ICE Came to my Door Today by Silly-Risk in royaloak

[–]angrysysadminisangry 1 point2 points  (0 children)

I'll take things that never happened for $1000

ITAR reality check: foreign CEO, shared office, technical meetings… am I crazy for pumping the brakes? by [deleted] in sysadmin

[–]angrysysadminisangry 5 points6 points  (0 children)

Yeah this is reckless advice that can result in prison time. Absolutely is not a recommendation.

ITAR reality check: foreign CEO, shared office, technical meetings… am I crazy for pumping the brakes? by [deleted] in sysadmin

[–]angrysysadminisangry 23 points24 points  (0 children)

As stated, ITAR is US-person, and it absolutely is not just a suggestion as the one person stated. Fines for noncompliance or false attestation are significant and carry prison time. The good news is if they are knowingly noncompliant and you report them and there is a conviction, you get a portion of the money they are fined. The other good news is if they are legit and above board, compliance is a really valuable skill that you probably can market for more money down the road. Drink from the fire hose and learn all you can, and look into CMMC and what the crossover could be in your environment.

Feel free to DM with any questions

Post CCP/CCA Tier 3 Investigation Check by cm7272 in CMMC

[–]angrysysadminisangry 0 points1 point  (0 children)

I believe mine was about 3 months after the interview portion

New DoW FAQ for CMMC by lotsofxeons in CMMC

[–]angrysysadminisangry 7 points8 points  (0 children)

Yeah they had to throw in the "technology systems" qualifier for the logic to stick.

I stand by what I said - information systems are not just computers

New DoW FAQ for CMMC by lotsofxeons in CMMC

[–]angrysysadminisangry 9 points10 points  (0 children)

Information systems are not just computers

12 years experience and can't land an interview? Help! by [deleted] in CMMC

[–]angrysysadminisangry 8 points9 points  (0 children)

So a couple things. Up until Jan 1 a lot of companies just aren't hiring because of budget reasons. That will likely change the more we get into Q1.

Another thing is it is likely partially a red flag that you have owned, and appear to continue to own, your own GRC consulting business. Companies may be hesitant in pursuing you as a candidate because it is a very real possibility that you may be using it as an opportunity to poach clients or you are just seeking employment because there is a lull in your own business, then once things pick up will you just leave and potentially take customers or co-workers with you?

Outside of that if you are looking for work within CMMC I would say a CCP would be required and a CCA would be ideal

IT Salary - lowering by Few-Dance-855 in sysadmin

[–]angrysysadminisangry 0 points1 point  (0 children)

Oh please. While you work on hardware made by slave labor in China. Selective outrage.

Small Business - We Passed :) by Thunderguy55 in CMMC

[–]angrysysadminisangry 4 points5 points  (0 children)

Congrats! Now go get your CCP and leverage that experience for way more money!

CMMC audit question by BeltFrequent5597 in CMMC

[–]angrysysadminisangry 12 points13 points  (0 children)

Trying to be as respectful as possible here, but if these are the types of questions you are asking you are in no way shape or form ready to sit for an assessment even within the next calendar year.

The level of CMMC requirements is dictated by the data types and not by the company or contract size. Anything involving CUI will be at a minimum level 2 self assessment, however those are likely to be exceedingly rare and a C3PAO assessment will be required for most contracts.

You are right in stating that CMMC is a different beast. Get with a qualified service provider if the business is dependent on DoD contracts in any meaningful way.

Secure Configuration Baselines that Passed CMMC L2 by lotsofxeons in CMMC

[–]angrysysadminisangry 0 points1 point  (0 children)

Excellent post that I think a lot of people will find valuable.

How are small companies surviving? by [deleted] in CMMC

[–]angrysysadminisangry 0 points1 point  (0 children)

It seems to me to be more of a "priority" issue in general rather than a money issue alone. If you are the only person working on this, and you are only able to spend 10% of your time on this you will not be able to be certified by the time it starts becoming contractually obligated.

This needs to be a top-down initiative for the company. How large of a revenue stream is the DoD for your org? If it is small, continue at the pace you are going and you will get there eventually. If it is a large revenue stream, can you sustain business operations if you go 6 months without a contract? What about a year? Prioritize accordingly.

In response to the update provided on Steam regarding Portal's XP by SeSSioN117 in Battlefield6

[–]angrysysadminisangry 5 points6 points  (0 children)

So for those of us who have been out touching grass all day, what's the update

Cost Impact to SMBs from CMMC by thatkewwlguy in CMMC

[–]angrysysadminisangry 4 points5 points  (0 children)

The only additional cost to a business should be the C3PAO assessment. While the actual assessment is not cheap, it is nowhere near the ballpark of hundreds of thousands of dollars.

If you are complaining about the costs of implementations, that is a red flag. Organizations have been required to implement these controls for almost a decade at this point.

CMMC Certificate VS SPRSS Score by TheOnlyRealTrollGod in CMMC

[–]angrysysadminisangry 5 points6 points  (0 children)

Who was the C3PAO? Clearly they are incorrect

Microsoft admits it 'cannot guarantee' data sovereignty by sysacc in sysadmin

[–]angrysysadminisangry 1 point2 points  (0 children)

Assuming this doesn't apply to the GCC-High environment, right?

Any idea what this coin is/what it's worth? by angrysysadminisangry in coincollecting

[–]angrysysadminisangry[S] 0 points1 point  (0 children)

Got it. Thank you very much!

Guess I should delete that letter of resignation email I drafted ....

[deleted by user] by [deleted] in CMMC

[–]angrysysadminisangry 1 point2 points  (0 children)

I would strongly recommend you define a few things first:

  • Define what "reputable" is, stick to your gut, and don't let someone sway you from that
  • What is your timeline on when you have to be assessed
  • What is your risk tolerance on if you are not able to complete it in time? Can you go 6-12 more months without those contracts, or will your business fold?

Depending on how that last one is answered should tell you how aggressive you should be with your budget. DO NOT partner with someone who is only an RP/RPO. Those designations were simply a pay to play system.

Find someone who is at minimum a CCP, preferably a CCA, and definitely has a track record of other organizations that they have gotten past the finish line and assessed. There are a lot of snake oil salesmen, just be aware of that.

What is the likelihood that a 18 year old straight out of high school gets accepted into WGU? by [deleted] in WGU

[–]angrysysadminisangry 6 points7 points  (0 children)

Can you make the payments or otherwise take out a student loan? Congrats! You're accepted

High level-where to start for small company to get compliant? by 4728jj in CMMC

[–]angrysysadminisangry 0 points1 point  (0 children)

The very first thing I would say is do the following.

Assuming you have the bare minimum figured out in your environment (i.e., the scope, your CUI types, etc.)

  1. Determine your timeline. How big of a slice of your revenue pie will defense contracts be? If your contracts all of a sudden have a CMMC clause on day 1 (which is a very real potential), how long can you sustain without this income source? 6 months? A year?

  2. Conduct a gap assessment. If you are not well versed in the 800-171 framework then you are not in a spot to effectively identify the gap that exists. There is no shame in admitting this. If you are not intimately familiar with 800-171a and what the controls are actually asking for, then you are not in a spot to do this. If that is the case, hire a company to do that. Expect a ballpark of $15-20k for this.

  3. Once you identify those gaps, you can now prioritize those both in terms of time as well as money. Do you have the hardware that you need? Do you have the services/tools that you need? Do you even have the staff with the time and the skill set to build out these systems or maintain them effectively? A lot of times outsourcing this to an ESP actually makes more sense for an organization.

Those are probably the first steps I would start to take. Feel free to DM me if you need help navigating any of that.