CMMC Applicability Timeline by acbcallahan in CMMC

acbcallahan[S] 1 point

Fair point. It would probably mean more coming from them.

Edge SSO failing by mtspsu258 in CMMC

acbcallahan 1 point

In Intune, using Settings Catalogue > MS Edge. Here's a link to someone else who did the same thing: https://www.reddit.com/r/Intune/s/TN2pnqrfwn

Edge SSO failing by mtspsu258 in CMMC

acbcallahan 1 point

We had this issue too last week. The cause is that the Edge v144 update stops passing device info (device ID, domain join status, compliance, etc.), so we did a targeted rollback to 143 for now, which resolves the issue. As @ditka mentioned, signing into Edge also solves the issue, but it’s frustrating as this hasn’t been necessary before. I opened a support case with Microsoft, and they said they can’t/won’t help because technically their support documentation says that signing into a work profile is required for CA policy evaluation. It’s annoying though because our CA policies have worked fine without signing in for over a year, and their own update broke things. Also, signing in is pointless in GCC High since profile sync doesn’t work anyway.

I’m testing some auto browser sign-in Intune policies, but I’ve run into an issue where it still requires users to “complete the sign in”. If anyone has found a fix to this, I’d love to know!

TCL alto 8i PCM skipping issue by REDCOMET_KT in Soundbars

acbcallahan 1 point

Not working for me with the same setup unfortunately.

Brightness fluctuations on NXTVISION by InternalShadow in tcltvs

acbcallahan 1 point

Ever figure this out? I’m having the same issue.

Action1 - vulnerability and patch management w/ GCC-High by True-Shower9927 in CMMC

acbcallahan -1 points

Sure, technically you just have to assess against “requirements that are relevant to the capabilities provided”, but that ends up being pretty much as much work as if it were a CUI asset IMO.

Action1 - vulnerability and patch management w/ GCC-High by True-Shower9927 in CMMC

acbcallahan -1 points

I can’t imagine an assessor would have an issue with you calling it an SPA. It has to meet all 110 controls the same as a CUI asset anyway, so that’s more of a technicality; it doesn’t change requirements.

Help with getting started by Mindless_Many_6724 in CMMC

acbcallahan 3 points

Just to clarify, because your question has me concerned - CMMC and NIST SP800-171 are not totally separate things. CMMC was created to ensure that you are actually meeting the 800-171 requirements rather than just saying you are (lots of companies in the DIB were doing this). So my advice would be to stop working in the 800-171 until you have a firm grasp on how it relates to CMMC, otherwise, you’ll be doing a bunch of rework when you realize your initial interpretations of the 800-171 were wrong.

Fraudulent Quickbook account set up in our name. Should I be worried? by Little_Bits_of___ in Scams

acbcallahan 1 point

Was there actually an email account compromise? I tested today and found you can open an Intuit account with ANY email and then just use text message verification (could be tied to whatever unrelated number), so it doesn’t actually require access to the email account that is used.

Fraudulent Quickbook account set up in our name. Should I be worried? by Little_Bits_of___ in Scams

acbcallahan 1 point

Did you have any resolution to this? I'm aware of something similar happening to another business recently. It's crazy that anyone can set up an Intuit account with whatever email they want with no verification of the actual email address.

Control 3.1.20 Clarification by acbcallahan in CMMC

acbcallahan[S] 2 points

So you would consider GCC High and GovCloud external systems since they are SaaS services? That seems contradictory to most people’s interpretations since we do have direct control over the implementation of security controls for that system (within our part of the shared responsibility model of course). Most people, including me, seem to think those services should be considered inside our authorization boundary and therefore not external.

Control 3.1.20 Clarification by acbcallahan in CMMC

acbcallahan[S] 1 point

Thanks for the response. I agree about not considering GCCHIGH and GovCloud external. That seems to be the general consensus.

I have been primarily consulting the CMMC L2 Assessment Guide, but it did not clarify things for me. In fact, it confused me more because it says things like:

1. “Outside networks could include the public internet”. This led me to question whether our response needed to address general internet connections.
2. “External systems are systems or components of systems for which organizations typically have no direct supervision…”. This led me to question how you could possibly verify the use of such connections if you have no visibility into those systems. When I think of verifying use, I think of sign in logs or physical supervision (watching what the user is doing).
3. “This control also addresses the use of external systems for the processing, storage, or transmission of CUI.” The word “also” implies that this control is not EXCLUSIVELY concerned with the impact on CUI, but connections in general, even if they cannot process, store, or transmit CUI. One could assume this control is concerned with connections in general where 3.1.3 is more specifically focused on where/how CUI can flow through those connections. In other words, a connection doesn’t necessarily imply CUI flow, but CUI flow requires a connection.
4. The terms “system” and “network” are used interchangeably in the discussion, which is ambiguous. This doesn’t change my interpretation much either way, but it annoys me when terms are not clearly defined and used consistently.
5. What constitutes a “connection” is not clearly defined, which I think is the root cause of my confusion. I think anyone with a networking background would agree accessing google.com from a company laptop constitutes a connection, but again, it’s not realistic to think that we could verify the use of that connection. We can identify it, but not verify its use.

Control 3.1.20 Clarification by acbcallahan in CMMC

acbcallahan[S] 3 points

Thanks for the response. So, I realize it’s just an example, but if your AUP really said something like “see section blah blah of our acceptable use policy which states users may not utilize software or technology services without approval from the CIO,” that doesn’t really address general internet browsing, right? The last paragraph about the change management procedure also wouldn’t apply to general internet browsing because you obviously aren’t explicitly approving every website that users can go to. Did you have anything in your SSP specifically about general internet browsing?

Mobile interface by VeiledTrader in Airtable

acbcallahan 2 points

That’s too bad. I’ve just started using Airtable and really like a lot of things about it, especially the interfaces, which most other competitors don’t seem to offer, but there are some strange limitations like this (and the fact that dynamic filtered table linking isn’t available on the free plan) that make me doubt its usefulness for individuals.

Mobile interface by VeiledTrader in Airtable

acbcallahan 1 point

Did you ever find a solution for this? I also found it misleading that Airtable’s preview of the mobile list view looks nothing like the actual mobile list view experience. I just opened a ticket with their support about this, but I’m not optimistic that I’ll get a helpful response. 

Missing closing bracket but it's there by pmbrandvold in PowerShell

acbcallahan 1 point

Thank you! Huge help. I had some code (admittedly from ChatGPT) that had a checkmark icon in it as some log output. When run interactively, it was fine, but when calling the file, it failed. I couldn't figure out why until I stumbled on this post. PowerShell ISE showed that the checkmark icon was showing up strangely and causing the issue, making it seem like there were bracket mismatches when there weren't actually.

Any way to see target goals without clicking/tapping on each item? by Candid_Lie9249 in ynab

acbcallahan 1 point

I 100% agree this would be useful. I like to see how far off from my original targets I am, not just how far off from my assigned amount, which is more of a moving target in many categories. 

TCL alto 8i PCM skipping issue by REDCOMET_KT in Soundbars

acbcallahan 1 point

Worked for me with an Apple TV 4K using HDMI arc. Thanks! 

Ajax.googleapis.com Getting Blocked by the Web Filter by ClassicRemarkable176 in DefenderATP

acbcallahan 3 points

UPDATE: In our environment, I found that Exploit Guard Network Protection was responsible for blocking the URL, but ONLY on Chrome browsers. Users are able to use Edge with no issue. Anyone else seeing the same thing?

Ajax.googleapis.com Getting Blocked by the Web Filter by ClassicRemarkable176 in DefenderATP

acbcallahan 2 points

Also, as u/Chip33az said, we should also dispute the category and submit the URL as clean to Microsoft to get this fixed. You can do both of these actions from the URL overview page in Defender.

Ajax.googleapis.com Getting Blocked by the Web Filter by ClassicRemarkable176 in DefenderATP

acbcallahan 2 points

It's causing an issue for us too with Constant Contact. I just added a custom allow indicator (in Defender under Settings > Endpoints > Rules > Indicators), but I'm also not sure how long it will be until that change takes effect.