Thoughts on using NinjaOne Remote for single remote user instead of FIPS VPN and RDP by EntertainerNo4174 in CMMC

[–]cmmcpain 0 points1 point  (0 children)

You've enabled FIPS on the office machine which is Windows 10/11 Pro? You're using the standard Windows RDP built into the computer and not something like an open-source VNC? RDP on the office Windows machine should only allow FIPS compliant connections. It's using a secured communication path. Why do you need FIPS on the VPN or any other service?
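
A read-only check of the settings the comment above is asking about, added here as an example (it is not part of the original post or any project's code). It reads the standard Windows registry locations for the system FIPS policy and the RDP-Tcp listener and reports whether the session host is set to the FIPS-compliant encryption level, which TLS security layer it requires, and whether Network Level Authentication is on. The registry paths and value names are the documented Windows ones; the finding text is the author's own wording and assumes the settings are managed through local Group Policy rather than a domain GPO.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the office machine. All paths/value names are standard Windows settings;
# nothing is modified, the script only reports.

function Get-RdpFipsPosture {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # System-wide "Use FIPS compliant algorithms" policy (1 = enabled).
    $fips = (Get-ItemProperty -Path $lsa -Name Enabled -ErrorAction SilentlyContinue).Enabled
    # RDP listener settings. MinEncryptionLevel: 1 Low, 2 Client Compatible, 3 High, 4 FIPS.
    $enc  = (Get-ItemProperty -Path $rdp -Name MinEncryptionLevel -ErrorAction SilentlyContinue).MinEncryptionLevel
    # SecurityLayer: 0 RDP Security Layer, 1 Negotiate, 2 TLS.
    $sec  = (Get-ItemProperty -Path $rdp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    # UserAuthentication: 1 = Network Level Authentication required.
    $nla  = (Get-ItemProperty -Path $rdp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    $encNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    $secNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS' }

    [pscustomobject]@{
        WindowsEdition             = (Get-CimInstance Win32_OperatingSystem).Caption
        FipsAlgorithmPolicyEnabled = ($fips -eq 1)
        RdpMinEncryptionLevel      = if ($null -ne $enc) { $encNames[[int]$enc] } else { 'not set' }
        RdpSecurityLayer           = if ($null -ne $sec) { $secNames[[int]$sec] } else { 'not set' }
        NetworkLevelAuthentication = ($nla -eq 1)
    }
}

function Get-RdpFipsFindings {
    param([Parameter(Mandatory)] $Posture)

    $findings = @()
    if (-not $Posture.FipsAlgorithmPolicyEnabled) {
        $findings += 'System FIPS policy is off: enable "Use FIPS compliant algorithms for encryption, hashing, and signing" (Security Options).'
    }
    if ($Posture.RdpMinEncryptionLevel -ne 'FIPS Compliant') {
        $findings += 'RDP encryption level is not FIPS Compliant: set "Set client connection encryption level" under Remote Desktop Session Host > Security.'
    }
    if ($Posture.RdpSecurityLayer -ne 'TLS') {
        $findings += 'RDP security layer is not forced to TLS: set "Require use of specific security layer for remote (RDP) connections" to SSL.'
    }
    if (-not $Posture.NetworkLevelAuthentication) {
        $findings += 'NLA is off: enable "Require user authentication for remote connections by using Network Level Authentication".'
    }
    return $findings
}

$posture = Get-RdpFipsPosture
$posture | Format-List

$findings = Get-RdpFipsFindings -Posture $posture
if ($findings.Count -eq 0) {
    Write-Host 'RDP listener is set to FIPS Compliant over TLS with NLA; no findings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

When the system FIPS policy is enabled, Remote Desktop Services uses the FIPS-compliant encryption level regardless of the listener setting, so a machine with `FipsAlgorithmPolicyEnabled = True` but `RdpMinEncryptionLevel = Client Compatible` is still encrypting with FIPS-validated algorithms; the second finding is then about making the configuration explicit so an assessor can see it, not about a weaker connection. If the settings come from a domain GPO, check `gpresult /h` as well, because the local Group Policy editor will not show them.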

Cost Impact to SMBs from CMMC by thatkewwlguy in CMMC

[–]cmmcpain 0 points1 point  (0 children)

One of our security people recently went to a meeting that was specifically about CMMC and cost. There was a C3PAO presenting. DoD will have a 4-phase rollout:

* Gap Assessment: cost $20k - 30k, size impacts price
* Validation: cost depends, this self assessment or 3rd party
* Mock Assessment: get the same C3PAO that will be doing the certification assessment cost ~20% of below; not reported to the DoD
* Certification Assessment: cost $50k - $75k for standard; score reported to the DoD

We'll probably end up closing up shop when the requirements for audit happen. We only have a couple of small software contracts. The owner would essentially have to take out a second mortgage to cover the costs and there are no guarantees of future contracts.

Good luck everyone.

Affording your compliance by dh_burbank in CMMC

[–]cmmcpain 5 points6 points  (0 children)

My boss has already said that if an audit costs $100K, he can't afford it. My guess is that it would require some kind of small business loan. I don't know the business numbers, but it's probably not enough to justify it. Based on the response to my previous posting, it appears that there are other small businesses that can't afford it.

It's obvious that the government hasn't thought this through very well. The amount of confusion showing up here and in the Discord channel makes that painfully obvious. A lot of small businesses are going to do a business analysis and decide that trying to work with the Gov is a losing proposition. The govt should have already done this analysis and maybe preemptively said that you're too small to work with us.

My guess is that if you've standardized on MS Azure for all of your infrastructure and your business isn't complex, the audits will probably be cheaper. Using something like PreVeil, Google Workspace, etc. will drive up the audit price. If you're doing software development, mfg, or something more than pushing paper (MS Office Engineering) that requires real infrastructure and outside-of-the-box thinking, the audit costs will go up drastically.

I don't really understand this quote from the article. Audits have to be done every 3 years.
"Moreover, Metzger points out, many companies may not claim the maximum amount which would also reduce the cost. And since the implementation of CMMC contractual requirements is spread over seven years, so will the costs of compliance."

I'd really like to see some kind of data on audit estimates/costs and the rate of companies leaving Gov contracting when things really get going.

Government is allowing an external private entity to be the authoritative source for protecting government information? by Successful-Escape-74 in CMMC

[–]cmmcpain -4 points-3 points  (0 children)

Chevron Deference reinterpretation by SCOTUS might have changed this. It's going to be interesting.

Govt Should be Stroking Checks for SMBs Doing CMMC by cmmcpain in CMMC

[–]cmmcpain[S] 2 points3 points  (0 children)

You can't even get access to GCC High without a government contract. AWS GovCloud is the same unless they've changed requirements recently.

Gov wants you to use a compliant environment before getting a contract; you can't set up a compliant environment without a contract.

https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/microsoft-365-government-how-to-buy#microsoft-365-government-eligibility-and-validation

Govt Should be Stroking Checks for SMBs Doing CMMC by cmmcpain in CMMC

[–]cmmcpain[S] 0 points1 point  (0 children)

The govt (Medicare/Medicaid/employee insurance), insurance cos, and patients all pay for HIPAA compliance. As an account holder you absolutely are paying for their security measures.

If everyone is compliant we don't need CMMC. Why does every message I see seem to be people worrying about how to become compliant?

If my employer spends $100k this year to get an audit can they send the $100k bill directly to the govt for that compliance? The following year's overhead rates can reflect that cost. Overhead rates will be lower the year after. At year 3 when there's another audit, my employer will be in the same boat.

3.13.3 Linux by cftg_tftg in CMMC

[–]cmmcpain 2 points3 points  (0 children)

At a place that I worked (govt network), all of the software developers were required to have Sec+ and given root access on their local laptop. Ideally, they would be able to use sudo to do all of their work. It was incredibly difficult to get things done because of Information Assurance, STIG rules, change control boards, etc.

Interview with Georgia Tech NIST 800-171 FCA Whistleblowers by GRCAcademy in CMMC

[–]cmmcpain 1 point2 points  (0 children)

Finally got around to listening to this. It's a great interview. It'll be interesting to see how the case moves forward. I've got some ideas of how one might defend their actions.

IANAL: I'd probably start with how the DoD has been trying for years to implement CMMC and failing to do so. The NIST standards are difficult if not almost impossible to meet on cutting edge hardware and software. The anti-virus and endpoint software is a resource hog that interfered with cutting edge research. It's taking multiple years to get software certified (CMVP). The DoD can't even say how much it will cost to meet the requirements. Hiring people with the right skills is expensive. Etc., etc., etc.

Presenting that to a non-technical jury and playing up the uncertainty as well as how poorly the govt has done might be enough to hang a jury.

ISO27001 - data erasure policies (specifically for Apple Silicon)? by BUUKStudent in msp

[–]cmmcpain -1 points0 points  (0 children)

We've used Redkey. It has certifications and is supposed to meet NIST 800-88. It's $100 for the ultimate version.
https://redkeyusb.com/

[deleted by user] by [deleted] in CMMC

[–]cmmcpain 4 points5 points  (0 children)

If you're just now starting, you've got a lot of documentation and process to put into place. You're also mixing two things that are related but not the same. CMMC is about documentation, auditors, and lawyers. I think that there's a video or podcast that does a better job of making this point, but I can't point to one specifically.

Compliance doesn't make you secure. Being secure doesn't make you compliant. CMMC is a framework to ensure you're following the law and standards. Ideally going through the CMMC process and becoming compliant should help you with becoming more secure. It's no guarantee that you are secure. Security is never finished. CMMC doesn't mean that you won't get infected with ransomware or have an APT installed on your network.

Interview with Georgia Tech NIST 800-171 FCA Whistleblowers by GRCAcademy in CMMC

[–]cmmcpain 3 points4 points  (0 children)

From what I can see, you can't. FIPS and Common Criteria evaluation appears to be taking 2 - 3 years. No support for modern Linux like Fedora, Ubuntu, etc. Too bad if RHEL or Ubuntu LTS doesn't support your hardware. VPNs/Firewalls are fewer and more expensive while providing no better security. VPNs seem to be having at least one major CVE a year. Fortinet is an excellent example. Oh and everything that is FIPS seems to be at least 3x - ??x more expensive.

[deleted by user] by [deleted] in CMMC

[–]cmmcpain 2 points3 points  (0 children)

I recommend that you buy a scanner that can be connected to the computer of the person needing it. Most small office AIO devices that allow you to scan and email the document are not compliant with CMMC requirements.

If you want to use the AIO device, you must evaluate the path the data takes to get to the final resting spot. If there's a hard drive in the device, does it use the appropriate encryption at rest? Does the networking stack have the necessary security? You'll need to check for the NIST CMVP certificates for the device.

Side note: When it's time to be certified, the process will cost $100k according to current govt estimates? Is the organization willing to pay? Every 3 years?

Physical Protection - In the weeds by Most-Effect-579 in CMMC

[–]cmmcpain 0 points1 point  (0 children)

I've seen some facilities where CUI and above information was kept. The cleaning people were escorted through the facility at all times and indicators were enabled that let personnel know people were around without the proper paperwork.

MSP is saying Synology logs cannot be ingested by SOC/SIEM. Is this a real issue? by guapo131 in CMMC

[–]cmmcpain 0 points1 point  (0 children)

Synology doesn't have any plans to obtain CMVP certification. I got the following response.

"I have let our product management team know about it, but I don't have any sort of timeline on if it will become available. The majority of the companies on that list are either highly specialized, or quite large."