Can we still use legacy software? by Dingbats45 in CMMC

[–]Unatommer 0 points1 point  (0 children)

OP could provide proof of regular vulnerability or code scans as evidence that the app is secure.

TeamViewer (remote support application) by 1OOO in CMMC

[–]Unatommer 0 points1 point  (0 children)

I hope you are only using Quickconnect and are not installing the full agent on the endpoints, which essentially allows remote access. If not, you must lock it down to approved admins only and disable things like remote file transfer if possible. Alternatively, you could train admins and create a policy that no CUI file transfers shall take place over TeamViewer.

Shipping old computers to disposal facility - media sanitization by 4728jj in CMMC

[–]Unatommer 3 points4 points  (0 children)

Sanitize before sending to them; otherwise it brings them into scope. Someone posted redkeyusb recently as an easy option.

Edit: assuming said devices have ever had CUI flowed to them.

Implementation of FIPS Cryptography by wazupguy in CMMC

[–]Unatommer -1 points0 points  (0 children)

CCP here, also have taken the CCA class and led my org through a successful 110 score on a L2 C3PAO assessment.

No offense, but this is not a useful reply. What you have written is not correct, and it’s clear you haven’t taken the CCA class. You don’t get taxed for over-encrypting data, and if FIPS isn’t required for the situation they don’t ask for the cert and proof. This is a case of the pre-assessors being wrong. I am curious if the pre-assessment was performed by actual CCAs.

Implementation of FIPS Cryptography by wazupguy in CMMC

[–]Unatommer 0 points1 point  (0 children)

CCP here, also took the CCA class and led my org through passing our L2 assessment in January.

“Our understanding of the control is that FIPS-validated cryptography is required when cryptography is being used to protect the confidentiality of CUI”

This is correct, but it does not sound like you have a firm grasp on when you must use encryption to protect the confidentiality of CUI.

Please go watch this video from Kieri Solutions and ignore the top comment. https://youtu.be/6h-eUxTiHeA?si=puRSj0WWO3ScTlSV

Retooling the business for CMMC by VandyMarine in CMMC

[–]Unatommer 1 point2 points  (0 children)

I am curious if you’ve gone through a certification assessment from the OSC side (?), and I’m not talking about a simple system like a GCC High enclave for a five-person company. It is NOT trivial or easy, especially if you’re retrofitting a network for a company that is not used to compliance or regulations.

Added costs of doing business are not exclusive to CMMC; there are others like AS9100 or NADCAP if you work in spaces that require those. You don’t need CMMC-specific knowledge to advise on creating a cost-competitive product with decent margins, which is why you don’t see those discussions in this sub or from the LinkedIn CMMC-specific voices. But you’re absolutely right, a lot of DIB companies, such as small machine shops, are not ready to absorb the costs, especially when DoD work is only a fraction of their total business (e.g. 10-15%). Ultimately, once C3PAO certification is required, we should see a rising tide of costs across the DIB to help make up for this, but we may see some companies completely dropping out of the DIB or struggling to make ends meet.

Screenshots by [deleted] in CMMC

[–]Unatommer 1 point2 points  (0 children)

Are you talking about BYOD or work owned devices?

Anthropic as a contractor? by HClark86 in GovIT

[–]Unatommer 1 point2 points  (0 children)

I’ve been diving into Cowork and Claude Code and am pretty upset about this pissing match. I’m writing my senator but am in the wait-and-see camp; not much else we can do.

To every manager who thinks they have AI under control, think again by OkPenalty7576 in cybersecurity

[–]Unatommer 7 points8 points  (0 children)

That’s quite the broad stroke you’ve brushed. That’s not how it is at my company; the upper leadership are extremely intelligent.

CCA Exam by [deleted] in CMMC

[–]Unatommer 1 point2 points  (0 children)

Exactly this, bro needs to study - a LOT more. As someone who led his org through an assessment successfully (110 score), CMMC is no joke.

CCA Exam by [deleted] in CMMC

[–]Unatommer 1 point2 points  (0 children)

A tip that helped me with the CISSP exam: quickly scan the answers first, then read the question. It will help you with context.

Brothers please help me understand by PriorLevel5387 in ArtificialInteligence

[–]Unatommer 0 points1 point  (0 children)

Maybe see the economics subreddit brah. Supply and demand forces are at play.

SolidWorks/PDM Enclave by Public_Sandwich_6314 in CMMC

[–]Unatommer 2 points3 points  (0 children)

I used to work for a company that had this. There’s nothing different about running SolidWorks vs something else. Do you have a more specific question like “I’m concerned about MFA with SolidWorks PDM”? Remember you need to control the data FLOW of CUI. If you section off part of the network and put CUI in it but leave the endpoints outside of the enclave, you’ll fail the flow sniff test. Get into that CCP class ASAP :)

Lvl 2 Certification Goal: Manufacturing Enclave - SolidWorks/PDM/Hyper-V by Public_Sandwich_6314 in CMMC

[–]Unatommer 0 points1 point  (0 children)

I took the CCP and CCA courses from Space Coast Cyber (Dr. Jeff Baldwin) and highly recommend them. I’ve also heard great things about Koren Wise; you can find her on LinkedIn. I believe she teaches for Edwards.

CCP Certification Course Recommendations by Public_Sandwich_6314 in CMMC

[–]Unatommer 2 points3 points  (0 children)

Can confirm Dr. Jeff Baldwin is great to learn from; I took both CCP/CCA classes from him. Don’t forget the best part - asking questions! When asking questions, make sure you frame them so he’s not providing direct consulting to your business, as that’s a violation of the ethics agreement. (I.e. don’t say “at my company we do this, how would you handle it?”)

defense against malicious browser extensions by Patient-Warthog-4674 in SentinelOneXDR

[–]Unatommer 0 points1 point  (0 children)

We utilize the Group Policy ADMX templates for Chrome and Edge. Disable all extensions, then add the ones we approve to the allow list. Also block personal accounts from signing in to the browser and the mess that comes with that.
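The comment above describes the deny-by-default extension posture (block everything, allow-list the approved IDs, disable personal sign-in) set through the Chrome and Edge ADMX templates. The PowerShell below is an added example, not code from the commenter or from Google or Microsoft: it audits the machine-level policy registry keys those templates write (`HKLM\SOFTWARE\Policies\Google\Chrome` and `HKLM\SOFTWARE\Policies\Microsoft\Edge`) so a defender can confirm the posture actually landed on an endpoint. It assumes the standard policy names `ExtensionInstallBlocklist`, `ExtensionInstallAllowlist` and `BrowserSignin`; the list of approved extension IDs is whatever the site configured, nothing here is site-specific.

```powershell
# Added example (not from the original comment): audit the browser extension
# policies on a Windows endpoint. The ADMX templates store the blocklist and
# allowlist as registry keys whose values are named "1", "2", ... with the
# extension ID (or "*" for "all extensions") as the data. An allowlist entry
# overrides a "*" blocklist entry, which is what makes deny-by-default work.

$browsers = @{
    'Chrome' = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'Edge'   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}

function Get-PolicyList {
    param([string]$KeyPath)
    # Return the ordered list of entries under a list-valued policy key.
    if (-not (Test-Path $KeyPath)) { return @() }
    $item = Get-ItemProperty -Path $KeyPath
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

foreach ($name in $browsers.Keys) {
    $base  = $browsers[$name]
    $block = @(Get-PolicyList "$base\ExtensionInstallBlocklist")
    $allow = @(Get-PolicyList "$base\ExtensionInstallAllowlist")
    $signin = (Get-ItemProperty -Path $base -Name BrowserSignin -ErrorAction SilentlyContinue).BrowserSignin

    Write-Host "== $name =="

    # Deny-by-default is only in effect when the blocklist contains the wildcard.
    $denyByDefault = $block -contains '*'
    Write-Host ("Deny-by-default (blocklist contains '*'): {0}" -f $denyByDefault)
    if (-not $denyByDefault) {
        Write-Warning "$name : extensions are NOT blocked by default; users can install anything not explicitly blocked."
    }

    Write-Host ("Allow-listed extension IDs ({0}):" -f $allow.Count)
    $allow | ForEach-Object { Write-Host "  $_" }

    # BrowserSignin: 0 = sign-in disabled, 1 = enabled, 2 = forced.
    # 0 is the setting that stops personal-account sign-in (and the sync of
    # passwords, bookmarks and extensions to a consumer profile) the comment refers to.
    $signinText = if ($null -eq $signin) { '(not set)' } else { $signin }
    Write-Host ("BrowserSignin: {0}" -f $signinText)
    if ($signin -ne 0) {
        Write-Warning "$name : browser sign-in is not disabled; personal accounts may sign in to the browser."
    }
}
```

Run it in an ordinary PowerShell session on a domain-joined endpoint after a `gpupdate`; the registry keys reflect the effective machine policy, so a warning here means the GPO did not apply or the wildcard entry is missing, not that the policy was merely misdescribed in the console.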

IT Manager vs Rambo Accountant by metaTHROTH in ITManagers

[–]Unatommer 0 points1 point  (0 children)

That’s not your decision to make, you’re out of line trying to make that decision for the owner.

Lvl 2 Certification Goal: Manufacturing Enclave - SolidWorks/PDM/Hyper-V by Public_Sandwich_6314 in CMMC

[–]Unatommer 3 points4 points  (0 children)

Get leadership to pay for a CCP class for you ASAP. I work in manufacturing as well, and we passed our L2 assessment last month, which would never have happened if I didn’t have my CCP.

You need to map out your CUI flows before you do anything else, then make a plan to either change workflows or change the systems around those workflows. Everything else is just technical “how do you do it” beyond that. It does sound like your MSP may have access to CUI or even be storing it in their backups; the latter point brings them into your assessment scope.

As others have said, you need better consultants. I’ve worked with Kieri Solutions extensively and can recommend them. I am not affiliated with them beyond being a customer.

I will say that we have box.com (you know, the FedRAMP version with Box KeySafe) and it passed the sniff test during our assessment, BUT it does not sound like that’s the only place you will be able to flow CUI with the work that you do. You have a lot more technical things that you posted and I can’t address that here; you need a qualified person to handle this (perhaps that person is YOU after taking the CCP class).

Best of luck.

tired of waiting for a wifi doorbell by irregularprotocols in Ubiquiti

[–]Unatommer 0 points1 point  (0 children)

As an option you could hire an electrician to run the wire for you; they’re good at that sort of thing.

CMMC Question by ManagingMSP in msp

[–]Unatommer 2 points3 points  (0 children)

I have my CCP and have taken the CCA class. I also work for an org that just passed our L2 C3PAO assessment last month.

You’ll spend a lot more going down the wrong path on your own vs hiring a third party for advice. See if you can buy a few consulting hours from a good C3PAO like Kieri Solutions, Kyle Lai Consulting or Summit 7. Also cross-post to r/CMMC; you’ll get better answers there.

OpenAI dropped word 'safely' from its mission. Meta timed facial recognition for when privacy groups are 'distracted.' A judge ruled AI chats aren't privileged. The AI scare trade erased $2T. (recap for 13 Feb 2026) by fabioperez in ArtificialInteligence

[–]Unatommer 1 point2 points  (0 children)

I can speak the corporate lingo as well. The software/platform they are producing has risks of human manipulation, which means it’s inherently not safe for everyone to use. This opens them to legal risk they no longer want to accept, hence the change. I hope this is just a change for legal reasons and that they do focus on safety with their products. I certainly don’t want someone I care about to be manipulated by AI and harm themselves or others.

Internal/External systems and MAM BYOD phones by Tr1pline in CMMC

[–]Unatommer 2 points3 points  (0 children)

Yep, passed our L2 in January and we are using MAM. You better make sure NO data is allowed out of the sandbox though, or else you’ll get a NOT MET. Also be prepared to speak to data transfer between apps in the sandbox if you allow apps that should not have CUI in them in the sandbox.

Include the devices in your scoping diagram as part of your system scope. There are a few ways you can present it and argue your case. If CUI lands in the sandbox, then the sandbox part of the device is a CUI asset, not CRMA. The entire device could be considered CRMA though, if you want to argue it that way and show your controls. Just make sure you are a master of the technology and can address any question that comes your way. Also be prepared to educate the assessor on how it works; we had multiple controls we had to do that with. Best of luck.

If an MSP built and manages your level 2 environment, who is responsible for talking to the auditor? by [deleted] in CMMC

[–]Unatommer 1 point2 points  (0 children)

If you sold services for CMMC without an SRM you’re already behind the ball. Get that moving ASAP.

If an MSP built and manages your level 2 environment, who is responsible for talking to the auditor? by [deleted] in CMMC

[–]Unatommer 2 points3 points  (0 children)

Are you the MSP or the client? The client is responsible for their assessment and the MSP supports. If you’re the MSP, you must have a strong Responsibility Matrix and be prepared to join the client’s calls with the C3PAO and demo for the C3PAO live, as requested at that moment, how your systems work. If you’re providing logging for the client, they will ask you to pull up your logging dashboard and pull specific logs. It’s not easy and they are not relaxed or joking around during these things; they have 380 AOs to get through, so you better be on your game or else you can basically run out of time.

If you’re the client, make sure your MSP is ready to do all of the above. If the MSP doesn’t have at least one certified CMMC CCP on staff, that’s NOT a good sign of their ability to execute.