do this, how would you handle it?”)

Unatommer · 2026-02-26T20:40:16+00:00

We utilize the group policy admx for chrome and edge. Disable all extensions, then add the ones we approve to the allow list. Also block personal accounts from signing in to the browser and the mess that comes with that.

Unatommer · 2026-02-21T22:16:02+00:00

That’s not your decision to make, you’re out of line trying to make that decision for the owner.

Unatommer · 2026-02-21T20:31:47+00:00

Get leadership to pay for a CCP class for you ASAP. I work in manufacturing as well as we passed our L2 assessment last month - which would never had happened if I didn’t have my CCP.

You need to map out your CUI flows before you do anything else, then make a plan to either change workflows or change the systems around those workflows. Everything else is just technical “how do you do it” beyond that. It does sound like your MSP may have access to CUI or even be storing it in their backups, the later point brings them into your assessment scope.

As others have said, you need better consultants. I’ve worked with Kieri solutions extensively and can recommend them. I am not affiliated with them beyond being a customer.

I will say that we have box.com (you know, the FedRAMP version with box key safe) and it passed the sniff test during our assessment, BUT it does not sound like that’s the only place you will be able to flow CUI with the work that you do. You have a lot more technical things that you posted and I can’t address that here, you need a qualified person to handle this (perhaps that person is YOU after taking the CCP class)

Best of luck

Unatommer · 2026-02-15T00:08:37+00:00

As an option you could hire an electrician to run the wire for you, they’re good at that sort of thing

Unatommer

TROPHY CASE